cb3989c5fb7500bb2d94d4b093b27d1e6792454e1ce31a0ea96430c675aa9965

Analysis

max time kernel
141s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb3989c5fb7500bb2d94d4b093b27d1e6792454e1ce31a0ea96430c675aa9965.exe
Size

483KB
MD5

431e357a397b863f509388648119a96e
SHA1

a5b11e0bd499e4a8ba10ffc60fe26e3055e9aaf3
SHA256

cb3989c5fb7500bb2d94d4b093b27d1e6792454e1ce31a0ea96430c675aa9965
SHA512

be3931e174518fe60f70f4b49df60981463ccfb2083d2379748c6e0fda61f0bc6d9a700750b7dd2a7f1a23c406cffeca8bed337fe4d1eaff9625576fab4350ac
SSDEEP

6144:D7sYbQqKtFy5v1k3RMZebBDRMZebBGzxUur/THL1k3RMZebBvG0NPhGcRPTDpL1/:/stY5vARM0RM/3ARMSG0dhvARMoHG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gndick32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkqfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Foclgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkaclqkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmpkadnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feenjgfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkaobnio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kncaec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aggpfkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcimdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Heegad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmqlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcdjbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaldccip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfcabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipdndloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iefphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlmkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhboolf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcifkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcclncbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilkoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lindkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfbkpab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njpdnedf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbplml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbccge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfcabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdecgbfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekjded32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilnbicff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caojpaij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klcekpdo.exe

Executes dropped EXE 64 IoCs

pid	Process
5044	Achegd32.exe
2832	Lmpkadnm.exe
1956	Mkjnfkma.exe
4152	Mjahlgpf.exe
1640	Nndjndbh.exe
2020	Njpdnedf.exe
2124	Oejbfmpg.exe
3612	Odoogi32.exe
1556	Omgcpokp.exe
1020	Pmlmkn32.exe
2004	Qeodhjmo.exe
4484	Alkijdci.exe
3668	Aaohcj32.exe
2792	Badanigc.exe
1764	Bebjdgmj.exe
2968	Bkaobnio.exe
452	Clchbqoo.exe
212	Cbdjeg32.exe
1632	Cdecgbfa.exe
5108	Dbkqfe32.exe
4772	Dmcain32.exe
4116	Eecphp32.exe
1876	Epmmqheb.exe
4560	Fihnomjp.exe
4320	Flmqlg32.exe
984	Gflhoo32.exe
1140	Hbhboolf.exe
5032	Hmbphg32.exe
752	Hlglidlo.exe
5000	Ilnbicff.exe
460	Jcdjbk32.exe
4368	Knnhjcog.exe
2040	Klcekpdo.exe
3484	Kncaec32.exe
3608	Klhnfo32.exe
4224	Lpfgmnfp.exe
236	Lokdnjkg.exe
3944	Lnldla32.exe
2924	Lcimdh32.exe
932	Lmaamn32.exe
4052	Mmhgmmbf.exe
3848	Mgnlkfal.exe
4056	Mfeeabda.exe
3088	Mcifkf32.exe
1168	Mjcngpjh.exe
3972	Ncnofeof.exe
1396	Nqbpojnp.exe
4960	Njjdho32.exe
64	Ngndaccj.exe
2484	Nfcabp32.exe
4232	Oplfkeob.exe
2280	Ocjoadei.exe
3568	Ocohmc32.exe
3812	Ocaebc32.exe
2172	Pjkmomfn.exe
3856	Pfandnla.exe
4112	Pmnbfhal.exe
1976	Ppolhcnm.exe
3124	Aogbfi32.exe
4352	Adcjop32.exe
4640	Adhdjpjf.exe
888	Aggpfkjj.exe
1348	Aaldccip.exe
2268	Agimkk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jbofpe32.dll	Ngndaccj.exe
File created	C:\Windows\SysWOW64\Pfandnla.exe	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Badjai32.dll	Ekcgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Fbdehlip.exe	Fqeioiam.exe
File created	C:\Windows\SysWOW64\Dblamanm.dll	Pjlcjf32.exe
File created	C:\Windows\SysWOW64\Qeodhjmo.exe	Pmlmkn32.exe
File created	C:\Windows\SysWOW64\Dbkqfe32.exe	Cdecgbfa.exe
File opened for modification	C:\Windows\SysWOW64\Ncnofeof.exe	Mjcngpjh.exe
File created	C:\Windows\SysWOW64\Ekhobd32.dll	Alkijdci.exe
File created	C:\Windows\SysWOW64\Ncnofeof.exe	Mjcngpjh.exe
File created	C:\Windows\SysWOW64\Achegd32.exe	cb3989c5fb7500bb2d94d4b093b27d1e6792454e1ce31a0ea96430c675aa9965.exe
File opened for modification	C:\Windows\SysWOW64\Lcimdh32.exe	Lnldla32.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Ckbemgcp.exe
File opened for modification	C:\Windows\SysWOW64\Pmlmkn32.exe	Omgcpokp.exe
File created	C:\Windows\SysWOW64\Clmmco32.dll	Inebjihf.exe
File created	C:\Windows\SysWOW64\Klndfj32.exe	Kedlip32.exe
File opened for modification	C:\Windows\SysWOW64\Hhimhobl.exe	Hlppno32.exe
File opened for modification	C:\Windows\SysWOW64\Fbgbnkfm.exe	Finnef32.exe
File created	C:\Windows\SysWOW64\Gnnccl32.exe	Feenjgfq.exe
File created	C:\Windows\SysWOW64\Gmefoohh.dll	Feenjgfq.exe
File created	C:\Windows\SysWOW64\Khgbqkhj.exe	Koonge32.exe
File opened for modification	C:\Windows\SysWOW64\Khgbqkhj.exe	Koonge32.exe
File created	C:\Windows\SysWOW64\Mbkkam32.dll	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Gkaclqkk.exe	Gnnccl32.exe
File created	C:\Windows\SysWOW64\Pmapoggk.dll	Gkaclqkk.exe
File opened for modification	C:\Windows\SysWOW64\Iefphb32.exe	Ieccbbkn.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Aogbfi32.exe
File created	C:\Windows\SysWOW64\Adnbpqkj.dll	Bmhocd32.exe
File opened for modification	C:\Windows\SysWOW64\Fbplml32.exe	Ekcgkb32.exe
File created	C:\Windows\SysWOW64\Cbdjeg32.exe	Clchbqoo.exe
File opened for modification	C:\Windows\SysWOW64\Ngndaccj.exe	Njjdho32.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Ppnenlka.exe
File created	C:\Windows\SysWOW64\Jfmlqhcc.dll	Kheekkjl.exe
File created	C:\Windows\SysWOW64\Jlgfga32.dll	Koonge32.exe
File opened for modification	C:\Windows\SysWOW64\Mhldbh32.exe	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Mjcngpjh.exe	Mcifkf32.exe
File opened for modification	C:\Windows\SysWOW64\Fqeioiam.exe	Foclgq32.exe
File created	C:\Windows\SysWOW64\Hfibla32.dll	Joqafgni.exe
File created	C:\Windows\SysWOW64\Lmpkadnm.exe	Achegd32.exe
File created	C:\Windows\SysWOW64\Mgpilmfi.dll	Gndick32.exe
File opened for modification	C:\Windows\SysWOW64\Dojqjdbl.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Inebjihf.exe	Hhimhobl.exe
File opened for modification	C:\Windows\SysWOW64\Adhdjpjf.exe	Adcjop32.exe
File created	C:\Windows\SysWOW64\Aaldccip.exe	Aggpfkjj.exe
File opened for modification	C:\Windows\SysWOW64\Ipdndloi.exe	Inebjihf.exe
File opened for modification	C:\Windows\SysWOW64\Koonge32.exe	Kheekkjl.exe
File created	C:\Windows\SysWOW64\Debcil32.dll	Mcfbkpab.exe
File opened for modification	C:\Windows\SysWOW64\Lmpkadnm.exe	Achegd32.exe
File opened for modification	C:\Windows\SysWOW64\Oejbfmpg.exe	Njpdnedf.exe
File created	C:\Windows\SysWOW64\Hbhboolf.exe	Gflhoo32.exe
File created	C:\Windows\SysWOW64\Hhimhobl.exe	Hlppno32.exe
File created	C:\Windows\SysWOW64\Odoogi32.exe	Oejbfmpg.exe
File created	C:\Windows\SysWOW64\Bcoaln32.dll	Eqgmmk32.exe
File created	C:\Windows\SysWOW64\Ocjoadei.exe	Oplfkeob.exe
File created	C:\Windows\SysWOW64\Bdlgcp32.dll	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Dgjoif32.exe	Doojec32.exe
File created	C:\Windows\SysWOW64\Caojpaij.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Mjahlgpf.exe	Mkjnfkma.exe
File opened for modification	C:\Windows\SysWOW64\Lpfgmnfp.exe	Klhnfo32.exe
File created	C:\Windows\SysWOW64\Gaqhjggp.exe	Gkaclqkk.exe
File created	C:\Windows\SysWOW64\Jhnojl32.exe	Jhifomdj.exe
File created	C:\Windows\SysWOW64\Papambbb.dll	Dgjoif32.exe
File created	C:\Windows\SysWOW64\Hlhefcoo.dll	Pjkmomfn.exe
File opened for modification	C:\Windows\SysWOW64\Aaldccip.exe	Aggpfkjj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6976	6808	WerFault.exe	236

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmlmkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flmqlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmapoggk.dll"	Gkaclqkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhlclpe.dll"	Kedlip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcclncbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcncmnn.dll"	Hlglidlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggdhe32.dll"	Heegad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekcgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Falmlm32.dll"	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khgbqkhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhboolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khiofk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njpdnedf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfeip32.dll"	Cbdjeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begfqa32.dll"	Egened32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lindkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaeidf32.dll"	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmaamn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knnhjcog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omdieb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajefoog.dll"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnflfgji.dll"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkaclqkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kakmna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfgmnfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hanpdgfl.dll"	Klndfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjahlgpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcoaln32.dll"	Eqgmmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oingap32.dll"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiikpnmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Finnef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipdndloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhjimfo.dll"	Dhdbhifj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekjded32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jimldogg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebjdgmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clchbqoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cb3989c5fb7500bb2d94d4b093b27d1e6792454e1ce31a0ea96430c675aa9965.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oejbfmpg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 5044	4436	cb3989c5fb7500bb2d94d4b093b27d1e6792454e1ce31a0ea96430c675aa9965.exe	91
PID 4436 wrote to memory of 5044	4436	cb3989c5fb7500bb2d94d4b093b27d1e6792454e1ce31a0ea96430c675aa9965.exe	91
PID 4436 wrote to memory of 5044	4436	cb3989c5fb7500bb2d94d4b093b27d1e6792454e1ce31a0ea96430c675aa9965.exe	91
PID 5044 wrote to memory of 2832	5044	Achegd32.exe	92
PID 5044 wrote to memory of 2832	5044	Achegd32.exe	92
PID 5044 wrote to memory of 2832	5044	Achegd32.exe	92
PID 2832 wrote to memory of 1956	2832	Lmpkadnm.exe	93
PID 2832 wrote to memory of 1956	2832	Lmpkadnm.exe	93
PID 2832 wrote to memory of 1956	2832	Lmpkadnm.exe	93
PID 1956 wrote to memory of 4152	1956	Mkjnfkma.exe	94
PID 1956 wrote to memory of 4152	1956	Mkjnfkma.exe	94
PID 1956 wrote to memory of 4152	1956	Mkjnfkma.exe	94
PID 4152 wrote to memory of 1640	4152	Mjahlgpf.exe	95
PID 4152 wrote to memory of 1640	4152	Mjahlgpf.exe	95
PID 4152 wrote to memory of 1640	4152	Mjahlgpf.exe	95
PID 1640 wrote to memory of 2020	1640	Nndjndbh.exe	96
PID 1640 wrote to memory of 2020	1640	Nndjndbh.exe	96
PID 1640 wrote to memory of 2020	1640	Nndjndbh.exe	96
PID 2020 wrote to memory of 2124	2020	Njpdnedf.exe	97
PID 2020 wrote to memory of 2124	2020	Njpdnedf.exe	97
PID 2020 wrote to memory of 2124	2020	Njpdnedf.exe	97
PID 2124 wrote to memory of 3612	2124	Oejbfmpg.exe	98
PID 2124 wrote to memory of 3612	2124	Oejbfmpg.exe	98
PID 2124 wrote to memory of 3612	2124	Oejbfmpg.exe	98
PID 3612 wrote to memory of 1556	3612	Odoogi32.exe	99
PID 3612 wrote to memory of 1556	3612	Odoogi32.exe	99
PID 3612 wrote to memory of 1556	3612	Odoogi32.exe	99
PID 1556 wrote to memory of 1020	1556	Omgcpokp.exe	100
PID 1556 wrote to memory of 1020	1556	Omgcpokp.exe	100
PID 1556 wrote to memory of 1020	1556	Omgcpokp.exe	100
PID 1020 wrote to memory of 2004	1020	Pmlmkn32.exe	101
PID 1020 wrote to memory of 2004	1020	Pmlmkn32.exe	101
PID 1020 wrote to memory of 2004	1020	Pmlmkn32.exe	101
PID 2004 wrote to memory of 4484	2004	Qeodhjmo.exe	102
PID 2004 wrote to memory of 4484	2004	Qeodhjmo.exe	102
PID 2004 wrote to memory of 4484	2004	Qeodhjmo.exe	102
PID 4484 wrote to memory of 3668	4484	Alkijdci.exe	103
PID 4484 wrote to memory of 3668	4484	Alkijdci.exe	103
PID 4484 wrote to memory of 3668	4484	Alkijdci.exe	103
PID 3668 wrote to memory of 2792	3668	Aaohcj32.exe	104
PID 3668 wrote to memory of 2792	3668	Aaohcj32.exe	104
PID 3668 wrote to memory of 2792	3668	Aaohcj32.exe	104
PID 2792 wrote to memory of 1764	2792	Badanigc.exe	105
PID 2792 wrote to memory of 1764	2792	Badanigc.exe	105
PID 2792 wrote to memory of 1764	2792	Badanigc.exe	105
PID 1764 wrote to memory of 2968	1764	Bebjdgmj.exe	106
PID 1764 wrote to memory of 2968	1764	Bebjdgmj.exe	106
PID 1764 wrote to memory of 2968	1764	Bebjdgmj.exe	106
PID 2968 wrote to memory of 452	2968	Bkaobnio.exe	107
PID 2968 wrote to memory of 452	2968	Bkaobnio.exe	107
PID 2968 wrote to memory of 452	2968	Bkaobnio.exe	107
PID 452 wrote to memory of 212	452	Clchbqoo.exe	108
PID 452 wrote to memory of 212	452	Clchbqoo.exe	108
PID 452 wrote to memory of 212	452	Clchbqoo.exe	108
PID 212 wrote to memory of 1632	212	Cbdjeg32.exe	109
PID 212 wrote to memory of 1632	212	Cbdjeg32.exe	109
PID 212 wrote to memory of 1632	212	Cbdjeg32.exe	109
PID 1632 wrote to memory of 5108	1632	Cdecgbfa.exe	110
PID 1632 wrote to memory of 5108	1632	Cdecgbfa.exe	110
PID 1632 wrote to memory of 5108	1632	Cdecgbfa.exe	110
PID 5108 wrote to memory of 4772	5108	Dbkqfe32.exe	111
PID 5108 wrote to memory of 4772	5108	Dbkqfe32.exe	111
PID 5108 wrote to memory of 4772	5108	Dbkqfe32.exe	111
PID 4772 wrote to memory of 4116	4772	Dmcain32.exe	112

C:\Users\Admin\AppData\Local\Temp\cb3989c5fb7500bb2d94d4b093b27d1e6792454e1ce31a0ea96430c675aa9965.exe
"C:\Users\Admin\AppData\Local\Temp\cb3989c5fb7500bb2d94d4b093b27d1e6792454e1ce31a0ea96430c675aa9965.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\SysWOW64\Achegd32.exe
  C:\Windows\system32\Achegd32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\SysWOW64\Lmpkadnm.exe
    C:\Windows\system32\Lmpkadnm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\Mkjnfkma.exe
      C:\Windows\system32\Mkjnfkma.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\SysWOW64\Mjahlgpf.exe
        
        C:\Windows\system32\Mjahlgpf.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
      - C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Njpdnedf.exe
        
        C:\Windows\system32\Njpdnedf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Oejbfmpg.exe
        
        C:\Windows\system32\Oejbfmpg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Odoogi32.exe
        
        C:\Windows\system32\Odoogi32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Omgcpokp.exe
        
        C:\Windows\system32\Omgcpokp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Pmlmkn32.exe
        
        C:\Windows\system32\Pmlmkn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Qeodhjmo.exe
        
        C:\Windows\system32\Qeodhjmo.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Alkijdci.exe
        
        C:\Windows\system32\Alkijdci.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Aaohcj32.exe
        
        C:\Windows\system32\Aaohcj32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Badanigc.exe
        
        C:\Windows\system32\Badanigc.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Bkaobnio.exe
        
        C:\Windows\system32\Bkaobnio.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        23⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        24⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        25⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:984
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        29⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:460
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        38⤵
        Executes dropped EXE
        
        PID:236
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        42⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        43⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        47⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        48⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        57⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        58⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        67⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        68⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        71⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4008
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2920
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        76⤵
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2240
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        79⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        81⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        86⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        87⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        91⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        92⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        94⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        96⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        98⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        100⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        103⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        104⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        107⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        109⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        111⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        113⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        116⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        117⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        119⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        120⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        121⤵
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        122⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        125⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        126⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6240
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        130⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        132⤵
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6484
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        135⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        137⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        139⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 404
        140⤵
        Program crash
        
        PID:6976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6808 -ip 6808
1⤵
PID:6892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1712 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:6472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaohcj32.exe

Filesize
483KB

MD5
b3308142305ba246f06d209421ecf75e

SHA1
86b7fc1cd79ef99b37ac7a5f8aea522bff1d8605

SHA256
17ca9eff32178c88940c721b86162cd7fb545a95064b08d96b354abdde2592bd

SHA512
43bfa63aa26738d99c645d172004e76146d81d2a273f9b14d754594930de1cc1733faac00bcd38f1f77356a20581a93da33cbfceadf9bc5db318efb21e8eaf3e

Download Submit
C:\Windows\SysWOW64\Achegd32.exe

Filesize
483KB

MD5
253fcab2e07a96f2c05fa8fcc1ce0b3b

SHA1
f5c65760cbbc164596fa6ba2aa8d012d97547cd8

SHA256
fd8234ba2f7535353842d2b74320d733d78852466cf06b5066225b28cefab0f4

SHA512
ce0721d539377a1a88a3270c69da9df1db987263a39772115339b1d7367d35ce3f6d7efb02a7e4df32af77d21e762b16430d855920bdf7dfaadf5b3e7911a63c

Download Submit
C:\Windows\SysWOW64\Alkijdci.exe

Filesize
483KB

MD5
a10b4f68dd825c293fa9db47653d0405

SHA1
6c1eb03c8e03eb857308f2dcea9ed722cc5babf8

SHA256
9678ce2793f29ac294948322b69fdadee55abc390249272cb4f3dd5782b4caf4

SHA512
3f4e67fc73cb3e4430bf38608bcc2a67cf0ccb766c071a759249feb62c4506a7f3602e28552dbd008f969c59281d76c9861914485d1e966d6ea8979c8203e1ee

Download Submit
C:\Windows\SysWOW64\Badanigc.exe

Filesize
483KB

MD5
47375815408271731d49ab1da89b3aef

SHA1
f0b5f279c4bad78bf8af16b6fad541fa417a3eed

SHA256
b63d0a10f77608df848057b416357b46e89d1b0b85f1e3635f56bb5caba8cf06

SHA512
fe960071ed7b9411eb7ef85a061fcaab8b0266d9606a8c0e49af94f68a5097a6970b34ab1e936af41dd938a15974a6e9abe72c9922dff4160cc1a32bc7e8d740

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe

Filesize
483KB

MD5
1a040317ea2917ebe32e6b1581867d8d

SHA1
85d9417a7644edd1d72f9efa6e13cd4d4428c45d

SHA256
997dece0f858830ab3f827919e2135716e8de032bf7b407b955154fe435b6558

SHA512
8d035680f142a629f82c4e69fe5d29dade5fb4d4782b46650dc0c43d3cbc45ac5a8b95a5b48a8df06e8f4414db8e06e2a52b9440effe0ff8498969fa9afa973d

Download Submit
C:\Windows\SysWOW64\Bebjdgmj.exe

Filesize
483KB

MD5
04300f819b08b0d75c119b8641e3802b

SHA1
f00a7b2ae9d9ea9cbd20afd548d62806a007c7be

SHA256
819359295d2a3eae6a39d9a04b682c8f41d45db1f2cc96df70b6a7733a956afb

SHA512
96d284f3180ab0a640162023d5223df057a664f1560a855df0737cf73c47b971100eb4601122c7fccad3ef4e456946035c238be08e2fe77f85cd0523912c05e7

Download Submit
C:\Windows\SysWOW64\Bkaobnio.exe

Filesize
483KB

MD5
15acc227d46717ee9486c3f24f103c14

SHA1
788f1873812e8aeab0c8fe168a750cd37e9110fb

SHA256
13f17f896ab38c68763c46a8dc038ac4ebff2d14c65d79c0991a5f28b35b7cc3

SHA512
87b6158f2dee40891d9bc88915a6849d7675d77aafe6889549313209f909bec5555e65ec9719dd28c0efb4c52fbb1a6aacb4e8b3aea602b3585869f7fe2fb76f

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
483KB

MD5
f13e0cc7b42b7202ef6d91344d63b846

SHA1
a6bcfa547eed0ae5b2330f935482b3071c513c69

SHA256
6db2b7020e7200a8f4890daa9a4d9352eb89c8da7cc23d51eba8da9ce6913e01

SHA512
a74c93da68a25b9bc0708415a1f9d18ea384b0f39431943d1624fad46f86b339ff4edec41888d449f3918bf2d44e40c817b342ac2c49638a1549ff455a28d169

Download Submit
C:\Windows\SysWOW64\Cdecgbfa.exe

Filesize
483KB

MD5
f6eee366f79dbd256048ac48a587f582

SHA1
2acdcb58fa445ba082902d253d741516e7a6cb42

SHA256
c5cfd28afbe02aa323d640617e19448c07f01d59341b0d798945ce2b61c1ed25

SHA512
d61aa63960fa358073b5c9662fa1771ff4463ec9d6a8f8386409c57718b5f5f5c8e96d54f019bfcc09b8191fbc4d346dfa602e5be3dd0fd362f4a4c91ea1794f

Download Submit
C:\Windows\SysWOW64\Cglbhhga.exe

Filesize
483KB

MD5
1e3e61d5cd4bf23afac123b9557cddda

SHA1
bd88c946d7ae246da37e354af82a7c610b9fbf71

SHA256
6b72948c0c31ef7d56e28e686b1331e045740a022477f9b93c981c9c4ffa10c4

SHA512
5d16c85a6cd7219b73a147dcabb06de935f79ba08c1887811537214dc309cb2e20f8f3789bcb273005eca94a938151e853ff28bbef17111c5668e1aa18cdb06a

Download Submit
C:\Windows\SysWOW64\Chfegk32.exe

Filesize
483KB

MD5
884ce182b6f34fc310c723dbb1619dd3

SHA1
f08ffb3b63db206e1646eb776bb739934cb73f40

SHA256
baf4aa67085885232cec19ef0fd81a4e1b3681947c4380860cdbfee49131549b

SHA512
e30fd868daa609c7204ad20431dbcac200a2c24dde5cdcd876dc4415c8250f25a1154d524734ecd8888d4802603de811e305f8085ffb85aac13a081659ec267a

Download Submit
C:\Windows\SysWOW64\Ckbemgcp.exe

Filesize
483KB

MD5
5d8e45cb146acd715633142aa7569240

SHA1
e2e1aa5ea735ae6090f22e7af348da04bbf27c78

SHA256
1ca36d4ac4da89f0ed24deababafe2751808c1dcadd789ef5a0e50298f5a5ed9

SHA512
db575600d57c735aa6322a9a9eb81aee5023d19234683fe25742f113b175588ebe65a2f61232436a8cfaedaec4fce7aff8229d6028db2eb990b0a4f8a5336dcb

Download Submit
C:\Windows\SysWOW64\Clchbqoo.exe

Filesize
483KB

MD5
453c63098d656b65a9c3f88be6f5c1d9

SHA1
61b7782c5ecbc3360df603e02716cbbca1cc4075

SHA256
9e4eef25754d2b33c64d90fe0e0782eae2aee3c09362a687c82f642987ba08eb

SHA512
4b6f0df10d01591e9bec89607390ba6cbebf5b87dec958899b9c293937d99d48639b5baf06b30f7d437a28cc371d0a2a339ecb801e5a231c50a0eb7f6dda3787

Download Submit
C:\Windows\SysWOW64\Dbkqfe32.exe

Filesize
483KB

MD5
512c3c6f547528550f907b1450c8b102

SHA1
3032acd4b18c4bc7a6b70a2fdf756024ed916444

SHA256
e25a5079d061f8ef17b404e7ab62e58c2ef559e340ee897e642f17cfec4a1d3a

SHA512
1a9c8883592171c79fe84cf960064716141e99265db23621275983522bc4ac4e1132aab61e98368a3b3d40512112cc6bb7cfa905847ace4358cadf6ca0c29c43

Download Submit
C:\Windows\SysWOW64\Dhdbhifj.exe

Filesize
483KB

MD5
314fff747586f8f67d840ce4d0740591

SHA1
9c7940c386801ec24872befca0e37833f2b17aeb

SHA256
0cfc3c262ee85628fcae610de2bc9e99f2d499b95b25637f0202dc51ccddec9a

SHA512
d62007080ebd83659ff67d0e3215a540e00e910a09517f27300497728830218c127236d034495df0338063dd1790b1d411c2c67c5fa3b67211ec1192a3c9b451

Download Submit
C:\Windows\SysWOW64\Dmcain32.exe

Filesize
483KB

MD5
a1a5de1f6b2b5b97b6444b48cce17bcf

SHA1
b423dc0889e690198987fdd996c4cb0666a25e64

SHA256
c3b84dad480972cdb8bf27e18d29a597dedc315c08ca619e80be0f1a6e5f2c19

SHA512
2fa1a7a7ca1edc1ddf43a3d3bf122d41dae4f72add1370e061cf92dece4535abe767a4b943b4a53c3aff00d09b72e019694a0e62137467175c8760d1ba3fabe6

Download Submit
C:\Windows\SysWOW64\Eecphp32.exe

Filesize
483KB

MD5
754e8829048a7c78704901de2c48fa00

SHA1
e50167111388597f4036082b9d36b29ef5501ed5

SHA256
c5bf5d642775b64282d778aeae9dbfd7690cd40cd5324d459e328faba6084c47

SHA512
8ebeaf7f727ad6ccb3e2ec9e4fd515062f634b9f1ddfde9bce3e51ee9016e243514f7199a29ef78eaa54fb9be74b1c81b049bca107afcc4238d2ca1b56979a15

Download Submit
C:\Windows\SysWOW64\Egened32.exe

Filesize
483KB

MD5
00e1a56106ccaae3f05ccb1065fd3cd1

SHA1
11c3f3573ef8655fecfbc12c079d826a29c07f23

SHA256
950f21ff93bc55e57797cd7f3870f0fd3f513c0971e74658bd7b6697465c041c

SHA512
ed8d2622df1c73e343636564f369dbedbcf2cc5afdbd516682d2b7d7f6f6a7f4d058ca0457c6b347bd99a98261edab0c9698fa16fecff5777067e4c5143dbc89

Download Submit
C:\Windows\SysWOW64\Epmmqheb.exe

Filesize
483KB

MD5
826bf975dde92aa488f52ccbc26770c7

SHA1
4f7e891caff94ba3b09ed756bea47dba1ac1033c

SHA256
b9cd0efe88525e699f58930c5c59655a4b4867fd4afb62d1674c0cfb0b8e7253

SHA512
99529ad3a59e915a805770d16bdd4e2b9f1060761d7e6c78c5e670498c3318786f80fc99eee8a12e2bf5c497f33d95a2c7904a4d9ea8e30e5cca4699f01392eb

Download Submit
C:\Windows\SysWOW64\Fbplml32.exe

Filesize
483KB

MD5
e21c556995f710e6e9cc8340c1167d4f

SHA1
b44337db71153a306fef3cdb5a3db2e18cff7751

SHA256
835991a536a3d868085fa0517f4fdc427f189be9c3fe2c6274ac2451288b2f9e

SHA512
8a4b9b6131ef9c46e3af9748c53ab4355a3de890e623b9f2643540b4f1802a242c7f876a25a91d751256bc4101940b27bbeaa0fb29942a84422452c0e86f863c

Download Submit
C:\Windows\SysWOW64\Fihnomjp.exe

Filesize
483KB

MD5
e1981a6ad5588bc6e0c6cb8d590b41d1

SHA1
42db61a6900c4af0ed047f7e4e79da898cf8237f

SHA256
9a34f3bc01ed052e3a4584c4e2cd3296f6c0470531ea65a1c6cce864ecc6e634

SHA512
19fad7c151656335208777eb58b7bdfc03013848c01e34dc188ade397e68c645d0f850d895bdb794460f849dd1a6a38a776f72a85e2541d7752518fd259c3540

Download Submit
C:\Windows\SysWOW64\Flmqlg32.exe

Filesize
483KB

MD5
90953b69d5bd3e1be2c5674684c3270f

SHA1
431f753aec547baf8bb2b5862047eb54896320e6

SHA256
19426fee7ec9a3398b37012d263ebcd0d5ef0d0f5573c7373730f16409ccb551

SHA512
1111c9d4566d1c219d946af6d13d7f5e1a552b029485fd461a9ea9a02e47e5471bcb02e31f1386fb03cd17edd09600262c5b7122f7b533492a4b058c7bd92d02

Download Submit
C:\Windows\SysWOW64\Gaqhjggp.exe

Filesize
483KB

MD5
972829f9884d5aa94a7594c3de90ded1

SHA1
284f7603095a6b4e55bb188a9556e60666f9263f

SHA256
3d1e66b9f92182cb6c44b86bb6f2f7970ebc3e2129f9688faea8043e94be699e

SHA512
8b3b45feee979187401bf564fdf72d02b8d8e3d177d862b5c54f1271e4a7ae81b4bd1998268b2382a595358ddad21d41f03b0abed404f55a2f91c5a09052c8b2

Download Submit
C:\Windows\SysWOW64\Gflhoo32.exe

Filesize
483KB

MD5
988e2bdf57d04b5ced1cf7c470045ee2

SHA1
19b173aea2f750b8f239bf8b6ab448ccfe415445

SHA256
0954cb2c46152aafdbbc5675a110afffb6036a311f5f8b2d2fe383e8bc1fce19

SHA512
d58b55de328ea0aa5984d52d1573f054e88c7401768c7451b15a059a4b808fbd3ec7e91aab6834b1672a2a4b7e69c7e9e482a02cf8bb4b06c758d3ef9e348a22

Download Submit
C:\Windows\SysWOW64\Gkaclqkk.exe

Filesize
483KB

MD5
e84f024d07f8a322b50f18696337a19b

SHA1
3c766eea12ee8985a692201a60c85fb2a016faa5

SHA256
f4da36267f9583816f186f4b07ebf00081650ecc8be73242863eaeab2dc8915a

SHA512
e32836fa079180474493966e1d38075e97ad828421a061ead71cd2d1e9ad90ae2e79b1c503c32e02be3c1bbb4b5142d117572fc61784204269fc4c9679321dfc

Download Submit
C:\Windows\SysWOW64\Hbhboolf.exe

Filesize
483KB

MD5
c98972db19c6990559772761a03e0faa

SHA1
40018c3023da3920a56432e02e8a1bc97dc167a2

SHA256
92fdcdb19ec42b72f56b00460851dc53204857ccfe743ff64065cdc88165d1a1

SHA512
ede8f8759a24daae04d97cc751858b3d90cd9cfec1c204ca2f0460d7d5179e628efa0a65e9b4f95a82dfe0b2cdcf582dbb1c7e5e1ed7deba6957aaae8ee050d7

Download Submit
C:\Windows\SysWOW64\Hlglidlo.exe

Filesize
483KB

MD5
1897622c068809ab960ea96f99e87c69

SHA1
09342940f9fa452ae6239fa130b18324ca3a5718

SHA256
957830378aae412567879849b81a59ab68fd3fdddd3a9de111950a10a6226a2c

SHA512
e83c51ccce591c0223347a13e86baf8d9486f384e69be9ed61d80c4daff981abd140f2fbfc19d5e9ebbebad89cc178ba017d7dc58748a5171caea8e0765b3a92

Download Submit
C:\Windows\SysWOW64\Hlglidlo.exe

Filesize
483KB

MD5
e5d3319db5fdb8dbcdedf3a045497d11

SHA1
3446bb1c1e4d7d7cb142d1866edad1a5520b8318

SHA256
1cf16c0f2c93312e1e20955317598ea7b278f4c42a18718aecba2a3c2079bd3d

SHA512
680b014c3363b44a2a0ef422f4774ca758507a2f24660a1cefb280c85223108a590554a91bfd01d4681ae464c72b8b58b43476afccd1b598849e2fb62b14720a

Download Submit
C:\Windows\SysWOW64\Ilnbicff.exe

Filesize
483KB

MD5
83bab8e5a4a04ee12d99840db0a6725a

SHA1
3d21cdb60cb6f940de63dbe0159eaf69efa2c5a7

SHA256
771e9154bb29cbc9959e59758cf44e82090dc8f3c2f33546173ee80e511efd3c

SHA512
df58cfd0071cf80a70bdcaa3df387ac4edef2b809c57e997d990810f770079a996e2fea9ad8537d5118929d2e8cbc8f389789df2a99068a04cbd760830dfd92e

Download Submit
C:\Windows\SysWOW64\Ipdndloi.exe

Filesize
483KB

MD5
682bfbb95603da77e88b187429b5487f

SHA1
3f8eb4f13c1460ce4f7cf21bce15d06336b9ea0e

SHA256
81ae332cb9150eed2f16abfa26bd94787847cf86ac1dadcf6eca90a144a1e888

SHA512
a44ad872a70b205690652c976fcfe43e92b6478784b6eb4ed97ca9009719d97e42e0ba809d7c9912b8da3482c640ec278ced6f6fa67f6bac04002fe8693426cd

Download Submit
C:\Windows\SysWOW64\Jcdjbk32.exe

Filesize
483KB

MD5
26f0281b3dbd24db58cc52e030d5f6a6

SHA1
15c15772d9510c9357cbcddb355a16d5cde8e967

SHA256
816d699cabf778f3410608a83d79ccca1c969bdea62da4f8633c34e440a6ff90

SHA512
606859e4d28d67c4ccb7138f5869f8eec187f2ee2d2974eabf61871e169973462e08e44d2e5457bb13af764f81b58705b95a35138dc9758ff447bc1a90d325a2

Download Submit
C:\Windows\SysWOW64\Khiofk32.exe

Filesize
483KB

MD5
0b45384cbc04e11efd9478ac4fc57d44

SHA1
48ae1988775ba2b67f87e5a03efc0474251e8f73

SHA256
7809d618512ec612d137435ea01afcb22782ca9ebfbb96b21c5261c7514e84b6

SHA512
10e6da0a61c76d887927d1940fc7ecf3345cdcddff15751d80e9b51f979f65703808d063e1df3f298e4e29abeba9de3bba80f8c762244b61351622dcfa2fbe05

Download Submit
C:\Windows\SysWOW64\Kncaec32.exe

Filesize
483KB

MD5
7331aae417f485ea5fb16ea4560292af

SHA1
fe31eac20fe0d8c6c1dc7756d4c88368b52fcfbc

SHA256
ff9b9d262d389962e9eaf22acae409cf5a12ae5e8a399a780b17acc25c618213

SHA512
bf3c5f86419bcf11d653b12b70e67337fcf07de0db55471cf3fc086fa1bff51b13e5892ff31a0f495fcb00376ab32b79dbd3173660f2a899d0445f2fe36d79fa

Download Submit
C:\Windows\SysWOW64\Knnhjcog.exe

Filesize
483KB

MD5
8160cb2469ab9f261ad879c30e75f98d

SHA1
3a27b3f81acd87780086272cbe9e91cf23cbd19c

SHA256
57fe8fe60c2f3ba92b6bca69b064718a982f80a6b17dde9dc11594f2003b2ad2

SHA512
2b9811b7855ac983e5a8d0b76f43a7487173c1c8a94ca11909c68ec91c62fe6969082bd2422cb88d8daf8607be4d930cb1ff1d8c2b11b1be28553a324db46ddf

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
483KB

MD5
738020819150c3ad18082eaa3152af79

SHA1
277b99a5eb56dd7897cd2c398ec33af7512efa27

SHA256
d8bf9b72a500907cbb2672a2149c0b5fb3524ea804062e29c2e1a7fd52848f63

SHA512
6b2a6f4ab409bd9697d24462111d34b090891120e9d43240ca990c944cf17aeebbb1ea7d928d3bc51524e16adb55ac77393c63ca98c4c30482720e6af71a6c87

Download Submit
C:\Windows\SysWOW64\Lmpkadnm.exe

Filesize
483KB

MD5
ac8c84cbc137e087bcdbd302c1543fe7

SHA1
d16cac23733b6ad42f252f264b3fdbf55ca41706

SHA256
db4e381c3a8723312d4392b3bac9bc4f144d66f384569af6cfbc7f26b780c7e1

SHA512
50629bb00ef64feb8b22f67f6f69a70b053260b490de9ec1b67b25d41b736fd2ff401d9ab699c39ebebb6a9b593f43a2d8bf2b7281107fe9f3788e431faea3fa

Download Submit
C:\Windows\SysWOW64\Mfeeabda.exe

Filesize
483KB

MD5
e6e45f53a424cadfc20e4a7c0aa568f5

SHA1
a5277ace85c937447def5014dc1a5876639f65fd

SHA256
483357528913f39c356e976510ac24842e8d433029309d8ebd813b8002f125ff

SHA512
9e98ef9e16c1991a56e13e40fee99d20de56710e220a1cf54ba46ec2c7736ac0bc3697ae1a99c230be32b16311b2d73e8a048b6f0cc6e11f3d5d85d3c1285148

Download Submit
C:\Windows\SysWOW64\Mjahlgpf.exe

Filesize
483KB

MD5
629f91a798cd541f3d41e35467fe6a53

SHA1
609cb36456418200a2d50eb666cd28f913a91499

SHA256
41aa3969bb80f48614dd97731535829cfc894eb585e16eebd20b6cc5082176cc

SHA512
b7c9391565a8b88176dad540231ad2d5c7972dab230437874b86809a48eb9bdfde5a61d24ee2aeb80b88f7ab73875b6bf0fe1d615a205100744623ce91a222a3

Download Submit
C:\Windows\SysWOW64\Mkjnfkma.exe

Filesize
483KB

MD5
5af04a703a7e053c8bce70050c9cd796

SHA1
1f9ee08a2f89913f6aa4221587bca5102d4ac172

SHA256
1a33dda9e4c39852383d7ec7523b0e4a3d1af03777b92335eda136f359721fc7

SHA512
204efda46374ae4287e8d033dbda67fa6ff7b7652e638bca492f45246a747b8fb86ff2b791c2f49544e9d15e90f95bb8ed9d18a6df312a4e764a12ef4f703366

Download Submit
C:\Windows\SysWOW64\Njpdnedf.exe

Filesize
483KB

MD5
8d22a101f105ad891ad9511768c17ae1

SHA1
08008c595b2690edaf0a67a861631ea1cee6f6b5

SHA256
a1f6c3dd9cf9b46ebfb51c417a239bb3bbc5bfaeb5262563d2f02ed104ff9c82

SHA512
30abfe185e83c202c22b0cb3b37f565b8f394c50ec8ad5cd53de5dc9371178b800c828d21e6b84b4b43a6cc6f91d9dd379913d2a58b58d0a7d39101919c22e30

Download Submit
C:\Windows\SysWOW64\Nndjndbh.exe

Filesize
483KB

MD5
e5bbee26d590556cb0d2ab805194aea7

SHA1
78dbfdaf1e3754564a55f143188183b69ba321a9

SHA256
254a77630ab1c67c8ccbf0a453cdbf01ae043492393dd62ff4f2b134d8487622

SHA512
05fd868849cd0737cadf3b50029d4b903e7ad3baef9016ce514be8c65680b51eb26c9fac223e0c8c48c80ec262f0c23ea212c3683a01d6ef5cb06bf01e7a153f

Download Submit
C:\Windows\SysWOW64\Odoogi32.exe

Filesize
483KB

MD5
c4d47f6dddd0df588fea90e397b8057d

SHA1
1ba7db17683dbdda2c39ad229e14d68ddfab485d

SHA256
022d45b54121690b3f596a8b899b44b4e52be9cd79a43671518488fe3ac0a294

SHA512
2a4047fab82a8317b4f2ceadfc7c044034012e3d6b6ee851ec06a9af59637dd36332098e5065dd2271dc257363542eccd63cca8adb166d6d809406dd52a6e5ba

Download Submit
C:\Windows\SysWOW64\Oejbfmpg.exe

Filesize
483KB

MD5
e3f7c66432ca43cc3b8a635be533a971

SHA1
b7895d2c596728bd6b984293bf1a447da5a65131

SHA256
06abe2d3e63653a9ba0d74a10fc736fe7c942aa4be2760663ae9a1ea72302561

SHA512
61159fe3cda2ef2cafd75927e4d31876ccca97834a36b66cf970428811171e138bd47b3e7d7edfd42dff728f9103ee25225d2f57281aec461e814c69f669ef77

Download Submit
C:\Windows\SysWOW64\Omgcpokp.exe

Filesize
483KB

MD5
eda370d00a125f39749ab779c4758c9d

SHA1
5a5d85b0a0961a42c341d4cf0adbb59f2b07e511

SHA256
32e286e9a94407825c342b11256ca0d5476608e5175aee400960599a71a5ce4a

SHA512
31a63c394e478d602b8d441e489fd3025faeb5672eb574c973173aa8ca01cd1ef15c434a1e28de3eb73abacc87bc52f384960c628fd31630940a1b1015a3e498

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
483KB

MD5
68c022c65887092f0fe549746ddec7a8

SHA1
c3052dfd30a56b7da8915ca4ffb5579e8a7fa493

SHA256
156d00ec38d1c4fc8b915adb13626c94800ecc41b1890b2f8eadc5cd88e0490e

SHA512
9e8273e95226fc2f81e1d2a7c0eab56684750dd3ce68af4a6dd0fb3378891a6a22c5d79dc1a1bea9f3f24e23883ead67d2fa24966aa9b59fedf0ab3fb17df787

Download Submit
C:\Windows\SysWOW64\Pjlcjf32.exe

Filesize
483KB

MD5
b15a23ef07065d5ae8b7ca419de63d55

SHA1
83c27721ca5cd48c8489561345af40c5ac1994e8

SHA256
a1a73a9ea8a263cecef5a76c81fa01bd1fd4cd81687da883cf5fcdae9aa25384

SHA512
2e9888653b898c320654b8a732f7c1f458465918b955a4d159acfe4d7d01178ad3f3613ee1dcb9bc7dc2cbff6cfb2b95aa6872e11fe1ec0a866249ed6a5a4369

Download Submit
C:\Windows\SysWOW64\Pmlmkn32.exe

Filesize
483KB

MD5
6c75f67304c05e2b126ef4fd622284a7

SHA1
b982badee8c53763a09b012406acbe40e184ae8e

SHA256
3b531245a60e16d9fb91fc9f05e414d19fc7d7f705dd1de17265a0b90c8d1d5a

SHA512
8c6228e88578a5ed5eac7785e49ee8394e6784271546af56e27f0e37aca4fc9a87f56040dd3dc96e4dcb431d68d38f802bc5112977d813531cb19a0f0cc16b1e

Download Submit
C:\Windows\SysWOW64\Qeodhjmo.exe

Filesize
483KB

MD5
e4f2bbb3a9022a65d15f662679c37a87

SHA1
963a3d529ce2d7cf1299673d29023845e1613df5

SHA256
d873ee63d9f9a4c235e8636a88b6e440c8f8377544d069603cc74705b9f7eede

SHA512
d7a69fb1e8f5bcb08cd57589a25db6e31d43e0c02b803f8cd5825f28a5b00932e0de0634595cf2278e33b05fc84f8fecc9af9bca9b1b03e251a1525a039b63d5

Download Submit
memory/64-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/212-145-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/224-485-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/236-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/452-141-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/460-249-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/632-497-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/752-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/888-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/932-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/984-209-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1020-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1140-217-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1168-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1236-473-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1348-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1396-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1556-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1632-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1640-580-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1640-41-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1736-467-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1760-455-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1764-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1876-185-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1956-25-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1956-566-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-528-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1976-413-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2004-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2020-49-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2020-587-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2040-263-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2124-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2124-594-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2172-395-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2240-521-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2268-453-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2280-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2312-515-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2372-479-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2484-365-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2792-113-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2832-559-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2832-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-510-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2924-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2968-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3088-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3124-419-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3484-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3516-461-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3528-503-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3568-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3608-275-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3612-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3668-105-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3812-389-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3848-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3856-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3944-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3972-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4008-491-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4052-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4112-407-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4116-177-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4152-573-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4152-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4224-281-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4232-371-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4320-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4352-425-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4368-257-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4436-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4436-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4436-527-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4484-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4592-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4640-432-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4772-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4960-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5032-225-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5044-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5044-552-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5144-540-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5184-550-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5232-553-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5304-560-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5356-567-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5400-574-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5472-581-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5524-592-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads