0e1120c2f451f2f67c09ab491d9832cb4a464307addd3c01ace815924c875f7e

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e1120c2f451f2f67c09ab491d9832cb4a464307addd3c01ace815924c875f7e.exe
Size

384KB
MD5

67dcd2b14948f27c7a08e661b33f9814
SHA1

bea8406ca877bee31af6a0b763bd748fac15c1e6
SHA256

0e1120c2f451f2f67c09ab491d9832cb4a464307addd3c01ace815924c875f7e
SHA512

5282726434c1abdaf2128537d1f147996eca314077dfbe2a8a12ea0a7658d592e76136a0ad6974978e403735df7ae0a20b7bf0c9cf5abc8cd893107be72d191e
SSDEEP

6144:WZP1c76qDmpui6yYPaIGckpyWO63t5YNpui6yYPaIGcky0PVd68LwYwI+8mkUr1s:WZP1i6q6pV6yYPI3cpV6yYPZ0PVdvcY9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oblhcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehbnigjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Haaaaeim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lomjicei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebdlangb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piocecgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doagjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Johggfha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpimlfke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfmgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Efeihb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkaclqkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oblhcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqppci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fgcjfbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Glfmgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Epmmqheb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmkdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmkdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egaejeej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enpfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hidgai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0e1120c2f451f2f67c09ab491d9832cb4a464307addd3c01ace815924c875f7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ombcji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Feoodn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgicgca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jniood32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiogf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebaplnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fpimlfke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcoccc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhenai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejopl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeiodek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpanan32.exe

Executes dropped EXE 64 IoCs

pid	Process
1960	Dijbno32.exe
1628	Eiahnnph.exe
3292	Efeihb32.exe
3204	Epmmqheb.exe
2260	Feoodn32.exe
4636	Fpimlfke.exe
2644	Fbjena32.exe
2676	Gejopl32.exe
1744	Glgcbf32.exe
4120	Glipgf32.exe
3700	Hlnjbedi.exe
2944	Hidgai32.exe
1952	Hfhgkmpj.exe
2516	Hbohpn32.exe
4952	Imgicgca.exe
5056	Illfdc32.exe
3192	Igdgglfl.exe
4488	Jekqmhia.exe
2616	Jofalmmp.exe
3316	Jniood32.exe
5044	Komhll32.exe
4236	Kjeiodek.exe
116	Kpanan32.exe
768	Lpfgmnfp.exe
2264	Lnangaoa.exe
4032	Modgdicm.exe
4436	Mmkdcm32.exe
4696	Mmpmnl32.exe
2360	Nnfpinmi.exe
3124	Nagiji32.exe
1812	Ogcnmc32.exe
3692	Ombcji32.exe
1656	Ofkgcobj.exe
4284	Oabhfg32.exe
2132	Phonha32.exe
4256	Pmlfqh32.exe
5008	Phajna32.exe
560	Paiogf32.exe
4208	Phcgcqab.exe
3140	Ppolhcnm.exe
3552	Pdmdnadc.exe
1632	Qobhkjdi.exe
3088	Qjiipk32.exe
3468	Afbgkl32.exe
3356	Amlogfel.exe
1428	Akpoaj32.exe
3660	Aajhndkb.exe
4404	Aonhghjl.exe
3908	Agimkk32.exe
2420	Aaoaic32.exe
4128	Bgkiaj32.exe
1752	Bnlhncgi.exe
1936	Bdfpkm32.exe
4144	Boldhf32.exe
840	Cpmapodj.exe
1308	Cnaaib32.exe
1180	Coqncejg.exe
1256	Cdmfllhn.exe
3336	Cnfkdb32.exe
3880	Cgnomg32.exe
4532	Cnhgjaml.exe
2320	Cdbpgl32.exe
2728	Cogddd32.exe
2620	Dnonkq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Piocecgj.exe	Pbcncibp.exe
File created	C:\Windows\SysWOW64\Qgjamboa.dll	Imgicgca.exe
File opened for modification	C:\Windows\SysWOW64\Modgdicm.exe	Lnangaoa.exe
File created	C:\Windows\SysWOW64\Nagiji32.exe	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Coqncejg.exe
File created	C:\Windows\SysWOW64\Nmjfodne.exe	Nfnamjhk.exe
File opened for modification	C:\Windows\SysWOW64\Paihlpfi.exe	Piocecgj.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pblajhje.exe
File opened for modification	C:\Windows\SysWOW64\Phcgcqab.exe	Paiogf32.exe
File created	C:\Windows\SysWOW64\Chnpamkc.dll	Aajhndkb.exe
File opened for modification	C:\Windows\SysWOW64\Foclgq32.exe	Fqppci32.exe
File created	C:\Windows\SysWOW64\Loacdc32.exe	Ljdkll32.exe
File opened for modification	C:\Windows\SysWOW64\Johggfha.exe	Jpbjfjci.exe
File opened for modification	C:\Windows\SysWOW64\Khiofk32.exe	Koajmepf.exe
File created	C:\Windows\SysWOW64\Edeeci32.exe	Egaejeej.exe
File created	C:\Windows\SysWOW64\Keiifian.dll	Pdmdnadc.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Efeihb32.exe	Eiahnnph.exe
File created	C:\Windows\SysWOW64\Pdmdnadc.exe	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Gaqhjggp.exe	Gkaclqkk.exe
File created	C:\Windows\SysWOW64\Cmpdihki.dll	Feoodn32.exe
File created	C:\Windows\SysWOW64\Oblhcj32.exe	Ojqcnhkl.exe
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Ocnabm32.exe
File created	C:\Windows\SysWOW64\Hbihjifh.exe	Heegad32.exe
File created	C:\Windows\SysWOW64\Dkjfaikb.dll	Oqhoeb32.exe
File created	C:\Windows\SysWOW64\Eehnaq32.dll	Boldhf32.exe
File created	C:\Windows\SysWOW64\Jniood32.exe	Jofalmmp.exe
File created	C:\Windows\SysWOW64\Kjeiodek.exe	Komhll32.exe
File created	C:\Windows\SysWOW64\Akpoaj32.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Jhkilook.dll	Ebaplnie.exe
File created	C:\Windows\SysWOW64\Agimkk32.exe	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Joqafgni.exe	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Qobhkjdi.exe	Pdmdnadc.exe
File opened for modification	C:\Windows\SysWOW64\Aonhghjl.exe	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kheekkjl.exe
File created	C:\Windows\SysWOW64\Kcoccc32.exe	Khiofk32.exe
File created	C:\Windows\SysWOW64\Nqaiecjd.exe	Noblkqca.exe
File created	C:\Windows\SysWOW64\Hgncclck.dll	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Glqfgdpo.dll	Mhldbh32.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Mkiongah.dll	Foclgq32.exe
File created	C:\Windows\SysWOW64\Dohjem32.dll	Kpanan32.exe
File created	C:\Windows\SysWOW64\Coqncejg.exe	Cnaaib32.exe
File opened for modification	C:\Windows\SysWOW64\Geanfelc.exe	Glfmgp32.exe
File created	C:\Windows\SysWOW64\Kheekkjl.exe	Kolabf32.exe
File created	C:\Windows\SysWOW64\Oppceehj.dll	Mmpmnl32.exe
File opened for modification	C:\Windows\SysWOW64\Loacdc32.exe	Ljdkll32.exe
File created	C:\Windows\SysWOW64\Aajhndkb.exe	Akpoaj32.exe
File created	C:\Windows\SysWOW64\Lhenai32.exe	Lomjicei.exe
File opened for modification	C:\Windows\SysWOW64\Nfnamjhk.exe	Nqaiecjd.exe
File opened for modification	C:\Windows\SysWOW64\Ojnfihmo.exe	Nmjfodne.exe
File created	C:\Windows\SysWOW64\Kdjfee32.dll	Eiahnnph.exe
File opened for modification	C:\Windows\SysWOW64\Hbohpn32.exe	Hfhgkmpj.exe
File opened for modification	C:\Windows\SysWOW64\Jniood32.exe	Jofalmmp.exe
File created	C:\Windows\SysWOW64\Ogcnmc32.exe	Nagiji32.exe
File created	C:\Windows\SysWOW64\Illfdc32.exe	Imgicgca.exe
File opened for modification	C:\Windows\SysWOW64\Haaaaeim.exe	Hnphoj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnabm32.exe	Omdieb32.exe
File created	C:\Windows\SysWOW64\Koajmepf.exe	Kcjjhdjb.exe
File created	C:\Windows\SysWOW64\Gbhhqamj.dll	Noblkqca.exe
File created	C:\Windows\SysWOW64\Doagjc32.exe	Dnonkq32.exe
File created	C:\Windows\SysWOW64\Fqppci32.exe	Enpfan32.exe
File opened for modification	C:\Windows\SysWOW64\Filapfbo.exe	Foclgq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5356	5272	WerFault.exe	228

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ebaplnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjkejin.dll"	Jpbjfjci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kjeiodek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akpoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppadalgj.dll"	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhejhfp.dll"	Jekqmhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pblajhje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nagiji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Egaejeej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcomn32.dll"	Loacdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpkcqhdh.dll"	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcjcnpe.dll"	Edeeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhaggp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnphoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ebdlangb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifoah32.dll"	Ebdlangb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gejopl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldjcoje.dll"	Enpfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leilnmkp.dll"	Mmkdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Illfdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkobdie.dll"	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfidbo32.dll"	Illfdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Haaaaeim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfnamjhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdqcn32.dll"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhlki32.dll"	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oondonie.dll"	Egaejeej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkiongah.dll"	Foclgq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fgcjfbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiqkhgo.dll"	Ilkoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll"	Ocnabm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbcncibp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbohpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdjofbi.dll"	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcoccc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fbjena32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibclo32.dll"	Fqppci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcjjhdjb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1960	844	0e1120c2f451f2f67c09ab491d9832cb4a464307addd3c01ace815924c875f7e.exe	93
PID 844 wrote to memory of 1960	844	0e1120c2f451f2f67c09ab491d9832cb4a464307addd3c01ace815924c875f7e.exe	93
PID 844 wrote to memory of 1960	844	0e1120c2f451f2f67c09ab491d9832cb4a464307addd3c01ace815924c875f7e.exe	93
PID 1960 wrote to memory of 1628	1960	Dijbno32.exe	94
PID 1960 wrote to memory of 1628	1960	Dijbno32.exe	94
PID 1960 wrote to memory of 1628	1960	Dijbno32.exe	94
PID 1628 wrote to memory of 3292	1628	Eiahnnph.exe	95
PID 1628 wrote to memory of 3292	1628	Eiahnnph.exe	95
PID 1628 wrote to memory of 3292	1628	Eiahnnph.exe	95
PID 3292 wrote to memory of 3204	3292	Efeihb32.exe	96
PID 3292 wrote to memory of 3204	3292	Efeihb32.exe	96
PID 3292 wrote to memory of 3204	3292	Efeihb32.exe	96
PID 3204 wrote to memory of 2260	3204	Epmmqheb.exe	97
PID 3204 wrote to memory of 2260	3204	Epmmqheb.exe	97
PID 3204 wrote to memory of 2260	3204	Epmmqheb.exe	97
PID 2260 wrote to memory of 4636	2260	Feoodn32.exe	98
PID 2260 wrote to memory of 4636	2260	Feoodn32.exe	98
PID 2260 wrote to memory of 4636	2260	Feoodn32.exe	98
PID 4636 wrote to memory of 2644	4636	Fpimlfke.exe	99
PID 4636 wrote to memory of 2644	4636	Fpimlfke.exe	99
PID 4636 wrote to memory of 2644	4636	Fpimlfke.exe	99
PID 2644 wrote to memory of 2676	2644	Fbjena32.exe	100
PID 2644 wrote to memory of 2676	2644	Fbjena32.exe	100
PID 2644 wrote to memory of 2676	2644	Fbjena32.exe	100
PID 2676 wrote to memory of 1744	2676	Gejopl32.exe	101
PID 2676 wrote to memory of 1744	2676	Gejopl32.exe	101
PID 2676 wrote to memory of 1744	2676	Gejopl32.exe	101
PID 1744 wrote to memory of 4120	1744	Glgcbf32.exe	102
PID 1744 wrote to memory of 4120	1744	Glgcbf32.exe	102
PID 1744 wrote to memory of 4120	1744	Glgcbf32.exe	102
PID 4120 wrote to memory of 3700	4120	Glipgf32.exe	103
PID 4120 wrote to memory of 3700	4120	Glipgf32.exe	103
PID 4120 wrote to memory of 3700	4120	Glipgf32.exe	103
PID 3700 wrote to memory of 2944	3700	Hlnjbedi.exe	104
PID 3700 wrote to memory of 2944	3700	Hlnjbedi.exe	104
PID 3700 wrote to memory of 2944	3700	Hlnjbedi.exe	104
PID 2944 wrote to memory of 1952	2944	Hidgai32.exe	105
PID 2944 wrote to memory of 1952	2944	Hidgai32.exe	105
PID 2944 wrote to memory of 1952	2944	Hidgai32.exe	105
PID 1952 wrote to memory of 2516	1952	Hfhgkmpj.exe	106
PID 1952 wrote to memory of 2516	1952	Hfhgkmpj.exe	106
PID 1952 wrote to memory of 2516	1952	Hfhgkmpj.exe	106
PID 2516 wrote to memory of 4952	2516	Hbohpn32.exe	107
PID 2516 wrote to memory of 4952	2516	Hbohpn32.exe	107
PID 2516 wrote to memory of 4952	2516	Hbohpn32.exe	107
PID 4952 wrote to memory of 5056	4952	Imgicgca.exe	108
PID 4952 wrote to memory of 5056	4952	Imgicgca.exe	108
PID 4952 wrote to memory of 5056	4952	Imgicgca.exe	108
PID 5056 wrote to memory of 3192	5056	Illfdc32.exe	109
PID 5056 wrote to memory of 3192	5056	Illfdc32.exe	109
PID 5056 wrote to memory of 3192	5056	Illfdc32.exe	109
PID 3192 wrote to memory of 4488	3192	Igdgglfl.exe	110
PID 3192 wrote to memory of 4488	3192	Igdgglfl.exe	110
PID 3192 wrote to memory of 4488	3192	Igdgglfl.exe	110
PID 4488 wrote to memory of 2616	4488	Jekqmhia.exe	111
PID 4488 wrote to memory of 2616	4488	Jekqmhia.exe	111
PID 4488 wrote to memory of 2616	4488	Jekqmhia.exe	111
PID 2616 wrote to memory of 3316	2616	Jofalmmp.exe	112
PID 2616 wrote to memory of 3316	2616	Jofalmmp.exe	112
PID 2616 wrote to memory of 3316	2616	Jofalmmp.exe	112
PID 3316 wrote to memory of 5044	3316	Jniood32.exe	113
PID 3316 wrote to memory of 5044	3316	Jniood32.exe	113
PID 3316 wrote to memory of 5044	3316	Jniood32.exe	113
PID 5044 wrote to memory of 4236	5044	Komhll32.exe	114

C:\Users\Admin\AppData\Local\Temp\0e1120c2f451f2f67c09ab491d9832cb4a464307addd3c01ace815924c875f7e.exe
"C:\Users\Admin\AppData\Local\Temp\0e1120c2f451f2f67c09ab491d9832cb4a464307addd3c01ace815924c875f7e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\Dijbno32.exe
  C:\Windows\system32\Dijbno32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\Eiahnnph.exe
    C:\Windows\system32\Eiahnnph.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\Efeihb32.exe
      C:\Windows\system32\Efeihb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3204
      - C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        25⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        27⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        35⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        38⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:560
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        44⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        53⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1308
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        64⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4816
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        67⤵
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        69⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Edeeci32.exe
        
        C:\Windows\system32\Edeeci32.exe
        72⤵
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Ehbnigjj.exe
        
        C:\Windows\system32\Ehbnigjj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3256
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        77⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        80⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        82⤵
        
        PID:908
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        83⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        88⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        89⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        90⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        92⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        93⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        94⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        97⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        104⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        105⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        106⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        111⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        112⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        114⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        115⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        116⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        117⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        118⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        119⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        120⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        122⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        125⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        135⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        137⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 224
        138⤵
        Program crash
        
        PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5272 -ip 5272
1⤵
PID:6108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:6672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajhndkb.exe

Filesize
384KB

MD5
69617c12890a7fd4bec3bd807612cf0e

SHA1
fee93b63b20178b1104c45347d5f9df0521524b3

SHA256
bcf8d60eb00ac21e9142ede3fc3d1d48b770dfbda88fed003ef411981e63bd94

SHA512
f757de7e932e0d5bf4b47f5590706c1e7ac0db8471f0d540bd5ba27443077c4900c1c0258d9c99f2c8788eddb9760be69bc9cd5bd8186cb5e967e6278098a37d

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
384KB

MD5
8536f0109b0a926f1cb23d3cd49deef7

SHA1
d407f77d0723c979f48ec7cee5761ea3ed9290d0

SHA256
99248a953251f00c4c10d7c7aaac6ffd80a67dd65ec278fb3062008e638b73c0

SHA512
21c1f191a7a8a922e93a839201ec4009b89e7e038800f8ca25fb5bc4c5655798d826c1a9e30eea45d0851bf054660ccf63544fb4a96494eb9053ba5b172636d7

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
384KB

MD5
af19abfa326df2c03ed5e1cde5cb412a

SHA1
ed8e34cd8ed459fbc86c8c163bbff50a3ff75830

SHA256
ef7994e10624329b4a66c8e9b11a460895bf87c344a963f204989e5520081a66

SHA512
0722178d5da5eb18be91f6faa277d90f3b138b5444f6a3452d22d21be30edf34a714bccb2c3385b498e8b4d248847566976d351ba59ebcd56283584b0c4ea2bf

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
384KB

MD5
5484dac9ab7a8e70b046cd76f80b91a2

SHA1
722a0870393e57304c4cb9496d23f94a139fa5e6

SHA256
004201446de58afdce103a1d2d22e7b6eed09a26fe544897bf14395c9f19d02c

SHA512
169c37e635e24d2ab2bc67ec79a1ac910ee4467b28a641e7064adaaa69632dd1bef8ad5f62fbca714fd161a722d3441f74d71c4df98da4e911d18aa14751e200

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
384KB

MD5
fbbbdc9ba2fc900fa10dcb2902a528e3

SHA1
364444acc425ef031bbdd32d4bdd7bc20005b265

SHA256
adcc62d8345e2eee3aa4b0d627fc583ec32117dfc8703e63316ca5d8fe6efa14

SHA512
a83ac65ce744fcfc8abc73e9ed2c66117576b0d0c4b175dd963c24a67c14ac2ee8117b7fc2ecf7796c7d28cdc3a0b8af417eebe7496460567ece6af8d3fd6e45

Download Submit
C:\Windows\SysWOW64\Dijbno32.exe

Filesize
384KB

MD5
ff73fb42d8af47206cce9025a5e3fc91

SHA1
9434d048ab4cea554ad53859c7cb6950fa2c4cbc

SHA256
f1dd30a5b38037b6dd5189a7f95505e627c687e51ea12ffa8601b469cd03b7c3

SHA512
cb95195ec7d95b5a7f5f309b9f88863d4e57f63796c17460d2f89b91b437e178814f8d6449fa0f7a6791a5305450ed53b14a82f15f0ea235a5508c6842cc87d9

Download Submit
C:\Windows\SysWOW64\Efeihb32.exe

Filesize
384KB

MD5
14b43c2c4c9d25701fd66cfaef835834

SHA1
8cc9ff41a88ff7a7869d3953b8230910f18bba04

SHA256
2ebae4ba44bc26551fc91e6dba30313ce3479d2f1749d4d0abe65cdf3dfb695c

SHA512
b3f4471d3bf737e452c7fbcd38adcbf13ff493a7ed42b5c103e17c0dbc0b82fa077e36373589eb88276765226a82c0d6bfb9786907bbef8f7a95096942e7bc2f

Download Submit
C:\Windows\SysWOW64\Eiahnnph.exe

Filesize
384KB

MD5
8d56e1ddc5153cb6735fd3df01410d74

SHA1
c4449be260aea071d49a32cf6725bfca0d8c3dd1

SHA256
61dc49d4725c58f8bc5a9fbe6b8cc4cab3bba7680fcbe29a35a8fb7b4f580b3a

SHA512
fd807a9504dfaf3719be6647b88599805af8515285d361c19dd073eb60862ce83a6e74a8c862e9b316c73a0613f07fd12fbd198a032e538b1ee6ec6b6282dee6

Download Submit
C:\Windows\SysWOW64\Epmmqheb.exe

Filesize
384KB

MD5
d5fbd91a8b54c3568d9213113179dbe3

SHA1
632593b5b1782881c40e0038ae0e73bb947afd82

SHA256
f1da42817efa315e542903c305bda85b8fb89012d9f39fc8b832a2c3f9dac6f7

SHA512
c1083ebf9648af4277ddc81a6597d2553bf34dec8cf22e227b9d3290bf487e9333836a76a0d896653df4a8a1d541cc97244e2655a02722f0413c3b18b98fb8ce

Download Submit
C:\Windows\SysWOW64\Fbjena32.exe

Filesize
384KB

MD5
ebeb6078531dc85927598b23b4f2ca04

SHA1
1a6fc6b7b453c876c49795515b867538091a9f9b

SHA256
9b6984ea1e05b97f1dd359934a4baee8ad9259de3017dc561106f9755fcc30fe

SHA512
b94757538ae583fab8c7e1d3943600cbc0e35d8e809673fd7227bf7e33702319fa4fe0faa96508c3fb2e19ce25eff78ea9b6e5836c8b396cc3ae3d22e8da2d2a

Download Submit
C:\Windows\SysWOW64\Feoodn32.exe

Filesize
384KB

MD5
b48f90a5ebbedc8d979637272df125a2

SHA1
14aca504e97ea13ae5aa246dbc4684c0ce2ff1ca

SHA256
857fe8c2652e60af12bce6c8ba24c5c96bde332b701e2b0443a2f13f0e7b11b9

SHA512
55578a2d6de98600b686fb128cc4de34215cf36e5b6d0eafcabfcd155a3f2d369437c06674f9e92aa6c3f7953777a9c1b2ceebc15ffe0b4732730653bd9fbd84

Download Submit
C:\Windows\SysWOW64\Fgcjfbed.exe

Filesize
384KB

MD5
483996c54aafa0408d95f6856681114f

SHA1
91c691b5e23b916e0b5e3a99d090979143a46fc6

SHA256
ed1e34fdcbc1f8f20475239a5688ec45b67878a519531002429e30c6584d62ce

SHA512
42e168f5579afc635591ffdf8f8050b412e2e06a3f3304428aee4cda97e7bf59191c941362bebc240e8dfc8d9223fd1dbc033318a21d0fa173ceeda4d9ccccdb

Download Submit
C:\Windows\SysWOW64\Fpimlfke.exe

Filesize
384KB

MD5
e6acb0a90e87154355d9ec40cd8d5163

SHA1
6e6f733ae8e24745c6f6c92cbfa53e45e71f0db7

SHA256
ce66a569490df93957c8c55effe90bf093163b6310e38c8d68ad014d8203e140

SHA512
08e2ee05135da88ae290a72882c4d0b2214dbced4c15ce1949a1e6e3808e4a2adddf305b53ffaae0dc834399b55a94d7d302a7745790daeb29314aa2b3b24949

Download Submit
C:\Windows\SysWOW64\Gejopl32.exe

Filesize
384KB

MD5
fae1f3588f6d7f5fae368a692f72b4f2

SHA1
d7f1a5497bc70c76189210c83764c2bca999eacc

SHA256
9045b59c910ce7ada24ba9820ae545d5d81f93c5fc87f274b3242d9343ef7038

SHA512
cfd448ab35782d293dae09106316404257a184241920d52f540134d2a46c2dd8767dd9632f7b4a8f343744bc58e843aac9d3216bfc8624b08d08f4c3be91130e

Download Submit
C:\Windows\SysWOW64\Glfmgp32.exe

Filesize
384KB

MD5
132b7183e8dfc7e40cd2526c7a7fd9fb

SHA1
7f7be2cec0f6ea16da7735169bf1b38c7033d45a

SHA256
75a64a439200d301040fdc30c878c361e7c18e91a237c15d7976cbe234fdad81

SHA512
419bb400d17627da077549e278e10f76f899708a2de0801c3474d034959f6d8897042d0972e0e8148a67e62e2af49014dd9be14c751ddc296f694cd3d7a8d4e8

Download Submit
C:\Windows\SysWOW64\Glgcbf32.exe

Filesize
384KB

MD5
61e38d840954080a54ec42f33a33e991

SHA1
a09d3ff1906ab6106f31eb12b8e5409d0f02e9e7

SHA256
cbfe0bbc4d8200b57a9f55c33f4ffa0cb511b377839e5cb2577aa659623de24a

SHA512
9e24baa85604ac3ba41337df4ac9a116cd987a164bc2c9a0fbc916b85e0eef95834978aca2356a419f4d5c8e8712821233a0402751fac31e1962482777a15ef4

Download Submit
C:\Windows\SysWOW64\Glipgf32.exe

Filesize
384KB

MD5
e6886a003912ef3974ae53f6ad72495b

SHA1
36da7affd86b1c6e4027312b9c67903aa1ea6478

SHA256
6a859e6ecae056b00e94f8661d20e69e2d53618e4a178385b918da8669a2fc4d

SHA512
80aa14f8de2765027789995cc2525c392db98921d9af157919a46a00a92e618d7be9187843c0a271839b3bdd057db1ab93e10f2c8db714f1214ab64ede3de077

Download Submit
C:\Windows\SysWOW64\Haaaaeim.exe

Filesize
384KB

MD5
1bc6cf30e74d7ee1967b8c12c6c331d1

SHA1
45d66fa1d7cd8bdf8a9e0fb6ef886455072c95cb

SHA256
305dab2108c874caae2db9dcf89e493e0c16bc5392fa2ca768fad0c7272f7d4d

SHA512
732c4ac9d48d949964a04ec0c4961080d2dc64e449ee6c71eb9b2293a6e793cf824bef5c8ff3928b744bc744e8e784ec5aeeca75c18e464e6c316b5e020529ec

Download Submit
C:\Windows\SysWOW64\Hbohpn32.exe

Filesize
384KB

MD5
74ec3e55acb3c4d316e5533973034328

SHA1
e4057d840979fd0c5922378c8a10606b39a4b6ca

SHA256
725a8680abceb03baf45df99ec5feeb8d130dcd35f48d00a4b9870b5c43aa818

SHA512
f0b1b2c8e18d67705e2d4bfa4aa99075f9418ea94101eac131d5caf76c16139cf8d4227be35891e4931a255abc6681359b00e2b55fe3d903baa7403909c8b912

Download Submit
C:\Windows\SysWOW64\Hfhgkmpj.exe

Filesize
384KB

MD5
7a3da4a93b92009e98ec03bad48a25ac

SHA1
c9dfe6c532ef8e62e331b471cc15f23a0ef19934

SHA256
ab69f774b0432f5cc734063bcf6afbe697dedec76791a372fece41f3f4dfd93d

SHA512
73a22fb22f67a1d858cf2c7661ca67dfa44b1f6c1ec130212dae5c3d62aff6a83956a99621a379158f88b62e16a4e093547aa440090758751b181577186b3c2e

Download Submit
C:\Windows\SysWOW64\Hfjjlc32.dll

Filesize
7KB

MD5
e8a9a4f01d450e8a023b291e03fbf7ab

SHA1
a5623f9ab7e08359d33530d7a3e7ae7949f591a0

SHA256
7f1859d93a1a811a3e2823d4024c733438835d1dd0953b2f9d05543daf4489a0

SHA512
0ed4b4ff8462db0f5a80ddf26724d40713acec6edaa50a5f90b97b5f702bab20a710c2c84b2c0892ef34f6fd4e5d029cfba54df2806430e4da951ec85b4b5bc3

Download Submit
C:\Windows\SysWOW64\Hidgai32.exe

Filesize
384KB

MD5
422e82fb8b122805593dd145522e61cb

SHA1
0c7dc334078a2f6da5f9ca348bdb5992bcbac5a0

SHA256
2eda520b2af80f1895f4c0231a62981262df208bff2b04f22b3887ec36547b84

SHA512
2c083a9f024ef5fba5c8059447ff9107ef4e613594ec2fa0456fc1b12b0733e1dfbd9ddc14bebd56d27694f8e3e78e4a0795ec07c781a7c74b283744f94afc70

Download Submit
C:\Windows\SysWOW64\Hlnjbedi.exe

Filesize
384KB

MD5
10aa347af95abbf52524b1b6275b34c5

SHA1
9e456bb2d98cad43039a1db86d7305927bfadc90

SHA256
db262460b58936d4d913b313115c48e82afd4fb0cbf336c64cabdd65c015f0ba

SHA512
a951f1fd9c77d44833282323e0a948e9d211d26847b004639f4ec9c2e0c1deae3c33b3d39807ed8bf366559174b69189480db0aa8d4696b1c89102bdbcd1ab42

Download Submit
C:\Windows\SysWOW64\Igdgglfl.exe

Filesize
384KB

MD5
4d57ed5d51037fdf7a6373d0acbc962b

SHA1
47bb3340faa37ce7359958df7b213155e9fbe4e1

SHA256
9c57584f6896a320cbc6a3d67f774a69f1225ae3a4440d7977b7292a13bc05aa

SHA512
c5f6aa071192a439545a161586919d9ba239feaaaa87ba9022a8680e5375f2ac3e14be7b97a30149a3eb24d515baf543d691bf9e7b3ed2bf6e3a70764897da87

Download Submit
C:\Windows\SysWOW64\Ilkoim32.exe

Filesize
384KB

MD5
b74456a12f263052cf9119cf0c2f6e66

SHA1
0d22b3e1ca20bd9c0ab44b3565f450fe86524627

SHA256
3b45d8410e106082507202214b3a71c79158fe700b01ab28e51fc5f1e9d537d5

SHA512
8b4aa8d9fef3e8da36474ce17322153b5305f89b4dd36a45b80616a9bdc446cad941fb70f84393a868ca586ef61f6c16301adf7bc010d95d06b2de32651df380

Download Submit
C:\Windows\SysWOW64\Illfdc32.exe

Filesize
384KB

MD5
d6de2d036977ddede296c2cb6e317c71

SHA1
a6c26d57f5348d08ea553ff4430991db09e53650

SHA256
d61b68e00aca898913ef5055a12d633e95d87a0727fd075b71e94cda2adb8603

SHA512
210d51c412aae69dbb38d336e8e6d015f78527c5bd39ee782d1cf0558619248a08af3ebd191e48b15617671e062e9257a0b8defa78a3accc55f695c47f4fd9bd

Download Submit
C:\Windows\SysWOW64\Imgicgca.exe

Filesize
384KB

MD5
97b4587775f5189b25c1371c55aada76

SHA1
828530eddfb6483e6d4003753979de4c45ff1d77

SHA256
4166059d554dc21d362b36b37ce4f663823c0b7232c1d87c53a4a58dba577df3

SHA512
fec8ec275df2975d1771fff122ecd427556f71067f6719a7c78435e10c2a89a576c8415b0feb782ab81e4daa7906bc2cfde9e4a841d1db7b43234db8b6a59aa7

Download Submit
C:\Windows\SysWOW64\Ipihpkkd.exe

Filesize
384KB

MD5
3dd367da4bd8fff8667216b6dda755f7

SHA1
754b459cd55b6c8c2df2c9240e5ea597b0d051c0

SHA256
920fa40c8a11eb9df96fc56848dc68fb91348f420b6b71a6447ae8b7dcc62ce2

SHA512
db290faf2e50ad4e057f513cd1b5389a89cd64c8019877bd2044cd985b86a117eb52a0ed09a0ad471b06235b28912d29ef8ec6f60fc82d5443ccd54ef64c6d7b

Download Submit
C:\Windows\SysWOW64\Jekqmhia.exe

Filesize
384KB

MD5
c53ab5e0363734af295b46ba79fe118b

SHA1
1dbbcee09a01519f90c3172dbf8e2f615ef9e955

SHA256
3fbd0b457b41e0579b819c76edc382941135c3bb49410668c84db0b82289a572

SHA512
c5f9d538c5263a0a978c40637961e65ae0259da0beb3f7713a0ff95490136b2ab318320679785a4f0e996fcb4aa68a4886b342791a4dc670a06a201abc2203c8

Download Submit
C:\Windows\SysWOW64\Jniood32.exe

Filesize
384KB

MD5
a86a82c8daec4966d5945f196b3733c4

SHA1
c4f1e7049f03d604269bd36208ebbc6ebbfb1219

SHA256
6df39ad558b189277f96ae1ca319976c4b99ade006754479c8fa72ec96dab2da

SHA512
4b850389bb2a0097669c47857f7b7c103bdddf33ba8e72b2563c3b0fcc8d2de86376ad833ab023f98c17e23790c4a30e7c0a238ced5c06e97a5f9b47ecd11735

Download Submit
C:\Windows\SysWOW64\Jofalmmp.exe

Filesize
384KB

MD5
09f872e3cf805143be01201c462f3482

SHA1
c93211849a7dc99fe32c8f31b5515c1a3d572ce3

SHA256
8418f11c811daca49513b863fe0b96f16c7ce255cbf6f7ecc5981c43173b98ec

SHA512
53fa7581b01c91e43c372c2168773b5c0efc962509af418b2d1eddfa8e0e57470bc31ff487bbda5641669702c4a2b8417d4edcb5e82318982394d4877313164d

Download Submit
C:\Windows\SysWOW64\Johggfha.exe

Filesize
384KB

MD5
066f49c2e3ebf759c19e80ac61a75598

SHA1
e2572d189a5b7d50f576af8dc080651375991e99

SHA256
14d4a953ffc8966f24cdb109345f01016766090d4ab7698b930a532cd3a4f9c3

SHA512
e30bd1ac3e7ac6ffc7407d8c89b1eb5f0f0d13e37369f106a412d54f1b1effe953cc8a09fd6bdf553659dbe98e3ce91b2101bec9de6402da4f6ebca8f337e5de

Download Submit
C:\Windows\SysWOW64\Kjeiodek.exe

Filesize
384KB

MD5
93ca6dbfc5fa171f0ae347901348c917

SHA1
e52deb21f3094c7fb5fbee2566e90712929379be

SHA256
107ffbce34cd99e2469cd3de1719d8499c905a6fdbd6ab9f3e8523a2968435dd

SHA512
1c8c68af8cdbb6934547270888d42806432876c6bec6e97c508ae0490d5417a69d2ab0c49ec89857e1ffc72c01d30ee39297975bf8f6b14dede4063e66f0d796

Download Submit
C:\Windows\SysWOW64\Komhll32.exe

Filesize
384KB

MD5
11b6eb89e375d48d698192bd7c508c3c

SHA1
e2b5988322e5a14bca9223af5bf86c511c145e14

SHA256
4e09198377a0a4f55a380d162d131c31268cb7c057bbb39134be5b60d583af22

SHA512
4868a3ce02b58cba59939e88d885e90d48d16cb41b33273442d4659077ad43d18246b0ece5f7e6b0ce86153d0933e8939f770d1f8e2a78627a2a16fbc4100e63

Download Submit
C:\Windows\SysWOW64\Kpanan32.exe

Filesize
384KB

MD5
92e1890dede1d0386f7045871dfdf1a5

SHA1
84efa8df2e5d4b884c1675267037f6c6ae8a5c50

SHA256
42c1637b1ecd252c5e67153f8325e4b93a7140cd42bfbb21bce367c2c0feceb9

SHA512
c095a8787d0fa7df8c3162e3a94d41b606ae69beb1df4a9331cc3f1545a190279c1c42bac1e4cf4bb344fa555f1f035a10743cf3bb88398bfb49969f6051fe9d

Download Submit
C:\Windows\SysWOW64\Lnangaoa.exe

Filesize
256KB

MD5
6b480a1a1db584f6e2560181b506551e

SHA1
302a156dc41c3bbd71f7f1e029c1b029ccca5ae9

SHA256
c9ece5a637e1bbc047223fbd8f7e96444469e1417fec482305655e8988f4c8e2

SHA512
e6bc859a0497c3827f13b7d23edf6a4c0b54b15b0218809d86a7353b45cd2ad50ab4566914eb0dd0ed4e0a356926bd6ff5f0a7bcb1b6eb51366f3bbb171444c3

Download Submit
C:\Windows\SysWOW64\Lnangaoa.exe

Filesize
384KB

MD5
0748b5a36040d9f5cc91857a21aa1579

SHA1
6a5fd8e5d2e2721356dbc6bb04f115fa9168c368

SHA256
34ca672fd658856e61f394d79fb6af51e51749641e766b64d94c8c5b473b86d9

SHA512
1e03398afac7f3485a4972867ccd6fe35ee696810250adb47eb7ca965b136d1f38b780653a7f5d92195c7ed8ae3d86d3b8f9a0e4cfacc879de1323fffccfd58e

Download Submit
C:\Windows\SysWOW64\Lpfgmnfp.exe

Filesize
384KB

MD5
7a0302eb1c1777ca032417f6c56bc4e4

SHA1
4a8f36f266ac1f84ff4a368e777032652e79efc6

SHA256
a9c93fa1e75fc28c21e08cea3a54be6f12bb6f6fbfa64fc3cb01a2cc700527b5

SHA512
f61701c45435300aedfe9a391da641a5ab960c60f97aa5fe6fef362c932b9a8629ea0e2d2005a8c0dcfbeeeffaac7d51cc01c8ab8411bcb9e60af79db31d5719

Download Submit
C:\Windows\SysWOW64\Mhoahh32.exe

Filesize
384KB

MD5
69e00ed48857bdf4263d1eb1d3419e57

SHA1
6b643a1dc90af4b3728e6c91215e2e9e00bb3bb9

SHA256
3b2cfff4e6f7f472a84893063a35ec3919faf616aa445c06492d345998cdfcfe

SHA512
ee8a2c08884ddd5b32d06ae1686d81c51616f1070e88a99449e400b4ef9a78844bf9669d73f5880db8fc12bd739cc4e58c513742c964f08be6c8494163d83b97

Download Submit
C:\Windows\SysWOW64\Mmkdcm32.exe

Filesize
384KB

MD5
569d82d27526ea3ed2ca93ccde6b3ad9

SHA1
9f209eeb50702bf4d093efd5c08883a311518b51

SHA256
67f713f72dc6c0ec2365ab60be75d184e90b10413c7dcf6754d2298836157121

SHA512
b2431036b9383061831441f1b516bd99af6b8b882fd870a89ab1f4489ae7194ac2952efe5d887dc37db839be4ae27f7602957a6383a35b0c77c9885912fc5b68

Download Submit
C:\Windows\SysWOW64\Mmpmnl32.exe

Filesize
384KB

MD5
df210bce40d03eff05fb5e82104ee8e7

SHA1
a0682295433f2b688b606505bdddf4e4a5e084f6

SHA256
ac47109f2de3fdc71261008a53d79bb6b41cdc893faf35472259483db37aa74d

SHA512
51261e9704cdac2ef88c508d7c0ee2c0d94916fd5a70867dd3cfb32fdba95d44a14df43d24329a80bafe496cd0bffc467b1ebe6b274da5b25f1ab98e7f24e461

Download Submit
C:\Windows\SysWOW64\Modgdicm.exe

Filesize
384KB

MD5
478023d1890c13836b1d251b04e3e453

SHA1
83a8af3a27a3ae1d82f02dcf7d1094c970ab731b

SHA256
24f284576aa300ce13470c9cd435aa7004e0f3c2bf341a9740068bb5daaea0df

SHA512
f269db9ff51b84202e5c88300aa2692234842bcb1ab5f69f3f8b895dadf9359d070d754fae21a2612099d9f304f882c389a1da685ea2a086d4e9eaef00e13907

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
384KB

MD5
e8ef2c2d6cff7d96bd1543a519e2ba76

SHA1
1f4d4aba92715933269bc1ccf4cb40166b86dc76

SHA256
c6f63cf2eddd562f039026e889a1a7bd15cbdc32e24646a658e86f4d7cdbe0b7

SHA512
a222a712b044356c13b0bd2a40feb1344874262992867fd3fe44c7262ca168ad0036170f9ae9373080dad72ff57a643a7759b7ff5e08719c4d46f14f2dcc5fe3

Download Submit
C:\Windows\SysWOW64\Nfnamjhk.exe

Filesize
384KB

MD5
918fd0998b7e838720e18625841e94f9

SHA1
de980c5a5d52874b22635ab02c5f25507b430571

SHA256
3915a05832ee694cfddffb32da92010e053bc7961df7fd63ee03cff41e7507b5

SHA512
0e913d7ce6ba64a522392a71d1396b88b80e2c5670cadd4c281c932d071ff77cb6abd4f5b479630c5dee1bc1aa9b0afa6d92683d8d98631eb0f2d862e2173049

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
384KB

MD5
035e0def810521690e436c73bed7da49

SHA1
ae59934974d5104d11a2500e86035dea92f9966c

SHA256
79bb77fd90074cf35d18e1ea5a94dfcaba7d7c2acb5ef4adf9b817cf7d32c31c

SHA512
260b67bc1cac53693663fbebf607129e4139de1996ebd2b7f1553fbc17a353acde433bb794cd14f11a9c88f79723cd8bd39d352b50d4f8b25fbfaaa0538f7b92

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe

Filesize
384KB

MD5
fe83bd445a5651f0be4e33266273c028

SHA1
64971392366fe1de829434859bc4ef7b2af81630

SHA256
de84e34f9ef64e7ac9a5edde62d5e70426eeaab64b897bc9212d87529a922cc0

SHA512
901e95d2f01cf9c88f211c79228d6f5f7ceaffb944da687613435ff9426172216630c24f21ccc428f443dd13b147859bccdfe81c4b32eeab1fa6bd5b7d25cac7

Download Submit
C:\Windows\SysWOW64\Oblhcj32.exe

Filesize
384KB

MD5
a9145b5c52abdb19a6a34224c7d5431a

SHA1
3e030ba7be93f88007c32067e3dc3922ae7cdf77

SHA256
d4f1868a29e810c0baf177574568c6ada62a1c93a6783a13d174408b702d6b56

SHA512
1808068cfe69fc4546ed0f9b02102758a53668efefeffaa55052575badc031d2a490b21d1dce5cd8a7347d7a9316f90a730cf556e25df2f6efeeced646ffd5a6

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
384KB

MD5
5f1e5139e21130e431984e260d5f1f97

SHA1
3ed9756690b2688df5f3e718c9879432c470b4e6

SHA256
962e4b241e1116d9b34f4bda2bf64b8435dd13aa33ac263a0899242aa6191bc6

SHA512
0a56b2d6b37a2503e8ffc60e00b5457e841161b7d826d047ab0f0034033b179f758b7d788526f17348f516e4a8e7a5afe0043a7b140021a059c88afb3a50721d

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
384KB

MD5
11ca5899be14130a5aeb93b4eea6c0da

SHA1
1c0da27a0476dc23b04cc976846aebe256db10af

SHA256
684174c95ac151e80a4c6f330d83b0bee2c8185429843a802cd3a6d6c911a509

SHA512
15a178373094aca91f4947e4cb62d29335e4b590d4e1bf889315c44dafa64dabdf25b90627c2e1e5398f1a8e22b1a21402b389622b44affebb8cca1723d48497

Download Submit
C:\Windows\SysWOW64\Oqhoeb32.exe

Filesize
384KB

MD5
836eb6104f30277f7a8d3809083f4c27

SHA1
945206d27714bda8959bb5f21aeebcce1c875501

SHA256
9c8aa37233d8e3b56bd43811dad0e65e84c648422cb8fbb117b8733a650accc2

SHA512
4ae757d9748ec46c421cb5af5062b6d1023b4ed44da6b9e9de4abfda0cdf06c6199b62fa4900c949dbd3562e352b459611d48cf39bb2c7e47452a53dd59ebb96

Download Submit
C:\Windows\SysWOW64\Paihlpfi.exe

Filesize
384KB

MD5
38a7417eee04473d67d32735d208edca

SHA1
65cbf8aee84ee94a5ab490af9e02491758476a3d

SHA256
5d23026fe436529183cec753f262855fb2d1e86e5d8b8a7f6c8f41b5bf0f96ba

SHA512
23e5a2b0da0c2c4351d7b8a8b5780193a9a68198df656cbe7ae127750c1e88887d44cee33246aa15b6d5460224d32cb35a72f63e43c631299c3a0f18bdbc569e

Download Submit
C:\Windows\SysWOW64\Phonha32.exe

Filesize
384KB

MD5
bac5a501e62c7baf0e89f45246048c4c

SHA1
04c8b68867e6ba499a86741fe697bbbff3a38836

SHA256
e1e2df3ff1a6230babef398a90c191519426c54174c696add4f1a15906ebb4dc

SHA512
cd153409426cb54ba7a9d6ab6fd54517888a157cace6c291b00c47a3d35b41adc5dd27bd22e73503984a7b888c28a0a0c19e398406e5fda0616fb6bc1aaf73cb

Download Submit
memory/116-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/560-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/840-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/844-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/844-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1196-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1256-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3316-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4532-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5188-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5232-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5276-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5320-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5368-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5412-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads