7140225d70e8877b6a59c8427e560131f60bc008ddf4854775cef2e68538a14b

Analysis

max time kernel
139s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 23:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7140225d70e8877b6a59c8427e560131f60bc008ddf4854775cef2e68538a14b.exe
Size

59KB
MD5

7ca9439f6cc5f841912f379aa681c98e
SHA1

0a5aba2d58abf1afe84d4ee4e60dd042abbc5e59
SHA256

7140225d70e8877b6a59c8427e560131f60bc008ddf4854775cef2e68538a14b
SHA512

b9a0648db09665900380ff2dd074016a16f26cc3d666b0383b588bc71ae5d5031250333395580e98890680fd72bc66f39809d4d68def2e171b69ac7298686633
SSDEEP

1536:LdtSNwsTX7gmwBjvAGlO/QcV0vOYTHrD+2LvO:yNwsEBDATQcym2HrDDvO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpaihooo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egkddo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dckoia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhgonidg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdlkdhnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iahgad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpaihooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jimldogg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egbken32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdlkdhnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fofilp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikoopij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kabcopmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbenoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iahgad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eojiqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iondqhpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqncnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgbqkhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmjqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhgonidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egened32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmladbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgihop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbenoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Affikdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Affikdfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe

Executes dropped EXE 64 IoCs

pid	Process
4032	Oaplqh32.exe
4488	Pnfiplog.exe
4552	Pfandnla.exe
3996	Phajna32.exe
1436	Pplobcpp.exe
5096	Ppolhcnm.exe
2564	Ppahmb32.exe
3280	Qjfmkk32.exe
872	Qjiipk32.exe
1796	Aphnnafb.exe
4648	Aagkhd32.exe
3980	Akpoaj32.exe
396	Aggpfkjj.exe
4748	Ahfmpnql.exe
4440	Bgkiaj32.exe
4444	Bgnffj32.exe
3804	Bdagpnbk.exe
2508	Bphgeo32.exe
3884	Bahdob32.exe
4684	Bajqda32.exe
1644	Cnaaib32.exe
2800	Cpbjkn32.exe
3184	Caageq32.exe
4024	Cnjdpaki.exe
4264	Dnmaea32.exe
3548	Dolmodpi.exe
1108	Dkcndeen.exe
1712	Dhgonidg.exe
4188	Dhikci32.exe
3036	Eqdpgk32.exe
4844	Enhpao32.exe
2944	Ebfign32.exe
4548	Eojiqb32.exe
5072	Egened32.exe
1776	Eqncnj32.exe
1736	Fdlkdhnk.exe
2404	Fbplml32.exe
2596	Fbbicl32.exe
3940	Fofilp32.exe
1084	Fohfbpgi.exe
4136	Fkofga32.exe
4692	Galoohke.exe
4356	Gnpphljo.exe
4068	Gnblnlhl.exe
456	Geldkfpi.exe
4696	Gpaihooo.exe
1824	Ggmmlamj.exe
1420	Gaebef32.exe
2076	Hbenoi32.exe
916	Hnlodjpa.exe
4672	Hhfpbpdo.exe
3648	Haodle32.exe
4524	Hnbeeiji.exe
624	Hihibbjo.exe
2476	Iijfhbhl.exe
4776	Iimcma32.exe
2284	Iahgad32.exe
2620	Iajdgcab.exe
828	Iondqhpl.exe
884	Joqafgni.exe
4176	Jocnlg32.exe
3872	Jihbip32.exe
1376	Jbccge32.exe
212	Jimldogg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ieppioao.dll	Eqdpgk32.exe
File created	C:\Windows\SysWOW64\Odibfg32.dll	Pfojdh32.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Cgmhcaac.exe
File opened for modification	C:\Windows\SysWOW64\Dkcndeen.exe	Dolmodpi.exe
File opened for modification	C:\Windows\SysWOW64\Kamjda32.exe	Kibeoo32.exe
File opened for modification	C:\Windows\SysWOW64\Affikdfn.exe	Afcmfe32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Cimjkpjn.dll	Hihibbjo.exe
File opened for modification	C:\Windows\SysWOW64\Nbbeml32.exe	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Bgdemb32.exe	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Efehkimj.dll	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Dgihop32.exe	Dnqcfjae.exe
File opened for modification	C:\Windows\SysWOW64\Qjiipk32.exe	Qjfmkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bgnffj32.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Pfandnla.exe	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Aggpfkjj.exe	Akpoaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfogbjb.exe	Bpqjjjjl.exe
File created	C:\Windows\SysWOW64\Cgilho32.dll	Eaceghcg.exe
File created	C:\Windows\SysWOW64\Bpjmph32.exe	Bdcmkgmm.exe
File created	C:\Windows\SysWOW64\Hlfpph32.dll	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Lnjkcfod.dll	Eqncnj32.exe
File created	C:\Windows\SysWOW64\Acqgojmb.exe	Pmbegqjk.exe
File created	C:\Windows\SysWOW64\Enfqikef.dll	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Dkcndeen.exe	Dolmodpi.exe
File opened for modification	C:\Windows\SysWOW64\Hihibbjo.exe	Hnbeeiji.exe
File created	C:\Windows\SysWOW64\Phajna32.exe	Pfandnla.exe
File opened for modification	C:\Windows\SysWOW64\Cpbjkn32.exe	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Heffebak.dll	Iahgad32.exe
File created	C:\Windows\SysWOW64\Jimldogg.exe	Jbccge32.exe
File opened for modification	C:\Windows\SysWOW64\Lpochfji.exe	Lplfcf32.exe
File created	C:\Windows\SysWOW64\Clmipm32.dll	Dhikci32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Eojiqb32.exe	Ebfign32.exe
File opened for modification	C:\Windows\SysWOW64\Kedlip32.exe	Jimldogg.exe
File created	C:\Windows\SysWOW64\Dndfnlpc.dll	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Fcanfh32.dll	Bfmolc32.exe
File created	C:\Windows\SysWOW64\Mjbaohka.dll	Dphiaffa.exe
File opened for modification	C:\Windows\SysWOW64\Eqdpgk32.exe	Dhikci32.exe
File created	C:\Windows\SysWOW64\Fkofga32.exe	Fohfbpgi.exe
File created	C:\Windows\SysWOW64\Lfgnho32.dll	Pjaleemj.exe
File created	C:\Windows\SysWOW64\Nnoefe32.dll	Egkddo32.exe
File created	C:\Windows\SysWOW64\Bajqda32.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Nmaciefp.exe	Nfgklkoc.exe
File opened for modification	C:\Windows\SysWOW64\Dnqcfjae.exe	Dckoia32.exe
File created	C:\Windows\SysWOW64\Ppahmb32.exe	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Gpaihooo.exe	Geldkfpi.exe
File created	C:\Windows\SysWOW64\Mjliff32.dll	Lebijnak.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Cgmhcaac.exe
File opened for modification	C:\Windows\SysWOW64\Epdime32.exe	Egkddo32.exe
File created	C:\Windows\SysWOW64\Iimcma32.exe	Iijfhbhl.exe
File opened for modification	C:\Windows\SysWOW64\Iimcma32.exe	Iijfhbhl.exe
File opened for modification	C:\Windows\SysWOW64\Kabcopmg.exe	Khgbqkhj.exe
File created	C:\Windows\SysWOW64\Lebijnak.exe	Lljdai32.exe
File opened for modification	C:\Windows\SysWOW64\Gnpphljo.exe	Galoohke.exe
File opened for modification	C:\Windows\SysWOW64\Lpgmhg32.exe	Lebijnak.exe
File created	C:\Windows\SysWOW64\Abmjqe32.exe	Ampaho32.exe
File created	C:\Windows\SysWOW64\Cepjip32.dll	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Eojiqb32.exe	Ebfign32.exe
File created	C:\Windows\SysWOW64\Dagdgfkf.dll	Iimcma32.exe
File created	C:\Windows\SysWOW64\Khgbqkhj.exe	Kamjda32.exe
File opened for modification	C:\Windows\SysWOW64\Bphgeo32.exe	Bdagpnbk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5664	6124	WerFault.exe	226

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobhb32.dll"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpfqchb.dll"	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll"	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkcndeen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdeo32.dll"	Galoohke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgkan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajmladbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfmcjlk.dll"	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhhpb32.dll"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeclnmik.dll"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dolmodpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnmig32.dll"	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkofga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll"	Akpoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpaihooo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimjkpjn.dll"	Hihibbjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll"	7140225d70e8877b6a59c8427e560131f60bc008ddf4854775cef2e68538a14b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafjpc32.dll"	Ampaho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmkmfbo.dll"	Kibeoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fohfbpgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iijfhbhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolgql32.dll"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbplml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpceplkl.dll"	Hnbeeiji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnblnlhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lljdai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjkcfod.dll"	Eqncnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgckb32.dll"	Iijfhbhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7140225d70e8877b6a59c8427e560131f60bc008ddf4854775cef2e68538a14b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqdpgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdjkflc.dll"	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajmladbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldjbclh.dll"	Hhfpbpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfjqmbc.dll"	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmeemdg.dll"	Nmhijd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaplqh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 4032	2252	7140225d70e8877b6a59c8427e560131f60bc008ddf4854775cef2e68538a14b.exe	91
PID 2252 wrote to memory of 4032	2252	7140225d70e8877b6a59c8427e560131f60bc008ddf4854775cef2e68538a14b.exe	91
PID 2252 wrote to memory of 4032	2252	7140225d70e8877b6a59c8427e560131f60bc008ddf4854775cef2e68538a14b.exe	91
PID 4032 wrote to memory of 4488	4032	Oaplqh32.exe	92
PID 4032 wrote to memory of 4488	4032	Oaplqh32.exe	92
PID 4032 wrote to memory of 4488	4032	Oaplqh32.exe	92
PID 4488 wrote to memory of 4552	4488	Pnfiplog.exe	93
PID 4488 wrote to memory of 4552	4488	Pnfiplog.exe	93
PID 4488 wrote to memory of 4552	4488	Pnfiplog.exe	93
PID 4552 wrote to memory of 3996	4552	Pfandnla.exe	94
PID 4552 wrote to memory of 3996	4552	Pfandnla.exe	94
PID 4552 wrote to memory of 3996	4552	Pfandnla.exe	94
PID 3996 wrote to memory of 1436	3996	Phajna32.exe	95
PID 3996 wrote to memory of 1436	3996	Phajna32.exe	95
PID 3996 wrote to memory of 1436	3996	Phajna32.exe	95
PID 1436 wrote to memory of 5096	1436	Pplobcpp.exe	96
PID 1436 wrote to memory of 5096	1436	Pplobcpp.exe	96
PID 1436 wrote to memory of 5096	1436	Pplobcpp.exe	96
PID 5096 wrote to memory of 2564	5096	Ppolhcnm.exe	97
PID 5096 wrote to memory of 2564	5096	Ppolhcnm.exe	97
PID 5096 wrote to memory of 2564	5096	Ppolhcnm.exe	97
PID 2564 wrote to memory of 3280	2564	Ppahmb32.exe	98
PID 2564 wrote to memory of 3280	2564	Ppahmb32.exe	98
PID 2564 wrote to memory of 3280	2564	Ppahmb32.exe	98
PID 3280 wrote to memory of 872	3280	Qjfmkk32.exe	99
PID 3280 wrote to memory of 872	3280	Qjfmkk32.exe	99
PID 3280 wrote to memory of 872	3280	Qjfmkk32.exe	99
PID 872 wrote to memory of 1796	872	Qjiipk32.exe	100
PID 872 wrote to memory of 1796	872	Qjiipk32.exe	100
PID 872 wrote to memory of 1796	872	Qjiipk32.exe	100
PID 1796 wrote to memory of 4648	1796	Aphnnafb.exe	101
PID 1796 wrote to memory of 4648	1796	Aphnnafb.exe	101
PID 1796 wrote to memory of 4648	1796	Aphnnafb.exe	101
PID 4648 wrote to memory of 3980	4648	Aagkhd32.exe	102
PID 4648 wrote to memory of 3980	4648	Aagkhd32.exe	102
PID 4648 wrote to memory of 3980	4648	Aagkhd32.exe	102
PID 3980 wrote to memory of 396	3980	Akpoaj32.exe	103
PID 3980 wrote to memory of 396	3980	Akpoaj32.exe	103
PID 3980 wrote to memory of 396	3980	Akpoaj32.exe	103
PID 396 wrote to memory of 4748	396	Aggpfkjj.exe	104
PID 396 wrote to memory of 4748	396	Aggpfkjj.exe	104
PID 396 wrote to memory of 4748	396	Aggpfkjj.exe	104
PID 4748 wrote to memory of 4440	4748	Ahfmpnql.exe	105
PID 4748 wrote to memory of 4440	4748	Ahfmpnql.exe	105
PID 4748 wrote to memory of 4440	4748	Ahfmpnql.exe	105
PID 4440 wrote to memory of 4444	4440	Bgkiaj32.exe	106
PID 4440 wrote to memory of 4444	4440	Bgkiaj32.exe	106
PID 4440 wrote to memory of 4444	4440	Bgkiaj32.exe	106
PID 4444 wrote to memory of 3804	4444	Bgnffj32.exe	107
PID 4444 wrote to memory of 3804	4444	Bgnffj32.exe	107
PID 4444 wrote to memory of 3804	4444	Bgnffj32.exe	107
PID 3804 wrote to memory of 2508	3804	Bdagpnbk.exe	108
PID 3804 wrote to memory of 2508	3804	Bdagpnbk.exe	108
PID 3804 wrote to memory of 2508	3804	Bdagpnbk.exe	108
PID 2508 wrote to memory of 3884	2508	Bphgeo32.exe	109
PID 2508 wrote to memory of 3884	2508	Bphgeo32.exe	109
PID 2508 wrote to memory of 3884	2508	Bphgeo32.exe	109
PID 3884 wrote to memory of 4684	3884	Bahdob32.exe	110
PID 3884 wrote to memory of 4684	3884	Bahdob32.exe	110
PID 3884 wrote to memory of 4684	3884	Bahdob32.exe	110
PID 4684 wrote to memory of 1644	4684	Bajqda32.exe	111
PID 4684 wrote to memory of 1644	4684	Bajqda32.exe	111
PID 4684 wrote to memory of 1644	4684	Bajqda32.exe	111
PID 1644 wrote to memory of 2800	1644	Cnaaib32.exe	112

C:\Users\Admin\AppData\Local\Temp\7140225d70e8877b6a59c8427e560131f60bc008ddf4854775cef2e68538a14b.exe
"C:\Users\Admin\AppData\Local\Temp\7140225d70e8877b6a59c8427e560131f60bc008ddf4854775cef2e68538a14b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\Oaplqh32.exe
  C:\Windows\system32\Oaplqh32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\SysWOW64\Pnfiplog.exe
    C:\Windows\system32\Pnfiplog.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\SysWOW64\Pfandnla.exe
      C:\Windows\system32\Pfandnla.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
      - C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        32⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        39⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        44⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        49⤵
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        51⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        53⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        59⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:828
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        62⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1520
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        67⤵
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4904
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        73⤵
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        74⤵
        
        PID:876
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        75⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        77⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4496
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2544
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        81⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        82⤵
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        83⤵
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5104
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        85⤵
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        88⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        89⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        90⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        92⤵
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        94⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        95⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        98⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        99⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        100⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        101⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        102⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        103⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        104⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        106⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        110⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        111⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        113⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        118⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        120⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        129⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        131⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        133⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        134⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        137⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 400
        138⤵
        Program crash
        
        PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6124 -ip 6124
1⤵
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagkhd32.exe

Filesize
59KB

MD5
9f8b3ee5fd9d0c9950968cb695c6588c

SHA1
8d21890646d8be7d48576577557b61ee8ccae438

SHA256
da4b481f783d84417185751fec722e2592d38752bb9f7bbee477511285ec0315

SHA512
a5bc910269dee5cac019d46d8789bbbf9e5483be9369c55919b6beefa08690c80265275058eb8b906f8b24651ba0bba4f128ccb51f5b6ad6b8fa41a36b585776

Download Submit
C:\Windows\SysWOW64\Acqgojmb.exe

Filesize
59KB

MD5
db692b2c5afc76debccf04283733431d

SHA1
dff6b81903203bac078045d1944b2ae1ddcdf84c

SHA256
1f66cb6413e37cc06829a9f09c91d35941830cf65a48963c7ea9d746c267552f

SHA512
1851293e97c84da63d179f4da1e044090bcb472794bf367a5f00e01b27f547249a9ef490a53a1e10fea3b83ba8e24a5d9ffc56d5528cbd0b442cda9e505eb8a1

Download Submit
C:\Windows\SysWOW64\Aggpfkjj.exe

Filesize
59KB

MD5
97abab09985ed6f3a998352b86f69df8

SHA1
37ea0c3c0ead90c30cba420eb647002a58c29db0

SHA256
17d840fced7bd24a77242b4ac2c3e43ed738cb6774f9c74fbeb86cbebef095c5

SHA512
23bb8d7454a656a1b71595930f5d0e14d9b4978d86a6c0cf7d90f63883184c3ce9cacb8b8c84c6be1deec43435a93f6b6b32c03363c1240c0bcfd206d521ca3f

Download Submit
C:\Windows\SysWOW64\Ahfmpnql.exe

Filesize
59KB

MD5
cd263035d11bd1941424897c759005ac

SHA1
db333264c078119de57479562c9bd7513c9efedc

SHA256
265a3b03fbf84e76b5aeb332632cecd3d73afd5f636e9b6c0c2161ea4fea2886

SHA512
2d4d2294f0b2189b11ff04ada35eb8c5e163281098231f4f593242123d2a793e782a986c5f98a75bb51f4f8d279191e65720e2e2821e4b7a3ddd07830f823ef6

Download Submit
C:\Windows\SysWOW64\Akpoaj32.exe

Filesize
59KB

MD5
24ce8c63558d0c3e90701c88f844bebc

SHA1
322d261472d373c70bbc08c882dc57e03923e45c

SHA256
eafe505ec4f3428e1deffe412af93ae276b36737f0d3f6746859ec3e42885520

SHA512
d5bf4c2a09954b3f00a6ad381692fa33e170d69a2073fe87793147a82e3d33822fa0c6789527dc09690952dec247aefc4bebff7acc51dd4b8c64d03d9ab48b9b

Download Submit
C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
59KB

MD5
9d6b857302849e12557e27aaf9134339

SHA1
07d4b877c1057eac5c8148e020e16ac954fca29a

SHA256
ffd16b3de111bf8534027ab01d0ae005725b2428236ce7e1058fca99357e7b49

SHA512
eb507f3470d8fe3d63930eda582fbac2cb38f52388aaf352d1039cf41dbbda66c74fdf524709731dcdc1364d883a80edfd49b84f6cf9e6ad4d5e5ed0e3c0030e

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
59KB

MD5
07aaf162f693be62df583c737027ea9a

SHA1
d976537ef1311633b81ee5f818b0d457b646e79f

SHA256
fdeebf549c00789b94bc5ea87abe5e9972faceea98217d5cbd19324b9b66761d

SHA512
26fb4796c92dcf511eb09c830588ec153f1240ed910fdc65b72e99a9102b61efbf81205df1f06ef72d153c6011de9a439b830b9b01bcea5ed4d32dda6141498b

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
59KB

MD5
8f6e85a17d91d07acdc8beb48a74be30

SHA1
f0dd9c7b6a92f5b3576abe3612fac7ab1407d3e0

SHA256
b5f65d6a12b9352fb47d4446987ff7ee8c5a342c851938bc29555f4e6931620d

SHA512
4d4ec72143b267aff984660c7b36f5bc922c5581685e81ea3e0f67067bdcc5adff060e0c4f99239fbff7cf220028f54c3caaa6672d90eac7939a77ee10dd9cd1

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe

Filesize
59KB

MD5
eb7fd1c3e711f00e2c6ec5635093baaf

SHA1
35f816195109a55cc9805dd04a2138d3c73d1eb2

SHA256
b68400e2e1435d385c390946805f454701cb16390d7fd2397c4ca1e72e91d1cb

SHA512
a83c800216fb95743356b96762437557119060c5974458046de95e99b19df4f5857a6e0f5f5cad5a9fb675a9366437e6fed76b6cb6bdb63ad8ee6946882085c5

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
59KB

MD5
7dea41a7557e7e093c5b476350acec36

SHA1
8f6f25c553cfc5e45f8311c6b6884699305480b4

SHA256
0c782a996010dbb89c50bcd127958222f0ea958bc6f5c52f97482e5675ffaa7d

SHA512
4d126f7d1abe11c6f443650a38f34b008c46371bd02f35856562b6ab1c4b5efa11574b2e23a1fd2e701fea72ac72d7561d58755a2e49ab4057963e69bd55ca06

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
59KB

MD5
db45d2f443a83c2c6572dd43836d76d8

SHA1
e4fe9ca8295951f702000d0db50f741a3c7df685

SHA256
9151f21afe97cf5fd1afaf634711ed2e7c34fd4825df6c8dab784e4815c132ab

SHA512
e3afe5935e6a4071668a41417da363a61445f7bc600126d09b8ea38795d41a581fade32a8fc4831d2ab9efc591b7eb5a35ab24c2d4dc8018c202eccbac7d458d

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
59KB

MD5
47deebb45933957fff0c79399787224d

SHA1
48c00b8e5d4f81ca85a3838fecb6f0ef42a8890a

SHA256
ddc224777da962789d9dad1a7eee5cb78ca7a4509add5fc2ff248bddab7b2390

SHA512
60a0d17c65e84ff751e4470e0dfc76735c3a435c162a56512345959baf2d3c864a2e17cda1750547bde48a0e7c5aab668bfdf904dd7938aa730f31d6d621aa91

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
59KB

MD5
a94f4ce0302602a254e96240e013fe5d

SHA1
af20829700daa76b62ac59de1a4f1eaed99b4ca8

SHA256
6bff1a9b9ff7fd954a38010b44a7761ef480ab17ccb16fe068096fff3ccee06b

SHA512
dda24a66b4b3a4287e90bd19babe584eddba834c83fcf4cdcdc2109008ea44da17e4075471324e2a5147db15c0b43b566f5f568ccb0152939316bfb7317dd475

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
59KB

MD5
140f0a67077724f5d5122d127c5676dc

SHA1
f870bb6968b500e5a3726b5fbf7335a892351dbf

SHA256
bd929d5ebe93f7a254e5dd3695e22eb4132f5ee18f40915930f9c9362f43beae

SHA512
189428e98cf527b27021a218bc8c2f6704d3af6d4b3480558f650c71fc560f57cd6e84d92f8aedbfd17d298928f9aa41abf6fc2d3d1d73b8f2e514736f87a593

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
59KB

MD5
151676cf47a861612751adfed1147890

SHA1
90a497c4518696b650cf7e806c600e6c9f98f82a

SHA256
65a622a69710faba23fc1f5d3afa108a88499e7785e13e5b4a361b8ed465d674

SHA512
79e550d39e568d919f592a0bb4f8ee7d2eb4cd72b74d5c7af13df452fa6715d633ed4abcee74a18c16b3c8538f3ce4649f26f60a40139c6d009224288dc3c705

Download Submit
C:\Windows\SysWOW64\Cnjdpaki.exe

Filesize
59KB

MD5
b848ffe09354e815ea7d5bf2e7ef473e

SHA1
df4b7ee44272456323f33fd940a8d0207ab45952

SHA256
6f3f4935ff24271df92b388c9075dbce9fda2eb1b7a02f650b251810717d7e34

SHA512
2b3858703046f3aacac2de6ccd0561316a7dd7ed848c212893286a10a0f6e5f89b9b7cec2851342fac5c36fe7d8fd471ada363038ba2818905bb78157ba3b56e

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
59KB

MD5
5e60d3a07e1b838e93343cfaad63360d

SHA1
f5cd3c7a891221248e796fe33644d9325133ae85

SHA256
1339c86710bbdaea9be628cde207c3d45667c19e719a90c9ed2bf04a96ebdf9a

SHA512
67d883984061ca8cc1508ab134175fb879ee352d805926e51d5e94f89d221da28a171177003051cd0a27ca01ed7b0bd2b93e0283897b8573aba5a8941dc5bf4e

Download Submit
C:\Windows\SysWOW64\Dhgonidg.exe

Filesize
59KB

MD5
4bd841f01c27f2dcda42b9ef2075a6c9

SHA1
f67e157226bd73d6ec86e6c15957a2607649e570

SHA256
31ce54dde7386c93ae7fbd92792107433cd0a4a0cc445519086068400b354865

SHA512
7d411a0b173f4d22bb725bf283b1f0e750388241442eba1ca92f6bf2f49a7c897b0f2fad84ca32f5aa6334b0acb14fd4cf5d0d3b5dfad9b76412c4a9a1463ac3

Download Submit
C:\Windows\SysWOW64\Dhikci32.exe

Filesize
59KB

MD5
8b410f47cde216365e22966f7e1eb181

SHA1
a64677a5e90acb77c59c8f5dfd8370f8cc1935a6

SHA256
48bb17e7d610a8cd4124cc726f454d69b72c098e65e7e2434533dbfbb5ec10d9

SHA512
670a1af0c6c0d6ab245961fe71cfbe7fe58cfd235ea38306a1712d88d86d993ee28e0787cc19a9055ba0757b192b3fdf43b70c5af46995bbfb8e9cf0724caaf6

Download Submit
C:\Windows\SysWOW64\Dkcndeen.exe

Filesize
59KB

MD5
4f4e675f7ad24a0cd411d0061b651abf

SHA1
28fc7fa68586d6911053e0557c5870f4780d0cc4

SHA256
f7380445011a4c8605e748a0eac07f997b9fb500efdd90f73e89581a3e273fb1

SHA512
ef80efd467c0cc074de224540c0b338a5479290f5c7d271dae10a3204cf3ad684bf6f5d71b5dc8b2a56788392d54ee32a97fffc660fbcb18b8ed9859d5a148c7

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
59KB

MD5
dc4cbcdda4c1546ae4a0ebf634048621

SHA1
452da873c407d61fe4c0f4e254b3306d1f2c5926

SHA256
23b25abe89c31419969fa21e8ee03c13018694bbb6b5d949587abb30f9eddf93

SHA512
919e6a7bf7d542c8af580f10a3e80ce90a17d9cfd74565a9553dec979b8921cfeb0873022a3d6cf7de463d164826ae3e06f52df5d9091241c5064b0af947fa69

Download Submit
C:\Windows\SysWOW64\Dolmodpi.exe

Filesize
59KB

MD5
edfd05e2f12c9dee0b8c9a6ecc2ac4c5

SHA1
1003d41185e4e7fe7af96a575b1b05e71c8216ba

SHA256
bed3be598340a2cb398a784a580f2020c2ac537f1ff06a2a54200c0c7f4beec3

SHA512
aec15606a0b5921518a813b9969c2ffe7bc6d6c5ba328b2ab42d79e156044b9322fd9e9c7d31e192a73b3753f70024cf0364c68569a24a84e73a795443aa5235

Download Submit
C:\Windows\SysWOW64\Ebfign32.exe

Filesize
59KB

MD5
8fe4b18a858167fae0acc13487e8f20c

SHA1
13d5a8ef09c8e904c55fccd0159a2ef39fbfc3c5

SHA256
f90c319927a4e1a1d5b00dee9b4cc83c987c78942a5c5317842d3d69bac0bb11

SHA512
800a1a05f4934a4738896ecb9e41f404eb4e857aa702424594ecfdfd84e7228d30d2384d73bfe7c6e03fbbb32efeae95804996cc1ff5821862314ec2d660b3ea

Download Submit
C:\Windows\SysWOW64\Enhpao32.exe

Filesize
59KB

MD5
7567e5d556f8d23656d1c9385f5ef42d

SHA1
4f5ce81b67a21bdef59f7b4578886f65f6624f1d

SHA256
a3e08f20bae3dd3e23745585649b8aa0b0759c9d17d4b36ef44169bcb65974fd

SHA512
2e246eb461a1a0e854d5893c6d7313e726a30cad825f00e043bcb69d6bf753a9907a2b121249cdc16c9991d3edfd25172b412beb24ae68307b5924cfac030f3b

Download Submit
C:\Windows\SysWOW64\Eqdpgk32.exe

Filesize
59KB

MD5
845db29feb9840ec788d3178043b663e

SHA1
4566efc336bc2815fd7386b779259be9550f7340

SHA256
8df1e6042f2e8cec35b8a38de71c967bc68a9423109e8a957cfe567fdd967a65

SHA512
6e7df46e4b7aea0cee1894ca0190bbb827f83d5f075080d5198775dfc9b08c372f7a203a9ff65d7f46aca31921525a1aab53e2d038186e21d172da863ee78cc3

Download Submit
C:\Windows\SysWOW64\Eqmlccdi.exe

Filesize
59KB

MD5
f249511080861fb01b31bd451ac0a6f5

SHA1
e1734694498dc3de0b98b196297140982de13974

SHA256
e32874fee9c6082777fb5ec1deb64516aa11d6ed296213ebba9dfa3e0e70fddf

SHA512
566462b50cd5fa210e8811cd4ef918bab3d08c98f9908baddd54116549b329694b82ad9e2fe3c6dfe3200388cbe40ea7dd5ca429205f66a150bf0c29a6c877e7

Download Submit
C:\Windows\SysWOW64\Fbbicl32.exe

Filesize
59KB

MD5
8b2ae72518cd8e52f5586c6344d47707

SHA1
e79e23d9d266b521009ccf1d284295b14910ca96

SHA256
7f2d57e48cea855a16bb2386bf570f365f5ca98cf2a3fe78aa7859efb5a3ea42

SHA512
af2dfa988b256e8828a1954aaeb28eb80945fc764d3e267bcbc2db6aa394597b8188db4cda28900caf9f4276a12081926e50607c5304a853f901a119159f06bc

Download Submit
C:\Windows\SysWOW64\Fdlkdhnk.exe

Filesize
59KB

MD5
8c540795057597a460e69879405ff22a

SHA1
d306cc9b563f3ce9ed6dfc034363f08a3ec83c60

SHA256
4dfb84c66d170ced99c028e99db79517133c554eb0576b449f3bdc792d6489ae

SHA512
62edeacfb2209a97b470c837b59453e60861c559558b24597aa329cee8f2b9db1c79f56206597169ae9a50aff5e70283326a7bde09700dacad0dcadb43668c6e

Download Submit
C:\Windows\SysWOW64\Fdpnda32.exe

Filesize
59KB

MD5
319555de21e87bb96262d00353ff444c

SHA1
7125ea2e06e47b0308c22fee9de966009df8c50f

SHA256
91421fed3abab0b6f011df41b38135d3b48a180da901c25aa66a19ebd7b25a04

SHA512
efea21a74a296ed10745c9088985dda18b9cf8fd58d8ce2008415745ae63de078bcaa3d9dcf611bc632c75f4d96257b2b99db6adf5c481804024446bad046541

Download Submit
C:\Windows\SysWOW64\Fjocbhbo.exe

Filesize
59KB

MD5
49234749d395e81d3b42cbc3cb549b48

SHA1
bc286327de24303b1a9d3776ccfc48cbca6863cc

SHA256
13c3aaa3223998e0301238718ae3017882249fd623dca1f4a78a46cbe0ef1c5d

SHA512
af45a382a6f7741d11da435b25c4c5ca061d3f7acd3d82fce4f553c416791447afaf1d2bb5e1e90a9bb0e4b5eff1e8b3659b8877823387712b2f512bd6079d70

Download Submit
C:\Windows\SysWOW64\Fohfbpgi.exe

Filesize
59KB

MD5
cc8f0c83214b41a3b1657799406a9fa1

SHA1
db8e05c0f287f1a54ba1f47c44be2f046857dc3a

SHA256
d0c33c9e2cd05182033a11e91917b1e2f2334165c85bcfdb00deb86eb990ad5b

SHA512
5351c59f91a4ae333232951f547184a8ca6b9768c4f56c808cc5f78c39d66e92c8db6e278cfb7903366fc9253cbba09bda66d713bf84018ba6d1976f6c830477

Download Submit
C:\Windows\SysWOW64\Gnpphljo.exe

Filesize
59KB

MD5
a2cb8790ca0fbf120f5ce94fe6a12885

SHA1
6eae5b3e4cfbf5a45bdbc668defd917c603a15ea

SHA256
6343b1704415918748daee6e9750cbd0c76cefb59e065f47070d72177fc3271d

SHA512
976f23a9c0a9e8f1ad00bb2db1347d34fd3d717724e5ac7c3387a6d913af28424afe207e17e529b59c5c8756b8084a0a011ccc9dbc35ea3a79b5e9d56d3ee6e0

Download Submit
C:\Windows\SysWOW64\Hbenoi32.exe

Filesize
59KB

MD5
a2951de6935dc1b2876e407103b4322c

SHA1
871800404351a15935ea587a6f967df44328e9ff

SHA256
2513f16b82ebc75f0532982c621b7be1aeb4ad2952e00e9529669a9ec903bd48

SHA512
6ed759cf5c2320583b50fb443efd7ce12ddc9ef290582e2c74724d89f1916324a7dba220ab26368d65444588584d1762c4bfee0249bf4f157380032321012b53

Download Submit
C:\Windows\SysWOW64\Hihibbjo.exe

Filesize
59KB

MD5
6f856ec9cdfd7b2ebb0b6403ca7be4c7

SHA1
7b0c4c448ceabc41670843f04b80998f89bb5882

SHA256
0d9da50bd6bca6120340df452b5a66c473786ab5d92244c809c5dd7a929217de

SHA512
a46e5b667f93f634638ca65a4026d292a3428b34a76917e8f1bd714631b819d5ea6efbc3a1137a8c8b38c298231f5169963ab73fd05bf15f5143af49eb2e70e2

Download Submit
C:\Windows\SysWOW64\Iajdgcab.exe

Filesize
59KB

MD5
c641f67e6b12ed5fae24da9f3322b4e8

SHA1
547a6d021960c2a430fe45aa4ddc013a43e9caaf

SHA256
50f3c13364e45eaa65bf109185e2be41c4742b85d1cda1941b290e35c43ed0bf

SHA512
f78ea7c888ec7609e1342c90ea4d1ecc2d2f51f502896204b54783f25af02d0c006c290a2eb8ccb2ca566947063000f010616a49907e7ad4156825aaed1c53d9

Download Submit
C:\Windows\SysWOW64\Joqafgni.exe

Filesize
59KB

MD5
a19e3ba9bd310f0d3fe794fd44ece862

SHA1
ee83bccffc467c69ef1f3ba74dc92ea2c392b8c1

SHA256
12a60f655866607237233cb876b918442a9fee281a076edcbab63365d5403242

SHA512
5ac94b3427d2a65df565bb57767d492b4691125e59d3fc1c3cfe9375f0f27bc7763cdd219891411c26cb755f999b295359820d1bf957cc07d47f89b31561a33d

Download Submit
C:\Windows\SysWOW64\Kabcopmg.exe

Filesize
59KB

MD5
afd6d1d05256e383f50e2dfc9b1ebe68

SHA1
79e41615865d7b536e8353efd296f825eb7757f6

SHA256
ac68c684b9146eb1bb4b710a7fc1c3d2bb5dc1cefd6faa0a7e8dd7cacbf399a3

SHA512
061ee5b6b1f584084fbc3bb1aecb1a37f36441738ec8b41b2c5c04d049607ce5e66e3df4b2b4e531e108c82bcdf347d9d692b1726f133df7e8c0a7eb0a8fe989

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
59KB

MD5
ed78c4946cc46ea7f065899cb06f3ec5

SHA1
ad646d52f5d152e9fc58d605ada85fe620ae3e84

SHA256
7d60fb7675453a0d6bcb3c9f837794846d36c3228aa4bcae0b8e3c4c504e0d33

SHA512
9ee9948d5484921c80d918351f01161813e304bc4157b62e73b4039225fcbf83f48dec8ab4e384e664e095de6f5fc5f1e91c001bb3ae4c82ec614e97b6fa2ae3

Download Submit
C:\Windows\SysWOW64\Mhjhmhhd.exe

Filesize
59KB

MD5
c3bc9f5d4e36cda29319d7c3dff8991f

SHA1
525677cd92e095ad3699b2abb1c85c8321c78305

SHA256
6fe76b865c8cf0a0417a8c00cb754502cb260c533bc64e27d4cae284070effb5

SHA512
09df18a0ac7314be3c9b0aa17b5e329ce3b07228fe6f58b38a99e2aa2165da0226917897a11d16db2d671cb37de6c047d948bab937bde4ade8a726691759605b

Download Submit
C:\Windows\SysWOW64\Nfgklkoc.exe

Filesize
59KB

MD5
8e6da6dbdad5ff8c3a82371d268a3acb

SHA1
abfc7f6392c78c4d2fdb054c37c4819fd2d02a72

SHA256
cd591d1e7d01d70cd777981f35d66e9906c1ba72041958eafed15fa5f33f1a5e

SHA512
85fd540720465c4c4516032c9ae7216c012b3b2027c6316750608bcf1753c90e3e9fdad8fa306019f3d070458cb897d0f1010a748f0a72b8981953b082cd5fdd

Download Submit
C:\Windows\SysWOW64\Nmhijd32.exe

Filesize
59KB

MD5
df2be90ce35cb2942a3671bee037957f

SHA1
6222b004e17c519f16f1105840833f8d34f4a8a0

SHA256
b4edb45b8c3e6869f7716d2ac36f1b30047d7815358572bd5ed62173569468c0

SHA512
50f8f8bc5eba432f3d205336985ccb847e21d7caf07610089ee48278d960e8605d934c4b193913c58ff0b2c3f4e2e2bd702ac68a6ea138159ff413a7a483c5fe

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
59KB

MD5
e480a93df70ec1c869ac4fe6ca5b55fd

SHA1
bb354741b4ed8ac3d1b528ed3ea2c6bf1c1f8789

SHA256
2a9e96cb9b49e0656719636f9ad27e229c925075226ceb05e5c3cc66add36083

SHA512
99fa15ce70a957f700a1dfe8072b3099382fe9e5c8c007065e8b77188ba4364daa820e39df6d0de7a870087d632c96a56758fd1e4bcc5c3d101e37e0ed77c518

Download Submit
C:\Windows\SysWOW64\Omdieb32.exe

Filesize
59KB

MD5
17f3e962f9d36b4dc25cc5b2fe6ae53c

SHA1
98637701647d4590cb11e74862c48969bfd5eab2

SHA256
ee237b3960c1509b14352d49aed056bdaf9033033c71adaee5371f7998176d55

SHA512
a829fb0e6ea06b22424c9ca3d06f21ff6cfd26e326cf8b8649415b0d09545791a69cf06958d2e17f5f32cfa3e0a384df20c02948606ed096812e83d73d8008a0

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
59KB

MD5
e432a374008c80718ef7772b3c03a1b9

SHA1
673425553e34f6dafc6fe299251aacccd6323fdc

SHA256
415ad5961698478bba248f141f0558a1cd8ad9e60a43060d1ad6bf9d53781cf1

SHA512
10210efd9259d4d896b5287b183bc35d466c672f52aa903561ad5d81bc240ab75408f2ff26a59a597ae517d5dbc8ae8014cca26c132608646129d6c3a6882df5

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
59KB

MD5
8740195826e071fb6ab15bc4d78845a5

SHA1
868b488b565af6dd512babbcbbd16e7f0bc7c313

SHA256
9005bd814c1ef513396659ca6d3e853a20a93ab28ffa156b6cb22eac71eb05b6

SHA512
ebbb73f9ac898f60819e5fb82d249a24ee81359d028138c57a10bc17f06e7f68d3d0fc1b0c9f2bf17ecb8f64c584c0227e487476418d0f2bdbe59770420d3f0f

Download Submit
C:\Windows\SysWOW64\Pnfiplog.exe

Filesize
59KB

MD5
46ff7521fc0faa51b1dfadd1073a5918

SHA1
da5cb650671b083d5e112ebed6cb0cd2b4477a91

SHA256
62ba0d0d5b0f03bcdaabcbf931ca42ee65b9f6d01c188a34cb2e6aea33e5193d

SHA512
ce547f4e73592c8bb8266e430fe891ca6eeb24dcc7fb3c0571ade301628758f03bfb88ad02f9c0e13a522c8b2879b366fafae3dffa9cac33d140a9b08aa46c02

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
59KB

MD5
a654af18dbb21a5ed9f0c77e08c29c29

SHA1
9c0be1b8f07ebdd396a989cce2d9be808ceea170

SHA256
5a80d80d72e39c86fd018a0c246b6a4acad3abf44419c24510df4240ee0c7a59

SHA512
ac28fc7dfdb753f10178e0a9db1796882e23e10476855282525c58e9387133e13dec2564cabe5d8be4ecfe2a78b6e963dbb4a0d959a580e412ea1bcd108511d7

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
59KB

MD5
d080e846215c0383934ea141cc15ff5d

SHA1
d256340282abb4e98c158a4b566ca85bec63cb96

SHA256
21112aa2a5901b7161a04dd7fd0a1c6d81dfc211cf0534ea623160a63e10c220

SHA512
9fd01dda8e023fc7ea8e428f018ef41f5705faa5ade9712fcab9469dea89eb1626c21541696b66679eca8c44ab2a655c743f786202fafadd1a2f6c2902f27e3b

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
59KB

MD5
7f18f546d1feeabaf1f634da9aba2026

SHA1
47e1ac4440600c660314e42f3602218f1ab91b6c

SHA256
9b58133156f16bbce9222bc131b4ad72a6f73f3b4df4b238a6f908ddaa075c50

SHA512
ce33a2c416b535f9bdb4c4537c968a8b0ffa4b4afaa4e838f8a1091ed0878a6a9812cd7082748b0ebd30cdbaddfa2cd9e755d05094fec255e78e11c7e68bf2c3

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
59KB

MD5
1cff6bd85d2ba0089f47c6c797decbb7

SHA1
4ee93728a85a98209d7566a4fc2a04a5b7f4091c

SHA256
a2fa35021076d6b6174ee7b01bed0c9327e1f38597d1fa88f473199427333eb0

SHA512
2f200dbaa89ccd92f83abe54d31c84e9a4fd7cf4790787b55404ee4a60433124d68190c5512e6f6c3bc1db7017c510fc05c728e42f68dd010eb495edaa179740

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
59KB

MD5
a9f08b752404a0a35ea7e42f67adf398

SHA1
21862c1d9c84ea96ca3674fa563611271969b78c

SHA256
4dc0524058374241dca10b23b3c1acdc58cca51117f6f928e481385d192c3eec

SHA512
6927f1ee0d30984ba277906205bc99ae6c52ec3164c0622e83579fe027439181aff347d2d6ba519292abe13d2e1982885bd23eab36f7a71689ecd1f18fa7e075

Download Submit
memory/212-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/456-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1200-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-1-0x0000000000433000-0x0000000000434000-memory.dmp

Filesize
4KB

Download
memory/2284-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3420-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3764-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4176-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-523-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-517-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5152-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5196-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5244-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5972-982-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6124-967-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads