aca46266432ab78a9a0a91fbf5974db17e5bad18e4516616f1afa94d190295e7

Analysis

max time kernel
142s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aca46266432ab78a9a0a91fbf5974db17e5bad18e4516616f1afa94d190295e7.exe
Size

96KB
MD5

000ee2d0b05a6b227c229d1df8d92faf
SHA1

99cbdc7c38279f3768809bf2ee41550f6bf81724
SHA256

aca46266432ab78a9a0a91fbf5974db17e5bad18e4516616f1afa94d190295e7
SHA512

d9851812642e8bbef126df260ae1dc8e604f573913ff20c814b164faf2a17fe4e9a2aa17b9d46414d73f4976fa848741592cbf4d2ced4a3277e38eacbafabbbe
SSDEEP

1536:wz/YpZ8M530iyaZvseFF2w5MAX/2Lk1lPXuhiTMuZXGTIVefVDkryyAyqX:wUpZ6mZvs2F2w5MAXEalPXuhuXGQmVDf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mablfnne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnmeodjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkcndeen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhenai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmggingc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnibokbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieccbbkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojqcnhkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnphoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkcndeen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcmfnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgapmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okfbgiij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidlqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbdgec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnmeodjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Madbagif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbonoghb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbdgec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcnnllcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibdplaho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Logicn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljdai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbajeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fklcgk32.exe

Executes dropped EXE 64 IoCs

pid	Process
3812	Lckiihok.exe
1616	Mfeeabda.exe
2060	Nggnadib.exe
1228	Ncnofeof.exe
3188	Npepkf32.exe
4484	Ngndaccj.exe
1728	Omnjojpo.exe
4820	Ocjoadei.exe
2872	Ofkgcobj.exe
4828	Ocohmc32.exe
4600	Ondljl32.exe
2224	Pjkmomfn.exe
2096	Pagbaglh.exe
4488	Pplobcpp.exe
5080	Palklf32.exe
4528	Pmblagmf.exe
3400	Qobhkjdi.exe
2112	Qfmmplad.exe
1824	Afpjel32.exe
5036	Ahofoogd.exe
2220	Cgnomg32.exe
756	Dgcihgaj.exe
4892	Dkcndeen.exe
636	Ddnobj32.exe
4916	Ekjded32.exe
4356	Enmjlojd.exe
4816	Eghkjdoa.exe
3656	Fofilp32.exe
312	Ggfglb32.exe
3568	Ggkqgaol.exe
560	Hnibokbd.exe
3356	Hbgkei32.exe
1604	Hnphoj32.exe
3284	Hihibbjo.exe
4300	Ilibdmgp.exe
4296	Ieccbbkn.exe
5020	Jidinqpb.exe
2804	Jeocna32.exe
4996	Jeapcq32.exe
1568	Kcmfnd32.exe
3860	Kemooo32.exe
2760	Lljdai32.exe
1836	Ljpaqmgb.exe
2172	Lhenai32.exe
2932	Lpochfji.exe
2900	Mablfnne.exe
2020	Mfbaalbi.exe
3476	Mlofcf32.exe
3108	Noppeaed.exe
3344	Nmfmde32.exe
3112	Nqcejcha.exe
456	Nmjfodne.exe
1796	Ojqcnhkl.exe
3620	Oophlo32.exe
2708	Omfekbdh.exe
3540	Padnaq32.exe
232	Pbhgoh32.exe
804	Pidlqb32.exe
4812	Qbonoghb.exe
4000	Qbajeg32.exe
3984	Ajjokd32.exe
1080	Aiplmq32.exe
1712	Aibibp32.exe
1548	Bmggingc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pbhgoh32.exe	Padnaq32.exe
File created	C:\Windows\SysWOW64\Qbajeg32.exe	Qbonoghb.exe
File opened for modification	C:\Windows\SysWOW64\Ecgodpgb.exe	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Hgapmj32.exe	Hbdgec32.exe
File created	C:\Windows\SysWOW64\Fooqlnoa.dll	Khihld32.exe
File created	C:\Windows\SysWOW64\Godcje32.dll	Qobhkjdi.exe
File created	C:\Windows\SysWOW64\Fofilp32.exe	Eghkjdoa.exe
File opened for modification	C:\Windows\SysWOW64\Omfekbdh.exe	Oophlo32.exe
File created	C:\Windows\SysWOW64\Pcbdcf32.exe	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Keiifian.dll	Pmblagmf.exe
File opened for modification	C:\Windows\SysWOW64\Hnphoj32.exe	Hbgkei32.exe
File created	C:\Windows\SysWOW64\Jeocna32.exe	Jidinqpb.exe
File created	C:\Windows\SysWOW64\Mnknop32.dll	Jidinqpb.exe
File opened for modification	C:\Windows\SysWOW64\Padnaq32.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Jihiic32.dll	Mfeeabda.exe
File opened for modification	C:\Windows\SysWOW64\Omnjojpo.exe	Ngndaccj.exe
File opened for modification	C:\Windows\SysWOW64\Qobhkjdi.exe	Pmblagmf.exe
File created	C:\Windows\SysWOW64\Celipg32.dll	Hnmeodjc.exe
File opened for modification	C:\Windows\SysWOW64\Qcncodki.exe	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Mmebednk.dll	Aiplmq32.exe
File created	C:\Windows\SysWOW64\Gadeee32.dll	Eajlhg32.exe
File opened for modification	C:\Windows\SysWOW64\Hgapmj32.exe	Hbdgec32.exe
File opened for modification	C:\Windows\SysWOW64\Ncaklhdi.exe	Madbagif.exe
File created	C:\Windows\SysWOW64\Ocjoadei.exe	Omnjojpo.exe
File created	C:\Windows\SysWOW64\Dkcndeen.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Eajlhg32.exe	Ecgodpgb.exe
File opened for modification	C:\Windows\SysWOW64\Ejjaqk32.exe	Djgdkk32.exe
File created	C:\Windows\SysWOW64\Pcdqhecd.exe	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Eghkjdoa.exe	Enmjlojd.exe
File created	C:\Windows\SysWOW64\Ggkqgaol.exe	Ggfglb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgiohbfi.exe	Baepolni.exe
File opened for modification	C:\Windows\SysWOW64\Fofilp32.exe	Eghkjdoa.exe
File created	C:\Windows\SysWOW64\Lpochfji.exe	Lhenai32.exe
File opened for modification	C:\Windows\SysWOW64\Ibdplaho.exe	Icogcjde.exe
File created	C:\Windows\SysWOW64\Kongimkh.dll	Ibdplaho.exe
File opened for modification	C:\Windows\SysWOW64\Jogqlpde.exe	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Mekdffee.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Oheienli.exe	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Jgbfjmkq.dll	Mfbaalbi.exe
File opened for modification	C:\Windows\SysWOW64\Fqbeoc32.exe	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Mcqelbcc.dll	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Hmafal32.dll	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Hnmeodjc.exe	Hchqbkkm.exe
File opened for modification	C:\Windows\SysWOW64\Jaqcnl32.exe	Ibdplaho.exe
File opened for modification	C:\Windows\SysWOW64\Palklf32.exe	Pplobcpp.exe
File opened for modification	C:\Windows\SysWOW64\Eghkjdoa.exe	Enmjlojd.exe
File created	C:\Windows\SysWOW64\Caecnh32.dll	Lpochfji.exe
File created	C:\Windows\SysWOW64\Ljpaqmgb.exe	Lljdai32.exe
File created	C:\Windows\SysWOW64\Omfekbdh.exe	Oophlo32.exe
File created	C:\Windows\SysWOW64\Gcnnllcg.exe	Gjcmngnj.exe
File opened for modification	C:\Windows\SysWOW64\Pehjfm32.exe	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Hbgkei32.exe	Hnibokbd.exe
File created	C:\Windows\SysWOW64\Hpceplkl.dll	Hnphoj32.exe
File created	C:\Windows\SysWOW64\Padnaq32.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Kojkgebl.dll	Ejjaqk32.exe
File opened for modification	C:\Windows\SysWOW64\Gcnnllcg.exe	Gjcmngnj.exe
File created	C:\Windows\SysWOW64\Pjkmomfn.exe	Ondljl32.exe
File created	C:\Windows\SysWOW64\Lhenai32.exe	Ljpaqmgb.exe
File created	C:\Windows\SysWOW64\Ocgjojai.dll	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Klbjgbff.dll	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Ojgljk32.dll	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Dknnoofg.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Nkgdfb32.dll	Ocohmc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khihld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnfhilh.dll"	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggocdgo.dll"	Hbgkei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnphoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgdfb32.dll"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hchqbkkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgljk32.dll"	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kannaq32.dll"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgamhc32.dll"	Dkcndeen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkclkjqn.dll"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkidlkmq.dll"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfnba32.dll"	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll"	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	aca46266432ab78a9a0a91fbf5974db17e5bad18e4516616f1afa94d190295e7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noppeaed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aibibp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojidbohn.dll"	Ekjded32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbonoghb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caecnh32.dll"	Lpochfji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkogl32.dll"	Lckiihok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbgkei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hihibbjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpqiega.dll"	Mablfnne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjcmngnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll"	Palklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekjded32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fofilp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Padnaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkheoa32.dll"	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihiic32.dll"	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaadlo32.dll"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeocna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icogcjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll"	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Logicn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfolacnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgapmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhenai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldqdebb.dll"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oheienli.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 3812	4404	aca46266432ab78a9a0a91fbf5974db17e5bad18e4516616f1afa94d190295e7.exe	90
PID 4404 wrote to memory of 3812	4404	aca46266432ab78a9a0a91fbf5974db17e5bad18e4516616f1afa94d190295e7.exe	90
PID 4404 wrote to memory of 3812	4404	aca46266432ab78a9a0a91fbf5974db17e5bad18e4516616f1afa94d190295e7.exe	90
PID 3812 wrote to memory of 1616	3812	Lckiihok.exe	91
PID 3812 wrote to memory of 1616	3812	Lckiihok.exe	91
PID 3812 wrote to memory of 1616	3812	Lckiihok.exe	91
PID 1616 wrote to memory of 2060	1616	Mfeeabda.exe	92
PID 1616 wrote to memory of 2060	1616	Mfeeabda.exe	92
PID 1616 wrote to memory of 2060	1616	Mfeeabda.exe	92
PID 2060 wrote to memory of 1228	2060	Nggnadib.exe	93
PID 2060 wrote to memory of 1228	2060	Nggnadib.exe	93
PID 2060 wrote to memory of 1228	2060	Nggnadib.exe	93
PID 1228 wrote to memory of 3188	1228	Ncnofeof.exe	94
PID 1228 wrote to memory of 3188	1228	Ncnofeof.exe	94
PID 1228 wrote to memory of 3188	1228	Ncnofeof.exe	94
PID 3188 wrote to memory of 4484	3188	Npepkf32.exe	95
PID 3188 wrote to memory of 4484	3188	Npepkf32.exe	95
PID 3188 wrote to memory of 4484	3188	Npepkf32.exe	95
PID 4484 wrote to memory of 1728	4484	Ngndaccj.exe	96
PID 4484 wrote to memory of 1728	4484	Ngndaccj.exe	96
PID 4484 wrote to memory of 1728	4484	Ngndaccj.exe	96
PID 1728 wrote to memory of 4820	1728	Omnjojpo.exe	97
PID 1728 wrote to memory of 4820	1728	Omnjojpo.exe	97
PID 1728 wrote to memory of 4820	1728	Omnjojpo.exe	97
PID 4820 wrote to memory of 2872	4820	Ocjoadei.exe	98
PID 4820 wrote to memory of 2872	4820	Ocjoadei.exe	98
PID 4820 wrote to memory of 2872	4820	Ocjoadei.exe	98
PID 2872 wrote to memory of 4828	2872	Ofkgcobj.exe	99
PID 2872 wrote to memory of 4828	2872	Ofkgcobj.exe	99
PID 2872 wrote to memory of 4828	2872	Ofkgcobj.exe	99
PID 4828 wrote to memory of 4600	4828	Ocohmc32.exe	100
PID 4828 wrote to memory of 4600	4828	Ocohmc32.exe	100
PID 4828 wrote to memory of 4600	4828	Ocohmc32.exe	100
PID 4600 wrote to memory of 2224	4600	Ondljl32.exe	101
PID 4600 wrote to memory of 2224	4600	Ondljl32.exe	101
PID 4600 wrote to memory of 2224	4600	Ondljl32.exe	101
PID 2224 wrote to memory of 2096	2224	Pjkmomfn.exe	102
PID 2224 wrote to memory of 2096	2224	Pjkmomfn.exe	102
PID 2224 wrote to memory of 2096	2224	Pjkmomfn.exe	102
PID 2096 wrote to memory of 4488	2096	Pagbaglh.exe	103
PID 2096 wrote to memory of 4488	2096	Pagbaglh.exe	103
PID 2096 wrote to memory of 4488	2096	Pagbaglh.exe	103
PID 4488 wrote to memory of 5080	4488	Pplobcpp.exe	104
PID 4488 wrote to memory of 5080	4488	Pplobcpp.exe	104
PID 4488 wrote to memory of 5080	4488	Pplobcpp.exe	104
PID 5080 wrote to memory of 4528	5080	Palklf32.exe	105
PID 5080 wrote to memory of 4528	5080	Palklf32.exe	105
PID 5080 wrote to memory of 4528	5080	Palklf32.exe	105
PID 4528 wrote to memory of 3400	4528	Pmblagmf.exe	106
PID 4528 wrote to memory of 3400	4528	Pmblagmf.exe	106
PID 4528 wrote to memory of 3400	4528	Pmblagmf.exe	106
PID 3400 wrote to memory of 2112	3400	Qobhkjdi.exe	107
PID 3400 wrote to memory of 2112	3400	Qobhkjdi.exe	107
PID 3400 wrote to memory of 2112	3400	Qobhkjdi.exe	107
PID 2112 wrote to memory of 1824	2112	Qfmmplad.exe	108
PID 2112 wrote to memory of 1824	2112	Qfmmplad.exe	108
PID 2112 wrote to memory of 1824	2112	Qfmmplad.exe	108
PID 1824 wrote to memory of 5036	1824	Afpjel32.exe	109
PID 1824 wrote to memory of 5036	1824	Afpjel32.exe	109
PID 1824 wrote to memory of 5036	1824	Afpjel32.exe	109
PID 5036 wrote to memory of 2220	5036	Ahofoogd.exe	110
PID 5036 wrote to memory of 2220	5036	Ahofoogd.exe	110
PID 5036 wrote to memory of 2220	5036	Ahofoogd.exe	110
PID 2220 wrote to memory of 756	2220	Cgnomg32.exe	111

C:\Users\Admin\AppData\Local\Temp\aca46266432ab78a9a0a91fbf5974db17e5bad18e4516616f1afa94d190295e7.exe
"C:\Users\Admin\AppData\Local\Temp\aca46266432ab78a9a0a91fbf5974db17e5bad18e4516616f1afa94d190295e7.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\SysWOW64\Lckiihok.exe
  C:\Windows\system32\Lckiihok.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\SysWOW64\Mfeeabda.exe
    C:\Windows\system32\Mfeeabda.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\Nggnadib.exe
      C:\Windows\system32\Nggnadib.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1228
      - C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        25⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:312
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        31⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        36⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        42⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        51⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        53⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        58⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:804
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        62⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        68⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4288
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        75⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        76⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        78⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Gcnnllcg.exe
        
        C:\Windows\system32\Gcnnllcg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Hbdgec32.exe
        
        C:\Windows\system32\Hbdgec32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        88⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        90⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        94⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Mekdffee.exe
        
        C:\Windows\system32\Mekdffee.exe
        96⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        99⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        102⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        105⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        107⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        108⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        109⤵
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        111⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        112⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        113⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        115⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        116⤵
        
        PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afpjel32.exe

Filesize
96KB

MD5
e321c2cc28180735e45783f9a471c0ca

SHA1
56dc27f28f38a5ca5b5a77a7469b9bc55ba79b92

SHA256
f2b913a5eb99688517d64b7044a1378393ec39883e64952c500cc7cf9253683d

SHA512
06029fcd85267bfbac490b2e34a5ec786cc0380dcc9d9789a37e85b468dc6a36ea8b21f020ffb7ee64529a8cf509014c3f32b328a22467dc5be59fdc0f57bc50

Download Submit
C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
96KB

MD5
c77bd9f30355332514ed1b866be42dc6

SHA1
9ed938d2b0ba6327c0f0f96ae88430e68324dc6a

SHA256
6d18b9d8d96bf68c256cdd3e591adbf39edd2f85281107a415f02f7b82a1e159

SHA512
c669244bdf1e909280b788aadec2b2ec6afecf216fec1628883cda1151f7b5b8c4658188292d1d16cf1d4d5afb4997714456e44f180e58473339e0fc47213048

Download Submit
C:\Windows\SysWOW64\Ajjokd32.exe

Filesize
96KB

MD5
c4cc0b80fa04f4bc7b3fddfab4c2d2c3

SHA1
d683091b5f8778781d5927cfa0c879ad95a1838b

SHA256
50dd507b0196f78579ca4ab4cf9311395d85d3b086f1f4afb201632ba133f054

SHA512
95be1101a5b1a4eaa2dba77a5acbd65e7fcefee55e6bdf8a0753c546305e2b4ba1efc453c4c55e74432024692eca8eed8815200e3899890ca40349cd53b2ccd6

Download Submit
C:\Windows\SysWOW64\Bmggingc.exe

Filesize
96KB

MD5
cde76316b173bccd39547501288cba51

SHA1
fac54c23e576a926b3e31b1ada368a51d8f18785

SHA256
87f40ed38290c1be97d5c006978a16f821fee62551a6e478ee8c43f8e9048a25

SHA512
cd7c74330b168aeadadaa8582adbe709aad2efd04fba1d8eea871b5145105af5f71071d7371a094cc78edba37c9e8f2ae6eff29a4788a5af8b290b0c1aa1d2eb

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
96KB

MD5
67ef1da5733c5ac1518c86269b0bda2f

SHA1
0ba2a3eedd10bb605022eb33cdd343830ed94591

SHA256
0784b50cc7d13d0d4fdcf1f3859b768a326996ee492a31f79a91b40b0f6f65fb

SHA512
692898dc4c992d97736ff39bf1e1cc6c9007d16ba31f068037388bde08db03af8bf6a1ea0b3e3d4f312c21c210ba14086fcf7cc42fcc003cea9bd3dc11029877

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
96KB

MD5
9f56e8c0918ec02f6bf6c32b77ea7182

SHA1
4bae7d93b6a04127876e0128153ac914d1b28359

SHA256
a503d274d9d76cfebc62ea78d1c538b24484792ae046ce232fe96577b91472bc

SHA512
cfb859a25076d35d09a6e0d893747629c3e1efd16f677c7b9bf9895906c165bf3bb22e2112946ecbc38e5293fe68d0189fdc154bd302bb7cec9bf5e01de91a90

Download Submit
C:\Windows\SysWOW64\Ddnobj32.exe

Filesize
96KB

MD5
8c6306c8fe3e5b64a934a4d6c510b743

SHA1
f59ee9b4ea728364a668e203437ef5de78354141

SHA256
3abcf88f5a5b8a51e794bbd5bfaeacdc59ecd57bcb826719b2e324da4cce14c1

SHA512
699f3ca16468ca0b5733e173499ff0a9eef2ec0956c8376f6bff413eed0053ce45de3151a75d1d6d880cb73297c297842454d8d20d74f5a4bd6530be64768593

Download Submit
C:\Windows\SysWOW64\Dgcihgaj.exe

Filesize
96KB

MD5
da735accdf392ee75ecf89bb866a3f48

SHA1
062ebae5ae8183a89e37c18ffe8495144b1de2fb

SHA256
7a1d73f0aa1a565ceafdd926b4f1fc106b50c6d299ae289bc4d285e88aba5d11

SHA512
e24b7027feb1ba3e73ab5dfbe2d7e8f4c38d0412a9852e00853786b3ad875b841f7734d14f6abfc345d7a3281d720066e5ff2088f089103da3f4fc841c18a580

Download Submit
C:\Windows\SysWOW64\Dkcndeen.exe

Filesize
96KB

MD5
560ac4adfa6d126aa22c44909264193b

SHA1
58cde1a7ca334999be6c75f7819f558a2cfef217

SHA256
29aabe4e5a91c025b85a2bdc046c931c2d7f0a9e20d08123a1c65dd75d96bac7

SHA512
9eea24e4b6dcce5023e7eac43b71425b983c51f8a53d3ca7692a6615a9fb0d0e8a2e1a4bc80185471738e7059a2110dc70743e1d0a38a460f4f2a2ba8bc26194

Download Submit
C:\Windows\SysWOW64\Eghkjdoa.exe

Filesize
96KB

MD5
f4e31f2a28b69a1713372449fe070ebe

SHA1
3b17d6aa97ccb4fc8438bd1b96ef35c3caa980ac

SHA256
63f153a51a3b887b0eb5ceb7de83499b543fab15f6e1f2c927b703bddb36e57b

SHA512
f10cd482e1e68485ab9e6d68a93cfe9a49e25a31e96e4e2e7a5e123eee36a47da1c9047ae13257d1b199686dd5e4079e5eb4f1922278934610f3b6a05953769f

Download Submit
C:\Windows\SysWOW64\Ekjded32.exe

Filesize
96KB

MD5
e7c72f93d66b26f3ac405d6faf1426df

SHA1
7a6524f1e1ee9a17dc5d6911f7860e8e5e6cd92a

SHA256
89343e50dee70bbe608a73af1840f2a0625561bf0e6e251fdd8003b46bbf7cae

SHA512
758a278776d62205198b36a485bec59328fcedc98603f0d8bd8cda350ad3ac0ade2dfa68ea99fde40b06979f4176ebe370878645b6f010b04422648048a4689e

Download Submit
C:\Windows\SysWOW64\Enmjlojd.exe

Filesize
96KB

MD5
d08567cd2a0c640905407abb74dfa550

SHA1
5688ed87ceaba67bf8ee7628d387507ad50a9240

SHA256
80f5cf62149c3839be7f01e578d673a93cca1e6d67c31da31e02821d899c2918

SHA512
9d207da9625bc99990980aeecbac55de1b89d2a03e17a09452bee537fb01ec3c7df13d59158321de58664b53d97c06b641aa51341d1f76062680f9f898ce4b4c

Download Submit
C:\Windows\SysWOW64\Fofilp32.exe

Filesize
96KB

MD5
4e43b29b5d6b63ad2c9baca28eaa35ce

SHA1
64e0ee909a480aeb52e28c86cde78ba4101ee014

SHA256
2335846923c859676a04c4e8d0635b3eb60eb729dec613176d847b76886e4b30

SHA512
cd99a9cc3a7c1a1feae2e67b28f47fd59d8c4744815a43c770b668cf1239a40540d5ab8145a1cd30b8c1ad63597c3aec3d086166330e9ac4690a6f09f82641cb

Download Submit
C:\Windows\SysWOW64\Ggfglb32.exe

Filesize
96KB

MD5
bedd8dc0df0d0d1b30f5a6cb1c141429

SHA1
63106e8e1efb4419ee65588c1327b2317c136583

SHA256
e3c83bd07cf0835a02848944b82da916ea7f76fffdaa60bb8fe7272cc87cb0b4

SHA512
706439147166b7c0280df45c00f238a967a8e31b6d1bc6412d5f1ebb64c9f2e262c3514d164b872f8d53dc427dad5fddcae5b618037910a6864cd7532ac9549c

Download Submit
C:\Windows\SysWOW64\Ggkqgaol.exe

Filesize
96KB

MD5
8a435e180203e3db44e3d371432c3e4f

SHA1
42402fc74d426d7f26c9310386bfc8d4e6dee405

SHA256
e0ed863fd8d559eb0f8ec2cb5839cd827fcb09a212e3409ef679e0f0f9700e2c

SHA512
57275c0d7b5e7ef6301e389f2780b121fa3bd16feec58cf70faa5a96a376d019b2a59d5ef2bb6d1671da6bd185e786de5fb12f31bc73a4f6ec191cdcd7e731d1

Download Submit
C:\Windows\SysWOW64\Hbgkei32.exe

Filesize
96KB

MD5
1daf92370f1b0539b1aecc9ec6f97156

SHA1
4210409c0aa2e99581b53fbb39e48a84dc1f8e85

SHA256
3e1f84db7b023190b6f657e4b403817f40be0c20424092bba533910b102a65f7

SHA512
dc4ed2bc07e472f648f528ffad8e6511f88ff0ca0e8403444777a7bb8598d1794fceed06cf10c4d240ae6e2a037358e9e215d4dba3c784b759e247ab834d5e23

Download Submit
C:\Windows\SysWOW64\Hgapmj32.exe

Filesize
96KB

MD5
e1e36968370257da89ac07ae0e48ed31

SHA1
270f62861837abdfa0a23776cc0bd0ee4ef660c2

SHA256
fd4360fede4f725ec504e2239b4c1e395e52907171d30b8d27909ea6f6c1d496

SHA512
408a2b2e7c1542f3f1918103e6181764825620352b3212f27a9ec74c7f89a4389467a0dd168ed9d7e2f87f0d3e44d1dfc0790cf927296b6057acc62881b5862e

Download Submit
C:\Windows\SysWOW64\Hnibokbd.exe

Filesize
96KB

MD5
46971f7002bcb01a807b7507c772b959

SHA1
7bbcf18ee6c1f38b2f256c73267be750f68167c3

SHA256
7a5424d642e3adc04b33b74bb5319252de77ffacb6f70982ace75d7d1d91e2e1

SHA512
738ec2d343f9b9c8b7d1bf991dc74346367de8a9e28d2d895cf4d74fc1530a9981b763e87db89568920d115512e5ed2cf5607d25cc225e54fec86c54d003b83b

Download Submit
C:\Windows\SysWOW64\Ilibdmgp.exe

Filesize
96KB

MD5
70e4840e7ad43f01753e5da67e586387

SHA1
d23aac1d8fe7a275b9421164e80757eee58c5662

SHA256
85d2e0dab12677deeca081d645adf638f28457e8879facdd73de0e967d258967

SHA512
3086a8881e9d29d56b888960fccd8efb6b8c477897639e4f7e682bbcf91533237e593dea04c9f755db5ac356723a9ec243c1053ff1b59b92339527da39170e72

Download Submit
C:\Windows\SysWOW64\Jogqlpde.exe

Filesize
96KB

MD5
9f388b780d47cc599aad10e0c4cdbd3f

SHA1
24fe67c6570ae2112e9628f3088cd60af9cda475

SHA256
b88fd2a25c78bfa6618833d2dc209a5fe57e5ec646adaa9b9aad6550edee148e

SHA512
46a63c0780508958a40c32a85ff74a32278a7b5b2525bdfb3d798a789ad8fbbf0f9434dd28f42c82e2df19ba4d66b92910f8756ba70230ba003e01d37d050519

Download Submit
C:\Windows\SysWOW64\Khihld32.exe

Filesize
96KB

MD5
cd595db23ed7b2f7d8406ff3b6b1c649

SHA1
9d083eb9dd80279089d139a308248f7ab40a8b9c

SHA256
3fbbe0f08ee615949b9e46c94f8f1e895ca7d2bf0057bbe667b63ea6e246ffb1

SHA512
ff42d21394398b2c83d93bd68890e5dfe6d107d11ecc6c03eb45980012a5a0622b7fed3d5bebb00f7413c989da0ab99fc52466b61c8a7c81b12fecdb619cbd38

Download Submit
C:\Windows\SysWOW64\Lckiihok.exe

Filesize
96KB

MD5
2dfd4a0e41d1ef4088b027372af51557

SHA1
bf25ca601cac52965929f072a90c49528a8fb44c

SHA256
e32d6362f1283e3f3d0b6b88f78cc1445393548dc4847cee0b08d40307d28065

SHA512
f51a66f74627e1e11381ba7b56e90f8bc524821d2b358a2adbbde36cef793e4c4cbbb199ccffee52ee2360cc868df6b81656768c6ce2ff850b7fa3928d54edf5

Download Submit
C:\Windows\SysWOW64\Lljdai32.exe

Filesize
96KB

MD5
92a899a2e179b0a0a4bf3040009d97dc

SHA1
e0f73e77de377d054c495614e263477d1c205021

SHA256
15208c5f7689b08ac6bcd66b4d7b4b198e854a7cc8dbd7f76b543836c5c6467a

SHA512
c00df8865225586f3aadf799f7e90dcb4d777e3c5c276b8976beeab17ae18159401770b0f06a9f4d55d17db651947836242a1f7d6c7f31cb47141ee1accf4761

Download Submit
C:\Windows\SysWOW64\Lolcnman.exe

Filesize
96KB

MD5
3c0d4d0425d0cfa2c9fcb047ed4072c1

SHA1
40e79d530a3fd53010667021496298e24dab3024

SHA256
93ef24236c684e979af073b93231a654db3a5058763c331d524581ab47cd479e

SHA512
8bc474cb64e89694886ffa173c2980ab172d6d4d14736a3da2e4cca0b54bea1f57220a60b81c09869510a14a768d2f7cf775d98539f9dd039d30949a0ea32446

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
96KB

MD5
543f5c05dd860d3615f7375eac49223a

SHA1
04f6c9ba1ec1dc320f259f4557edfda8fb3cb027

SHA256
faa24ffabe1a8b94667c970eb4a11fca2a5a5d63f9f91e10d38ed406f812f408

SHA512
c8690321116363089086511b29f624a827ab51aacca9f2f11eceb6ad58558f45ec0f5651af8754337f98616ab67000581ce1a857eec7b011086f38fccdbb7689

Download Submit
C:\Windows\SysWOW64\Mfeeabda.exe

Filesize
96KB

MD5
55a4041218ed78d665981f48bbb2dafa

SHA1
9abd81ce27fa83660ea72a9a06e3545e6df9dfc6

SHA256
c5eed2a47fd0357b7088f230947ad01c509de546409f67756f7c52449d8e8233

SHA512
e039ada0a282a15a2f6b1d3bb9351252cc5e0f0641ba4261fbbd8d7de7b08ba562f3a05b5b5f535b98ec309297c06a2d2b144387ebad6c29ebd47fadba083827

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
96KB

MD5
e05f7190aa4a3535d8d4d95ac8dc85dd

SHA1
586964b8d99463179d8e7d739e5fd800e778a100

SHA256
be4e0c701b993886a7bb2410c1e0de3b8bfb99eb06def9ee8db8b2eacbfbc0dc

SHA512
a1b402f1a1ddb7b85e6061e20bf782389ced0f74d2612fba6d7ba90dad192552b94d18e313104b0a05c96c0bfc55e5fded6d5056f21fcb0ae9e56c4ac7a57114

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
96KB

MD5
4a9d90791e2c95f15698ba809c20b4a4

SHA1
952ade03d3511879b3a9705f14874a7e5bcc323a

SHA256
048e70f9cfcffc7514676550f1415b077f23a25a0347db715e395223f8971ffe

SHA512
67b75bb475bf4ac345dd2168b503e553ba21f74bcbf7deb5bb50cfe11e3cb5eb58f79a1db029c26fe358121f0b01dfd0fad9dbf90de33040754dad74ef9d4eb6

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
96KB

MD5
58a9c0d22da0e660eb43fb63219d7d60

SHA1
0edf5fa4ba35462b86379b3501f2e3d50c3d73e4

SHA256
d5de7fdaaf629740f2957520988ef6b0bd19a50a0aec1becafe8098511ff8a3f

SHA512
53bf05ab1cf6563df0f99436e106ef4667408b3c54459fddb0f1430e4ed93bacf0dd9582b3e953eaf96722b5b3353442d1716cb9424aedb9b5630d73e9a570c7

Download Submit
C:\Windows\SysWOW64\Noppeaed.exe

Filesize
96KB

MD5
3b6fe816c4ea1055a5563d4088cfaaa9

SHA1
5ba4fc68fc21d56ad9fb7a153d4d3e897d6b3fed

SHA256
4acf55118a19356b44cb7b630f163819be0af1f34681f760695c6ee122f93492

SHA512
2772b924016ebd828ca4c5d97a9485f74c587032c0e6fe731a29608ddc567668f4580193670e4232df9c41a0a7e40f63a7e8eff170d81ab760a0ec26c38965cc

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
96KB

MD5
37867c6aa25ae66ddd4070e939eb28a0

SHA1
594b285d0028e2102a1c9ea788cd0cfb80f50775

SHA256
2bb56f708d38edf92eb3a1d7306f49119ebd40585dabd4811a67534bc8bb178b

SHA512
15c369c480de87fa623eab6782c30101e3494f095371dff8c5a4562ae00e00b75232a4bb64fc2199e7be0f0abb5772c90993d7cfb835af3b9593f134d19161c1

Download Submit
C:\Windows\SysWOW64\Nqcejcha.exe

Filesize
96KB

MD5
bf162c7b6c66ae82314b1aa1d4c310c1

SHA1
be838e420796baea7e2e646415fcce108560dfbc

SHA256
05c221b83c1e2619c370629481099c1a3e6316978b103b81cb6273cd3a803f05

SHA512
7577d1cdd26063ba3548d9ebd75170ffb9bdfad438ce316962f81d72945a9220144cac466c817da6597c5caff2c308520938dbb7f3015a25c184c151ba0667aa

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
96KB

MD5
e58aba2f01713fc6bb669e339c18bba0

SHA1
f3c154221b53480b982c4bacd447ecf110464ee2

SHA256
f20188479243334ccc09495f36429a95fd8f2199b337ffa8c04143bca55b3ee2

SHA512
27fd0f6c278c30603c6263defaeb79e5f7902d257f8994650b049247ba92991805912c5c114f2fe8f6b6f291e70e535c49a36640c8f501d3f2c1b03d73d431e8

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
96KB

MD5
47b7e18e2cb006e2702584b3f620c369

SHA1
5e7d05e78fa804b7bcc3dc0a3b21281e4fddb4cb

SHA256
afeaed304c5597535806d3e25377f26ea05d43e36f740f24f511a9b85a062ee3

SHA512
568e3d2115cdfb5da12f8a1cba687993ce13aae7b84f2c1f62885be89a398468325e57d1168f59f7ca3ecfe04a499572b75dd117703f9fc4d7ce8286772cd67b

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
96KB

MD5
a1d970575aa41d9e9841df82981b2f55

SHA1
ba7171aa33f732f076cb069a9da95d54d421af25

SHA256
23f08d1c4498e9fc8e133ba3eae8f5f0cfb884cde6cb61b9ec8e862279e1cb3e

SHA512
2245f2b54d24aa9ab5f4d19f6a1e6aa2b6dcb4a478db31c64671e045d42a5b3909c2ba0f5651cae79033bde2f676086d6d366f74839ed55de3d6be0e4ce98a0e

Download Submit
C:\Windows\SysWOW64\Ojqcnhkl.exe

Filesize
96KB

MD5
2a1fb05056064bd510b93aae477f8a5a

SHA1
683248c4c23d72524c716a7da3f55acd02b3a0e8

SHA256
3552d6ca847f837bfd205abd473df49e3d5660a1f3e546511d52dcf4cbfd43b6

SHA512
e4f0b5e48977ae9b7ecc9f3a9a101a96c94399d8a3e5e58dfda6049404f5a5682c3cb70cc266d8de98f7399ebe7b287a57377a444600b12ec2a751e00de2a5d7

Download Submit
C:\Windows\SysWOW64\Omfekbdh.exe

Filesize
96KB

MD5
39a2c46d37e1b32fda80f04b3a7c68f2

SHA1
9d840bb032ff749af9321f326b2e1a29ae3bda20

SHA256
ce06b9bc0fbf2a122273c7d33f92c23ae6b946d4e15f41f0b569ec4f90248fc5

SHA512
b4a6550bd94df77b8847f5b32dbce8f4c9af361e287012f6ae68b51234bae5825afb15771d3e975a6462e8d181ff84c1a6a42fa2f7c927d6dfffad6446331b18

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
96KB

MD5
4dc153ec906bab7e79e0d14c31446880

SHA1
b16b9ae39406586f5ed2f1e737b89c3c8746ea1a

SHA256
d1ce6326d800cbce36c1fcc9ffec7e925f6d2afacb06e2d9694c6c68cb10f1a9

SHA512
bf2d1a5ddbad4d08f06bb85600b81a7942a11a96414ecaf962ad6801ab1c02babebf2b891c3a8ac66b81de11376c86d1a74bb40220366400a2464f4853bbb278

Download Submit
C:\Windows\SysWOW64\Ondljl32.exe

Filesize
96KB

MD5
02813456259ba8be7d540ece8bed53e1

SHA1
95fbf8f7f039dc71f65e2109e98c204e5ccfd13a

SHA256
74fe00ed963e9ea9d89f18c78f3275194a14f8ea6e0b256b80c2928f21d2ff5f

SHA512
c88362ab436173e5a5859518c72cc8b9b7a5d206e05dfa2bc0fb0c77428fb5d0b708c990551292a9593915c2ed5b0ec6d61f37cb0ed2b85c92e9c77df39145af

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
96KB

MD5
8a728aa02139fea845042fb8ab40b4d2

SHA1
3736f0eb69d459b7550d926fd7ffe3f0cd883604

SHA256
aea8de837639a92b20ad37f014a67e4d407aeacb408d049948aa461c6b5c8c82

SHA512
d1d48db8dafe5b7ec524ba09ad58e430bed97a5f7f83f0c5d078fd1cc6afce0497c0d16e6ecc06020abb64aa593d2fe8c1b993e1d9a80d53390b44c819b79abe

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
96KB

MD5
aa45e9353b7086abfc30de0355433c9d

SHA1
8b3dd3441b7ffaad7d4e8df55656819e781d4e0d

SHA256
592b0b1e2e6185e6c87e41889044b1a820c981c62320cb5edf786b2d58a39ae7

SHA512
cbb7bf68a4fc7a2cab0767754b191b553d13dd6a2c077e7e6245432f57df14b2ab67f053bd55764da598e0c6467a52ee3556e7abfa0a6f239ce830d52e277d27

Download Submit
C:\Windows\SysWOW64\Pdngpo32.exe

Filesize
96KB

MD5
1a42854b68ac5f06ce243ab8d3e9c422

SHA1
35ebdb4d640c46f2ba437d536acd858a4a4742fe

SHA256
3613cf55276564e00e7821c95933342b5438fb7ed251c131772615493a23b927

SHA512
e63148e4eebc83082f8eb2a2a1441b21130346b1ac27a09e6d4aaa40a52f3ec55382ce231adec4a08abe06a7a663200a2e08900442fe15055a83ee3dc743d90c

Download Submit
C:\Windows\SysWOW64\Pehjfm32.exe

Filesize
96KB

MD5
af3e7c9700dda5e64cfe51ad3fb3c770

SHA1
03bcb392b891b6ea96f40bf78186b144d9d94332

SHA256
8c5b64926531ab2947b5d42a57fbdb82af299edadfa25ba2704c66d29c80c4d5

SHA512
63e1e7fc232b82750abe102eff876dfde9422c542994765b4b55abc95acec2492e702f06b76339788447e540df4b19a0d3d33c3e98aab159a0c04c0ff5042fa7

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe

Filesize
96KB

MD5
035f64f709cc6b9d755cf1dc6266127f

SHA1
6d2e8225f488a0b2988aae7e771520a650d634a5

SHA256
904fe7f521ba50e2309e94d906ae83f448aa135af1529d26c29cdde2d2654385

SHA512
eb34ffb8f24cf9573f3865f2f244eeb305d92260650dbd3e66c959057fb15636e2b53ad86f32110c637292afea6a718ac680c98b215dde77f15d2e5560f0c676

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
96KB

MD5
f36085e25672630544d6531453f4b5c7

SHA1
fa34ab727eee466c5fed8544943063bc68055c67

SHA256
eb6f8a76301a594ea15b26607cbceff3a1f82b960c91e1c95befb3b517e31776

SHA512
b2f714dade795222c356349e4dd8b1b79f94c685fe57d599ddba32de31be22112887ad07d2ea1f554d53222503a72c75bb17f5d7c4e319a197a140a68d4894bd

Download Submit
C:\Windows\SysWOW64\Pmblagmf.exe

Filesize
96KB

MD5
abe07a730f99754401e3a57481e4a6a0

SHA1
a88345abe6600e59305b3c4bd4b9d931591a7065

SHA256
94f9dd657000eb2566c76e1c4e2655ab5bfeb09e9e09e05018841711edc919f7

SHA512
c5ed3ed10e4d9ae976494ad2fbade3f43374d81f5836d7b465a33d8fac382ecbba3454145be6f39a10d3806e1865fa58eb8cc2ad736e09a67147d5a18a32e021

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
96KB

MD5
38be2613151b511360d3107d672db867

SHA1
f11e0d4eb4e3844e8893ad02cb0a734d117bda37

SHA256
543b8a2d56185eb58e8d04ea14265c8ddf1fcd1b7edc624226b2a59deb000e06

SHA512
ce82b56bc4688abb58869a2731e4204616dbb4b843292461ea16e1203f552b24d81720f9ff3e457e72109166f7e0f87f456bc045149e005b483b577e76f44997

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
96KB

MD5
da00503316db1cdca6a220dea913e14a

SHA1
f5d6f129dc4a4e9643e196d6cf985c35297b005b

SHA256
2e0c15cbf0421929087198c997de138f4243c5f1c33ebe362f065f97c6faf91d

SHA512
0827d4197a4a4caeedd0089a028624c02432084bb5e3b777385c1dd6841e3b50171fe725c5e3fe8fd43441f71ed395e1c42bcc0c3b5e8f514f2ce5c46bda8705

Download Submit
C:\Windows\SysWOW64\Qmckbjdl.exe

Filesize
96KB

MD5
530d569a1d59f6549ef0672ed85b95b5

SHA1
163efe71712d0a2ba33d6904a2b6ccfafd70b093

SHA256
859df67c60668d693dab4ce9ad51dba75519e549e7a0f347db5be2b17d7f0d33

SHA512
7b480490a6d8cce9a51e1596aef675b7bfc66b2565dbb3624140b13b240e8f6dffedbaa8be78789b0a5310ab08b5282a838da38336729c46c035128b824117e5

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
96KB

MD5
9bbf0c2133a4da9157775a4fb69df471

SHA1
5a4dc4b47aa7133ba862490f3810377b1dd82aef

SHA256
fb028cff083abe80c3b09cb1ecccdb760ae9f667caed1ce1751c0ad27d61eba3

SHA512
5411cff495440d540216ff7dead2bbe3909d0c8f9493529d10ebe6a72320c522167c46bc830cfd64b76b27416ea615dda211e42bb4966faa065910678a8911b3

Download Submit
memory/232-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/312-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/560-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/636-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/756-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/804-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-501-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1568-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1728-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1728-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1756-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2220-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2760-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3108-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3112-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3120-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3188-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3324-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3344-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3356-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3568-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-528-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3656-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3812-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3812-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3856-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3860-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3996-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4000-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4260-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4300-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4404-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4488-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4828-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4916-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5148-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5204-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5244-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5284-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5328-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5372-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5432-575-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5500-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5544-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads