98425364ca768cb4d358af604422c4c4b1d137e52667fb19ffc8565e0c50d585

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98425364ca768cb4d358af604422c4c4b1d137e52667fb19ffc8565e0c50d585.exe
Size

76KB
MD5

4ff15f9f43f40d47d4fd8fc75f929fd3
SHA1

7ec4efe0983a4f94e6e2b74c16e613c318cd4127
SHA256

98425364ca768cb4d358af604422c4c4b1d137e52667fb19ffc8565e0c50d585
SHA512

9e8ea3f7b227fb2465e38b6205f67e7ce81c9ca2bfa0395f6e1cdb1fcec672461447ea7acee3831d675d152973001b58ecfe7b91f980e0070815c90e349c68ad
SSDEEP

1536:KU7EDsPkph7WEJug/s+HioQV+/eCeyvCQ:DIDltkg/ZHrk+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlbejloe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmfplibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnojho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnipbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpolbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kidben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbagbebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnibokbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Halhfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kolabf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljpaqmgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofefp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnajppda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiikpnmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akblfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	98425364ca768cb4d358af604422c4c4b1d137e52667fb19ffc8565e0c50d585.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcmfnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljqhkckn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgifbhid.exe

Executes dropped EXE 64 IoCs

pid	Process
4300	Fnipbc32.exe
2236	Gmfplibd.exe
2012	Gojiiafp.exe
692	Hfhgkmpj.exe
732	Hpchib32.exe
4724	Iohejo32.exe
3452	Ipoheakj.exe
4536	Jcoaglhk.exe
1968	Jilfifme.exe
868	Jokkgl32.exe
2888	Komhll32.exe
2624	Keimof32.exe
4440	Kfnfjehl.exe
4272	Lgpoihnl.exe
3536	Ljqhkckn.exe
3020	Lopmii32.exe
3664	Ljhnlb32.exe
4532	Mjaabq32.exe
4012	Nnojho32.exe
716	Njfkmphe.exe
2224	Njhgbp32.exe
1644	Ngndaccj.exe
2436	Ojomcopk.exe
744	Offnhpfo.exe
2664	Ocjoadei.exe
3148	Ojfcdnjc.exe
644	Ojhpimhp.exe
4916	Pfoann32.exe
2040	Pfandnla.exe
3816	Pjpfjl32.exe
1356	Pjbcplpe.exe
4464	Pjdpelnc.exe
2632	Qfmmplad.exe
908	Akkffkhk.exe
2300	Aknbkjfh.exe
1996	Amnlme32.exe
4516	Akblfj32.exe
2176	Akdilipp.exe
4784	Bkgeainn.exe
888	Bmhocd32.exe
4940	Bklomh32.exe
3860	Bddcenpi.exe
2700	Bpkdjofm.exe
4492	Cggimh32.exe
4340	Cgifbhid.exe
2072	Cdmfllhn.exe
3832	Cdpcal32.exe
2920	Cacckp32.exe
3472	Cnjdpaki.exe
4632	Dahmfpap.exe
2928	Dolmodpi.exe
4280	Dnajppda.exe
1416	Dbocfo32.exe
2988	Ebaplnie.exe
3272	Ehpadhll.exe
4144	Fbbicl32.exe
3316	Gbiockdj.exe
3220	Gpmomo32.exe
2992	Gpolbo32.exe
2348	Ggkqgaol.exe
3512	Ggmmlamj.exe
2860	Geanfelc.exe
4704	Hnibokbd.exe
4104	Hiacacpg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mjaabq32.exe	Ljhnlb32.exe
File opened for modification	C:\Windows\SysWOW64\Gnmlhf32.exe	Fqdbdbna.exe
File opened for modification	C:\Windows\SysWOW64\Lgpoihnl.exe	Kfnfjehl.exe
File created	C:\Windows\SysWOW64\Ggpenegb.dll	Pfandnla.exe
File created	C:\Windows\SysWOW64\Cildom32.exe	Acccdj32.exe
File created	C:\Windows\SysWOW64\Eelche32.dll	Keimof32.exe
File created	C:\Windows\SysWOW64\Jilfifme.exe	Jcoaglhk.exe
File opened for modification	C:\Windows\SysWOW64\Gbiockdj.exe	Fbbicl32.exe
File opened for modification	C:\Windows\SysWOW64\Mfpell32.exe	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Pmkofa32.exe	Pbcncibp.exe
File opened for modification	C:\Windows\SysWOW64\Akblfj32.exe	Amnlme32.exe
File opened for modification	C:\Windows\SysWOW64\Nblolm32.exe	Mhckcgpj.exe
File created	C:\Windows\SysWOW64\Nnojho32.exe	Mjaabq32.exe
File created	C:\Windows\SysWOW64\Akdilipp.exe	Akblfj32.exe
File created	C:\Windows\SysWOW64\Ihkjno32.exe	Haaaaeim.exe
File created	C:\Windows\SysWOW64\Elfahb32.dll	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Kaopoj32.exe	Khfkfedn.exe
File created	C:\Windows\SysWOW64\Iohejo32.exe	Hpchib32.exe
File created	C:\Windows\SysWOW64\Bpkdjofm.exe	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Fbbicl32.exe	Ehpadhll.exe
File created	C:\Windows\SysWOW64\Jpehef32.dll	Geanfelc.exe
File created	C:\Windows\SysWOW64\Enndkpea.dll	Hbldphde.exe
File created	C:\Windows\SysWOW64\Bcejdp32.dll	Mfbaalbi.exe
File opened for modification	C:\Windows\SysWOW64\Hegmlnbp.exe	Hjaioe32.exe
File opened for modification	C:\Windows\SysWOW64\Ngndaccj.exe	Njhgbp32.exe
File opened for modification	C:\Windows\SysWOW64\Ggkqgaol.exe	Gpolbo32.exe
File created	C:\Windows\SysWOW64\Ejccgi32.exe	Egbken32.exe
File created	C:\Windows\SysWOW64\Aamebb32.dll	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Jllhpkfk.exe	Jafdcbge.exe
File opened for modification	C:\Windows\SysWOW64\Mfbaalbi.exe	Mfpell32.exe
File created	C:\Windows\SysWOW64\Igkilc32.dll	Noblkqca.exe
File created	C:\Windows\SysWOW64\Halhfe32.exe	Hiacacpg.exe
File opened for modification	C:\Windows\SysWOW64\Kcmfnd32.exe	Kidben32.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Cggimh32.exe
File created	C:\Windows\SysWOW64\Nofefp32.exe	Nfnamjhk.exe
File created	C:\Windows\SysWOW64\Qamago32.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Kcmfnd32.exe	Kidben32.exe
File created	C:\Windows\SysWOW64\Mmmncpmp.dll	Ihkjno32.exe
File opened for modification	C:\Windows\SysWOW64\Fqdbdbna.exe	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Haidfpki.exe	Hgocgjgk.exe
File opened for modification	C:\Windows\SysWOW64\Hiacacpg.exe	Hnibokbd.exe
File created	C:\Windows\SysWOW64\Knaodd32.dll	Afockelf.exe
File opened for modification	C:\Windows\SysWOW64\Kcapicdj.exe	Kiikpnmj.exe
File created	C:\Windows\SysWOW64\Bljlpjaf.dll	Bmhocd32.exe
File opened for modification	C:\Windows\SysWOW64\Gpmomo32.exe	Gbiockdj.exe
File created	C:\Windows\SysWOW64\Lopmii32.exe	Ljqhkckn.exe
File created	C:\Windows\SysWOW64\Opnaqk32.dll	Gpolbo32.exe
File opened for modification	C:\Windows\SysWOW64\Hkaeih32.exe	Hegmlnbp.exe
File opened for modification	C:\Windows\SysWOW64\Lbqinm32.exe	Klgqabib.exe
File created	C:\Windows\SysWOW64\Jcoaglhk.exe	Ipoheakj.exe
File opened for modification	C:\Windows\SysWOW64\Kibeoo32.exe	Kolabf32.exe
File created	C:\Windows\SysWOW64\Jhnojl32.exe	Jbagbebm.exe
File created	C:\Windows\SysWOW64\Jafdcbge.exe	Jhnojl32.exe
File created	C:\Windows\SysWOW64\Egbken32.exe	Ecdbop32.exe
File created	C:\Windows\SysWOW64\Fboecfii.exe	Ejccgi32.exe
File opened for modification	C:\Windows\SysWOW64\Ehpadhll.exe	Ebaplnie.exe
File created	C:\Windows\SysWOW64\Ehblpall.dll	Ebaplnie.exe
File opened for modification	C:\Windows\SysWOW64\Jbagbebm.exe	Jihbip32.exe
File created	C:\Windows\SysWOW64\Dndfnlpc.dll	Oiccje32.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Pqhfnd32.dll	Hfhgkmpj.exe
File opened for modification	C:\Windows\SysWOW64\Kfnfjehl.exe	Keimof32.exe
File opened for modification	C:\Windows\SysWOW64\Kidben32.exe	Kibeoo32.exe
File opened for modification	C:\Windows\SysWOW64\Mhckcgpj.exe	Mokfja32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6152	6764	WerFault.exe	234
2248	6764	WerFault.exe	234

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enndkpea.dll"	Hbldphde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loacdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnipbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jilfifme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqojdee.dll"	Nnojho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfnamjhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qapnmopa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abhemohm.dll"	Komhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppcbba32.dll"	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jldbpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpolbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbdco32.dll"	Halhfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hegmlnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqhfnd32.dll"	Hfhgkmpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljhnlb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkaeih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	98425364ca768cb4d358af604422c4c4b1d137e52667fb19ffc8565e0c50d585.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Komhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlglnp32.dll"	Jldbpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobpnd32.dll"	Jbbmmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikgni32.dll"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgicnp32.dll"	Dolmodpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjaioe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjooo32.dll"	Gojiiafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnaqk32.dll"	Gpolbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfnamjhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npmknd32.dll"	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmkebjc.dll"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneclb32.dll"	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahkpm32.dll"	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgppbgc.dll"	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhego32.dll"	Nfnamjhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iohejo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnoeb32.dll"	Qapnmopa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnajppda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdohflaf.dll"	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbiockdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnlme32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 4300	536	98425364ca768cb4d358af604422c4c4b1d137e52667fb19ffc8565e0c50d585.exe	91
PID 536 wrote to memory of 4300	536	98425364ca768cb4d358af604422c4c4b1d137e52667fb19ffc8565e0c50d585.exe	91
PID 536 wrote to memory of 4300	536	98425364ca768cb4d358af604422c4c4b1d137e52667fb19ffc8565e0c50d585.exe	91
PID 4300 wrote to memory of 2236	4300	Fnipbc32.exe	92
PID 4300 wrote to memory of 2236	4300	Fnipbc32.exe	92
PID 4300 wrote to memory of 2236	4300	Fnipbc32.exe	92
PID 2236 wrote to memory of 2012	2236	Gmfplibd.exe	93
PID 2236 wrote to memory of 2012	2236	Gmfplibd.exe	93
PID 2236 wrote to memory of 2012	2236	Gmfplibd.exe	93
PID 2012 wrote to memory of 692	2012	Gojiiafp.exe	94
PID 2012 wrote to memory of 692	2012	Gojiiafp.exe	94
PID 2012 wrote to memory of 692	2012	Gojiiafp.exe	94
PID 692 wrote to memory of 732	692	Hfhgkmpj.exe	95
PID 692 wrote to memory of 732	692	Hfhgkmpj.exe	95
PID 692 wrote to memory of 732	692	Hfhgkmpj.exe	95
PID 732 wrote to memory of 4724	732	Hpchib32.exe	96
PID 732 wrote to memory of 4724	732	Hpchib32.exe	96
PID 732 wrote to memory of 4724	732	Hpchib32.exe	96
PID 4724 wrote to memory of 3452	4724	Iohejo32.exe	97
PID 4724 wrote to memory of 3452	4724	Iohejo32.exe	97
PID 4724 wrote to memory of 3452	4724	Iohejo32.exe	97
PID 3452 wrote to memory of 4536	3452	Ipoheakj.exe	98
PID 3452 wrote to memory of 4536	3452	Ipoheakj.exe	98
PID 3452 wrote to memory of 4536	3452	Ipoheakj.exe	98
PID 4536 wrote to memory of 1968	4536	Jcoaglhk.exe	99
PID 4536 wrote to memory of 1968	4536	Jcoaglhk.exe	99
PID 4536 wrote to memory of 1968	4536	Jcoaglhk.exe	99
PID 1968 wrote to memory of 868	1968	Jilfifme.exe	100
PID 1968 wrote to memory of 868	1968	Jilfifme.exe	100
PID 1968 wrote to memory of 868	1968	Jilfifme.exe	100
PID 868 wrote to memory of 2888	868	Jokkgl32.exe	101
PID 868 wrote to memory of 2888	868	Jokkgl32.exe	101
PID 868 wrote to memory of 2888	868	Jokkgl32.exe	101
PID 2888 wrote to memory of 2624	2888	Komhll32.exe	102
PID 2888 wrote to memory of 2624	2888	Komhll32.exe	102
PID 2888 wrote to memory of 2624	2888	Komhll32.exe	102
PID 2624 wrote to memory of 4440	2624	Keimof32.exe	103
PID 2624 wrote to memory of 4440	2624	Keimof32.exe	103
PID 2624 wrote to memory of 4440	2624	Keimof32.exe	103
PID 4440 wrote to memory of 4272	4440	Kfnfjehl.exe	104
PID 4440 wrote to memory of 4272	4440	Kfnfjehl.exe	104
PID 4440 wrote to memory of 4272	4440	Kfnfjehl.exe	104
PID 4272 wrote to memory of 3536	4272	Lgpoihnl.exe	105
PID 4272 wrote to memory of 3536	4272	Lgpoihnl.exe	105
PID 4272 wrote to memory of 3536	4272	Lgpoihnl.exe	105
PID 3536 wrote to memory of 3020	3536	Ljqhkckn.exe	106
PID 3536 wrote to memory of 3020	3536	Ljqhkckn.exe	106
PID 3536 wrote to memory of 3020	3536	Ljqhkckn.exe	106
PID 3020 wrote to memory of 3664	3020	Lopmii32.exe	107
PID 3020 wrote to memory of 3664	3020	Lopmii32.exe	107
PID 3020 wrote to memory of 3664	3020	Lopmii32.exe	107
PID 3664 wrote to memory of 4532	3664	Ljhnlb32.exe	108
PID 3664 wrote to memory of 4532	3664	Ljhnlb32.exe	108
PID 3664 wrote to memory of 4532	3664	Ljhnlb32.exe	108
PID 4532 wrote to memory of 4012	4532	Mjaabq32.exe	109
PID 4532 wrote to memory of 4012	4532	Mjaabq32.exe	109
PID 4532 wrote to memory of 4012	4532	Mjaabq32.exe	109
PID 4012 wrote to memory of 716	4012	Nnojho32.exe	110
PID 4012 wrote to memory of 716	4012	Nnojho32.exe	110
PID 4012 wrote to memory of 716	4012	Nnojho32.exe	110
PID 716 wrote to memory of 2224	716	Njfkmphe.exe	111
PID 716 wrote to memory of 2224	716	Njfkmphe.exe	111
PID 716 wrote to memory of 2224	716	Njfkmphe.exe	111
PID 2224 wrote to memory of 1644	2224	Njhgbp32.exe	112

C:\Users\Admin\AppData\Local\Temp\98425364ca768cb4d358af604422c4c4b1d137e52667fb19ffc8565e0c50d585.exe
"C:\Users\Admin\AppData\Local\Temp\98425364ca768cb4d358af604422c4c4b1d137e52667fb19ffc8565e0c50d585.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SysWOW64\Fnipbc32.exe
  C:\Windows\system32\Fnipbc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\SysWOW64\Gmfplibd.exe
    C:\Windows\system32\Gmfplibd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\Gojiiafp.exe
      C:\Windows\system32\Gojiiafp.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
      - C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        26⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        27⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        32⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        44⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        50⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        54⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        59⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        61⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        68⤵
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        70⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        71⤵
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        73⤵
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        74⤵
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        76⤵
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        77⤵
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        78⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        85⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        87⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        88⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        89⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        94⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        95⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        96⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        104⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        106⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        108⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        109⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        110⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        111⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        116⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        119⤵
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        121⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        123⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        125⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        126⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Haidfpki.exe
        
        C:\Windows\system32\Haidfpki.exe
        127⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Hegmlnbp.exe
        
        C:\Windows\system32\Hegmlnbp.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Hkaeih32.exe
        
        C:\Windows\system32\Hkaeih32.exe
        130⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        131⤵
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6520
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        135⤵
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        139⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 400
        140⤵
        Program crash
        
        PID:6152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 400
        140⤵
        Program crash
        
        PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6764 -ip 6764
1⤵
PID:7064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:6244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
76KB

MD5
dc60aec0d8677c91dcf89d7c94a62ac0

SHA1
b33b4d8c30b5b1e9087a58e44535378d494f494f

SHA256
2a955766fba97ca0fa42c937756361829b1fab677000df76b220e0687f21016f

SHA512
3cfa50afa228a9d5b0e348c608417ccbc86c5c21d8ec4f5d819bc858d44023a4f04b0ed4eb8c0a66976bb36a970c76ff506353d78e488fb2a3a48e7505cdce15

Download Submit
C:\Windows\SysWOW64\Cdpcal32.exe

Filesize
76KB

MD5
d8812809080f87b24b40cea4ebf0e3dc

SHA1
87debf02fdcd483d1718fd11ee7631eb107353b9

SHA256
8c85062d384c27780dda373964110bf1eed9ffaa6e02e17298a677741eba3083

SHA512
6ebe508c76963714b1ed3d925441da7e8914e2e022aea797fdd36cbb3fdedebc37af6f2656978676074ba4e85ea48d4449994e8b43b296dfdc55b7bf019d17a7

Download Submit
C:\Windows\SysWOW64\Dnajppda.exe

Filesize
76KB

MD5
633fded54c958606061128f93fa22f7a

SHA1
1cf9933d8d985d5fd73876b611ae2b8094a57215

SHA256
acc736d440b7f15cbb239250e3d5d874710d52405f51b2de3d28bd8d4d6efab0

SHA512
7c186089a18162df60a2e640b56afc7986ab7438583f3054b5087e63930f35dffe2048e08e9e18f0bd6e1e82640c0db52c7fe4f8fb89f77b77fdb72a29e195ad

Download Submit
C:\Windows\SysWOW64\Eaceghcg.exe

Filesize
76KB

MD5
476cdbae7803b56ac2cdb568276be118

SHA1
2b323cd36e4a7ddd0a8864e301bfe3b154408a3a

SHA256
69fdddf50898865df3512e757ffe6d62e10d20120b77ca0acee6f9e6d96dd45a

SHA512
cf7b2a1dfd00d660edfc5fc23c982bbe3c390809bb72276cb8bc6642b31171f8d8ee8e2fe2f2776f678ccd96cb0d228a8961d7483ac2d709fc4f71698a7f215f

Download Submit
C:\Windows\SysWOW64\Ebaplnie.exe

Filesize
76KB

MD5
782f1236cf23601f276bdfb73b3523f9

SHA1
e965e9332690f0bf2233d0e86bcad1b2c70f84d8

SHA256
79e04f79c23eaba2f8eb5bf0498ac09528ec81848187905b30e8cfc180521e38

SHA512
dff9ebc49593aab302b40a20802a6d3d01cfdd4552dfe65c34cc3bd986d02c628b362a5a171c46bcb0ed416feb466bf89010f393514cb04dde724b3e3fef445f

Download Submit
C:\Windows\SysWOW64\Egbken32.exe

Filesize
76KB

MD5
f2233473ad1cf5ebf2ef2ec7b82b6f6d

SHA1
4bbef0e12e587cad3be7e6829e053bcb4ee366d1

SHA256
7b1d29e3f9f63f025b4f7606db570d87011b86f27fc9a0ed8a262905be237d4a

SHA512
a7ef90f75c6164049b601394f55892bbe257afd6cfba4c5adf3087f9cff54d937dcc2c200d5b5c59188d6ba9ec02af312315b1206ff59f1358463c224c55ebc6

Download Submit
C:\Windows\SysWOW64\Fnipbc32.exe

Filesize
76KB

MD5
24b260cc5cff042142d9b2177f4ef1bb

SHA1
a1c0ff7a33709954a863ca032bac68d38c444c94

SHA256
ea5f8b6be1c78d5b99bcfa7c670f9f8c15eb0249cc6323aedd09c4111877ae4f

SHA512
9b2fb0a7ce958911af6e1b7d3e4f8e309b01db1340e97aba5ff0641eb614c3e380df482145561777d60755f769febdf77b7e156823479441d1b0b420c7973dfb

Download Submit
C:\Windows\SysWOW64\Fqdbdbna.exe

Filesize
76KB

MD5
5885475303493547d0f50097d796a0a7

SHA1
5dd90da40d65247184802e6fe531c15850b6aa26

SHA256
bffcf2fe523ffbd9abad49ccac993d24a8bfc2afe4a778ffddfe1501d27c4570

SHA512
bdf660b52fe1b4db74137ef21b152e223e667d98ab5109d7d97ac00368feaa02ece6930e053d413bd0ac3647165b049990253f8b4cf244e2edc4d7d113b70cc2

Download Submit
C:\Windows\SysWOW64\Ggmmlamj.exe

Filesize
76KB

MD5
285406cf69a08043848f72d30bc464e4

SHA1
df22f2c212c4e484436b85b3c2e13fa43d2a7196

SHA256
8afee686fc00d669bf75cb4876e51d3bd1546442273be502b70a7b5d4c2c2f3e

SHA512
e307068517f0d8eda7481f10259e98af2af5ecc07c2ebff1cdb21800220c1990271e9e3d9d58fbb01b4ca26bddad0c3a793d4a27f1fbbdf5550f0c7c06d2f533

Download Submit
C:\Windows\SysWOW64\Gmfplibd.exe

Filesize
76KB

MD5
eb23b3c22eaf7bce5965058a6a6c27f8

SHA1
87551c066530ae0d14fd50e58954608102143d47

SHA256
7ecc9628a6d829e0ca43d51dac22744e6c6cc1e1a061bf6910fd2af85a7ccc69

SHA512
e39f263378badb45dcaac224657cbce0c78ae52eda8305c0a8f09a1d07265484543c4815db5a3a16275f37bae8b84b159f187c298860cacad662e2a6feeee3af

Download Submit
C:\Windows\SysWOW64\Gojiiafp.exe

Filesize
76KB

MD5
df1ec4adbcb6a06348743e86e79cfeb2

SHA1
a1ecaf7441755d9829d49015dcc5e221bd49a12f

SHA256
c12277b3dfd120d2d2094574aae6d609bcb496b8a36f10c6cac889d3bc48f6c6

SHA512
9483727db503e2736353816bf532922317b153b71d6bab73963a8e7ac6ea17cb3ff56caf162058c633ff32e6aaa5b4073c14e6867a998f1c4a2fd540683265bb

Download Submit
C:\Windows\SysWOW64\Gpmomo32.exe

Filesize
76KB

MD5
adf2e2d0be775d99539252b6f041c067

SHA1
37100f6a28a108027b43716cd7d664111af390bd

SHA256
9e9695da9417a9f25b4c0ec78ea8658bc6ef1176f9d8832a5eda124727bf71ad

SHA512
15b732b001308cd790f50acfb7f31bb0fae7e3b2161be029b002047e828f07c38c3f256c7c9378047f24516b90cb8045b28a68cde643f6e00ad33082df6b6fbe

Download Submit
C:\Windows\SysWOW64\Hbldphde.exe

Filesize
76KB

MD5
20c31e781ab99304b1a0ef8fcb5d3d25

SHA1
33f19339c75548562febeb2de9e29f46cba772d3

SHA256
2dfccf877d094383979b852f14bafe46256a0c8d46a9f746319737f96ad38036

SHA512
012c326fa38aea4a5df33aa31479856ea71876fa65ba7969fbbc493e87d6b7851607313d6346bb3cf57ce2d97dc3ab815605e481bb37c3761b277816c9f79491

Download Submit
C:\Windows\SysWOW64\Hfhgkmpj.exe

Filesize
76KB

MD5
beb500ce4518b9ea4f056572405ff21c

SHA1
8e4c2a54c10be9e6368c6b37ba777305779601f7

SHA256
004661cad3f5c417f1dedb66690866365f0f9851db07877d4dc293ca8f4e52e8

SHA512
f2bc7c5ecba8ce43e35cf9672557e04382afe9b25f0499473e5967d7b7de22304572bbd14a0c334b08e21623151bf9b1de04ccb4a07970c7453e79919a4d695d

Download Submit
C:\Windows\SysWOW64\Hgocgjgk.exe

Filesize
76KB

MD5
72b63431f6673454f3c2152d47180db8

SHA1
4efe56707346998d054e72ade948ffda3dcc5921

SHA256
78e8a88161d2025c2bb645781ee70b806c2778ae1ee379e59ced77094cf13bf3

SHA512
e03d401d99603adf6822324ec8922118418d5a87407524685b9c9d49f3fcadb3a484a8a5c8c1687f81efe76096cedb34d1c7477c1a05199f1b457ae1b7569217

Download Submit
C:\Windows\SysWOW64\Hpchib32.exe

Filesize
76KB

MD5
c35e956f7ae7e1e99c7f44eb0b4bb040

SHA1
207f8a49242360ab31c28424628d19d25302e222

SHA256
c5195ac0873c7ba06ca04d8ddc296006236a84f78fadb5c758137a1d8b41f66c

SHA512
9813555545984f67be9300f639105483a6b22f720e64c5ada7a221c09f47606f8585c6ef13ad3bca5c8eb857eb9a51738868bac6f04e2dde2d5a16901bb4209a

Download Submit
C:\Windows\SysWOW64\Ihbponja.exe

Filesize
76KB

MD5
f3ed99b75c107268694380f1298c37c5

SHA1
40e9b3bb69e8069bda073fed94242c28cf4e5401

SHA256
38bca4b423ededcb26fa28522cdc9b4f7cf0d9646615963e81308e9693f51b94

SHA512
6475b98ec67a1cd3bab853ce01280bd3446037be8b159ea61f01aca845d598fc1d0e908f4ba8abe98161223dee82003cd727234f3b0a3131ab448297fd0665d9

Download Submit
C:\Windows\SysWOW64\Iohejo32.exe

Filesize
76KB

MD5
16f81d886f66f5df533b0f8784029a30

SHA1
c0a1103ed49a0f735d9a886c3df003c421cdfa77

SHA256
d77b68e6fc34e0cf2068aea8849051035365aa06b2a86420f24555ca8a97575b

SHA512
ae5cf41eaa89b207d434b8f107229581b0f5de08e2558cfa10d1299984c7823ad70b4d8452f437d8a68590611a45da626262c05392680097b62ce7dc3b3e936f

Download Submit
C:\Windows\SysWOW64\Ipoheakj.exe

Filesize
76KB

MD5
f872bec5e21136da9c04ffc31cc52da7

SHA1
5a00a850ace684e79ffa4753bff5669f068f9655

SHA256
841da582e473b873abffc3c0e19325abc0642eb21ff8687a962f5bfdff9b4aab

SHA512
f9dd85eeaf000749fd7153ed29ddc149d4bb6950f75fb826daad4400f8d03f5683f96119a2e35371711a6e29b10294c8afa2c1ececcb781e3558cd9a7c3e14ac

Download Submit
C:\Windows\SysWOW64\Jcoaglhk.exe

Filesize
76KB

MD5
acdd414ca79e44a9cbfd21356d0f0136

SHA1
21554db86976531ff7439633211ec89768e2a92b

SHA256
cd2f9535d64e4e357c819f9451f252f57ca763b687402994d36d17d6275e051a

SHA512
320c103b75b18cb309b5ec2d007d0dcc527529995ca5f1bb07b57a264f79f305891386c641cff8f1ca5b63c88a3f423b5be3a622361dede04e9d394cce4139b6

Download Submit
C:\Windows\SysWOW64\Jilfifme.exe

Filesize
76KB

MD5
cc8fbbe2bf6ac428111acc1bdad33cc6

SHA1
510c35c5e58618071bbc77ebc497f8785e38f896

SHA256
2ad248b082ad62032ab7382daab062f20ecec30a618ff2e8af78768d32dad09a

SHA512
1ca86a670e6a76264f25233fe98276fb377fb3eecc821cd5d9d2e1d8166560c7b2c243e015b3f54abfc74149100bd2fcca06e6b15017b93081b687cb812601ad

Download Submit
C:\Windows\SysWOW64\Jokkgl32.exe

Filesize
76KB

MD5
fd922e717e613e6744be9b3fcd05e3d9

SHA1
d8b2bc91831a7429a1b7b47ef0e5a026f1a28d6a

SHA256
76984533d75991e760dae847afa65d8dbe4a23e127dd69fff3f763156d18dba1

SHA512
c17440d51320a3090a9cd1afbccaa8c39f283834e41aa5c926e2025ca9690340180a8d65fe470ba9df3348ac1c449215278deac3b62b1f5c4f8b2ebe952771d6

Download Submit
C:\Windows\SysWOW64\Keimof32.exe

Filesize
76KB

MD5
89e32829ae8ac6c4ae3dd890c3d26e48

SHA1
8b2fe76ea177767ec3729f6581c72b6717d72317

SHA256
bc4410507045c9bc3b44276882e6a79e85a39066dcb65bc0a359fe2bb840999c

SHA512
aaaa1680d82031fcdbc87c93baf3f7bdb57c71fbc6b62bca606f033f88e922a99fd16b567b3bbccaa47630ca2aa22a46aeee0fb1de84ca74bb996ee206155f53

Download Submit
C:\Windows\SysWOW64\Kfnfjehl.exe

Filesize
76KB

MD5
e8118e3853d3c5681275ea60078dc689

SHA1
fb10dc3849d245ee563b73c66e4acb8d296277c4

SHA256
a69e4390afd3e78ac0c198aa4ebf72c24bf4b1c55ad39af04e8dedf8462d7b47

SHA512
4737eb714320e7d4292d113be42c9f0597753128fd4eced6103ef160ee71250b878e5df1f671ff7cb440995e644ba5b969c5456b12860c3e0711fef99c39ebf8

Download Submit
C:\Windows\SysWOW64\Komhll32.exe

Filesize
76KB

MD5
59e548024b394a53f17aef803fc9b74d

SHA1
e1d2b608f5e12e5ea7c70e68c28e9d51f78e9967

SHA256
def0f8c2a8c5580ffc9f6c3df1806cb5ca229d645830296971bd33d97c905952

SHA512
0ddd3e0c297f74adf617c9e30ee57c8b0f66356e3ae229ffe6e8905832638a1342e0d7892e0ee59d4832a0ed6af6ca4842a3dfb63ea2da994b507404b0b9b555

Download Submit
C:\Windows\SysWOW64\Lgpoihnl.exe

Filesize
76KB

MD5
254fa73b836d4022c72246bb461b7e3c

SHA1
bbf683cdd10742b728ff2ff3ad5887f97e0cd686

SHA256
cd74f95fb5c7e49022c25c3f77ad4e9d7611d9ce921a8ea527228f419b25fe47

SHA512
7658354e98c0f3c0c0f5a19633d9a1d091cec71a10c165a477509317bb183424e1739f6ed635c9484a1de78e5cb50351dacc597cf5f7fbc0e606ba12a620ec83

Download Submit
C:\Windows\SysWOW64\Ljhnlb32.exe

Filesize
76KB

MD5
f8f2eeb651cdd059f9c6132f140451f1

SHA1
5f9aaad8f980e691b05c0714d819c54872e619f9

SHA256
6fbf8ba1aa1d3f2895063133733444dd6f3ffc7e4153733590166032b817616b

SHA512
dc38ec94054766c7496bc16e3913ba6feb2313f44b512956f1ae1e893a38d3d6512366e37a309e89281e8cebe1904d6bfc1b9dcc472ffa4967829a7d72ef2029

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
76KB

MD5
a87cac65edfd0590b2cc8bd3f9d07a88

SHA1
c31a287aa6cc3f1ace7dde2ee8b3e5005e8ad98a

SHA256
9fce4adcf43cb3acb6399204ae221f3017008eea9d00e568da564ea9097a465e

SHA512
ad8659ed42f4b27bcb8c08ae9c6612dd576fad79619ae837b0143071b0ba25ea5c5b87aa4e852b7d564866d69be0e5d5d46a869a8296b3e4cc19767d1690dcb6

Download Submit
C:\Windows\SysWOW64\Ljqhkckn.exe

Filesize
76KB

MD5
496252dbdfcfd6b67b11883d4bdede42

SHA1
dd0356f86db9036b14fb262c07d8a06ed836303a

SHA256
6d9a4b1d4df84dc6f3653846056dc026843abfd57d40bf8da378c65811d97e91

SHA512
2c3578a77cf8c1f45fa35d6cf7b5c2af6f48c52a2fe8f1e6f8098bbeae00bf9c66e90f54800a896e768017a28c9afe97d5a08b645acf5ab478d24c11c1454bb2

Download Submit
C:\Windows\SysWOW64\Lopmii32.exe

Filesize
76KB

MD5
21373cf9c8c18e95412cc874a380b8c0

SHA1
d66ef4975695c3fba1c34ee77ad971608fe6c601

SHA256
67a09e89376c022ea07a46054873502503358bad6bd8102d3d323d4d1aeea8f0

SHA512
03b86328f9d5de110749b424dcb795b7ac6bb4023483a453f7bd9cea3fd559fa76f9d7380a42aa75065bf406db01c2cf48eb5879a34f15d83b1ce6db7454c06a

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
76KB

MD5
953f60eeafd5f99e5214646234db4676

SHA1
ebf3aa7247a8bfca4ca8902318a89cf2e7a96c9c

SHA256
5c3ee7868ab4f48aefc608e0228bbe8274e0dfab59206bf568fbe47bec7b45ae

SHA512
78cb8ac9eedc139752a776acddd4fe7b831dfa2eabb37ca7acf057905a47818e172a8471a21f33939048d084e1eae88a6dff6474acba9241c6466ffa78dcd29d

Download Submit
C:\Windows\SysWOW64\Mjaabq32.exe

Filesize
76KB

MD5
e87032b1bb2fdc64d0403105bbc56f3b

SHA1
263868ead69b73c4204a6d63043058d54285187a

SHA256
587804101926cb18edbfff2c92a447763fc0e59aa73ae86efedea6a56e8c32fe

SHA512
16f2c32ada24271b5e5b2d718eb6da8cb4dd8f0cace38c15f88b01bb9ce43280e86152d4adeb88aa0ddded84c890b79e9155da4f97b0c59f1326b5516465abb8

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
76KB

MD5
70821b627d6967211081926c200308ff

SHA1
ce05e6ba29721c39783e400a0a9764400b66a294

SHA256
5c57545ed479e8691ac11bc29793c66596a7ca2303d6301b96ed7a757d21ad44

SHA512
5e7d92a9f6b40b81ab6d496b506db54a21f3cc1b6e3ba4db7eaf1b911be80cfaafedf7cdfc4b290cf5a2ed166f3287bc08b0df27da5189f9363ee76075ee1d03

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
76KB

MD5
87eecd576a07653387e62b9092531951

SHA1
7d3fcb579b10531e1b88606415a4c8232c037a12

SHA256
0642e1aeaba90a044d67b258aa33166c69c06a30aacc31813493fad11d5cefe8

SHA512
9659a7d43ad4a3692738f008fd736f56f3f61cd38a0e00e3c79b14afca6c8531f13beca2ec5833f611c87d9774645f6dd6eb93ee2c86659d582090d74dc034f4

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
76KB

MD5
9c7e8fc79122842b822f2565261e6602

SHA1
10099203ccf2e0df7592dece5199cd0e6094bdc7

SHA256
18c701e1226eadac9c08327787bfea67c940efdbf9cac9319b3450b661226f4a

SHA512
12cf63866550703648d1c81f467b87ba3c5be3bc4f2f20265ca0e54305ba7327df4797278c0ddbc5b5774f351bc74390272735a360472c2e545e4d9efa4f3ca2

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
76KB

MD5
7c40137facc3fe34a95c5dc28c85acf6

SHA1
560f58c6f03a158533df3177993922f4e4425a5f

SHA256
08c7827af364eabdb6774d53cbf696a63be2e6632f5d933bb018df20cdb22317

SHA512
53cc4cea3324db68fe0d569516f6b33024615ec8d06603a5a9dc4dd36b586f847bc6560141f23462c1d13631956b50cd3278a4b92039d9cbdad0cef6f08c978e

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
76KB

MD5
8c34337ef8ee95e6d863674295e20dd5

SHA1
9adaae3bb52c71894639fac5e28c34ac1a0e8d3f

SHA256
ea0a883aa24be50b9ef4cc6d78c587143ca30584ec2faee16b0acd6a813b6cbd

SHA512
9af38dc00938e571430b2a65a866447ce3b7eee08153d8fb826e8b2472ac5e933e39e82b5bdec9c4c87a2f15c56a3b2ce6413ac7c0839673aa3c27a8838b0177

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
76KB

MD5
fac90d2dfc7530854215d273013919d9

SHA1
29a90c3d3482d72841b12f235c4ca99ca9fcfa76

SHA256
f4a8b3ac679dfd5547c656915e9d834eaebfef97a30a2b6d82e6f42131b0b9e4

SHA512
3becc978a571970f4ab616032449bfc2b8b3e9674522de18993d2bb27dd8b835fa0da22c4df3b76635d784175e606ea4bb2accb32ea7d55abe7beeb68ab34ece

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
76KB

MD5
207d263405f287b48a2a605a02c593c1

SHA1
02fceaaf9cca4cef7699bcc7c084c174f3d5d09f

SHA256
8f49ac45cb71cbff0c830b14f3c97dc845c2d83065b032072f69b279addbbd3c

SHA512
0c59d42515b2ae97ee9d001ec85e40288ab9a6f588ce668d48e7beba50e5b0af30eeb62ff949ab8e8055ca92aeddaa9d1a0c1954cda9a0b01c2a600f44f986a0

Download Submit
C:\Windows\SysWOW64\Ojhpimhp.exe

Filesize
76KB

MD5
e1a3250905a4b39a2febe794c59d704b

SHA1
f7acf86728aac697767d1e253b8425b493809f29

SHA256
f7a64bd755e3c4ef4d457dfcc1e82526cb1f30549814bf1580bd86f85909dc68

SHA512
41fd03db7d799929d47494d7a1e2e2638a19d1577f7994c69565b12f376c82d979750170e0d684f64065ae8223f8e79d5be5141301ac068cbb66ff97f3848332

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
76KB

MD5
87850f5c791de013f17f261e2eee420d

SHA1
20603747860e332db8492930ab940aa621e9d068

SHA256
990b29e07b82eb978dd3b3a4aad3095600def8b87c9db5d2813676f32e9bfe7b

SHA512
c29131c5af2f4dee52b7bf3e29c5a48723944b9125d3527449e7908187e6576093f3196dfad3c32aed51d1b955db78829cfefdf2a49a9d668f1c93145d896253

Download Submit
C:\Windows\SysWOW64\Pakdbp32.exe

Filesize
76KB

MD5
fa3f2a09da41af7284392c1eec8a46b8

SHA1
fb919f2b623ccb91f770562ee60d7376e5ff3851

SHA256
2cd4c03824c29d87886916302f7192e6af625ce2ea05abe75b70d79080b60f5b

SHA512
7afb4225664511f54028c2fe118a260350e6e6fdc6f4c5ed916f6c845db0f45312727cde6ec710cbcfd2328b9510df194c101e5c4e10c25df2bc56442d2826a1

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
76KB

MD5
e91dad3e41a4b8017fb28242fe7bb8a2

SHA1
d8ca36cdda5f8817f0e64a70c29fa14158df0203

SHA256
437fb5d11a4cc7af4c90ed8c962e00af0185de3437c86122031744e5186cdc03

SHA512
5c904b4bbd27c93e28429b7c71b94556c6663d28e2592c5d79e01d33ddb19569cd9bbfaa5314f03df5c2824378e8f6de146a7ac1358776ee7360fdff9882cb7a

Download Submit
C:\Windows\SysWOW64\Pfoann32.exe

Filesize
76KB

MD5
1fbf35b2cccbe373b330706917b57c35

SHA1
a674b26c7ac7dc79d3e963a81cc0c8e133356bed

SHA256
7afe38b611909cc9518e84c9bd716d18fb43988a33dd85d15fb901a198b289d4

SHA512
f80f897ceceb6ecb4573625ca98ed2d7dc5488c9cadf7969cbfcf1ab074746c8adf22a4199934a81ce5b009a2e02a98de443d1271f12de6fdd349b660cf723bb

Download Submit
C:\Windows\SysWOW64\Pjbcplpe.exe

Filesize
76KB

MD5
46d7cd73b8481904182d1177e514d15a

SHA1
575e3e5265752c6b2dd44b7fafa301a1b0665d98

SHA256
e677a605460dd85aa599084e98f2ff4b5275ff1577098a77ba3b4e554849dbd4

SHA512
8243821d091a3927bbd4cceb6ac76c04ec2ddd39cfa44fae3664913db2f3e5723641217e0a95883145107adf39b8e38b05ef967a81ed7e71df0b8a273f03f86e

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
76KB

MD5
4dde9627a5f9a9c897968b985bab2893

SHA1
7a7271d16f1182ce91e680fe507b9709b8aa6815

SHA256
1ea4fe1e5fdb006ae7e88f109b0b491f20d01d7b984074dc3b8c2b2aeec1cf16

SHA512
39f62bade948e8fcd1d528e6308a54e2ddd76fb68357e08540cf2c6824d7a640f6d59cc8d1ad2c6586837e13b9b0b77b5d61b520cd3c2550aac68f781c1bfd6a

Download Submit
C:\Windows\SysWOW64\Pjpfjl32.exe

Filesize
76KB

MD5
cb1be9b5d4c8b7f4d82b7814c67b6ff2

SHA1
3007c3a0ebc02b1d7befc523cba9e20f31e30a2a

SHA256
fc03af8825b35e41811679d91d6c116e5d9cfc7e419a4ac5ce31ae50be779236

SHA512
a1942833f7ae4cb7d22a5b3d607ed017bc79c784e463eaa28f65fffc4b841ad27a1aa78463cdb7564ad832e7802c73b4a22ed64fe90859186b4fbeb7454d38f4

Download Submit
C:\Windows\SysWOW64\Pmkofa32.exe

Filesize
76KB

MD5
c44e541dc5c30e2f5f7e0aa94266bc52

SHA1
40ee0a47896f7fe42aa48a63aa9c4de96496c9f3

SHA256
a8be65ba35086f8309e838f6daebed9b9bf38732491bbcfe1577bba35775933d

SHA512
7260645547590607ccc166d5d625758e9dd2111e8a38252d4be715e590d9d88410a23c8c7216b354e8b2f6732738d3023fce79db2f51cafbb669b4912a39802c

Download Submit
memory/536-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/536-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/644-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/692-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/692-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/716-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/732-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/732-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/744-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/776-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/888-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/908-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1072-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1300-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1336-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1356-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1428-520-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2632-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3036-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3148-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3220-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3272-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3292-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3316-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3512-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3832-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3860-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3868-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4104-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4272-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4300-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4300-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4464-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-495-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4916-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-525-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5128-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5180-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5220-549-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5260-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5304-563-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5364-569-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5424-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5480-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5524-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads