485fa189fdfbce62bcc165280123c79f1aadcf6f0d03b82e3483963f340548fe

Analysis

max time kernel
51s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

485fa189fdfbce62bcc165280123c79f1aadcf6f0d03b82e3483963f340548fe.exe
Size

73KB
MD5

da55bb55be6284c0aa4e4a27f4bb418f
SHA1

9a9d6c7bba9d451937ac91f697f18c1c76f106c3
SHA256

485fa189fdfbce62bcc165280123c79f1aadcf6f0d03b82e3483963f340548fe
SHA512

0ddf5285fd39d3aeccb170995a486248cda178fdb26489940e02aa9f38907ce988397b8fa0d020ae459f8954dbaad69f58c5c9d79a87aebfdbbd36dd23068df9
SSDEEP

1536:HXKz1Iw8q4PL6dQWa0LT6PXypsjMMs3bOs86/TG5YMkhohBM:a5n8q4PLkQuLTaXyEhWzd/TSUAM

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	485fa189fdfbce62bcc165280123c79f1aadcf6f0d03b82e3483963f340548fe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe

Executes dropped EXE 64 IoCs

pid	Process
3120	Lpebpm32.exe
3564	Lbdolh32.exe
1088	Lingibiq.exe
2672	Lmiciaaj.exe
3292	Lphoelqn.exe
2832	Mgagbf32.exe
1044	Mmlpoqpg.exe
1440	Mdehlk32.exe
1084	Megdccmb.exe
4824	Mlampmdo.exe
2140	Mckemg32.exe
540	Miemjaci.exe
652	Mlcifmbl.exe
3476	Mdjagjco.exe
4484	Migjoaaf.exe
1492	Mpablkhc.exe
4688	Mcpnhfhf.exe
1964	Miifeq32.exe
3340	Npcoakfp.exe
2504	Nngokoej.exe
3216	Njqmepik.exe
1456	Ncianepl.exe
1296	Njciko32.exe
1616	Nlaegk32.exe
3356	Ndhmhh32.exe
3436	Njefqo32.exe
3724	Oponmilc.exe
1908	Ocnjidkf.exe
4560	Oncofm32.exe
2656	Odmgcgbi.exe
5096	Ofnckp32.exe
2964	Olhlhjpd.exe
3052	Odocigqg.exe
2040	Ofqpqo32.exe
3112	Olkhmi32.exe
3648	Oqfdnhfk.exe
220	Ogpmjb32.exe
1192	Onjegled.exe
2000	Oqhacgdh.exe
3764	Ocgmpccl.exe
3468	Ojaelm32.exe
4616	Pmoahijl.exe
2012	Pdfjifjo.exe
2064	Pfhfan32.exe
4548	Pqmjog32.exe
2092	Pclgkb32.exe
2560	Pjeoglgc.exe
4300	Pnakhkol.exe
1784	Pcncpbmd.exe
3520	Pgioqq32.exe
1888	Pmfhig32.exe
2436	Pqbdjfln.exe
4820	Pgllfp32.exe
2464	Pfolbmje.exe
1100	Pdpmpdbd.exe
1052	Pgnilpah.exe
2344	Qmkadgpo.exe
2144	Qqfmde32.exe
3016	Qfcfml32.exe
2556	Qqijje32.exe
4552	Qddfkd32.exe
3060	Ajanck32.exe
2224	Adgbpc32.exe
4008	Ageolo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Mmlpoqpg.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	485fa189fdfbce62bcc165280123c79f1aadcf6f0d03b82e3483963f340548fe.exe
File opened for modification	C:\Windows\SysWOW64\Lmiciaaj.exe	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Gfhkicbi.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5532	5440	WerFault.exe	200

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 3120	1460	485fa189fdfbce62bcc165280123c79f1aadcf6f0d03b82e3483963f340548fe.exe	81
PID 1460 wrote to memory of 3120	1460	485fa189fdfbce62bcc165280123c79f1aadcf6f0d03b82e3483963f340548fe.exe	81
PID 1460 wrote to memory of 3120	1460	485fa189fdfbce62bcc165280123c79f1aadcf6f0d03b82e3483963f340548fe.exe	81
PID 3120 wrote to memory of 3564	3120	Lpebpm32.exe	82
PID 3120 wrote to memory of 3564	3120	Lpebpm32.exe	82
PID 3120 wrote to memory of 3564	3120	Lpebpm32.exe	82
PID 3564 wrote to memory of 1088	3564	Lbdolh32.exe	83
PID 3564 wrote to memory of 1088	3564	Lbdolh32.exe	83
PID 3564 wrote to memory of 1088	3564	Lbdolh32.exe	83
PID 1088 wrote to memory of 2672	1088	Lingibiq.exe	84
PID 1088 wrote to memory of 2672	1088	Lingibiq.exe	84
PID 1088 wrote to memory of 2672	1088	Lingibiq.exe	84
PID 2672 wrote to memory of 3292	2672	Lmiciaaj.exe	85
PID 2672 wrote to memory of 3292	2672	Lmiciaaj.exe	85
PID 2672 wrote to memory of 3292	2672	Lmiciaaj.exe	85
PID 3292 wrote to memory of 2832	3292	Lphoelqn.exe	86
PID 3292 wrote to memory of 2832	3292	Lphoelqn.exe	86
PID 3292 wrote to memory of 2832	3292	Lphoelqn.exe	86
PID 2832 wrote to memory of 1044	2832	Mgagbf32.exe	87
PID 2832 wrote to memory of 1044	2832	Mgagbf32.exe	87
PID 2832 wrote to memory of 1044	2832	Mgagbf32.exe	87
PID 1044 wrote to memory of 1440	1044	Mmlpoqpg.exe	88
PID 1044 wrote to memory of 1440	1044	Mmlpoqpg.exe	88
PID 1044 wrote to memory of 1440	1044	Mmlpoqpg.exe	88
PID 1440 wrote to memory of 1084	1440	Mdehlk32.exe	89
PID 1440 wrote to memory of 1084	1440	Mdehlk32.exe	89
PID 1440 wrote to memory of 1084	1440	Mdehlk32.exe	89
PID 1084 wrote to memory of 4824	1084	Megdccmb.exe	90
PID 1084 wrote to memory of 4824	1084	Megdccmb.exe	90
PID 1084 wrote to memory of 4824	1084	Megdccmb.exe	90
PID 4824 wrote to memory of 2140	4824	Mlampmdo.exe	91
PID 4824 wrote to memory of 2140	4824	Mlampmdo.exe	91
PID 4824 wrote to memory of 2140	4824	Mlampmdo.exe	91
PID 2140 wrote to memory of 540	2140	Mckemg32.exe	92
PID 2140 wrote to memory of 540	2140	Mckemg32.exe	92
PID 2140 wrote to memory of 540	2140	Mckemg32.exe	92
PID 540 wrote to memory of 652	540	Miemjaci.exe	93
PID 540 wrote to memory of 652	540	Miemjaci.exe	93
PID 540 wrote to memory of 652	540	Miemjaci.exe	93
PID 652 wrote to memory of 3476	652	Mlcifmbl.exe	94
PID 652 wrote to memory of 3476	652	Mlcifmbl.exe	94
PID 652 wrote to memory of 3476	652	Mlcifmbl.exe	94
PID 3476 wrote to memory of 4484	3476	Mdjagjco.exe	95
PID 3476 wrote to memory of 4484	3476	Mdjagjco.exe	95
PID 3476 wrote to memory of 4484	3476	Mdjagjco.exe	95
PID 4484 wrote to memory of 1492	4484	Migjoaaf.exe	96
PID 4484 wrote to memory of 1492	4484	Migjoaaf.exe	96
PID 4484 wrote to memory of 1492	4484	Migjoaaf.exe	96
PID 1492 wrote to memory of 4688	1492	Mpablkhc.exe	97
PID 1492 wrote to memory of 4688	1492	Mpablkhc.exe	97
PID 1492 wrote to memory of 4688	1492	Mpablkhc.exe	97
PID 4688 wrote to memory of 1964	4688	Mcpnhfhf.exe	98
PID 4688 wrote to memory of 1964	4688	Mcpnhfhf.exe	98
PID 4688 wrote to memory of 1964	4688	Mcpnhfhf.exe	98
PID 1964 wrote to memory of 3340	1964	Miifeq32.exe	99
PID 1964 wrote to memory of 3340	1964	Miifeq32.exe	99
PID 1964 wrote to memory of 3340	1964	Miifeq32.exe	99
PID 3340 wrote to memory of 2504	3340	Npcoakfp.exe	100
PID 3340 wrote to memory of 2504	3340	Npcoakfp.exe	100
PID 3340 wrote to memory of 2504	3340	Npcoakfp.exe	100
PID 2504 wrote to memory of 3216	2504	Nngokoej.exe	101
PID 2504 wrote to memory of 3216	2504	Nngokoej.exe	101
PID 2504 wrote to memory of 3216	2504	Nngokoej.exe	101
PID 3216 wrote to memory of 1456	3216	Njqmepik.exe	102

C:\Users\Admin\AppData\Local\Temp\485fa189fdfbce62bcc165280123c79f1aadcf6f0d03b82e3483963f340548fe.exe
"C:\Users\Admin\AppData\Local\Temp\485fa189fdfbce62bcc165280123c79f1aadcf6f0d03b82e3483963f340548fe.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\Lpebpm32.exe
  C:\Windows\system32\Lpebpm32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\SysWOW64\Lbdolh32.exe
    C:\Windows\system32\Lbdolh32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\SysWOW64\Lingibiq.exe
      C:\Windows\system32\Lingibiq.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        23⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1296
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        25⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        43⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        48⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        51⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        55⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        57⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        58⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        63⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3684
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        69⤵
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        72⤵
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        76⤵
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1636
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        78⤵
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:956
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3644
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        83⤵
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        86⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        93⤵
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2184
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        97⤵
        
        PID:992
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        99⤵
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        101⤵
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        102⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        103⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4536
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3672
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        107⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        108⤵
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5048
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        111⤵
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2972
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        113⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        114⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        116⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        120⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        121⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 400
        122⤵
        Program crash
        
        PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5440 -ip 5440
1⤵
PID:5508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
73KB

MD5
2eec3761264808f5639288ee909ce974

SHA1
8c244b22a05df206c2951ddefaddd4f52403a0c8

SHA256
4885e0636be5189928ac0912f5f94dd5f36b77cc51f49acb152809ecbc94261d

SHA512
479ebd091177b613e79791765c9ff97b2b6ae8b29cc788a51d52af37b9f541e88cc48e7ab4efee2c37e59851cc0083c2a627e2c4c01792540c9dd54961decf02

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
73KB

MD5
c368d4eee138d7cf6cbf1f90c90b8ec4

SHA1
bc9d615ef78bc99641b755018e37933ca85d7c61

SHA256
fbded9eb4df6cff748d72a1e22a9b008060886c71c0c3965b41e24e63dc44adb

SHA512
21fe389bc075993f5b9e228ec21be2782f8eef992c47932a4d815d303b86bdf781dabee8a9a1c09c7dce8275fb7b20e1f07cec7162cce20e6697c53cc5a5e265

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
73KB

MD5
7d773f00491bb3566cd4e2c584a4d351

SHA1
b0e42cd9cdeae03c7559035e7e50b217972484e9

SHA256
55230f87c50f7d6b2a35ddefa5570b60e27953f0fe9f7df7c45751eca5ac874b

SHA512
b19759638d45e294cec0d75c149f07c4b6d803aaf70e5dcc3afab254bf19bcada3a8cf2745d106490040656efa825948b8fbb087a8ec978d1df4019eea9a13a1

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
73KB

MD5
377dba2bac2e6c908c45f3fe643042db

SHA1
c14bc43454797d678a74a56ddc2bc0631afd2b9a

SHA256
9ca3bca6545c1630b06b99c7662ae03af9abfbd26ce1cad81bc5c22102e1d7bb

SHA512
537aa3ebc126cd00e81da03bbdbdf396c77fdeb5f597ba5cad1f7a5278e48a9742d63feebe6d7715bd3034b94f8cc826a2a2d7a0433d77b1c7bb834d94362283

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
73KB

MD5
f02711528b36360fdc961ab48cecb319

SHA1
394f536e0538568336e7bac8498f70b50908f123

SHA256
9fcb4544c8f19af09f580a9ddfe94691a3a9a3349081a6e2b5e12d352b353258

SHA512
59337c63dee4080f08dd385187bcf82097de10027c433fbad2670d31922c6822d58abf5f47a0329b01f119e0df4975c4ea133e52cecee17ef4c117c781df2c18

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
73KB

MD5
ec4c6de117a64371f6ca5aed9749df5b

SHA1
48f8d682a372ac2a5e854b5759a4a48c4bf65388

SHA256
7e93d334622e088b7cf7bd8420c60f47077d85f5dec703566a8910a8ba39cd6a

SHA512
03cf0992067b967f474b7069d859bad519306762a5c88fbb607808ae5e8e3d8bbaaee2e985402f1994e211946027b16234ff6da579d2d5b45ea8dc8575ba70b0

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
73KB

MD5
810081f26734c20884fd7d6f9ce3aec6

SHA1
a6e651224fde683d9f1386d952d82cefaf56204f

SHA256
f5dd71c9991a405f175e394ff32501101581796fc834e74a576f2548dfa40a5d

SHA512
be6a0f8bbe7732dae24e972aba3563c6f3f64ad5e4b62ef061a66af83189486deeeaeda7897241f6693a22aa96ce21d6340e08444895ac4d1c043202482cd0b1

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
73KB

MD5
761f3fa10b00969abb2af6fa14774c70

SHA1
32f0259f7fa9d80f20b6a1c642763bf864e0de99

SHA256
3a4d6a5f68aa2311eefce305b7569172446873b874d78a677abac4979513d0e6

SHA512
dcf1299a54751eb9eceeefe012227fb0c679abbe9bea33b8f9557f5f1dea0d1092429ae1fb27e8544f6667015679728449ba6750e3bce428b80018da9a42a21b

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
73KB

MD5
6230d3cf49dde657ebf79897b37a1d89

SHA1
fe9e728d5a31f53feb29780ea189851e439a71ba

SHA256
c4b351abdb12a527340bbb8275e1e046d23d52f4826f1c4086095062f273f617

SHA512
3318d1c6d0fb9499a5fdcde5282af0043654a3124b098528636543e8298a0196a4d054c1f82cee3f8192702e82147b2d89e51383301d2180feb2389f463f36fc

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
73KB

MD5
6c13faf0c2bf240ce1a4b9bd98f667e6

SHA1
c898072365cf4a6d366305bc9686bda43d462bcd

SHA256
7763449898e865aeb53f3658a11e30a522fec6f51cae06639eabb4e970e9b557

SHA512
a4331cd2cfeefc355d8198f4fb1ca78b2b9695f18fa148925044c594c4c326eb1a7c7bfa43c927a2f251a3e5b29708c98ecbbb19c37dd403458c380736ac71f7

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
73KB

MD5
7716af620eee93a0e28d0f8f169a449b

SHA1
bc60ebe5ae546ee9519558d6d6b74c839c2c3149

SHA256
0808513791f94d984960257fb7e01f5da20375180b1eaf7ea596c7194c81915a

SHA512
b9b1647d25bd300c7e08602889a818c1ecc0acdc1c638a08d624dd2d463f286e31b3cb7567c3af524faaa1bb0c6c640545035fd91e3dd1288c215e51748e07f6

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
73KB

MD5
0d6b5ac5aba420ea98b84b072a2f62d5

SHA1
97d6f89b10658e4f7fed828fd3f0124c9a9e8371

SHA256
3634e064f027c45bbf5b0fea2b2ffd9d8f3538276907379ae5b8f3126bbd9805

SHA512
e2875d1fc247be98e8362b53c7aee0279186d4fae96f68cb41808dd30761478b3033ffa8fa5dffaa8b73aa62184e9c244a4e8fa243de4bf5639947eff9972faf

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
73KB

MD5
acb495bea73dad9b608d1d34372e98fe

SHA1
6e4a352468bcbebcb796442e069e200af65818f5

SHA256
bb0102fb72e4d6e84ae26a44f1bef4097e1f9b19e2e72a491aff3c5d475a0779

SHA512
c2256971d6def0f9da13ac5a05da5e992563a5379f57e05638aa0b481a9657de262acfcad2b3bf2907a348fc12df27674c3a66358f02e7c196de90a16ffc5fc6

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
73KB

MD5
a8f0ab5ff9c8ee7cd85ff5a8da1dc716

SHA1
9803b8ace139dbb3d8067f45920dc343d7f9699b

SHA256
462636f33282d48b9c0ac871e52228240298694288517fc59b084ee1e874dde2

SHA512
a597953f9f72162a413c72225472783a05c272ab0480f5e289d6561d816831c833a4b5242970d21c4e384a5e52d3b73c300e51d8bbaa10cdc2e61c8c726cd05d

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
73KB

MD5
09e80d5e88e888b929335dc5eaffc393

SHA1
54066a09012ff766c0750caed5af6ae877b23710

SHA256
e6526c664f0e6e64f6682119404cc6b27422106142d117892512f29c8d9cfe6b

SHA512
4bec397248ea0fd69ba053a452115f21136bb67cf99b3521968812845a4dfdd07ffd60c3696124eb3b73ff4025e67d4b2b078e83170d06964339ad551778cf14

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
73KB

MD5
7ac2263b2be583582feaf63663182938

SHA1
9b2f81af6fdea619eaec7fa67d60e4ea19ab8422

SHA256
04a58adb05a222011aa99b9dda9dd889b3635615c0d180cfe97b1567556ea71c

SHA512
cc7fcb2cc432bae5b158dc22d31236e32ff25771e72c20ca6b48c6ed95d55e0f316b1f8d1fa3fe19c959f32742277a07ba6e5cf411b8367820d6b0d03850369c

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
73KB

MD5
5dd847b5cad718d71b6f17697412302b

SHA1
c311fa3b1acf559e4aae3bf0f51da4bfca2bbd87

SHA256
64b229ee79ab80ec40f322fafd5e35c73bc98a5f92b8b519b8535a9ecc25fd66

SHA512
62a3d8c20637c9f8ef70158ab7d504c17c32f496a72c246a584e6f48c72928c0087ea9f1a5033738b11e020337b52aa1022da5ba9b3545418e96f03e9b24a406

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
73KB

MD5
73640906f748dbcd505944183055a4a1

SHA1
a1bc540ca6f998bff2bedb5bca5c23c22dc7b0b2

SHA256
5541e278f34273bccf47aa33b49e720447f00b44817254a681ca82df3ed02684

SHA512
fc73985e9b62946549afa59ae6a629fa6eba56a765cc0b25f997f9d9c4789c9a23d8669c2f401359d503c3706613e457ec4f2624d97bb2f04cfef531a3cd8ccf

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
73KB

MD5
a15d355169f2bbb355bff9d59b69b206

SHA1
7ce4bf928abc4fe27e435342f34d9b826b537bfd

SHA256
78984e5732217c6d8a959c312f345bb55cd96ca68b9b47e40f4dbd4076c5676a

SHA512
c157a91688c4aa76e0245d266408f7386ef21e776ffb861bc82e7d3859fa378cedb70e0d78f153516b4bc3b04823a1e07f92a1a38cfb2c9793a76464361f1ed3

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
73KB

MD5
ab44ea8bd1d238d37714a8b6200e3ebd

SHA1
acb2c731d16abb75d866b7f854275e8038fefe7a

SHA256
90127f8bb1e5c95746a5c8681cdd8de1c6b7b3115402dd1bffe454f990e1495d

SHA512
ec225094118c8a069e2ca228b4d4c373c94f60460f12fc34959d9b75f1e830550c8d95c37009221d54acf5357d78a13af9cc2fafecb4eb83921afa92a8c45b65

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
73KB

MD5
241bcf850465853905dc56ec36f0ddc8

SHA1
6781fcd1c72dba1455276a3676fffccb2168fe86

SHA256
c0ed137929ea0ea66b02a01c747286d8901c2473d04e599ea051e7ad3f1f1c68

SHA512
6f3129c217597a8433ace19fb239b919b751fef98042279827d789c460a703ab9f6187fbbaf336c21a44e6113903557ac4f7507bdb58d947f3c9e006b0a18e3c

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
73KB

MD5
eaaad20178c1891322d90a8708e2c467

SHA1
24920b2961dd3f93425248e7bf7d51902006c61d

SHA256
a5e1d4e667190dce12e0b53ab3d022ba94dd0ffc4baded3912db2253f70b73aa

SHA512
bcae6ee9409d7e137bf177fd8495091cc2a9ac43d74f1421f9ba773aa0af45480b80d2a13d975bec075c481a118624d54ed9a6db64dd5dfa0bb2265064f81b25

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
73KB

MD5
1e54868f771c3dfbf69f65e150e4db8f

SHA1
e7aae24fd10e9d8da3208e94fc50c7cc81be999b

SHA256
bacfb3ec38b946b94b7bcb582f1fd02b6c5e5caee50fceb7019ba1fd915f59f7

SHA512
799956f9e0d2927ecb9d13768662fff11a67f1acdb59f0138a745374370da20a6e54c18c16ac110e37d6a61dab32c6290986a918d68335b9b83e5382dad25521

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
73KB

MD5
02bdf8151e52a56fe4a7b467c806d6b6

SHA1
870e7b2fb5803ced69e1d61c8b11e92884e21548

SHA256
6a88133bc5b2819f47b387ab2cfdb87561d8edd042f8a2bdc234f825c4b462fc

SHA512
b17e5fa0fba0581555242ace010891bbf8632edfd3b6563bf3ca4eecf0c24c46339ad6c2299bb08f6ed72ef7b33b428aa782a8314dac1ef3eda340bc17eef9bc

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
73KB

MD5
be796d36a6c69d4ef9d16e446a99e61c

SHA1
22b1645d9c87ee113e3707f10229a79b71708723

SHA256
ccfc058b78d80ed1d0adf4e28bbcb45080e4c0ef41beb5a6db731ede2a2fdb57

SHA512
e19c790a8ae200bbe9d52674b1cebc287eb471454f4c913c547fa8dfde1b900447047fb5550ab6726722976b216cec73dc5c2a7d844525529368d9476937ef30

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
73KB

MD5
88569951c58e6b1657ff8e4528c24e58

SHA1
9334e750ef84a39d39bfb3f7fc5c7d2df277133f

SHA256
b250ae0f536a1cb618c9cfa7501a5c50d57278237678cacc79ec0bc643b1423c

SHA512
8edb03975ea0a230fc959421fda495132c1c2666e6535b5e7b738dcea6a2ab7e9cd56bce87689f10b42b269980320b84a708c52c659be51fdbdd4228ae545913

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
73KB

MD5
cc14ff015ee8a1e44969d82969e7290b

SHA1
94f4c7dc4e27a37c573b6a54147bb982f088b005

SHA256
873a48008c9930f91c44bdc4afb0b6e27d896b9f63b0d4a0f61cb9ff0383f53e

SHA512
4e25d1409db3ee33a453881a0bc939499e3cec2ceac07dd88b8c81ebf7a287222cc8f4cf9cbc81beafd01c99b4109fa3af25a6200f1c378faf3a02f76b58d5d7

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
73KB

MD5
ae6c53757ba6c7b6b7fc43a47cdde422

SHA1
762b51e477f4ee396dc3c5c59a986f371e8e3cb1

SHA256
aa0b8b4c4de1dacdb771740b3ffb6e512f28702bf094138c1bbb8b29b34c003f

SHA512
53d1fa2535a709fa636e12fcc56701746dae1804fcebcd88d9c8319303b5b198198a7a216539a56841df80da48b6711bff5db7ef82b4d556777df3f024daae31

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
73KB

MD5
52193506e17aa94ec5ee0da58fe5dabb

SHA1
5671d3575d182fcb297f21e7dddfe12dd5c85367

SHA256
5c297a5a74b45d549674aceaef6b5ea51b37a839dba946dbd4d7cab8127a9df6

SHA512
5e305be53e4aee28eb10f40da3aa915319d8a22e42ed92422f19c31b6a4fae20581449b3ab95a8073a70f5d56449412c7fd9e7022b09818c6ff1eed6892acbd7

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
73KB

MD5
941bdf81df045b167c7afaafdcd403bd

SHA1
3dcc97eef985e14134e9d79c3c542820ddbe9c89

SHA256
0ea5c8610445355f41a8903f0cfada7b696f154473662af55db575a1e782b495

SHA512
440e2fbaa50073d5e9dd5fd19e992c8ef39d0e57ee3d0f65793a73582235ebfc28b8e7f1fe4bbb609023e0003768f9a62a45e98de0fd3baaa1b22b6bc4ab4065

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
73KB

MD5
04feb28b3fcd11c15e6f22b332560486

SHA1
ea67e49990ea30ed61d4e68781ed4c2d6fc0dcbb

SHA256
ff6540e54aab603023d58ba4366469cf0f47b48416e3ab368663ad8210194992

SHA512
de48dcbbaf9eda2a1a6b0cbb038b4702907daac13eafaee91761cfcfdab8d962bdbd7a97f8c3ab219c3eda07c51b2265fab849ea70d57f9ab8cc4848547570ca

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
73KB

MD5
9748a136cf585f574cff9e0ed55ea29f

SHA1
6c1d09a16e78c76e71f42d8f72c3cf0b0141908a

SHA256
9a780717c0b85b733ede992bf253b054770098f92c63b67806e411a28402c176

SHA512
d0df7f9d178194dcbfed07d154f46953f4e67fee00738c4f625c2da665618d0f226312d9d114db245090c32007076affee46cdb62f9d0b70311c7a4412b6b2f6

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
73KB

MD5
7c4b8c4a897f8c93ef8dfbb20d1a907a

SHA1
10c98ea06daa1e9ffd199798679b72f06a7fb5c0

SHA256
27f23b7c4ee470ef7dd7fea5525d1e1deae22aa624f2e68e088cef20420636a9

SHA512
f1d8c3495196cefb81060e5a1ad0d28c6decbdbb9d03f4c4f68e57a068ed5bd1f93258599cc6b7a1cdf9c3189c1be137430bf5abc4f8a2db3bcada829ad59f7c

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
73KB

MD5
a1dc4f60c986192e1e0d18285c2811da

SHA1
32e51ff433562238bea93c68b88e237644900ce4

SHA256
fd2ca3e1a63eec7f4ad95662ab30534d3f45810ca858f7e3f9e9422d410391c0

SHA512
0a6ede16accb01a9d9388e8fcbb352055875baa8758f86d5c1aad0701c04ae74c0d6d3950b72f99401050d3fbcc167bb2f67c250ce28a81d4b0264b6170c1ca1

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
73KB

MD5
15ad9e5ef4c825990ffec92e6665bda2

SHA1
3dd36a150b70a3e18525cc54e71d67b7cbaddf8b

SHA256
91fd7afd92bbf0c522629759cc38cf4050cb92f75d9f515c22b2b68e988d69d3

SHA512
402e081f4dc23f1cd813177e4abc389a3fe84fcb353944483bd2d4b3961255fab23854b4955a7bcb63db5b444ab8e25bfbf7647716985a958b4704d02503e83d

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
73KB

MD5
7bdf6acedb7ffeae359a570f596349e5

SHA1
bc0d7b1524883703551183d7a7ecbbd8ef42e879

SHA256
52a4e03c671270daa4b51b57d085a0ffaf48692589cb248e61f8972a8adec748

SHA512
64a2b2bed56996751ac90143b56fad527863c9698a73688089ed7603e54683c77c6c09f30080ba5d9f1793fe5135221d9a77bc69e4783348fe6a75372efb8c79

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
73KB

MD5
b9778a0326ad661f4b4b788721a022fb

SHA1
78dd1c32f1be25e1a485ab607fe521d6b06dc760

SHA256
ed344276df9de3eaa406b241297ab7f2752fb781c13389958af71ddcbc231b21

SHA512
5a64bf4265ace4022fb4a2b28697a72cd3f36c4ca5f0bfcc9a99388549a9511a4901c1149b82bf1dc201a7b9c01a6a74527966cf7faede53486a38af21bf3c38

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
73KB

MD5
e338c8fe4a698ed1f7cdace4612d59fd

SHA1
d7710692949d4092101f575f247460fdf1fab62f

SHA256
c0807f9729facff6a09f0eb1ea834623a286aa4c5c0eab8f4da29124aae515c8

SHA512
fa95cf4494d227b946ee86e25fd6cd7cfbfccb0995630b892c3defe346d7528cb4ca81f41dc04e2485094d4220a284826b140e83a9d4e574002f8de335a19890

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
73KB

MD5
89477ab75ecfa6f18f77a266f24a9364

SHA1
f41ae46cb8163cf898b0a68500187a6b50ae30f6

SHA256
e711a0cfa46bf0250c410de1fcb4e3f79f3235372afff86bc9cf08fd59935ed1

SHA512
fd159d2fb51d3bb135fd054d2594dc1c845801cd6600444b575941417a1164998f58417dfa75c8fb358f1b41905dd5d7ca57bf2df1f324e2beb60f4e9a9e679f

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
73KB

MD5
acffe36b438c40a7094644b6c125c03f

SHA1
3edf9bf9645db510317bfaf13dc755ee1980ae92

SHA256
3fcd855e0271552f805ad9d054e3b0757a37a0b87f07a4b2661aebc3130157dd

SHA512
9ebb1ee4637b13da8fe3c3e3e820ad15e4182839b796f2b57da8f9433d7177cca67bfd479f763ab297e5dc56e1eb2182f57070437d82c536501732b08e67e2fa

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
73KB

MD5
330cdb5595f756734ffb30bfaeb07ed8

SHA1
5109c7a000f31f9cb8e292b9e10b1d29484b08ce

SHA256
ff530fb7db6ad5df03233ab8e20ba1b13487c535f732e49f0b6db6bd32375a75

SHA512
eef3a87de7aed0cecc7b55bcb3e8f2edac238f568bb56b1d5807afaecd47e8e3ee615de44d7fa1503ff6397f196f248d4d321bcb3f163f647c3e3e3a5798783a

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
73KB

MD5
7591d094e4720c1a69d85158871ac60e

SHA1
b0272a97982c1536b75f7ad087776d1efad622d0

SHA256
b4f4a1be4ba714c98a0e3259239842c7b4d3ae96c87240be100ea3ed3f5d1a11

SHA512
bb98052261d6a225e16c77c16c6219e9c7f17ca2b006d0a28687c0a473e16659bce5f6b3280ef2263fa888f8d17d5de70cf567609b26b998d82467b62642a4b3

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
73KB

MD5
0444dd12f9fc54aa33206a5f70feaf41

SHA1
2aaea9482745a6fb656a5ef1b293530974c0aaeb

SHA256
f5a0fba4ee921b174dbcca54cace41f8c8256de12ca48d335743494431271700

SHA512
2c7a59c91c12113114c3b382da025f7e1ddbd1517903e3dd977afcf2b3778333a5fa57a018d43b4f592524cfa93a33ec20320f5791cfdb3790539bc4ef66cf2b

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
73KB

MD5
899ce97a328d59f9cdfc69499bc80158

SHA1
73b05187438981fd6dc680b45093e3a755523f41

SHA256
654880a4401cb885bedd1744604b05301d5d7b8086fd456c3760fc74829fd9ba

SHA512
c55a33cfacee169a6f86c96ebcd272d4fbe22d2761d64207e3fab96a7d5b257690b3af434521960552dfa0c8ef789c4f865e38a50600329af426871268c564ac

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
73KB

MD5
d6de1f663db9df9adca48b5e182b79be

SHA1
1bec90d87b6f85964e0a4100964dae49949cbc46

SHA256
9e40fcaab98a43bfb324378b96e791882dd2126f117db263d885537c4c648964

SHA512
d82f0b2b7daf762819192fd4e5e65af7b43896e1eceb00158fcdfdf30de8ac61e8e495fb255fadfcd9dc5af0c11b781a7c4b1e4500dd107e91544edc65eb0efa

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
73KB

MD5
f3e50c589ce616a5695beab601c60069

SHA1
ee8b40454f599e51bd9ab0aeef2183882d364e7f

SHA256
fc0a11908daec12f16a2fd9682f7a9208024bc18552748d4e65ea0770d24ccc8

SHA512
c3a4e37b8cf67e691999c3665b21947c4445fe570aede2e9d71851cbdace4a780c41065025da4ab63122369f3f2462a126200bdaf4cd81a82651d581ae3af691

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
73KB

MD5
05d237da7ade9069dedfb3c5b434624e

SHA1
a03ddc19d0f1a79949999348c48bbf692ed68c85

SHA256
209c7013ce25c5df7ecb8602e300ed3733ecf0ec84b206ff59a77d2225243ec9

SHA512
3571945b32707cbba74b6848144adb854ef37e03c68ae60d79f4e2260ba518416bbbf7596b3262829ab62eb41d1c541a60d4854e038b8479a1f8509cc492158f

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
73KB

MD5
14f6dcd0a06df8423288aad63c4abe2d

SHA1
2980be579a8076ab615cbcf8f1778a60cb0aa190

SHA256
a049d7d2a59c31fa68077fe3976d6da102a404e827eb0c2a3eb12ff60f8388c6

SHA512
84a66cd011bae13fe716229e0de6c78faeb7cf9093c380bc8765777cc2a96d8fd2293273811541e922d96f24fa89cea668031366443c3ebc59820c5a1154fa2b

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
73KB

MD5
684a27432479d34a9240e4a6d359145e

SHA1
79e7932abcedf94c5cdb55739b09c69761e49a06

SHA256
9721796d28609eb966f64346812d2306a2f4e249af42957235459590bf314983

SHA512
cfe43d6f61f90f0ebd47a3d49fe835e7e5e5630f902352d73eed0cc9b11423f2cd15e13ba885900b74e7b0cac21b26a0e9ae80d1662cb74d4c622b59c6e32fc2

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
64KB

MD5
4f539ec6a9c48a8f1c42658fa87dc63f

SHA1
c422ac7e21e226e4da415c67d6c0861602d46f86

SHA256
90fa7d58ffe4345b8770f001d59f24a2703a726c7a2b3cf9f5058fea369e0bfc

SHA512
3e6458953a66784e3104f7c3c8f680984f45592526d23a05fc7068948bd4d1ae7e32ca061f421e94741b75e67025544242d3e843fb33b6361c1d66a2c8ac8cf3

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
73KB

MD5
b1498467a8c33d582734912927488b82

SHA1
7ac5b24d66afef7467827cf87099555fbad39957

SHA256
d9c224fb9e9e2deef8615ef060f5d65502d0a70753bcd9cd35a234c6721497a7

SHA512
a551e06fe72770af72f0069a6850e14be7634a4000af1ca600cac6124cd821145cf6e99a07596fb4eb24aa3bbed8cad34f68f336c8178b67daa2afc17b608c35

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
73KB

MD5
720094d295023e307c2edd5f9e489571

SHA1
f9a5f9852fb1ba5ae057f61987ba52c59a80039d

SHA256
e35c00bca3eb57324d43627816f4514443a535fb3774f9fd7e660c357940e4b1

SHA512
8eb304ceaacd04d1622f3ed024c2db6d6986738d7a92390d5f6c9389e24b2bdc31ceb762e5b340ccaff26261005b1e9262cf6e57957591a7e3e69ea7efc5179a

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
73KB

MD5
b22583ae729b40e799b12f7f17069904

SHA1
48e47eeea8ae8eab3d15fc706069f04f6f49ad65

SHA256
19c9343c4a9c661411325ba67e982cde23895bbbe700fe82d818e04b02c2fdf2

SHA512
4130b16d1295041c43daf11a34fdde297d3a07d289c351a5593381139ee7f7b9434478ab1223893540bb555850b5e0d9d384906459f76e4dcb969ccc965dc367

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
73KB

MD5
904795adbba51dd8f51a024296c0b7b8

SHA1
3a067246adc856c8ab5dccc5657b827dbb241a76

SHA256
87deade3b8dd7e31f1c98f14998ef40b057c3d2903ad7aaf8cd6e4a090541790

SHA512
e4c8cf689a42c857ab8bd4b213e9c52587ba1d24cec49922b43d29896d5e736dc7512d6e8781378732a1b1245ae57bb7ed1b33a433c057e2f62a5b37dfe5ff88

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
73KB

MD5
ab20cdd472bd1dad47abc7981f2c1f4a

SHA1
1ad8227bf63438c545a8b79c129968ae9e7d7a74

SHA256
18ed9f033a3d87d9ff16f642dd5f91f225432d9927683af65e03b88721807c1d

SHA512
9bee48ad2fdf67b917d3c17e6af4766f867918d89fc909dd355d5b80d908f1c097e72eea3495d8512fa43ffa81195b7986faa68e39f59f92072a2632745b3d59

Download Submit
memory/32-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/60-532-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/220-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/652-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/956-542-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1044-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1044-593-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1052-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1084-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1088-565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1088-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1092-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1100-398-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1192-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1296-188-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1440-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1456-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1460-544-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1460-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1492-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-520-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-374-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1908-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2064-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2092-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2140-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2144-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2344-411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-458-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2472-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2556-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2560-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-52-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2964-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3016-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3052-266-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3064-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3112-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3120-551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3120-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3216-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-585-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3248-502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3292-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3292-579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3340-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3356-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3436-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3468-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3476-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3520-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3644-555-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3648-284-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3684-470-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3724-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3764-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3920-498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4008-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4288-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4292-545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4300-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4484-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4508-494-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4552-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4560-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4616-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4688-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4824-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5032-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5056-484-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5096-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads