dfa481d3211c5394cf41840cb1d11c181dfde9dd550ba1a7cf9d6719d288187c

Analysis

max time kernel
90s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfa481d3211c5394cf41840cb1d11c181dfde9dd550ba1a7cf9d6719d288187c.exe
Size

290KB
MD5

a1021156d75072e4501335fe855d134b
SHA1

0538fd7e09cc94b9e5092350e05422bc18ac2021
SHA256

dfa481d3211c5394cf41840cb1d11c181dfde9dd550ba1a7cf9d6719d288187c
SHA512

a9850965d952a6fb5ad9a02d2d32aceb7c2c784990a3ffe85e5936ff6ea97f07da910dee56c220327c0495be420677defb2486f687525e9d6df2a12d6b8cfabc
SSDEEP

6144:bMrFJ2vDwYOMAUmKyIxLDXXoq9FJZCUmKyIxL:orFJ6Dw32XXf9Do3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe

Executes dropped EXE 64 IoCs

pid	Process
1204	Mcpnhfhf.exe
920	Miifeq32.exe
4004	Mnebeogl.exe
2316	Npcoakfp.exe
2904	Ngmgne32.exe
2672	Ngpccdlj.exe
4372	Nlmllkja.exe
2396	Ndcdmikd.exe
4456	Ngbpidjh.exe
1852	Njqmepik.exe
3580	Npjebj32.exe
5068	Ngdmod32.exe
4232	Nlaegk32.exe
4444	Ndhmhh32.exe
4700	Nggjdc32.exe
4560	Odkjng32.exe
400	Ogifjcdp.exe
4796	Oncofm32.exe
4200	Odmgcgbi.exe
1404	Ofnckp32.exe
3672	Olhlhjpd.exe
976	Ocbddc32.exe
3032	Onhhamgg.exe
2936	Ogpmjb32.exe
1644	Ojoign32.exe
3480	Oqhacgdh.exe
2324	Ogbipa32.exe
1152	Pmoahijl.exe
612	Pdfjifjo.exe
5060	Pfhfan32.exe
3324	Pmannhhj.exe
4608	Pdifoehl.exe
2768	Pggbkagp.exe
3684	Pnakhkol.exe
4984	Pmdkch32.exe
2944	Pgioqq32.exe
4872	Pncgmkmj.exe
1064	Pqbdjfln.exe
4964	Pcppfaka.exe
2780	Pfolbmje.exe
2900	Pnfdcjkg.exe
4792	Pqdqof32.exe
3908	Pcbmka32.exe
3036	Pfaigm32.exe
3004	Qnhahj32.exe
4820	Qqfmde32.exe
4108	Qdbiedpa.exe
316	Qfcfml32.exe
3716	Qmmnjfnl.exe
1688	Qddfkd32.exe
4044	Qgcbgo32.exe
1732	Anmjcieo.exe
3648	Ampkof32.exe
1028	Adgbpc32.exe
3740	Ageolo32.exe
4928	Ajckij32.exe
556	Anogiicl.exe
3736	Aqncedbp.exe
5012	Afjlnk32.exe
4356	Anadoi32.exe
3524	Aqppkd32.exe
1008	Acnlgp32.exe
732	Afmhck32.exe
1640	Aabmqd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Olcjhi32.dll	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	dfa481d3211c5394cf41840cb1d11c181dfde9dd550ba1a7cf9d6719d288187c.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6044	5272	WerFault.exe	214

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	dfa481d3211c5394cf41840cb1d11c181dfde9dd550ba1a7cf9d6719d288187c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	dfa481d3211c5394cf41840cb1d11c181dfde9dd550ba1a7cf9d6719d288187c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pncgmkmj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 1204	3772	dfa481d3211c5394cf41840cb1d11c181dfde9dd550ba1a7cf9d6719d288187c.exe	84
PID 3772 wrote to memory of 1204	3772	dfa481d3211c5394cf41840cb1d11c181dfde9dd550ba1a7cf9d6719d288187c.exe	84
PID 3772 wrote to memory of 1204	3772	dfa481d3211c5394cf41840cb1d11c181dfde9dd550ba1a7cf9d6719d288187c.exe	84
PID 1204 wrote to memory of 920	1204	Mcpnhfhf.exe	85
PID 1204 wrote to memory of 920	1204	Mcpnhfhf.exe	85
PID 1204 wrote to memory of 920	1204	Mcpnhfhf.exe	85
PID 920 wrote to memory of 4004	920	Miifeq32.exe	86
PID 920 wrote to memory of 4004	920	Miifeq32.exe	86
PID 920 wrote to memory of 4004	920	Miifeq32.exe	86
PID 4004 wrote to memory of 2316	4004	Mnebeogl.exe	87
PID 4004 wrote to memory of 2316	4004	Mnebeogl.exe	87
PID 4004 wrote to memory of 2316	4004	Mnebeogl.exe	87
PID 2316 wrote to memory of 2904	2316	Npcoakfp.exe	88
PID 2316 wrote to memory of 2904	2316	Npcoakfp.exe	88
PID 2316 wrote to memory of 2904	2316	Npcoakfp.exe	88
PID 2904 wrote to memory of 2672	2904	Ngmgne32.exe	89
PID 2904 wrote to memory of 2672	2904	Ngmgne32.exe	89
PID 2904 wrote to memory of 2672	2904	Ngmgne32.exe	89
PID 2672 wrote to memory of 4372	2672	Ngpccdlj.exe	90
PID 2672 wrote to memory of 4372	2672	Ngpccdlj.exe	90
PID 2672 wrote to memory of 4372	2672	Ngpccdlj.exe	90
PID 4372 wrote to memory of 2396	4372	Nlmllkja.exe	91
PID 4372 wrote to memory of 2396	4372	Nlmllkja.exe	91
PID 4372 wrote to memory of 2396	4372	Nlmllkja.exe	91
PID 2396 wrote to memory of 4456	2396	Ndcdmikd.exe	93
PID 2396 wrote to memory of 4456	2396	Ndcdmikd.exe	93
PID 2396 wrote to memory of 4456	2396	Ndcdmikd.exe	93
PID 4456 wrote to memory of 1852	4456	Ngbpidjh.exe	94
PID 4456 wrote to memory of 1852	4456	Ngbpidjh.exe	94
PID 4456 wrote to memory of 1852	4456	Ngbpidjh.exe	94
PID 1852 wrote to memory of 3580	1852	Njqmepik.exe	96
PID 1852 wrote to memory of 3580	1852	Njqmepik.exe	96
PID 1852 wrote to memory of 3580	1852	Njqmepik.exe	96
PID 3580 wrote to memory of 5068	3580	Npjebj32.exe	97
PID 3580 wrote to memory of 5068	3580	Npjebj32.exe	97
PID 3580 wrote to memory of 5068	3580	Npjebj32.exe	97
PID 5068 wrote to memory of 4232	5068	Ngdmod32.exe	98
PID 5068 wrote to memory of 4232	5068	Ngdmod32.exe	98
PID 5068 wrote to memory of 4232	5068	Ngdmod32.exe	98
PID 4232 wrote to memory of 4444	4232	Nlaegk32.exe	101
PID 4232 wrote to memory of 4444	4232	Nlaegk32.exe	101
PID 4232 wrote to memory of 4444	4232	Nlaegk32.exe	101
PID 4444 wrote to memory of 4700	4444	Ndhmhh32.exe	102
PID 4444 wrote to memory of 4700	4444	Ndhmhh32.exe	102
PID 4444 wrote to memory of 4700	4444	Ndhmhh32.exe	102
PID 4700 wrote to memory of 4560	4700	Nggjdc32.exe	103
PID 4700 wrote to memory of 4560	4700	Nggjdc32.exe	103
PID 4700 wrote to memory of 4560	4700	Nggjdc32.exe	103
PID 4560 wrote to memory of 400	4560	Odkjng32.exe	104
PID 4560 wrote to memory of 400	4560	Odkjng32.exe	104
PID 4560 wrote to memory of 400	4560	Odkjng32.exe	104
PID 400 wrote to memory of 4796	400	Ogifjcdp.exe	105
PID 400 wrote to memory of 4796	400	Ogifjcdp.exe	105
PID 400 wrote to memory of 4796	400	Ogifjcdp.exe	105
PID 4796 wrote to memory of 4200	4796	Oncofm32.exe	106
PID 4796 wrote to memory of 4200	4796	Oncofm32.exe	106
PID 4796 wrote to memory of 4200	4796	Oncofm32.exe	106
PID 4200 wrote to memory of 1404	4200	Odmgcgbi.exe	107
PID 4200 wrote to memory of 1404	4200	Odmgcgbi.exe	107
PID 4200 wrote to memory of 1404	4200	Odmgcgbi.exe	107
PID 1404 wrote to memory of 3672	1404	Ofnckp32.exe	108
PID 1404 wrote to memory of 3672	1404	Ofnckp32.exe	108
PID 1404 wrote to memory of 3672	1404	Ofnckp32.exe	108
PID 3672 wrote to memory of 976	3672	Olhlhjpd.exe	109

C:\Users\Admin\AppData\Local\Temp\dfa481d3211c5394cf41840cb1d11c181dfde9dd550ba1a7cf9d6719d288187c.exe
"C:\Users\Admin\AppData\Local\Temp\dfa481d3211c5394cf41840cb1d11c181dfde9dd550ba1a7cf9d6719d288187c.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\SysWOW64\Mcpnhfhf.exe
  C:\Windows\system32\Mcpnhfhf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\Miifeq32.exe
    C:\Windows\system32\Miifeq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\SysWOW64\Mnebeogl.exe
      C:\Windows\system32\Mnebeogl.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4004
    - - C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        26⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        29⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        35⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        37⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        45⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        56⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        62⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        64⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        67⤵
        
        PID:380
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        68⤵
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        70⤵
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        72⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1208
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        76⤵
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        77⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        81⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        84⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        86⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        88⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        89⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        95⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        96⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        97⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        98⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        102⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        104⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        105⤵
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        106⤵
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        107⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        110⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        115⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        116⤵
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        120⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        121⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        125⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 408
        126⤵
        Program crash
        
        PID:6044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5272 -ip 5272
1⤵
PID:5904

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afmhck32.exe

Filesize
290KB

MD5
f671336f4707073c09499c29efa6c0c7

SHA1
119280b4605af6ee1a23499539743eeeadd75d00

SHA256
8690e9f59c770406bf2561cc9e51f5169534fe6027aa00841d68d996d2f428bb

SHA512
cb453ae3c6153eba03eedecacd6a4d0ee86b071c0c824656be9e94f0b26bbae7e885f7043aaa762bccde39f9886d0ee1fc55e8fc3466fa737a40fcf132becd8b

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
290KB

MD5
376c46a3ac6ea70618aef1194932e165

SHA1
39d6596b72d3312cf84de54c97fb69c86d5a7675

SHA256
d09ce613d5637acb5ae1e5fd543ea9ad5448d1d6c36febbdab8c1127b04d5e00

SHA512
07cd9ab346d99ead061011a0964334297603e19e63193674442acb4686457c45647602d0fb3febb8dbed712eaebe885b1e4bb39187f988776013ef7750872f55

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
290KB

MD5
2f49a36393e13c21782f92f108c8f9c7

SHA1
dc1459a96870353ed0e7afbefd81e82735831d0a

SHA256
c26f3424121c742629732dbe81dd89f333e3e66a58e1b37a7d16a4462ad10a54

SHA512
68f0a2e6656bdfe324edebb549543193dd21ffdf9884961053643ed6d277ac0da9307a2801569d02fdcafb4b46fa1427794dbb33845c821dd6720321fb7c3fdf

Download Submit
C:\Windows\SysWOW64\Agocgbni.dll

Filesize
7KB

MD5
292e5b394c0d8f7ffb722abd06355838

SHA1
a82767c8a68f16cd675bad4b1ce797ffdddde0df

SHA256
99ebec05f3063f704a57dd90828d68d9c612a8a303840696df88046a4b645153

SHA512
68a62bac766a833d686b37df93dbe8dc5c38f7a56bf6c2e5ff07a4e5c224b08fad6b17b03599e2bcc00aa2e3dd26e96d2a03510e8451991fed2b2a40de5b3a21

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
290KB

MD5
ed029d8c50bec80509f59d7592027b02

SHA1
7cf0782e97f12df8c4e4c571e3d752f08bd247a2

SHA256
d56737592b8241f7bb9a7a7df3e43979d2ff299af93b40d817058176342111a2

SHA512
1834b286adec4e9d93ac92315a8d84a35de2acd058146cba1babcd42ff30cc73fdb316dfce8299d304e8f424597b2683cfdfaff3d4e3f5c47438a8277ee3a1c0

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
290KB

MD5
9985aab043aed91beba4a54d7556c743

SHA1
531396922f2576b4bd01048136db8795b7070e75

SHA256
37ebaffda8e4a3c3011bbfb2e28175b7faadd33a67231adf7845d9b61ed11292

SHA512
bed97d7f9099ba547262cdd6d7cb20b0c5a03e03d1c67c1b756403584c5cbf7a94119b71bfbf29c798155b4c210eadfc496e67fd3bb5b9298bb9972388a1895e

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
290KB

MD5
e5fc8deb282872d424b6d53ddfc4ee85

SHA1
5776d0eede4bee2fdc3ad150533b2e60b8904db6

SHA256
0e712155f14814c5acb4f5078be4b1cf18d5beb2b2a0e7d1eb57e0f6d56139ba

SHA512
19ebb43f64f07212e65e58096647cedc918d9452f69caffc85f5aa7a85a21ba9d0c7a79f0e1bba71f6f3844832a5cfe1b33edc262df4a46f9ffb54c96197d96c

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
290KB

MD5
6a8974ee1ce5a6394a3cf35d098ca599

SHA1
df234ffdbc6d59d4c3df821d5eb441aee95d93c4

SHA256
c7d1b38951edebab5548e20dddf1c8ae96ee3a63887ce854cd6a02aee2a5d01d

SHA512
345d327e2a8468cf492e9f26df49f1f552cdceb9290679b77499d67484f809b5a938ae13203ef253a877d776ea0d0ec156526f46bacb8c33bb2b9d3ecb35a251

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
290KB

MD5
127ad56746584f3bb4f427f3fe6960b7

SHA1
e308218faffefb852bf058fc24691b76624ba79e

SHA256
cd03b46a44b18e932cb077f41dbfbf6ae529c7620ce25480fa3c2448fe0c57a2

SHA512
56275e48a5a5a625ee0df4601c148b3aded2d9a0d717b769708e1834e70c0e1b524df5d37766a0f26a9a72f50f2d3492ce2621a1345330b72d55899d4ad91859

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
290KB

MD5
6b051897d08a3d8a02b16ec2ed6ec845

SHA1
0268830f3cf6328ecc5d53fba6bbee1e536a6303

SHA256
49cce925cae3a607e50a55bfab9234bd46165c1a446943c370c281379f1c6867

SHA512
2ae22497e9cb2f55add39d2fd7114cee3744d8c4640fcf6321fac5a1e9feb3b026fe89f4f6a7c3b61639c85666a745fbef353e1167cd34b40c441b4cc1d6e5a9

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
290KB

MD5
6b37abd3181e62e6f8bd7483f1ce28a0

SHA1
98bcc2221a333cdeb3266204dfe44d435a48ad72

SHA256
d18f9f8dbcaf24901f4b734f30b83f9d4a4d3f6b13c1e1c27006517de55786be

SHA512
55dec205a0884adde438a44c1ace563ee4e86c8516b85247a2d63174a0bd39e2150867743b9a26604383ea4b65c10bd615cf102c342d7f91e787d7ecdf6b32c3

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
290KB

MD5
d135a785cf8dff9063f7d114a17a569d

SHA1
f87fe28338e5fbd966aa1eada1162a79b26829a1

SHA256
f8763878d95c945e4cf0aa51d5fa07708a29f0324709b9c39d3805646e210071

SHA512
0593d3600a9d7e347e15f392eb963ca22e8ee0339290f8d03632b545a84fbc6dfe3a080e67a3ac0d986f1004574e8c19eb9e42b3b510e9263eed668a84b5a06b

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
290KB

MD5
98d86760ec45c5fc1af11550d0d6279b

SHA1
e84222653364e81b105fb47002947c36497133b0

SHA256
53dee86d52582cf6357d6a23da07b464e5c07b124850aa5f376ad3ce588f253f

SHA512
bd2604073e59d81e659ca9183f59f663409ae6e0ccb1849be6cc53f8c5919fbc53af8b22b646ee01c299b86394d531870c9aa22f9dbafe9fb13b7d5ba1d6279e

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
290KB

MD5
693077b65fb93d7aa9f32a546c6cb155

SHA1
9ed8d2fefad1894f83dc832319cce55d21a3482c

SHA256
657fe97db5103b6f6246dae30e738b624070883e3dd4254ade472a1c32bf7ca2

SHA512
45daaec23844a1e4580cb032eb40a9aee720fba982758b75e89cf3719c2eab26746b98ec6d4b5507e9f56f1b626d93121f9e42f0d3fa7d7e7826f432f4a02b29

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
290KB

MD5
868fad49397e748a97f8f25ea2f64132

SHA1
ecfb1ff0e9d4ee5da7527faa4d874f0e4f1b0b71

SHA256
bf8c34c3f6e8b6ebf7632faf28b364096c9042cc98ae7ec9b88705f2e8c7c386

SHA512
e7fdf752b425ab6140aea8fcc9aab4bfe34a02ead29bf9e1a849b681e23cce9c1de79079f7887247d465a3d0c53bcc5092d1c2274cfd2824868bfc982eee1f63

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
290KB

MD5
3a6997b15ecdcb73edcaac02fb4695e7

SHA1
bebe9949ab0b0bc79631efa3042e7562767a4375

SHA256
25cab8fad9878301864160d74adf782954daaf18d6ed78e47007911f5b55a8d3

SHA512
a114d839cb58711146f949233195736f7195e9718f687bdf432e8474c556d003a070859d9ecae55b3566ba8202bf225213fee79df5d3599e580fc24bc01ef5c1

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
290KB

MD5
bfdfc8623a11efd5c1ef76ca71cfc757

SHA1
4cebceb184f2367609c59cab535b2b436b40b8f9

SHA256
e6a1e00e1c52bc789dab4e0622dc59d7d2613ba898d7fb65aa829d0eaabafb44

SHA512
89ce6f49f914e175f74c4ca832a897653f3a9e6c13074efd3cb3c42598a9c5e412749c95400ef72f1587c9850cd6efaff8c3ec36d0c82087dac0fb192c207410

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
290KB

MD5
7698f83a1205ab12f250f4a2c955be84

SHA1
8c4eac08c27394ac874f5b7a941a77fee34537b8

SHA256
3f5d1aeac8ebcf1111c3879e8cd9c4401dbb23724474afef99f2f79c373ef3bf

SHA512
210558c2bbf794c2a74eda7ce9456fccbeae70c5c783feaf1b062cfbe605c812de86ae604ac676a27bf90e1dee474327beea05563d534652f6fbf193b7aa811d

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
290KB

MD5
311abed433cb2058f51dea13b41db491

SHA1
4ca293ee6b549ea4a97e057d22cfa016c938fa31

SHA256
0987708cc8f51486fb18e0b923bff7cc5f4fd42936e54971a288b428e121d514

SHA512
0a6776cdf1e8a03a881f098aa92afdebb78e791441adc4433ea1e9fb342c05dc0b6321f4a099cf36b4b50f29eb469d9ee82c32832bc10c6d76db5d76830badb7

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
290KB

MD5
bebfd8ae5ab02f989f64a30590d7b307

SHA1
9c5a6ce59affb6f319d2b349408a2428b960f19f

SHA256
17e03d647f865b8a4d0619fa261e351ac1fe51a6d7005e583d37ae5c91021ab6

SHA512
327a67c6aaca5ca661d2fae003044fa14b0518b013a0495b96d95bedded2bb0b4ec02ed80656aa5a5cd8be99b2c5d58d0d3e51c500966ceecb49b0b6efd5ff1c

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
290KB

MD5
b4ca3bdfb79d3e777958dca634a33849

SHA1
d7558b90b4b1408e634d524e696cf27e1df01e3e

SHA256
01bc85f65d8d592369ba3bba273990ab8d3a58c1155800fadb9dd4c51593f022

SHA512
53797a9be0d28dc7fb73148f8eab7e56d092d50f0812735926bc667366f3766f3dfed1e8607dfe4e35e7bf7cd8e7bf8c42210b571678104c8ba699a5c943c78c

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
290KB

MD5
9d72ba0a5f5c8ee3020d448c2c33271f

SHA1
57f46f7cf27569ebddb4c0385f139b90458dc3c6

SHA256
baeb1aaf0ec260940bb6248333ef2c0e61b13a62a1c53eb7088a4e536723f49f

SHA512
e794d624268be91a5269be78903e7ac898575772fa56baa05743f651d78bab074a525789d0b7c3ffbd593f45d7061b39de0603745e94694c2219221f9c6314df

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
290KB

MD5
84ee335b9a4dc782793120b9a07ceaff

SHA1
3c7f14911ea68f446ae3ed477be0011373b60464

SHA256
6e9ca457f69d6909a930fd2cd26a4fbef98749e506590e6c6ed829228a75ea1e

SHA512
d8782ef3675a4fe1df6e2df10cbe3a62656e3ba368db0ad3af75b9d5ec05e0cd90fcba0887928d0bec2eb2978b69f1921397b6f9669e81b2f15c93f7e6b45a0b

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
290KB

MD5
ea95cc02cd91f258c78c0e9970a0cf78

SHA1
a721de19c9fadcc9e302d55663a79fd48f00356c

SHA256
f9c6e1d53b7d371e95bc39487dccbc81b55335d1a8eda30f0e0d1684c932c48c

SHA512
6bb1028b19b6bfa16829a040c941c99217893ade6176f7bd5d51e6268c1a0630d1e5b423831e86396ca0afda4da1c4f0f5f2b4d949c1c5b80a5fc1b0eccc6aad

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
290KB

MD5
924e986d1ab7f536482d15494041e8b0

SHA1
6e7a5ff25e6f51acece7337c07d15466b46483f0

SHA256
8ccadce6f0f2fbbda4f488776cb6d0ad983e177022fd2339d2381d68443d951b

SHA512
4e20a2d48f09af42a3a802758b52f4cfa132940a3ec520910eaa0750e5f667a7878c74fea2e27e93817a5d020c8fcfb7ad54254fef50e0c967f6a8fa4d97b063

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
290KB

MD5
e7d3b056ac49ffb8fdfb8573b3d733e1

SHA1
28607ae262067a884374837c00029a88cca2dd78

SHA256
d77271122d6b20b3585d8037d370ee660997d8d18eea233670f60d8ea26b50c4

SHA512
98d0f91058764a65cf62274386af30920977403d71339c0103d710ef54ac8c02268ac0598dfa5f9b8a8a89adf0753002fb70db6af85411fc2deaa0d4a313d990

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
290KB

MD5
c99733458393c998e49b9b8eb0c05873

SHA1
43f988e43daa16951d58dbde42c0f809f61d4160

SHA256
60d9da8fac84c111951b0128b7b43f626ac8004b50312d119147738584729a4b

SHA512
fde4f361e0a12fc5e737bd6ebfb879ff11d652dd5e47236a85f846afbf3e178a6ec9ffddb3f9bdc80444afbeaeeb067d887183e92e2b46eed227cb20ff5ef7d0

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
290KB

MD5
f5ca63ab16d570987c957d75771332ec

SHA1
1d85e94dc2eb29cffb6d182902f99e08fe441045

SHA256
c5592941bbdda5829095b9f49ba81b699be51fe935e52397131a32dc2896c893

SHA512
6f6b2058b9f9eca657777e0d7b99f76abcaba8e45020cd2b4939767686b2888ed6b5a80ecafbe2c915605aaea5a910640532f9441eec721402a5d7db4e97750a

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
290KB

MD5
329437ac09a17f3b2575b767bb31c49b

SHA1
c6d454dba2198ce0b62c53db4c83171ca44eeac0

SHA256
630632ad9925866882d0d28734482c9454b8d98b91e20ab42917550493b1f045

SHA512
1d1a7e5d3819e7c464c49f6695153735f4adfe4c6a05779718e165751c2ead00be7d13b3dbf3e6bc6313ff6cf93b1da47510cfed80a79c773e1c853f4199eb99

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
290KB

MD5
f67fbb4463b6a7078549385c97d63a75

SHA1
4c597e4cc62de76fdb8bc4a1aab2208b7f769528

SHA256
9fa8295a4622db6d8eaf292f894a5de63103be1bdefc352ebf6ddc4a05ea605a

SHA512
cd3977393825f9600c312b68f467f0a70652e0af55e3a6312f188b447e41f92185f1032d4a98bea343766c2b47d4e3e06e180a273ad5012071c331b7ffd96abe

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
290KB

MD5
3c80b68c8d1e4c5ff4a784cff11dd765

SHA1
44c333c4769f43f2261b57a4836c9de7fdb480a6

SHA256
41b0613a257c582b4de6acf6cc1670ddc1f81db0f05bf7687fd749708e22db20

SHA512
28546e6d608f50d1996dd376f04bd3c18d377702f83f74bdbd84481221ccb0015bafc3ffdd3401a9ff894d6c9453738981b38b6ee5305a833fc92e232be34506

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
290KB

MD5
f7b9c8244a16af57bf93c5c3655f6979

SHA1
f0e15687ea849370d1592675841675d1a8e34ade

SHA256
5923790f0c848933101dcf35465c9bc5c855a2849221213869476114552f8020

SHA512
e93f6e3be6501955119e4f623feeaab42868845b4b04af0741a8988ac04080dbfa60c118aa62e32805682ae3cf8ee218dc64a91f5752005b92b83344c184df9b

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
290KB

MD5
517ae32b4cfd1ae61ace17190f1e2b23

SHA1
8a09773d724b6db301d5e20cd77eb3a622c3cb5a

SHA256
57a3285628254f6daa50317c82758da69b21902d8be5b137a0f5042b2b6238ec

SHA512
426022711d1792e0f82d46da2c8a7781adaae45cf29fea438d867784b58c0d4a84b72d1a086d30572e7d5e31c7f98b33092c4918991a9efa5de72dc6687259f9

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
290KB

MD5
d174462d8f8acf1368903432cb135bd8

SHA1
51bcb3983f24233c1f5db69c787b3c152ab4dd61

SHA256
39e069d083d11ef8ba242ddaf7efecea658d0b5466155ed6a0b19599377ed952

SHA512
1344259989c4b5dfb2da9f074828202d703566a785fca1faea2ac508fb9748546ba44e73a4eccd2f6f909fbfcf19809603ff38aeb45bd917ef2287745f065bb2

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
290KB

MD5
58c3e9d4e06b06eaf5b9afcb4cbd2b9d

SHA1
6aba2dd72783055f2939e019f6914f980953cd0f

SHA256
665de251b7d0acca828ad1b6bcfad90f69493d588b3c1c6e4b789c130ed4d17c

SHA512
b35fe60bf1c7aac96d1cbea41f2b1271e386d973c578b48395812fde3053083fe643bd6d7b5690effb174366c9a706bebbedd11dde1f89c0dd967951e25fd0ba

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
290KB

MD5
8ba7cce6bff33fa08a3c6687d97d9e2a

SHA1
356dde6ead94d2ea7d4a4b59085a29e356b3fee5

SHA256
991d1a7a24ab893809c559c3dabde769e88112869a3b840870797e5fdb24ada7

SHA512
fea06cf82c51fdd60bca25efdfb340a35646a425814a29027dc100121f08116fe141562e66ca321ecd8619a2025c093c0277fc4cc9aeffcd8b32bbf23be86901

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
290KB

MD5
b0c5c9729f1ff15eb08be48bb70d7767

SHA1
bed18470aeea916603e003a583df71048d32e8d1

SHA256
9de58021c1ef4ad5bdf1bd7b6178d7a09b5573eb100c7abe199133505b03e710

SHA512
b0b79d6f8b90d9d1c36b58152b8f5cd694152f4f39d6123b4af39a453381173c52ec846ac0684bd53bb9d2b5d5ee1012a2953bbdb5d93dd61b1efc6f325a051e

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
290KB

MD5
88b4d36293ea840ef2175d89f727b04c

SHA1
1c25d17a7af544004d911519dbfbdebb554bbe29

SHA256
b1cd789c1fbcdfe436835dffe9e930fa8ae13dcae3e2a9491a3cb18b7cb18d57

SHA512
c1f1380f8a1db781f8740226c3a0dbd2a47b99026ba90c5068c1e65074349ab7b30d4479b962b1683da66d17198ab77d7c5dfd1b1f94634368fda6daeb3bbae2

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
192KB

MD5
c4696c50fed45fdd92d1621890798234

SHA1
89e0cb527af5292977cb6f445cd3efca1e7c998b

SHA256
6372af08262107beaada108c47d0c96333d16a8cd89fc051bcc8a91bb1dd1682

SHA512
f8069049ee77da68989f8378c037dc0d961011f572c33798b0b318f8a837775170f5b0adb02715519dbadcaaea8766b6badc0d1809e4a89bc89d90cc6868e5f6

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
290KB

MD5
1ed6a02b1d749afe9e48e8446fbe6339

SHA1
bf50ea95d03ae16feb9992ca909719e0d4db2a7d

SHA256
4ebbaa638b79f4753c181e97765cf29ca23f76f072fcc4476fbf5623931348e5

SHA512
24e25166868bd88f6b832edb8e5df699aa18b334808cfb4f7e0814c25a9c1b4fe430643cbc2b566f4f9adb7ddb8a5acce2bed8d8f833e2f2019f5fd8a1497dbc

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
290KB

MD5
f5739c0a3142c3679934c882546eb297

SHA1
0029ccc9f6a6e43318bd58135554edfdcfa0afe6

SHA256
337ac0a3ac004bb830c83ee323205ccf307cc729c174a2a0ebfc53c78b91a905

SHA512
69186b1c9922c4dec5313dbbeb1c46617c5573aaa319abe4bb2e7b0f08ca273acd312fe84fc9567203ad0fdf12fdd426ddd5d0053538b1c2b00f57d05cfbf8c5

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
290KB

MD5
9f347875b92c0d4b7e067fe028a05c65

SHA1
74de8475c90f08c598b80f2b7789fed57d1c5a8c

SHA256
45ef63957fd355dd92acead11dad5e2c34a8d0f4df8231a2011864a3dbf0b781

SHA512
da2269c097faad0f4dc7181241b5a6d6cbe558b0a8f24dd893b64e1ff87c306f90e451595483e50cb336ea603707c5db2f3f1452fe6014562e0e4b8bbb16d360

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
290KB

MD5
7c25876fe17fc2a664bb134ee2282069

SHA1
e60cb6d27230466887a96f7e9dbc890fb8bbe978

SHA256
455b1402816b611a2c1a2b2cd4a546cf22f3c67dae06bcf13ae56efe61e62df5

SHA512
5ce5660650bffcd2dd1b22d76c444c6be4159dd9b3b7a2ab8af240425ae9a242404db42c0d7dd9aa392bcbc9ec90186f6da615336395fd97ed1520d9d4b28529

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
290KB

MD5
18143eaf89393e06eb1adc65e481572e

SHA1
d705cf7d34c67ba12a60f123161b4cb66377d346

SHA256
7adcb170c396aacb4f21f4ac7b200d2676246d6d91bbfd33fe1ff4931e05fab2

SHA512
812ac096b23febce8a326b4fc274c945ca53fef0c851ae68d1ae00ed1b49dcd1dffeb664a4542deb716961bd7b94aa11638d077d4b33ce4b678bf17fa02c3d58

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
290KB

MD5
3b4e959fb0cf98660f96596743a0277c

SHA1
22ab89d4a62a4a96937f266eacf6dd65650c737c

SHA256
8c11564250cbd00011d087eec70ed34631820e17de0a56ba57e9f049a028abc1

SHA512
7deb779d24f1c9457929592589895151f2332cc909c93f635f96a83790b9f8a28a891d03de386edea43949c6f999785f3b5efcf48504507d239a45d313e96955

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
290KB

MD5
9e53ac5bcd95132c9ddcc599aec126fe

SHA1
83bf3ec789009821feef3b0f8f3f2933272e103d

SHA256
45483750d16aa05dde93bae1dd985a2d73a619909a678677c4f26476e8ac43d2

SHA512
ff7be36c57017c2dae8ac894ada07b96ef71d3329b2432931f4f4c7bf7a112e97c7c81d29c4a1883b41e487f6b44138d69ce1c966eb16f903ec367dabf34d831

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
290KB

MD5
d213276b8f85967701c87b6001e07949

SHA1
a6daeb8e010fa0c03b3328b4e94927173a8760d3

SHA256
67a80855fa80fead5fbb2bff59ce50302d6f778ae108e604dbc2d59d0c2f29d0

SHA512
c533732e02cbaf5fd08b9563f3c85beaa80553a3c971116778e8b9000e66eb910ff98aa79e186a08b879a6bfc7c1cf5367ba88f80258ecec792dc7725a0f42ca

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
290KB

MD5
fde9e0fc4f0d84ac848a73d263c30cd7

SHA1
e27a2af81e8ae89faa9458de1d277916058940bd

SHA256
bafeacc4a392e2aba5f41ad5a186b0f4190e3e450aebc0e60d7106f62618f128

SHA512
9f1a84faa388df092c8fd7121d65b0ecc6459c56556174a63a1c5b7d66fd2e7eb57bbd6ba4c29938d1550a7d5a27143e6cb7724613d8beed94707f0dc688d6a2

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
290KB

MD5
547fa4fb3849f27fdba09378f8059c75

SHA1
733faf52aaf0ecbe7d82835a2036cf0007441b76

SHA256
31b83d7b4ffc02b9beee60c81f4cafc391ff51e5030335cd08d6c611821d878d

SHA512
61f1d7b7c23d433d1179b0faf544be2adaf2ded45420a518c2e5ff495ba388e14f51f110e14e959027a2df43644457a52dceeea99c7a10a0e39759e20ca7ace0

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
290KB

MD5
a36a39d6a6c2810768ec21dfb8c6e0e7

SHA1
4f595f13a2781cf2e2ae149a48cf9b96bc33a3e6

SHA256
7afb0d4843624341eb76d95300bd1abf08bc330e98ab10654b6ffea04f393145

SHA512
73a35f2540996179e9f3c3e9973a0a9e99ff04eb33d1140ea4a65419211a6f3899b7a492bc5ecda3555e75394e81dc764aaa19ab1089398df8677fba9ff1e213

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
290KB

MD5
7cc9adb5b1eb7110fb7a8239fef5644a

SHA1
7b572c287d62da07afc15a9d3832e335d8cf5657

SHA256
de8fde3357d4ae284d69032d8cebfaa023bc6cf6d165953a2dfdd5db29cd4ded

SHA512
25a18b8a397059d89e54d27f4a27c6390d6fb57c90f03d5c5138c79e2fc2ad274e432f65b427070189350c0f9378deee422aecd082ebe13a24ce6e49bec3c194

Download Submit
memory/316-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/380-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/612-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/700-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1192-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3820-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-598-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5156-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5200-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5236-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5288-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5320-847-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5344-591-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5376-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5428-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5736-888-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5868-884-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads