1c24e88c357a30a276909e05026d9a8fa328a28253dd05783aeb88c91d743242

Analysis

max time kernel
148s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c24e88c357a30a276909e05026d9a8fa328a28253dd05783aeb88c91d743242.exe
Size

120KB
MD5

599885ab499a4ebef18acacdd458426c
SHA1

6d1e13e1e706503a3593d0582a1cb613d14d8cb0
SHA256

1c24e88c357a30a276909e05026d9a8fa328a28253dd05783aeb88c91d743242
SHA512

64f03a506e123d1c01f1fc224e77eb4778e9e95b6e33cb36b5baad1f10e3ee8ce40567c2d1a1a0e07bcbb5fcec6a965d21896079f1f0df6b2a3ed0961475c465
SSDEEP

3072:/N1+rJaZPEdY+aDWyueu203H/6TC+qF1SsB1bw4AVRrd9:P2bLAHu9C81NBy9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbgalmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmnqjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ennqfenp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goljqnpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amfjeobf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Alqjpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcbnnpka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflibgil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mebcop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkokcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enemaimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabomkll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dheibpje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edionhpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkhpfbce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qhakoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eiahnnph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Goedpofl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Poaqemao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amodep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omcjep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojomcopk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fooclapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekefmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiffqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fohfbpgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caienjfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kenggi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kglmio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gokbgpeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eglgbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dannij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aanbhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohhnbhok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjmba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekefmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgnbaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehbnigjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmpkqqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkmioc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legjmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ennqfenp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Podmkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlnbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aanbhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Milidebi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjneln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlnbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fdkggg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcegi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqilgmdg.exe

Executes dropped EXE 64 IoCs

pid	Process
3508	Ngdmod32.exe
2120	Npmagine.exe
3464	Olcbmj32.exe
3672	Ocnjidkf.exe
4728	Opakbi32.exe
1740	Ojjolnaq.exe
3648	Ognpebpj.exe
3976	Onhhamgg.exe
2872	Ocdqjceo.exe
3600	Onjegled.exe
2292	Oddmdf32.exe
4452	Pnlaml32.exe
4140	Cjkjpgfi.exe
3240	Ddakjkqi.exe
3528	Ealadnik.exe
3432	Ekefmc32.exe
1872	Eglgbdep.exe
3196	Edpgli32.exe
1468	Eoekia32.exe
5028	Foghnabl.exe
4780	Fojedapj.exe
1700	Fhbimf32.exe
4952	Fajnfl32.exe
3828	Fonnop32.exe
232	Fdkggg32.exe
1876	Gaogak32.exe
396	Gkglja32.exe
3296	Gdppbfff.exe
3980	Goedpofl.exe
3684	Goljqnpd.exe
4648	Loeolc32.exe
3092	Ngmpcn32.exe
4548	Ploknb32.exe
5008	Pgdokkfg.exe
5084	Phhhhc32.exe
412	Poaqemao.exe
2536	Pflibgil.exe
4508	Podmkm32.exe
3344	Plhnda32.exe
2460	Qgnbaj32.exe
3656	Qhonib32.exe
4460	Qcdbfk32.exe
4948	Qhakoa32.exe
1916	Aokcklid.exe
2096	Amodep32.exe
4836	Acilajpk.exe
4020	Amaqjp32.exe
2384	Aihaoqlp.exe
1044	Acnemi32.exe
4764	Amfjeobf.exe
3688	Afnnnd32.exe
2592	Bfqkddfd.exe
3720	Bmkcqn32.exe
5132	Bgpgng32.exe
5172	Bqilgmdg.exe
5212	Bgbdcgld.exe
5256	Bmomlnjk.exe
5300	Bgeaifia.exe
5344	Cabomkll.exe
5384	Cjmpkqqj.exe
5420	Cpihcgoa.exe
5464	Cfcqpa32.exe
5516	Caienjfd.exe
5560	Cffmfadl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bgbdcgld.exe	Bqilgmdg.exe
File created	C:\Windows\SysWOW64\Ncabfkqo.exe	Nmgjia32.exe
File created	C:\Windows\SysWOW64\Ekonpckp.exe	Ojomcopk.exe
File created	C:\Windows\SysWOW64\Jdbbeh32.dll	Afnnnd32.exe
File created	C:\Windows\SysWOW64\Ffpcchkn.dll	Bmkcqn32.exe
File opened for modification	C:\Windows\SysWOW64\Dpehof32.exe	Dikpbl32.exe
File opened for modification	C:\Windows\SysWOW64\Hlegnjbm.exe	Gdaociml.exe
File opened for modification	C:\Windows\SysWOW64\Nmnqjp32.exe	Nlmdbh32.exe
File created	C:\Windows\SysWOW64\Dnmhpg32.exe	Dkokcl32.exe
File created	C:\Windows\SysWOW64\Dheibpje.exe	Ddjmba32.exe
File created	C:\Windows\SysWOW64\Jchdqkfl.dll	Nmkmjjaa.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Nmhbnnof.dll	Aokcklid.exe
File created	C:\Windows\SysWOW64\Fkhpfbce.exe	Foapaa32.exe
File created	C:\Windows\SysWOW64\Lbgalmej.exe	Kkmioc32.exe
File created	C:\Windows\SysWOW64\Fgjhpcmo.exe	Fdlkdhnk.exe
File created	C:\Windows\SysWOW64\Gokbgpeg.exe	Fkofga32.exe
File opened for modification	C:\Windows\SysWOW64\Ncbafoge.exe	Mlofcf32.exe
File opened for modification	C:\Windows\SysWOW64\Fjocbhbo.exe	Fcekfnkb.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Bpapcb32.dll	Fajnfl32.exe
File created	C:\Windows\SysWOW64\Pmphblgf.dll	Dheibpje.exe
File opened for modification	C:\Windows\SysWOW64\Njmqnobn.exe	Ncchae32.exe
File created	C:\Windows\SysWOW64\Akcjcnpe.dll	Eqlfhjig.exe
File created	C:\Windows\SysWOW64\Ppajlp32.dll	Mahnhhod.exe
File created	C:\Windows\SysWOW64\Qcanijap.dll	Afgacokc.exe
File created	C:\Windows\SysWOW64\Epmmqheb.exe	Eicedn32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Alcfei32.exe	Aanbhp32.exe
File created	C:\Windows\SysWOW64\Bjbalpnl.dll	Dhlpqc32.exe
File created	C:\Windows\SysWOW64\Khoana32.dll	Nlkgmh32.exe
File created	C:\Windows\SysWOW64\Khihgadg.dll	Ncbafoge.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Dhjckcgi.exe	Dmdonkgc.exe
File created	C:\Windows\SysWOW64\Eiokinbk.exe	Ebdcld32.exe
File created	C:\Windows\SysWOW64\Fkofga32.exe	Feenjgfq.exe
File opened for modification	C:\Windows\SysWOW64\Apeknk32.exe	Ncbafoge.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Mjneln32.exe	Milidebi.exe
File opened for modification	C:\Windows\SysWOW64\Afgacokc.exe	Achegd32.exe
File created	C:\Windows\SysWOW64\Dmohno32.exe	Dfdpad32.exe
File created	C:\Windows\SysWOW64\Dfiildio.exe	Dooaoj32.exe
File created	C:\Windows\SysWOW64\Fhbimf32.exe	Fojedapj.exe
File created	C:\Windows\SysWOW64\Jgbbpbop.dll	Dpehof32.exe
File created	C:\Windows\SysWOW64\Pdpjda32.dll	Kbbhqn32.exe
File created	C:\Windows\SysWOW64\Kfkklk32.dll	Fqikob32.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Ngmpcn32.exe	Loeolc32.exe
File opened for modification	C:\Windows\SysWOW64\Meepdp32.exe	Mnkggfkb.exe
File created	C:\Windows\SysWOW64\Fimgpahk.dll	Dfdpad32.exe
File created	C:\Windows\SysWOW64\Djiono32.dll	Eiokinbk.exe
File created	C:\Windows\SysWOW64\Feenjgfq.exe	Fajbjh32.exe
File opened for modification	C:\Windows\SysWOW64\Gdppbfff.exe	Gkglja32.exe
File created	C:\Windows\SysWOW64\Moefhk32.dll	Ngmpcn32.exe
File created	C:\Windows\SysWOW64\Fonnop32.exe	Fajnfl32.exe
File created	C:\Windows\SysWOW64\Phhhhc32.exe	Pgdokkfg.exe
File created	C:\Windows\SysWOW64\Cjmpkqqj.exe	Cabomkll.exe
File created	C:\Windows\SysWOW64\Paedlhhc.dll	Meepdp32.exe
File created	C:\Windows\SysWOW64\Njinmf32.exe	Ngjbaj32.exe
File created	C:\Windows\SysWOW64\Balenlhn.dll	Omcjep32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Meebmkdh.dll	Liqihglg.exe
File created	C:\Windows\SysWOW64\Lefioe32.dll	Qcaofebg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5416	5740	WerFault.exe	320

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmeliho.dll"	Bgpgng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgeaifia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadpldgf.dll"	Kkjlic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Napjdpcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oeheqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngmpcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acilajpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Emlenj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmokmkpo.dll"	Ilccoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Plhnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmhbnnof.dll"	Aokcklid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcaofebg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckmehb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmohno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eicedn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Edionhpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Alqjpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnijfj32.dll"	Ehbnigjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcblekh.dll"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	1c24e88c357a30a276909e05026d9a8fa328a28253dd05783aeb88c91d743242.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fojedapj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcqpq32.dll"	Gkglja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inicaa32.dll"	Dmdonkgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kjhcjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liqihglg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dheibpje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aojlaeei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmphblgf.dll"	Dheibpje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eiahnnph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgdokkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpnbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ebdcld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faagecfk.dll"	Apeknk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cabomkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afgacokc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Knfeeimj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Paelfmaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Domdjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	1c24e88c357a30a276909e05026d9a8fa328a28253dd05783aeb88c91d743242.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Goljqnpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdohmibo.dll"	Goljqnpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmliok32.dll"	Dpnbog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djklmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkjlic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balenlhn.dll"	Omcjep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofblbapl.dll"	Fkhpfbce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfhjkabi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljgpkonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfdpad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mbbagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddjmba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiildio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigqjdgo.dll"	Aojlaeei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfqkddfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Emhkdmlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eiokinbk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 3508	684	1c24e88c357a30a276909e05026d9a8fa328a28253dd05783aeb88c91d743242.exe	95
PID 684 wrote to memory of 3508	684	1c24e88c357a30a276909e05026d9a8fa328a28253dd05783aeb88c91d743242.exe	95
PID 684 wrote to memory of 3508	684	1c24e88c357a30a276909e05026d9a8fa328a28253dd05783aeb88c91d743242.exe	95
PID 3508 wrote to memory of 2120	3508	Ngdmod32.exe	96
PID 3508 wrote to memory of 2120	3508	Ngdmod32.exe	96
PID 3508 wrote to memory of 2120	3508	Ngdmod32.exe	96
PID 2120 wrote to memory of 3464	2120	Npmagine.exe	97
PID 2120 wrote to memory of 3464	2120	Npmagine.exe	97
PID 2120 wrote to memory of 3464	2120	Npmagine.exe	97
PID 3464 wrote to memory of 3672	3464	Olcbmj32.exe	98
PID 3464 wrote to memory of 3672	3464	Olcbmj32.exe	98
PID 3464 wrote to memory of 3672	3464	Olcbmj32.exe	98
PID 3672 wrote to memory of 4728	3672	Ocnjidkf.exe	99
PID 3672 wrote to memory of 4728	3672	Ocnjidkf.exe	99
PID 3672 wrote to memory of 4728	3672	Ocnjidkf.exe	99
PID 4728 wrote to memory of 1740	4728	Opakbi32.exe	100
PID 4728 wrote to memory of 1740	4728	Opakbi32.exe	100
PID 4728 wrote to memory of 1740	4728	Opakbi32.exe	100
PID 1740 wrote to memory of 3648	1740	Ojjolnaq.exe	101
PID 1740 wrote to memory of 3648	1740	Ojjolnaq.exe	101
PID 1740 wrote to memory of 3648	1740	Ojjolnaq.exe	101
PID 3648 wrote to memory of 3976	3648	Ognpebpj.exe	102
PID 3648 wrote to memory of 3976	3648	Ognpebpj.exe	102
PID 3648 wrote to memory of 3976	3648	Ognpebpj.exe	102
PID 3976 wrote to memory of 2872	3976	Onhhamgg.exe	103
PID 3976 wrote to memory of 2872	3976	Onhhamgg.exe	103
PID 3976 wrote to memory of 2872	3976	Onhhamgg.exe	103
PID 2872 wrote to memory of 3600	2872	Ocdqjceo.exe	105
PID 2872 wrote to memory of 3600	2872	Ocdqjceo.exe	105
PID 2872 wrote to memory of 3600	2872	Ocdqjceo.exe	105
PID 3600 wrote to memory of 2292	3600	Onjegled.exe	106
PID 3600 wrote to memory of 2292	3600	Onjegled.exe	106
PID 3600 wrote to memory of 2292	3600	Onjegled.exe	106
PID 2292 wrote to memory of 4452	2292	Oddmdf32.exe	107
PID 2292 wrote to memory of 4452	2292	Oddmdf32.exe	107
PID 2292 wrote to memory of 4452	2292	Oddmdf32.exe	107
PID 4452 wrote to memory of 4140	4452	Pnlaml32.exe	108
PID 4452 wrote to memory of 4140	4452	Pnlaml32.exe	108
PID 4452 wrote to memory of 4140	4452	Pnlaml32.exe	108
PID 4140 wrote to memory of 3240	4140	Cjkjpgfi.exe	109
PID 4140 wrote to memory of 3240	4140	Cjkjpgfi.exe	109
PID 4140 wrote to memory of 3240	4140	Cjkjpgfi.exe	109
PID 3240 wrote to memory of 3528	3240	Ddakjkqi.exe	110
PID 3240 wrote to memory of 3528	3240	Ddakjkqi.exe	110
PID 3240 wrote to memory of 3528	3240	Ddakjkqi.exe	110
PID 3528 wrote to memory of 3432	3528	Ealadnik.exe	111
PID 3528 wrote to memory of 3432	3528	Ealadnik.exe	111
PID 3528 wrote to memory of 3432	3528	Ealadnik.exe	111
PID 3432 wrote to memory of 1872	3432	Ekefmc32.exe	112
PID 3432 wrote to memory of 1872	3432	Ekefmc32.exe	112
PID 3432 wrote to memory of 1872	3432	Ekefmc32.exe	112
PID 1872 wrote to memory of 3196	1872	Eglgbdep.exe	113
PID 1872 wrote to memory of 3196	1872	Eglgbdep.exe	113
PID 1872 wrote to memory of 3196	1872	Eglgbdep.exe	113
PID 3196 wrote to memory of 1468	3196	Edpgli32.exe	115
PID 3196 wrote to memory of 1468	3196	Edpgli32.exe	115
PID 3196 wrote to memory of 1468	3196	Edpgli32.exe	115
PID 1468 wrote to memory of 5028	1468	Eoekia32.exe	116
PID 1468 wrote to memory of 5028	1468	Eoekia32.exe	116
PID 1468 wrote to memory of 5028	1468	Eoekia32.exe	116
PID 5028 wrote to memory of 4780	5028	Foghnabl.exe	117
PID 5028 wrote to memory of 4780	5028	Foghnabl.exe	117
PID 5028 wrote to memory of 4780	5028	Foghnabl.exe	117
PID 4780 wrote to memory of 1700	4780	Fojedapj.exe	118

C:\Users\Admin\AppData\Local\Temp\1c24e88c357a30a276909e05026d9a8fa328a28253dd05783aeb88c91d743242.exe
"C:\Users\Admin\AppData\Local\Temp\1c24e88c357a30a276909e05026d9a8fa328a28253dd05783aeb88c91d743242.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\SysWOW64\Ngdmod32.exe
  C:\Windows\system32\Ngdmod32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\Npmagine.exe
    C:\Windows\system32\Npmagine.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\Olcbmj32.exe
      C:\Windows\system32\Olcbmj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
      - C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Ealadnik.exe
        
        C:\Windows\system32\Ealadnik.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Ekefmc32.exe
        
        C:\Windows\system32\Ekefmc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Eglgbdep.exe
        
        C:\Windows\system32\Eglgbdep.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Edpgli32.exe
        
        C:\Windows\system32\Edpgli32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Eoekia32.exe
        
        C:\Windows\system32\Eoekia32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Foghnabl.exe
        
        C:\Windows\system32\Foghnabl.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Fojedapj.exe
        
        C:\Windows\system32\Fojedapj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Fhbimf32.exe
        
        C:\Windows\system32\Fhbimf32.exe
        23⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Fajnfl32.exe
        
        C:\Windows\system32\Fajnfl32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Fonnop32.exe
        
        C:\Windows\system32\Fonnop32.exe
        25⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Fdkggg32.exe
        
        C:\Windows\system32\Fdkggg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Gaogak32.exe
        
        C:\Windows\system32\Gaogak32.exe
        27⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Gkglja32.exe
        
        C:\Windows\system32\Gkglja32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Gdppbfff.exe
        
        C:\Windows\system32\Gdppbfff.exe
        29⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\Goedpofl.exe
        
        C:\Windows\system32\Goedpofl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\Goljqnpd.exe
        
        C:\Windows\system32\Goljqnpd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Loeolc32.exe
        
        C:\Windows\system32\Loeolc32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\Ngmpcn32.exe
        
        C:\Windows\system32\Ngmpcn32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ploknb32.exe
        
        C:\Windows\system32\Ploknb32.exe
        34⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Pgdokkfg.exe
        
        C:\Windows\system32\Pgdokkfg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Phhhhc32.exe
        
        C:\Windows\system32\Phhhhc32.exe
        36⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Poaqemao.exe
        
        C:\Windows\system32\Poaqemao.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\Pflibgil.exe
        
        C:\Windows\system32\Pflibgil.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Podmkm32.exe
        
        C:\Windows\system32\Podmkm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Plhnda32.exe
        
        C:\Windows\system32\Plhnda32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Qgnbaj32.exe
        
        C:\Windows\system32\Qgnbaj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Qhonib32.exe
        
        C:\Windows\system32\Qhonib32.exe
        42⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\Qcdbfk32.exe
        
        C:\Windows\system32\Qcdbfk32.exe
        43⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Qhakoa32.exe
        
        C:\Windows\system32\Qhakoa32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Aokcklid.exe
        
        C:\Windows\system32\Aokcklid.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Amodep32.exe
        
        C:\Windows\system32\Amodep32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Acilajpk.exe
        
        C:\Windows\system32\Acilajpk.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Amaqjp32.exe
        
        C:\Windows\system32\Amaqjp32.exe
        48⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\Aihaoqlp.exe
        
        C:\Windows\system32\Aihaoqlp.exe
        49⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Acnemi32.exe
        
        C:\Windows\system32\Acnemi32.exe
        50⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\Amfjeobf.exe
        
        C:\Windows\system32\Amfjeobf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\Afnnnd32.exe
        
        C:\Windows\system32\Afnnnd32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Bfqkddfd.exe
        
        C:\Windows\system32\Bfqkddfd.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Bmkcqn32.exe
        
        C:\Windows\system32\Bmkcqn32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Bgpgng32.exe
        
        C:\Windows\system32\Bgpgng32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Bqilgmdg.exe
        
        C:\Windows\system32\Bqilgmdg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Bgbdcgld.exe
        
        C:\Windows\system32\Bgbdcgld.exe
        57⤵
        Executes dropped EXE
        
        PID:5212
        
        C:\Windows\SysWOW64\Bmomlnjk.exe
        
        C:\Windows\system32\Bmomlnjk.exe
        58⤵
        Executes dropped EXE
        
        PID:5256
        
        C:\Windows\SysWOW64\Bgeaifia.exe
        
        C:\Windows\system32\Bgeaifia.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Cabomkll.exe
        
        C:\Windows\system32\Cabomkll.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Cjmpkqqj.exe
        
        C:\Windows\system32\Cjmpkqqj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5384
        
        C:\Windows\SysWOW64\Cpihcgoa.exe
        
        C:\Windows\system32\Cpihcgoa.exe
        62⤵
        Executes dropped EXE
        
        PID:5420
        
        C:\Windows\SysWOW64\Cfcqpa32.exe
        
        C:\Windows\system32\Cfcqpa32.exe
        63⤵
        Executes dropped EXE
        
        PID:5464
        
        C:\Windows\SysWOW64\Caienjfd.exe
        
        C:\Windows\system32\Caienjfd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5516
        
        C:\Windows\SysWOW64\Cffmfadl.exe
        
        C:\Windows\system32\Cffmfadl.exe
        65⤵
        Executes dropped EXE
        
        PID:5560
        
        C:\Windows\SysWOW64\Dpnbog32.exe
        
        C:\Windows\system32\Dpnbog32.exe
        66⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Dfhjkabi.exe
        
        C:\Windows\system32\Dfhjkabi.exe
        67⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Dannij32.exe
        
        C:\Windows\system32\Dannij32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Dmdonkgc.exe
        
        C:\Windows\system32\Dmdonkgc.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Dhjckcgi.exe
        
        C:\Windows\system32\Dhjckcgi.exe
        70⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Dikpbl32.exe
        
        C:\Windows\system32\Dikpbl32.exe
        71⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Dpehof32.exe
        
        C:\Windows\system32\Dpehof32.exe
        72⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Dhlpqc32.exe
        
        C:\Windows\system32\Dhlpqc32.exe
        73⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Djklmo32.exe
        
        C:\Windows\system32\Djklmo32.exe
        74⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Dmihij32.exe
        
        C:\Windows\system32\Dmihij32.exe
        75⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Dpgeee32.exe
        
        C:\Windows\system32\Dpgeee32.exe
        76⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Dhomfc32.exe
        
        C:\Windows\system32\Dhomfc32.exe
        77⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Emlenj32.exe
        
        C:\Windows\system32\Emlenj32.exe
        78⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Kjhcjq32.exe
        
        C:\Windows\system32\Kjhcjq32.exe
        79⤵
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Kbpkkn32.exe
        
        C:\Windows\system32\Kbpkkn32.exe
        80⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Kenggi32.exe
        
        C:\Windows\system32\Kenggi32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Kkhpdcab.exe
        
        C:\Windows\system32\Kkhpdcab.exe
        82⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Kbbhqn32.exe
        
        C:\Windows\system32\Kbbhqn32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Keqdmihc.exe
        
        C:\Windows\system32\Keqdmihc.exe
        84⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Kkjlic32.exe
        
        C:\Windows\system32\Kkjlic32.exe
        85⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Kkmioc32.exe
        
        C:\Windows\system32\Kkmioc32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Lbgalmej.exe
        
        C:\Windows\system32\Lbgalmej.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Liqihglg.exe
        
        C:\Windows\system32\Liqihglg.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Lkofdbkj.exe
        
        C:\Windows\system32\Lkofdbkj.exe
        89⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Legjmh32.exe
        
        C:\Windows\system32\Legjmh32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:688
        
        C:\Windows\SysWOW64\Lkabjbih.exe
        
        C:\Windows\system32\Lkabjbih.exe
        91⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Lieccf32.exe
        
        C:\Windows\system32\Lieccf32.exe
        92⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Ljgpkonp.exe
        
        C:\Windows\system32\Ljgpkonp.exe
        93⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Lacdmh32.exe
        
        C:\Windows\system32\Lacdmh32.exe
        94⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Llhikacp.exe
        
        C:\Windows\system32\Llhikacp.exe
        95⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Mbbagk32.exe
        
        C:\Windows\system32\Mbbagk32.exe
        96⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Milidebi.exe
        
        C:\Windows\system32\Milidebi.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Mjneln32.exe
        
        C:\Windows\system32\Mjneln32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Mahnhhod.exe
        
        C:\Windows\system32\Mahnhhod.exe
        99⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Mnlnbl32.exe
        
        C:\Windows\system32\Mnlnbl32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Qcaofebg.exe
        
        C:\Windows\system32\Qcaofebg.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Qljcoj32.exe
        
        C:\Windows\system32\Qljcoj32.exe
        102⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Qaflgago.exe
        
        C:\Windows\system32\Qaflgago.exe
        103⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Ahqddk32.exe
        
        C:\Windows\system32\Ahqddk32.exe
        104⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Aojlaeei.exe
        
        C:\Windows\system32\Aojlaeei.exe
        105⤵
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Aeddnp32.exe
        
        C:\Windows\system32\Aeddnp32.exe
        106⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Ahcajk32.exe
        
        C:\Windows\system32\Ahcajk32.exe
        107⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Achegd32.exe
        
        C:\Windows\system32\Achegd32.exe
        108⤵
        Drops file in System32 directory
        
        PID:6384
        
        C:\Windows\SysWOW64\Afgacokc.exe
        
        C:\Windows\system32\Afgacokc.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Alqjpi32.exe
        
        C:\Windows\system32\Alqjpi32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Aanbhp32.exe
        
        C:\Windows\system32\Aanbhp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Alcfei32.exe
        
        C:\Windows\system32\Alcfei32.exe
        112⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Ckmehb32.exe
        
        C:\Windows\system32\Ckmehb32.exe
        113⤵
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Fjohde32.exe
        
        C:\Windows\system32\Fjohde32.exe
        114⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Gdaociml.exe
        
        C:\Windows\system32\Gdaociml.exe
        115⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Hlegnjbm.exe
        
        C:\Windows\system32\Hlegnjbm.exe
        116⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Ilccoh32.exe
        
        C:\Windows\system32\Ilccoh32.exe
        117⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Kmfhkf32.exe
        
        C:\Windows\system32\Kmfhkf32.exe
        118⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Kglmio32.exe
        
        C:\Windows\system32\Kglmio32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7000
        
        C:\Windows\SysWOW64\Knfeeimj.exe
        
        C:\Windows\system32\Knfeeimj.exe
        120⤵
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Kcbnnpka.exe
        
        C:\Windows\system32\Kcbnnpka.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Ljobpiql.exe
        
        C:\Windows\system32\Ljobpiql.exe
        122⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Mebcop32.exe
        
        C:\Windows\system32\Mebcop32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6172
        
        C:\Windows\SysWOW64\Mnkggfkb.exe
        
        C:\Windows\system32\Mnkggfkb.exe
        124⤵
        Drops file in System32 directory
        
        PID:6260
        
        C:\Windows\SysWOW64\Meepdp32.exe
        
        C:\Windows\system32\Meepdp32.exe
        125⤵
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\Mgclpkac.exe
        
        C:\Windows\system32\Mgclpkac.exe
        126⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Napjdpcn.exe
        
        C:\Windows\system32\Napjdpcn.exe
        127⤵
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Ngjbaj32.exe
        
        C:\Windows\system32\Ngjbaj32.exe
        128⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Njinmf32.exe
        
        C:\Windows\system32\Njinmf32.exe
        129⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\Nmgjia32.exe
        
        C:\Windows\system32\Nmgjia32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Ncabfkqo.exe
        
        C:\Windows\system32\Ncabfkqo.exe
        131⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Nlhkgi32.exe
        
        C:\Windows\system32\Nlhkgi32.exe
        132⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Nnfgcd32.exe
        
        C:\Windows\system32\Nnfgcd32.exe
        133⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Neqopnhb.exe
        
        C:\Windows\system32\Neqopnhb.exe
        134⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Nlkgmh32.exe
        
        C:\Windows\system32\Nlkgmh32.exe
        135⤵
        Drops file in System32 directory
        
        PID:7084
        
        C:\Windows\SysWOW64\Nnicid32.exe
        
        C:\Windows\system32\Nnicid32.exe
        136⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Neclenfo.exe
        
        C:\Windows\system32\Neclenfo.exe
        137⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\Nlmdbh32.exe
        
        C:\Windows\system32\Nlmdbh32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Nmnqjp32.exe
        
        C:\Windows\system32\Nmnqjp32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6324
        
        C:\Windows\SysWOW64\Ohcegi32.exe
        
        C:\Windows\system32\Ohcegi32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Omqmop32.exe
        
        C:\Windows\system32\Omqmop32.exe
        141⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Oeheqm32.exe
        
        C:\Windows\system32\Oeheqm32.exe
        142⤵
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Ohfami32.exe
        
        C:\Windows\system32\Ohfami32.exe
        143⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\Omcjep32.exe
        
        C:\Windows\system32\Omcjep32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Ohhnbhok.exe
        
        C:\Windows\system32\Ohhnbhok.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:680
        
        C:\Windows\SysWOW64\Odalmibl.exe
        
        C:\Windows\system32\Odalmibl.exe
        146⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Paelfmaf.exe
        
        C:\Windows\system32\Paelfmaf.exe
        147⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3856
        
        C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        149⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        151⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        152⤵
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Ddjmba32.exe
        
        C:\Windows\system32\Ddjmba32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        155⤵
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        156⤵
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        157⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        158⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        159⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        160⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        161⤵
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        164⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7044
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        168⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        169⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        170⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2968
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        172⤵
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1644
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        174⤵
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5060
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        177⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        178⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Ehbnigjj.exe
        
        C:\Windows\system32\Ehbnigjj.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        180⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4952
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        183⤵
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        184⤵
        
        PID:324
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        185⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        187⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        188⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        189⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        190⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        192⤵
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        193⤵
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        194⤵
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        196⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        197⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        198⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        199⤵
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        200⤵
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        202⤵
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        204⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        205⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        207⤵
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        209⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        210⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        211⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        212⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        213⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 424
        214⤵
        Program crash
        
        PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5740 -ip 5740
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afnnnd32.exe

Filesize
120KB

MD5
8c0ce796b764e77ce357710af992ca32

SHA1
d243597dc6293196edf369a43adc57996ed92b3a

SHA256
cd9ad6eed2e62f51c3a467f9455e222a3115bfe67728f86649b3f2a4bfc9b6ef

SHA512
7b23c11546dd87600d4d9535110dec1ddfc22eab0ab4666b679f6a104d7702f727b0de9fb7345ece50605f269944db3cb7e41404c917f768dc28c4b5f47bde18

Download Submit
C:\Windows\SysWOW64\Alcfei32.exe

Filesize
120KB

MD5
f49486d403f953f1c2f364e3831badc0

SHA1
e538ce1ea6a59d74fa2d8d04f04db50f84259392

SHA256
6881ed36119e989e3ed0062c6980d2b91b73b7008e7185ea6b42caeb8425cc69

SHA512
674517aa0129f0f92ba9710e37412b549f3401be7fd074ac1a8190aa4f6b449241aad0914bff45bc7db8f4c0acf64351add74e95837e5baf0f0492ff73617e51

Download Submit
C:\Windows\SysWOW64\Amodep32.exe

Filesize
120KB

MD5
4cd1c71e65588ebaa7ddd7fa7fb26c02

SHA1
472745fe66f061583ed7905e9ccc6fa828f7d413

SHA256
41593ae57040260e9d1168f5c9d3931896d1a1c477764f88537107af000b65ed

SHA512
abdae96646be6f56483fd96aff2c8fbde227f45d4abc4ea02a0f7cc1a2b18520aaee737f6efdeba20879016d6c7be3627eab5894c73397d3249c635138928a3e

Download Submit
C:\Windows\SysWOW64\Bqilgmdg.exe

Filesize
120KB

MD5
625a8218d3fc1bf0e21cd2561ca6f3af

SHA1
1d5ac06b3770739baca1b59fceafb728aff73e5c

SHA256
7145cc80b10d75708455e9f5241f3b55ae035d48bc6fc1969e720e471e239ac2

SHA512
559b7f72871195db7184db74a3a76b4354d2fb3d5621d40519829beca2ca792b14ea57853510d9c4b72eb2eea4159654e58e8f2111405fbc4d3b8de913556442

Download Submit
C:\Windows\SysWOW64\Cabomkll.exe

Filesize
120KB

MD5
27d3e2fa42ab4889575895b1d8c10764

SHA1
fbcb464cacd4815c510e851bbca04e291f8c88cc

SHA256
673da7ff50c593a415914cb4329e9963198fada83acb706660f1747f13fb31d3

SHA512
b7a8676b662bc750e370ef719058b98a597cbef89c35c240800aefe3a239bb1b654a28865d95fe959b3bbf77efce1c2379cee46b8ecd577832a4a8bf3305647f

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
120KB

MD5
aa4261a4e551b43262d4ea86e56caa29

SHA1
3e49e671ac15b33410f17322307db4c4f78e4c2c

SHA256
02d07755c22c47454929dff24d2bedc2ffa5fc8457591b932679ea09211f2105

SHA512
d4003cde91a0defa8ecb72ecf66fd60a45fd351227e7ad57c60f38a292b0cb29c1614b5eaddc9b6d687ecad2ed5e3dbd9264f1511c4836a48636827f1c3e7e49

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
120KB

MD5
57b9a89c3d3a099d6a3620a88a0090c6

SHA1
aaee517ef70b89bbacdee6d99bda3a9cc1dfb932

SHA256
ae178fc2c074c3d0d4b6707df687113af92dad8b7a56a920fd7f32bf519fb50a

SHA512
dbd523a2e3b6fc498c8087c09e63d83f54a5e2e088db3b2982be598d6923c50d49b68ca0295fa2b9897f9ff0029be1e611feaa85e3fa5e341f1fc4206a02e345

Download Submit
C:\Windows\SysWOW64\Ealadnik.exe

Filesize
120KB

MD5
b4a4ba3eecb74cfb246b3329a16ff03b

SHA1
5669f1a358d1e06c4af47cc6e5cb9dad5cb5bc2e

SHA256
0f8ba9e9b4e0c83e4dc54f16977839f39051db0e291463da9b0e01bf91612f24

SHA512
2d0bf3070e1dadb6027617a1dbacbff2606e47ec03e62b0ad224721f293892e9b38c0585dde1270de0d706a6d8a3bdbb70dbcb7a0c6e177056a4b4018d587468

Download Submit
C:\Windows\SysWOW64\Edpgli32.exe

Filesize
120KB

MD5
318f194a80c4ea00e142969a5a1c2ad5

SHA1
f1d5893ab1a849067ab263413192eb8ca9ab969c

SHA256
d5fcfd1d242e4e57af2b8a2f92fff4ea83e8313d6a961b31d542c8dca48944de

SHA512
a8094328556941af0c45e6098353c0839dcee37734b1cfc2eb1ba2aafad3315352c4ccc331fb7daf09f1558144d91cd07f261d65faaf64ec2bb760bd48505b32

Download Submit
C:\Windows\SysWOW64\Eglgbdep.exe

Filesize
120KB

MD5
ff43d9caf6e3d30f626cd92714eb0010

SHA1
359076a5210175fff2cd4cbf366b08d90084ca61

SHA256
b681ecece06193ce894aa4d8fdaeeff5e37224a58878561706616bafd701ca48

SHA512
6c76246e42013f7a271797ca78fdf1cc8537385022810feaa2dc6c49d41a57bb5e0df6d06c14723f7147d5499e2e225ee9e3ffedda1262f35c9614e5d3bfdede

Download Submit
C:\Windows\SysWOW64\Ekefmc32.exe

Filesize
120KB

MD5
57a1d8b8eb1bc6234500d4ff5a4b77ea

SHA1
3bd1b333d960ee5090c0072895a708ef598da737

SHA256
4a7e7640ea8897ca0f4a83ac3f9680c7539daa6d4c883ddae55ac526ee110169

SHA512
c5876a3f09a629c8e065c9c03ad9ade0095c5762c4948db7731f2c29c7cf46651a6531b9b6e7b3db9beff2f5024a9440d37580c6fcd5d9c9246f550e83cb4a5c

Download Submit
C:\Windows\SysWOW64\Enkdaepb.exe

Filesize
120KB

MD5
c2f6587e87546ff40333ce3485c90bf3

SHA1
641affec5e1b07e703ba6be53d93730cc85ff2b9

SHA256
939cd5f5daad7bb3149ffcffc39ff596879c519c1ce0746cecbebdb9e9507fa6

SHA512
bf5f539762416a44d85be88b974a8f997fc2372dbb4b0c2f6b3d7311faca76211f713137fb5d71dbbcc6c5f62664fd4959280cfc28bed77cc8abf80d661701f1

Download Submit
C:\Windows\SysWOW64\Eoekia32.exe

Filesize
120KB

MD5
ea86206433eff68a10956ea972bd1fee

SHA1
28bbd15a16f381d488a98ee3607309b850cc2909

SHA256
3cdc25eabf8a091840808546cfd354b74fa99154e35ad85cf8d4e812e1d14c82

SHA512
80695f26282b205f21b575ff2b006a50d745e66ba057bc749586d613bb7df568174cdfe114c166dd76490acf6c44156525f0cfe222d2bb2aa89293c02616b936

Download Submit
C:\Windows\SysWOW64\Fajnfl32.exe

Filesize
120KB

MD5
eae8a9af03a41ddb29a3869a6f91fa60

SHA1
85eb104721f70d8f2606ff79932076fbb18ec0f7

SHA256
f96d97caac7cd4563551d704c308f3551e6c3a6d84b89bd72078124064284153

SHA512
b1a9a4b6be1cbc89a73096d79e5470623d27f6f4ae3f08883101edab36e56f1c3b5f3f0cef28ab12ae0c2ac5776fc355d40ea867af0e1f4c0020d17fc9e09d7d

Download Submit
C:\Windows\SysWOW64\Fdkggg32.exe

Filesize
120KB

MD5
772ec13c5779d752833b4049f4f1cb5e

SHA1
7c5ffdf9083a67f719448c13edac126d63cdb6b5

SHA256
722b9da9006a048bf274a6925172f22a235bd457e05ac30b8caff0de6e881bd2

SHA512
4071499099ff34576842afac50bab530afc0bc67e3cf0c5bd3bf66f9a0fdfe9538cb4e454006e878a7595dd576aa80e8c2017aff0fb0a4770a0ac095cec1650b

Download Submit
C:\Windows\SysWOW64\Fhbimf32.exe

Filesize
120KB

MD5
dd2bef502546979adfb471cdda871f10

SHA1
f6fd7b2247a0f442cfad0ee778e9db98b1e0d29e

SHA256
3148650b49adb34a754fe49e622cdef35995f3a540c5c15996f6cbc29e8abbcf

SHA512
56824faec9446cbf718279f217b009bd519c29e645c56b18c6709364133efe2d55a5b44a9331347f6f28efd7e10fd40f62beaf4ed4e41cc634e5f2ad5c4bed89

Download Submit
C:\Windows\SysWOW64\Foghnabl.exe

Filesize
120KB

MD5
37b33858a9069fc2c66b3920a8439f7f

SHA1
61eebdc6c47c61456aeda9daf16ffaf7ea517d26

SHA256
2115b8cbe4237585f0f07c976b66b0c9c32214e48f08ce9787f38d0e5f67ede8

SHA512
580d0a43ad8355a6aad3871874d851b2a0094795e945efa7e0ba488f99ccd1227fa00084d182069b32c8effcfaea553c7e03c9c91c431eeb88bee00391ac2e72

Download Submit
C:\Windows\SysWOW64\Fojedapj.exe

Filesize
120KB

MD5
f3d3003ef9175ddad3e27a3f124cbf5a

SHA1
d12962cf3452adfcebe2d0052a8b14e0cefaf27c

SHA256
04cf3cd53093ad9dce6e68caab80856aea335813cff20188a9f8fa71dcb1d35f

SHA512
d95bca8965ec688f8c376992b31017a757863ce7ed1df975541811a8e2dcae03db06bb73b7256b5f7dda6b77e2f4ebb4fbd595633ba29e92b5da726eeaf33a8e

Download Submit
C:\Windows\SysWOW64\Fonnop32.exe

Filesize
120KB

MD5
9cf55971e01a75201494e0424a8f7859

SHA1
d452d8cd52b71531e23a53147e8d528faf108771

SHA256
3bfcc83c7b966a8dfda103a742e49970c90200e62525c2d6dbe6483798be56d2

SHA512
8f6e05c276a6dda35fef82266d60f771e18210fdcccd9a3719b11b0542e8248eee3f3267f102823e6685b5f848a4a4bb3ba70fc3c93e8f1f7c6976c7b5f89240

Download Submit
C:\Windows\SysWOW64\Gaogak32.exe

Filesize
120KB

MD5
094a0fc344c5401d45515a1752631800

SHA1
29a1025df517c2eeb1e024ac9516cd43547224cf

SHA256
6e7789ee4cf19329172e989501f16e68b85ac88bccfd90c6ffc2d810fefd3267

SHA512
057d026de294c0c9b90ced29e7d2f9c40f0f67e6ff39f147b3eaa6345184c5bc483fe3380b1aa7bb0cfdc5d6d313c03a85fc1558aa48f82bf53bfceeef268630

Download Submit
C:\Windows\SysWOW64\Gdppbfff.exe

Filesize
120KB

MD5
ea03223d4900873ca9a178d4d9ba0bb1

SHA1
fae48705238dc3c52e1a5776b576b64b1f03ef0f

SHA256
2f872626e1c9fffd5cf75def8018b25d4589558da9849370c60dbcc6bfe44504

SHA512
e507d20455d29f2dc26a2bb3533b19c8d35ded31ed1a3633643284b720730ee92a6ea5c1f77ec6dee4e99f4866a5ec942218f9121283b02aa504b1fd64d1d761

Download Submit
C:\Windows\SysWOW64\Gkglja32.exe

Filesize
120KB

MD5
87889fcfe536aa81dbcc8e4e53dd10fa

SHA1
badddce126cd144cb825995305db3bb1431c1c17

SHA256
36bf0b9788094e7859bab64d0b6facd39772e6b11f1cbd608351c0ef20f4d922

SHA512
87e3b707e0d3a3c3e33cb35a0b01745fbf707584da59d5a78b179f46566129840ecbf13c090b5aeb265aa6a4606e84d8b6518b3c611ba3b7511d93659c9537fe

Download Submit
C:\Windows\SysWOW64\Goedpofl.exe

Filesize
120KB

MD5
78b2d8cc2f9cd981066a84212a3f7fad

SHA1
549d773004de9781fbe512b83d9b2b378c66c2ce

SHA256
96a16301baf81cad38b7ed74d415169675618ef31929540f30f3fba6437fa1b1

SHA512
970e3aa87f4baec8bda70b34715d5e713caa2c976196c8071ef606e98ae3f10a3fc7d33b8b1204be842c4b3ff87d6ccc93e0d32410026b148cc2f4b5ed0db948

Download Submit
C:\Windows\SysWOW64\Goljqnpd.exe

Filesize
120KB

MD5
fdd66479d320a6530650cbbc59e4542c

SHA1
75350477e2fb79d509890408ec4bff0599404118

SHA256
485a5b9dbc1228d04e80fdd7b9cfc3793afb8f163941f2d9d06b55e80fb820f1

SHA512
78ef082ef443390667d5c93218ff716d2f31274f19e6caaee4c46333dbe5c3cd2251b39ac63106d350768d3a478e0bc0fa05fe17cdb6cc6f67d3e3fb7f524d23

Download Submit
C:\Windows\SysWOW64\Kmfhkf32.exe

Filesize
120KB

MD5
817f2ce0e150df9689352d2b364a086c

SHA1
d9495a685b9a65ed147afbab9b4b621ccc293613

SHA256
533048c3198e00650bd7235ca4d07ce364d80cba166f39815c28d289d80d96dd

SHA512
e2a00ad3ca616ae4074b0a077d03a38a3f51c6ae604619a77044a32ebf21f53a0ce7b1b3cfab5aed7402f44d0695f661fa87ed2c5973afe42079085c1e6506c9

Download Submit
C:\Windows\SysWOW64\Loeolc32.exe

Filesize
120KB

MD5
6ed82fa4315bdef7a930905cb3d4202e

SHA1
ca48bcf5272564195f791ad663bc4da177506b87

SHA256
fb337c23aa75ded758d84c32ff2f4b8f79fd8c53a43a68c36a1642b5f6a639fa

SHA512
7bbfb66c58c2d5c4ffe9631f666c38b7a537aac504fe1c44c67dac663026ef43a615842922ff20280965b4467648bbbe7d69b8ab20b7d15855b43b53bab6cd3b

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
120KB

MD5
44298587bfdec9dc66db977857a6195c

SHA1
7525fdc953315f894995886a89d9f625714fc84f

SHA256
b1a0c0eb29850bbc705422650aec07b0ade272ca7359437e1a2973dfed36b2d5

SHA512
bfe23dc6247d1fddcaf8fef3a848adc2e801d89a7f4fadfd8c01a132b48322e8568a8b17ff27bf14716a3741a241f3fbdab7e75ad4706940ffa54e06be56b42a

Download Submit
C:\Windows\SysWOW64\Ngmpcn32.exe

Filesize
120KB

MD5
37a14c3039763c05bc9878419743545e

SHA1
2f81647e0e1ec4d26ac658aede55e56f65d9c2d7

SHA256
98c76b665c5da6323243ed13095814c0e1d03f4a9f8062fc7b564921a635da79

SHA512
1d3a022e209e8baf71b05e1b37bb05f6a4287c679c409d8f15bb1d2a42b641f399e63cdf65159d973ba6b24462db7d6eefbb67c4a67e928f26bd74e006f47ccd

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
120KB

MD5
8ad464c428c3b8e921a4a86d5b34456a

SHA1
f266f6a34cfec6391d7af873c3b9607160c4cf9b

SHA256
cda08fcd7a5e7fed8ee44838c49afc7468765b4bbb4c7fe05891444279e5ca84

SHA512
976c6883e09ff59f3598c144a6d2c42f8cc60666899df974225e6ee98449f00411c3a7e275750f4f8048ef2e9c596e7122ebb3ccffc3260a50abbba94c800146

Download Submit
C:\Windows\SysWOW64\Oadacmff.dll

Filesize
7KB

MD5
28e1bb9871cd318d1ef4673f55c896b1

SHA1
34b96610a266efdf301af30c9938415aa92e73ab

SHA256
0ae499003600ea09b2bbb3f3ee88d9737044300d2bdf2c941d727e75dbe4b143

SHA512
d8fa35c8c60e4884bbea03bb53e26f195e52c1082f540ac687c541b02e41ffe84d219bdcf27259cd8e828407de2e6f51a2b4b2c74652f288dd51bf541a1666af

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
120KB

MD5
c3bb4a695bf00e457d6b5050df6920cf

SHA1
5b2597eb5313d0a8dfe40a8824d33b97e5191297

SHA256
57413458995b1c04d7db0cd2446d7d2cabd5be15fa17fd8ee99ad5602f4ef23d

SHA512
413e7b8911e8cf5aa8186a52d0da1d9b4d7408b12fb2ff162c553fd74073664e60588dfc2a90b943de0438d196489bf4661f36a8f22c914bf819a38fbada25b9

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
120KB

MD5
a8773e55e54b9cbfe7c3b1f66f49c140

SHA1
8dbb4aac8b8c6c80a00ec9529df1433be071f1ca

SHA256
3ee052e39bc9a01b9f1ac3c36daedcb4b8462538174a9b50e5591b9b4e41f76a

SHA512
4b5239de5fe14046a9679d5238a1f20dbb7935a1f98ff19aa96ee158e466772f7997c4a999d2485ca1397e9aa11e77e849add3fb79780fc5ef8bea8a10f362d4

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
120KB

MD5
f4a194056fed79ef569b97e2e7d1a6a3

SHA1
ce8f43fb543496a45d96e764790c5a5ff1b40dd6

SHA256
467d7f3b3708a1960cda0cd49ee22806e08564beebfd858366ce9956d71de94a

SHA512
67040cdafd5fc729787f0cdb514b436ea639eefa922d52079144f72039b501914c244ffd05ff797c77d8cfbfab199d6cae5cc07138283e12446899f253a1e816

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
120KB

MD5
8f4f6ebcc1d0d6a4278fc83cfda5057a

SHA1
e212b3aac98d88641b9a043ca5f6a94053806cc0

SHA256
afb6aae15f5f5aef42622faf3b2dd044dc13c287f8f3fcb456b4aeef993a3559

SHA512
444f5012c964c9a70cf4052e170f906d065a2140e6010b8fce4447826d8c7e64663a46140eabc704209d0a6cdc8120a2ce3f9f1009e7fb79a1078be4f3a8255a

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
120KB

MD5
6c997d0e724adef4b744223b30937040

SHA1
0254d80e1fbd6d07e55c8b4009d87edcba6597a7

SHA256
0d5be8418bac703ce9a39b12c72a0205744f7309cb5d742bae92eb9b0156ef96

SHA512
88ba90a48164b9da3af05cf4ce25ca812ada73c484628ebe6c2d1f84d9cb339d20f7e0719f7ece488730e714b5125b27e505df5b0237998aead4e17372725fe4

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
120KB

MD5
08d8c6a3e75a2a3ccea8e4190405acdf

SHA1
28faf65a065c9cd2fe75856d65f5c0cc7fc560f2

SHA256
726c83528c5469418dd27a09d769ead2c2ae5cfcf5ebbb966467de423ae5d9cf

SHA512
0a44ee6103216e94c5c853b585f812f9776ad9d814aa96aea0de41bcbea0737a242b75a6a6bdb7ce42a043f0fd0ccfcbffddf1a14da7b7ebf76a90c34cd38b1e

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
120KB

MD5
f81ea0820cb572672003f761a8bd640c

SHA1
412697f732cfc7f97ececa874ae3e688ee9bd120

SHA256
b27e3c7c16a35cee92f5772f2507f9662a68b65c1d8de4ddd70a20a504735c7c

SHA512
6727a737bb442e5a4e15cc2c050a7c3eae40ab8e7fb78bf22b89509949f81873d648f058f3723943541a0b62754eda29976f20bd2e50cbd871a5a6b5d593f80f

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
120KB

MD5
6507f4b29bf25554264ab00ab91385f6

SHA1
3adaebfb38dd765c8d8d747c1f26e5bb9572e494

SHA256
83d21fc628721f7868fcbc40b07eede89ddbc785a8a8d25a1e5dcb92caf9f8dd

SHA512
ba479eff909b9f3a9ed92e32abecaa66649ce8f71f263e5596a3e950f195b081e425b4fbfe508d71c8d2f7aba930c98f686658d2ebeb57cb637f9e69725675cf

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
120KB

MD5
824c029c736b219edb695ce2152ac88b

SHA1
f8bb32166250b20def810c471a10bed332cc2f4d

SHA256
99f6486ca85cb87f738968df698fba8256a4495a5818a1bdb1ab95d5d1df24b9

SHA512
e39cb9fd7349e704ffd6b143fe4cfb2f2bdbe2bf95030ae20306a7a7501e3e67f1b0a50a53b8540e8d3fa26d3a9eff8704b9c6c1de96100f73a9cecfe0dc44bc

Download Submit
C:\Windows\SysWOW64\Phhhhc32.exe

Filesize
120KB

MD5
e90911282d9e307daf53e76404faa295

SHA1
b2850c3492554e57a58e81bf66e3973a45595389

SHA256
c07cc222e8bfaa47abc2d10d825bdc283767cecf17899230ab76a4a40d36103b

SHA512
6f85c6bf040a2bf4f07a4b0ae22739100f28353a2025a103e39fea887e27c005cef77b2995a0efd9172bbf9a4c3bb1bea33bcd4a6cf20b778a81e4f9a56e687c

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
120KB

MD5
c688357c1b45a6396308702da65baa02

SHA1
ce50920cf92a1464ad3f981eeafcf15750f8bfed

SHA256
62a83037d9351ec9e2f8a3a2695d24f9e629898ad8cf5c4ff3e00e44e6905d0e

SHA512
f8585a3dde36939c6567554f57de14af4e1667785e999ecf914efd10b1145d60cdd84547ed56cf46ff8b4e36dc9b1e34ea1e0e56ee230af6740064d0dced98ee

Download Submit
memory/232-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/396-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/412-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/684-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1044-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1468-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1872-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1876-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2292-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2384-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-260-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3196-148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3296-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3344-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3432-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3464-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3508-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3600-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3648-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3656-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3672-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3684-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3688-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3720-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3976-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3980-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4020-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4140-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4452-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4508-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4648-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4728-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4780-172-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4836-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4952-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5008-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5132-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5172-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5212-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5256-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5300-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5344-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5384-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5420-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5464-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5516-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads