db8a6609f1b763cecf471ec03c369abcc22707341dd02812adbca60782c5ba0c

Analysis

max time kernel
188s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db8a6609f1b763cecf471ec03c369abcc22707341dd02812adbca60782c5ba0c.exe
Size

72KB
MD5

3675d4a255310359d993627d2c9e8cf9
SHA1

89ca8779399f28ca9bb834f162cc322d188026b6
SHA256

db8a6609f1b763cecf471ec03c369abcc22707341dd02812adbca60782c5ba0c
SHA512

bf4bd9254082eda9a96c76b046ca9b73ef67fa764881b2c231c1db9f6f0ec9f35c78679f3a4c3370b8525583f078fd42f69326ad34271444ea235b6ab721bfda
SSDEEP

1536:olEksbBUKLHLaVHAFMsWLaZ+LfFAuEMIPgUN3QivEtA:N/0VgHQaZ+fFAEIPgU5QJA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nifnao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojpdgjid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnbdjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllmml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbjlpga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkfeeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oianmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piocoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdgbkab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkhokkel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehbgjenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjehflie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flcndk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moomgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmeapbpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkebekgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cldgmgml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dehkbkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbghpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhhgmlli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joaojf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obeikc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeemop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdbaihi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phpklp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldnjndpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldnjndpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnhacn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmmqgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbmanj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjkafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mllccpfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lndaaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbiioe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhdeinhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahhbfkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nofoki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnefieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joaojf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnfngj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbgbpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eefhcimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhljpcfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjehflie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhgiic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaegcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ompmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohfafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nconfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmhnea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obgeqcnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmommn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qebpipij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behbkmgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgbpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkeffoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnefieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phpklp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgiic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmlplbib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olnmdi32.exe

Executes dropped EXE 64 IoCs

pid	Process
832	Mohbjkgp.exe
3524	Mebkge32.exe
3804	Mllccpfj.exe
3616	Mahklf32.exe
5104	Nhjjip32.exe
3560	Nconfh32.exe
1956	Nofoki32.exe
2536	Ookhfigk.exe
2028	Odgqopeb.exe
412	Obkahddl.exe
1020	Oheienli.exe
2092	Oooaah32.exe
2488	Okfbgiij.exe
2684	Oflfdbip.exe
4452	Pmeoqlpl.exe
3532	Pcbdcf32.exe
2692	Pecpknke.exe
264	Poidhg32.exe
4628	Peempn32.exe
496	Pgoigcip.exe
4512	Pnhacn32.exe
836	Pdbiphhi.exe
4704	Pnknim32.exe
1564	Pfbfjk32.exe
3756	Pnmjomlg.exe
3136	Qnpgdmjd.exe
4996	Qghlmbae.exe
4120	Qnbdjl32.exe
3364	Aoapcood.exe
4564	Aijeme32.exe
2840	Afnefieo.exe
3824	Ijgakgej.exe
2996	Phpklp32.exe
3208	Eeomfioh.exe
2760	Ifphkbep.exe
548	Ihndgmdd.exe
2704	Jbghpc32.exe
3056	Jllmml32.exe
2120	Jbieebha.exe
2284	Jchaoe32.exe
1988	Jjbjlpga.exe
2540	Jcknee32.exe
2796	Jhhgmlli.exe
4932	Joaojf32.exe
1980	Flcndk32.exe
3792	Gmlplbib.exe
1172	Gdfhil32.exe
2924	Gjpaffhl.exe
4356	Lhgiic32.exe
1328	Lkfeeo32.exe
2728	Lndaaj32.exe
1748	Ldnjndpo.exe
2320	Lmeapbpa.exe
1176	Lnfngj32.exe
1072	Lfnfhg32.exe
1556	Lmhnea32.exe
4760	Ldccid32.exe
3524	Lkmkfncf.exe
5036	Lnkgbibj.exe
1428	Lfbpcgbl.exe
2028	Mkohln32.exe
3568	Mieeka32.exe
2876	Moomgl32.exe
4724	Mmcnap32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Abimhd32.exe	Aeemop32.exe
File opened for modification	C:\Windows\SysWOW64\Igmgji32.exe	Oajcnkdl.exe
File created	C:\Windows\SysWOW64\Jebfgl32.exe	Omcjne32.exe
File created	C:\Windows\SysWOW64\Nofoki32.exe	Nconfh32.exe
File opened for modification	C:\Windows\SysWOW64\Jbieebha.exe	Jllmml32.exe
File created	C:\Windows\SysWOW64\Gjpaffhl.exe	Gdfhil32.exe
File opened for modification	C:\Windows\SysWOW64\Blmamh32.exe	Bagmpoco.exe
File created	C:\Windows\SysWOW64\Pfagcm32.exe	Mcmongoj.exe
File created	C:\Windows\SysWOW64\Gmlplbib.exe	Flcndk32.exe
File opened for modification	C:\Windows\SysWOW64\Gmlplbib.exe	Flcndk32.exe
File opened for modification	C:\Windows\SysWOW64\Oecego32.exe	Obeikc32.exe
File opened for modification	C:\Windows\SysWOW64\Mohbjkgp.exe	db8a6609f1b763cecf471ec03c369abcc22707341dd02812adbca60782c5ba0c.exe
File created	C:\Windows\SysWOW64\Acahge32.dll	Ompmie32.exe
File opened for modification	C:\Windows\SysWOW64\Jllmml32.exe	Jbghpc32.exe
File opened for modification	C:\Windows\SysWOW64\Lmhnea32.exe	Lfnfhg32.exe
File opened for modification	C:\Windows\SysWOW64\Pcagjndj.exe	Pbpjbe32.exe
File opened for modification	C:\Windows\SysWOW64\Odgqopeb.exe	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Kmdhdbhl.dll	Obgeqcnn.exe
File opened for modification	C:\Windows\SysWOW64\Lkmkfncf.exe	Ldccid32.exe
File created	C:\Windows\SysWOW64\Ehbgjenf.exe	Eceoanpo.exe
File opened for modification	C:\Windows\SysWOW64\Oheienli.exe	Obkahddl.exe
File opened for modification	C:\Windows\SysWOW64\Joaojf32.exe	Jhhgmlli.exe
File created	C:\Windows\SysWOW64\Obeikc32.exe	Opgloh32.exe
File created	C:\Windows\SysWOW64\Ompmie32.exe	Onnmmipj.exe
File opened for modification	C:\Windows\SysWOW64\Mcmongoj.exe	Bpodhf32.exe
File created	C:\Windows\SysWOW64\Flcmpceo.dll	Mllccpfj.exe
File created	C:\Windows\SysWOW64\Kbmepohe.dll	Mpdgbkab.exe
File created	C:\Windows\SysWOW64\Dlefhe32.dll	Blmamh32.exe
File created	C:\Windows\SysWOW64\Afnefieo.exe	Aijeme32.exe
File opened for modification	C:\Windows\SysWOW64\Jchaoe32.exe	Jbieebha.exe
File opened for modification	C:\Windows\SysWOW64\Obgeqcnn.exe	Olnmdi32.exe
File created	C:\Windows\SysWOW64\Odpldj32.dll	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Anlqcl32.dll	Lfbpcgbl.exe
File created	C:\Windows\SysWOW64\Ponfed32.exe	Oianmm32.exe
File opened for modification	C:\Windows\SysWOW64\Qaegcb32.exe	Pkhokkel.exe
File created	C:\Windows\SysWOW64\Oennph32.dll	Qnbdjl32.exe
File created	C:\Windows\SysWOW64\Bclgnh32.dll	Nmommn32.exe
File created	C:\Windows\SysWOW64\Bgpldd32.dll	Ponfed32.exe
File created	C:\Windows\SysWOW64\Ejabgcdp.exe	Pjehflie.exe
File created	C:\Windows\SysWOW64\Mcmongoj.exe	Bpodhf32.exe
File created	C:\Windows\SysWOW64\Eeomfioh.exe	Phpklp32.exe
File created	C:\Windows\SysWOW64\Ckefeicm.dll	Obcled32.exe
File created	C:\Windows\SysWOW64\Eefhcimp.exe	Eolpfo32.exe
File created	C:\Windows\SysWOW64\Lhdeinhb.exe	Ponfed32.exe
File created	C:\Windows\SysWOW64\Alaaajmb.exe	Abimhd32.exe
File created	C:\Windows\SysWOW64\Nehekq32.exe	Nbiioe32.exe
File created	C:\Windows\SysWOW64\Lbfglg32.dll	Qebpipij.exe
File created	C:\Windows\SysWOW64\Pnmjomlg.exe	Pfbfjk32.exe
File created	C:\Windows\SysWOW64\Kkjfda32.dll	Afnefieo.exe
File created	C:\Windows\SysWOW64\Pmeoqlpl.exe	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Pkebekgo.exe	Kdalni32.exe
File opened for modification	C:\Windows\SysWOW64\Nbiioe32.exe	Nmmqgo32.exe
File created	C:\Windows\SysWOW64\Piocoi32.exe	Pfagcm32.exe
File created	C:\Windows\SysWOW64\Hmpfjpko.dll	Pfbfjk32.exe
File created	C:\Windows\SysWOW64\Pbpjbe32.exe	Pkebekgo.exe
File created	C:\Windows\SysWOW64\Iocheg32.dll	Odhipp32.exe
File created	C:\Windows\SysWOW64\Idfqajkm.dll	Gdiadecm.exe
File opened for modification	C:\Windows\SysWOW64\Gjpaffhl.exe	Gdfhil32.exe
File created	C:\Windows\SysWOW64\Abkjnd32.exe	Alaaajmb.exe
File opened for modification	C:\Windows\SysWOW64\Mpdgbkab.exe	Meobeb32.exe
File created	C:\Windows\SysWOW64\Ohpcjnil.dll	Oheienli.exe
File created	C:\Windows\SysWOW64\Moqknklp.dll	Jhhgmlli.exe
File created	C:\Windows\SysWOW64\Lacioppf.dll	Qgalelin.exe
File opened for modification	C:\Windows\SysWOW64\Lfbpcgbl.exe	Lnkgbibj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmepohe.dll"	Mpdgbkab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdalni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjopil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hepgedme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbpcgbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpplb32.dll"	Flcndk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppnjc32.dll"	Lfnfhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eolpfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnhacn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hagkpl32.dll"	Hjkbhlno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebndbijh.dll"	Jchaoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flebpn32.dll"	Opgloh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhdbaihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elkfed32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbieebha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkmkfncf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilndhie.dll"	Donceaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oegejc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mafnie32.dll"	Ldccid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkqjp32.dll"	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mieeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defmjlag.dll"	Ahhbfkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	db8a6609f1b763cecf471ec03c369abcc22707341dd02812adbca60782c5ba0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbjlpga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcknee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoenimd.dll"	Eefhcimp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mllccpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoapcood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlikicki.dll"	Gjpaffhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lndaaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nconfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phpklp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnclefep.dll"	Gbmanj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpldj32.dll"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdalni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dehkbkip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eolpfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdbked32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flcndk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbgbpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjopil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbpjbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccoloed.dll"	Meobeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igmgji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jieoac32.dll"	Ojpdgjid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbonci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcihcbcl.dll"	Phpklp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behbkmgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjehflie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfqajkm.dll"	Gdiadecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbpjbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnkgbibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmpdbd32.dll"	Fhljpcfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhljpcfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhhgmlli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bckecf32.dll"	Nbiioe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obqopddf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgopplkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeemop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcmongoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nofoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oianmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpldd32.dll"	Ponfed32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 832	4560	db8a6609f1b763cecf471ec03c369abcc22707341dd02812adbca60782c5ba0c.exe	90
PID 4560 wrote to memory of 832	4560	db8a6609f1b763cecf471ec03c369abcc22707341dd02812adbca60782c5ba0c.exe	90
PID 4560 wrote to memory of 832	4560	db8a6609f1b763cecf471ec03c369abcc22707341dd02812adbca60782c5ba0c.exe	90
PID 832 wrote to memory of 3524	832	Mohbjkgp.exe	91
PID 832 wrote to memory of 3524	832	Mohbjkgp.exe	91
PID 832 wrote to memory of 3524	832	Mohbjkgp.exe	91
PID 3524 wrote to memory of 3804	3524	Mebkge32.exe	92
PID 3524 wrote to memory of 3804	3524	Mebkge32.exe	92
PID 3524 wrote to memory of 3804	3524	Mebkge32.exe	92
PID 3804 wrote to memory of 3616	3804	Mllccpfj.exe	93
PID 3804 wrote to memory of 3616	3804	Mllccpfj.exe	93
PID 3804 wrote to memory of 3616	3804	Mllccpfj.exe	93
PID 3616 wrote to memory of 5104	3616	Mahklf32.exe	94
PID 3616 wrote to memory of 5104	3616	Mahklf32.exe	94
PID 3616 wrote to memory of 5104	3616	Mahklf32.exe	94
PID 5104 wrote to memory of 3560	5104	Nhjjip32.exe	95
PID 5104 wrote to memory of 3560	5104	Nhjjip32.exe	95
PID 5104 wrote to memory of 3560	5104	Nhjjip32.exe	95
PID 3560 wrote to memory of 1956	3560	Nconfh32.exe	96
PID 3560 wrote to memory of 1956	3560	Nconfh32.exe	96
PID 3560 wrote to memory of 1956	3560	Nconfh32.exe	96
PID 1956 wrote to memory of 2536	1956	Nofoki32.exe	97
PID 1956 wrote to memory of 2536	1956	Nofoki32.exe	97
PID 1956 wrote to memory of 2536	1956	Nofoki32.exe	97
PID 2536 wrote to memory of 2028	2536	Ookhfigk.exe	98
PID 2536 wrote to memory of 2028	2536	Ookhfigk.exe	98
PID 2536 wrote to memory of 2028	2536	Ookhfigk.exe	98
PID 2028 wrote to memory of 412	2028	Odgqopeb.exe	99
PID 2028 wrote to memory of 412	2028	Odgqopeb.exe	99
PID 2028 wrote to memory of 412	2028	Odgqopeb.exe	99
PID 412 wrote to memory of 1020	412	Obkahddl.exe	100
PID 412 wrote to memory of 1020	412	Obkahddl.exe	100
PID 412 wrote to memory of 1020	412	Obkahddl.exe	100
PID 1020 wrote to memory of 2092	1020	Oheienli.exe	102
PID 1020 wrote to memory of 2092	1020	Oheienli.exe	102
PID 1020 wrote to memory of 2092	1020	Oheienli.exe	102
PID 2092 wrote to memory of 2488	2092	Oooaah32.exe	103
PID 2092 wrote to memory of 2488	2092	Oooaah32.exe	103
PID 2092 wrote to memory of 2488	2092	Oooaah32.exe	103
PID 2488 wrote to memory of 2684	2488	Okfbgiij.exe	104
PID 2488 wrote to memory of 2684	2488	Okfbgiij.exe	104
PID 2488 wrote to memory of 2684	2488	Okfbgiij.exe	104
PID 2684 wrote to memory of 4452	2684	Oflfdbip.exe	105
PID 2684 wrote to memory of 4452	2684	Oflfdbip.exe	105
PID 2684 wrote to memory of 4452	2684	Oflfdbip.exe	105
PID 4452 wrote to memory of 3532	4452	Pmeoqlpl.exe	106
PID 4452 wrote to memory of 3532	4452	Pmeoqlpl.exe	106
PID 4452 wrote to memory of 3532	4452	Pmeoqlpl.exe	106
PID 3532 wrote to memory of 2692	3532	Pcbdcf32.exe	107
PID 3532 wrote to memory of 2692	3532	Pcbdcf32.exe	107
PID 3532 wrote to memory of 2692	3532	Pcbdcf32.exe	107
PID 2692 wrote to memory of 264	2692	Pecpknke.exe	108
PID 2692 wrote to memory of 264	2692	Pecpknke.exe	108
PID 2692 wrote to memory of 264	2692	Pecpknke.exe	108
PID 264 wrote to memory of 4628	264	Poidhg32.exe	109
PID 264 wrote to memory of 4628	264	Poidhg32.exe	109
PID 264 wrote to memory of 4628	264	Poidhg32.exe	109
PID 4628 wrote to memory of 496	4628	Peempn32.exe	110
PID 4628 wrote to memory of 496	4628	Peempn32.exe	110
PID 4628 wrote to memory of 496	4628	Peempn32.exe	110
PID 496 wrote to memory of 4512	496	Pgoigcip.exe	111
PID 496 wrote to memory of 4512	496	Pgoigcip.exe	111
PID 496 wrote to memory of 4512	496	Pgoigcip.exe	111
PID 4512 wrote to memory of 836	4512	Pnhacn32.exe	112

C:\Users\Admin\AppData\Local\Temp\db8a6609f1b763cecf471ec03c369abcc22707341dd02812adbca60782c5ba0c.exe
"C:\Users\Admin\AppData\Local\Temp\db8a6609f1b763cecf471ec03c369abcc22707341dd02812adbca60782c5ba0c.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\SysWOW64\Mohbjkgp.exe
  C:\Windows\system32\Mohbjkgp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\Mebkge32.exe
    C:\Windows\system32\Mebkge32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\SysWOW64\Mllccpfj.exe
      C:\Windows\system32\Mllccpfj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3804
    - - C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3616
      - C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Pgoigcip.exe
        
        C:\Windows\system32\Pgoigcip.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Windows\SysWOW64\Pnhacn32.exe
        
        C:\Windows\system32\Pnhacn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Pdbiphhi.exe
        
        C:\Windows\system32\Pdbiphhi.exe
        23⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\Pnknim32.exe
        
        C:\Windows\system32\Pnknim32.exe
        24⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Pfbfjk32.exe
        
        C:\Windows\system32\Pfbfjk32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Pnmjomlg.exe
        
        C:\Windows\system32\Pnmjomlg.exe
        26⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Qnpgdmjd.exe
        
        C:\Windows\system32\Qnpgdmjd.exe
        27⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Qghlmbae.exe
        
        C:\Windows\system32\Qghlmbae.exe
        28⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Qnbdjl32.exe
        
        C:\Windows\system32\Qnbdjl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\Aoapcood.exe
        
        C:\Windows\system32\Aoapcood.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Aijeme32.exe
        
        C:\Windows\system32\Aijeme32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Afnefieo.exe
        
        C:\Windows\system32\Afnefieo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Ijgakgej.exe
        
        C:\Windows\system32\Ijgakgej.exe
        33⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\Phpklp32.exe
        
        C:\Windows\system32\Phpklp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Eeomfioh.exe
        
        C:\Windows\system32\Eeomfioh.exe
        35⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Ifphkbep.exe
        
        C:\Windows\system32\Ifphkbep.exe
        36⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\Ihndgmdd.exe
        
        C:\Windows\system32\Ihndgmdd.exe
        37⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Jbghpc32.exe
        
        C:\Windows\system32\Jbghpc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Jllmml32.exe
        
        C:\Windows\system32\Jllmml32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\Jbieebha.exe
        
        C:\Windows\system32\Jbieebha.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Jchaoe32.exe
        
        C:\Windows\system32\Jchaoe32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Jjbjlpga.exe
        
        C:\Windows\system32\Jjbjlpga.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Jcknee32.exe
        
        C:\Windows\system32\Jcknee32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Jhhgmlli.exe
        
        C:\Windows\system32\Jhhgmlli.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Joaojf32.exe
        
        C:\Windows\system32\Joaojf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Flcndk32.exe
        
        C:\Windows\system32\Flcndk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Gmlplbib.exe
        
        C:\Windows\system32\Gmlplbib.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Gdfhil32.exe
        
        C:\Windows\system32\Gdfhil32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Gjpaffhl.exe
        
        C:\Windows\system32\Gjpaffhl.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Lhgiic32.exe
        
        C:\Windows\system32\Lhgiic32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Lkfeeo32.exe
        
        C:\Windows\system32\Lkfeeo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\Lndaaj32.exe
        
        C:\Windows\system32\Lndaaj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Ldnjndpo.exe
        
        C:\Windows\system32\Ldnjndpo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\Lmeapbpa.exe
        
        C:\Windows\system32\Lmeapbpa.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Lnfngj32.exe
        
        C:\Windows\system32\Lnfngj32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\Lfnfhg32.exe
        
        C:\Windows\system32\Lfnfhg32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Lmhnea32.exe
        
        C:\Windows\system32\Lmhnea32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Ldccid32.exe
        
        C:\Windows\system32\Ldccid32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Lkmkfncf.exe
        
        C:\Windows\system32\Lkmkfncf.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Lnkgbibj.exe
        
        C:\Windows\system32\Lnkgbibj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Lfbpcgbl.exe
        
        C:\Windows\system32\Lfbpcgbl.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Mkohln32.exe
        
        C:\Windows\system32\Mkohln32.exe
        62⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Mieeka32.exe
        
        C:\Windows\system32\Mieeka32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Moomgl32.exe
        
        C:\Windows\system32\Moomgl32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\Mmcnap32.exe
        
        C:\Windows\system32\Mmcnap32.exe
        65⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\Meobeb32.exe
        
        C:\Windows\system32\Meobeb32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Mpdgbkab.exe
        
        C:\Windows\system32\Mpdgbkab.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Nbgljf32.exe
        
        C:\Windows\system32\Nbgljf32.exe
        68⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Nmmqgo32.exe
        
        C:\Windows\system32\Nmmqgo32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Nbiioe32.exe
        
        C:\Windows\system32\Nbiioe32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Nehekq32.exe
        
        C:\Windows\system32\Nehekq32.exe
        71⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Nmommn32.exe
        
        C:\Windows\system32\Nmommn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\Nnpjdfpb.exe
        
        C:\Windows\system32\Nnpjdfpb.exe
        73⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\Nifnao32.exe
        
        C:\Windows\system32\Nifnao32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2076
        
        C:\Windows\SysWOW64\Obqopddf.exe
        
        C:\Windows\system32\Obqopddf.exe
        75⤵
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Oijgmokc.exe
        
        C:\Windows\system32\Oijgmokc.exe
        76⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\Opdpih32.exe
        
        C:\Windows\system32\Opdpih32.exe
        77⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\Obcled32.exe
        
        C:\Windows\system32\Obcled32.exe
        78⤵
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Omhpcm32.exe
        
        C:\Windows\system32\Omhpcm32.exe
        79⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Opgloh32.exe
        
        C:\Windows\system32\Opgloh32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Obeikc32.exe
        
        C:\Windows\system32\Obeikc32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\Oecego32.exe
        
        C:\Windows\system32\Oecego32.exe
        82⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Olnmdi32.exe
        
        C:\Windows\system32\Olnmdi32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\Obgeqcnn.exe
        
        C:\Windows\system32\Obgeqcnn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\Oianmm32.exe
        
        C:\Windows\system32\Oianmm32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Ponfed32.exe
        
        C:\Windows\system32\Ponfed32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Lhdeinhb.exe
        
        C:\Windows\system32\Lhdeinhb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4460
        
        C:\Windows\SysWOW64\Albikp32.exe
        
        C:\Windows\system32\Albikp32.exe
        88⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Hpnhoqmi.exe
        
        C:\Windows\system32\Hpnhoqmi.exe
        89⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\Kdalni32.exe
        
        C:\Windows\system32\Kdalni32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Pkebekgo.exe
        
        C:\Windows\system32\Pkebekgo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Pbpjbe32.exe
        
        C:\Windows\system32\Pbpjbe32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Pcagjndj.exe
        
        C:\Windows\system32\Pcagjndj.exe
        93⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Pkhokkel.exe
        
        C:\Windows\system32\Pkhokkel.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Qaegcb32.exe
        
        C:\Windows\system32\Qaegcb32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:840
        
        C:\Windows\SysWOW64\Qgopplkq.exe
        
        C:\Windows\system32\Qgopplkq.exe
        96⤵
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Qebpipij.exe
        
        C:\Windows\system32\Qebpipij.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Qgalelin.exe
        
        C:\Windows\system32\Qgalelin.exe
        98⤵
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Aeemop32.exe
        
        C:\Windows\system32\Aeemop32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Abimhd32.exe
        
        C:\Windows\system32\Abimhd32.exe
        100⤵
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Alaaajmb.exe
        
        C:\Windows\system32\Alaaajmb.exe
        101⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Abkjnd32.exe
        
        C:\Windows\system32\Abkjnd32.exe
        102⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\Ahhbfkbf.exe
        
        C:\Windows\system32\Ahhbfkbf.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Bagmpoco.exe
        
        C:\Windows\system32\Bagmpoco.exe
        104⤵
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Blmamh32.exe
        
        C:\Windows\system32\Blmamh32.exe
        105⤵
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\Bbgiibja.exe
        
        C:\Windows\system32\Bbgiibja.exe
        106⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\Bhdbaihi.exe
        
        C:\Windows\system32\Bhdbaihi.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Bonjnc32.exe
        
        C:\Windows\system32\Bonjnc32.exe
        108⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\Behbkmgb.exe
        
        C:\Windows\system32\Behbkmgb.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Cldgmgml.exe
        
        C:\Windows\system32\Cldgmgml.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4704
        
        C:\Windows\SysWOW64\Cdfbbhdp.exe
        
        C:\Windows\system32\Cdfbbhdp.exe
        111⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Cbgbpp32.exe
        
        C:\Windows\system32\Cbgbpp32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Donceaac.exe
        
        C:\Windows\system32\Donceaac.exe
        113⤵
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Dehkbkip.exe
        
        C:\Windows\system32\Dehkbkip.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Dlbcoe32.exe
        
        C:\Windows\system32\Dlbcoe32.exe
        115⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Dacebkko.exe
        
        C:\Windows\system32\Dacebkko.exe
        116⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Dafbhkhl.exe
        
        C:\Windows\system32\Dafbhkhl.exe
        117⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Elkfed32.exe
        
        C:\Windows\system32\Elkfed32.exe
        118⤵
        Modifies registry class
        
        PID:496
        
        C:\Windows\SysWOW64\Eceoanpo.exe
        
        C:\Windows\system32\Eceoanpo.exe
        119⤵
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\Ehbgjenf.exe
        
        C:\Windows\system32\Ehbgjenf.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:868
        
        C:\Windows\SysWOW64\Eolpfo32.exe
        
        C:\Windows\system32\Eolpfo32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Eefhcimp.exe
        
        C:\Windows\system32\Eefhcimp.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Elpppcdl.exe
        
        C:\Windows\system32\Elpppcdl.exe
        123⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Eaabci32.exe
        
        C:\Windows\system32\Eaabci32.exe
        124⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Fhljpcfk.exe
        
        C:\Windows\system32\Fhljpcfk.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Fcanmlea.exe
        
        C:\Windows\system32\Fcanmlea.exe
        126⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Fdbked32.exe
        
        C:\Windows\system32\Fdbked32.exe
        127⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Fljcfa32.exe
        
        C:\Windows\system32\Fljcfa32.exe
        128⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Fohobmke.exe
        
        C:\Windows\system32\Fohobmke.exe
        129⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Fafkoiji.exe
        
        C:\Windows\system32\Fafkoiji.exe
        130⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Pjehflie.exe
        
        C:\Windows\system32\Pjehflie.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Ejabgcdp.exe
        
        C:\Windows\system32\Ejabgcdp.exe
        132⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Oajcnkdl.exe
        
        C:\Windows\system32\Oajcnkdl.exe
        133⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Igmgji32.exe
        
        C:\Windows\system32\Igmgji32.exe
        134⤵
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Onicbi32.exe
        
        C:\Windows\system32\Onicbi32.exe
        135⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\Oagpne32.exe
        
        C:\Windows\system32\Oagpne32.exe
        136⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Odfljp32.exe
        
        C:\Windows\system32\Odfljp32.exe
        137⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Ojpdgjid.exe
        
        C:\Windows\system32\Ojpdgjid.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Odhipp32.exe
        
        C:\Windows\system32\Odhipp32.exe
        139⤵
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\Ohceqo32.exe
        
        C:\Windows\system32\Ohceqo32.exe
        140⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\Onnmmipj.exe
        
        C:\Windows\system32\Onnmmipj.exe
        141⤵
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\Ompmie32.exe
        
        C:\Windows\system32\Ompmie32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Oegejc32.exe
        
        C:\Windows\system32\Oegejc32.exe
        143⤵
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Ohfafn32.exe
        
        C:\Windows\system32\Ohfafn32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4904
        
        C:\Windows\SysWOW64\Omcjne32.exe
        
        C:\Windows\system32\Omcjne32.exe
        145⤵
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\Jebfgl32.exe
        
        C:\Windows\system32\Jebfgl32.exe
        146⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Bpodhf32.exe
        
        C:\Windows\system32\Bpodhf32.exe
        147⤵
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Mcmongoj.exe
        
        C:\Windows\system32\Mcmongoj.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Pfagcm32.exe
        
        C:\Windows\system32\Pfagcm32.exe
        149⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Piocoi32.exe
        
        C:\Windows\system32\Piocoi32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1100
        
        C:\Windows\SysWOW64\Ppiklc32.exe
        
        C:\Windows\system32\Ppiklc32.exe
        151⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Pfcchmlq.exe
        
        C:\Windows\system32\Pfcchmlq.exe
        152⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Pjopil32.exe
        
        C:\Windows\system32\Pjopil32.exe
        153⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Gnohgk32.exe
        
        C:\Windows\system32\Gnohgk32.exe
        154⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Gdiadecm.exe
        
        C:\Windows\system32\Gdiadecm.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Gkciapkj.exe
        
        C:\Windows\system32\Gkciapkj.exe
        156⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Gbmanj32.exe
        
        C:\Windows\system32\Gbmanj32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Geknje32.exe
        
        C:\Windows\system32\Geknje32.exe
        158⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Gkeffoig.exe
        
        C:\Windows\system32\Gkeffoig.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2836
        
        C:\Windows\SysWOW64\Hbonci32.exe
        
        C:\Windows\system32\Hbonci32.exe
        160⤵
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Hcqjkafb.exe
        
        C:\Windows\system32\Hcqjkafb.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4028
        
        C:\Windows\SysWOW64\Hjkbhlno.exe
        
        C:\Windows\system32\Hjkbhlno.exe
        162⤵
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Hepgedme.exe
        
        C:\Windows\system32\Hepgedme.exe
        163⤵
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Hkjoao32.exe
        
        C:\Windows\system32\Hkjoao32.exe
        164⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Hnhknj32.exe
        
        C:\Windows\system32\Hnhknj32.exe
        165⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Hebcjdkb.exe
        
        C:\Windows\system32\Hebcjdkb.exe
        166⤵
        
        PID:496
        
        C:\Windows\SysWOW64\Gddqop32.exe
        
        C:\Windows\system32\Gddqop32.exe
        167⤵
        
        PID:5196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeemop32.exe

Filesize
72KB

MD5
895bccf24374cc1e070cfe59909f4108

SHA1
ddded104b4ec1e365cd6a3a21a7f24fe8e74b7c6

SHA256
92b35f5396d49bf718c88a194c4843f31323238219fbf5d8697450a9f29b314d

SHA512
0281c15e7057b61ec2f7546fbac653f5cab6d4838c21443acdc34f2e675953f9f2e19744f89ebb2730432d6e7f6125add034738eeaceb861fe38cb4e8d68b36f

Download Submit
C:\Windows\SysWOW64\Afnefieo.exe

Filesize
72KB

MD5
cd4db6abfbc3fa5b5527a64ec1bdd201

SHA1
4f338ab7667d4634b29026a3e8c8020a60cdb4d9

SHA256
5f65b71873b2bb4ce2e2bceb18c2cb752fa237404b423aeacf29abcbff9e01ce

SHA512
e018aaf17a1fdf02f4a2e7974651aa6a80513e4d73f2ba32a495fbc020cc9df0e31d45e9d87d6aab229c23c18151710c9bfc96419d54b9ac78ad18ce2bcfd286

Download Submit
C:\Windows\SysWOW64\Aijeme32.exe

Filesize
72KB

MD5
7380adf9fe9c5bbd7fb82dcb0f6d1aa3

SHA1
9149a11a04274d72b3c5f37ab9f37da86c10d95f

SHA256
14f72180e92182761f76a63f2d60198edafb9378a9953e48aea46e379b0e44fb

SHA512
c89ab4b7ed8dee28864acebc4b25c9c5c4a721f27fb8c92b77c3ea8e89f8ad0c1088bc7c62631ddcbf65053f6f20a690d52a5e800fa6244111058a14685cc0d2

Download Submit
C:\Windows\SysWOW64\Albikp32.exe

Filesize
64KB

MD5
138b7d08ee3f4d7358ba238df21b2335

SHA1
c8b58a2ea5f616ec3f8e75a883ceff66ec0db82d

SHA256
8b033a5e69ab795560b552167df9a4eaef8efe7c8640452cd79518de12c4cc71

SHA512
7df7ef164a4107b8c742f124a26695fdbddf38d8ccec9427d54ff3b1066dd08f4badf89938940ba0c27ca0ac788998e87a533726b5defa8a824aa8d26817422a

Download Submit
C:\Windows\SysWOW64\Aoapcood.exe

Filesize
72KB

MD5
e305a0eb7360d42f32a52565b1204af8

SHA1
bd286372506178e2e9a8bf2aa26db24b6f61806c

SHA256
ffdb297080aeabb42c8e62dc2b91ec91b2f7564607944d1ae385683b7607606c

SHA512
af867ac1a62c426e84f01cb60d4ddb816715f9ec518ace277513e37ddad8ffec54ac97d7fd998ac64091613f9840f7d7b1b27ee57818d90b9c1660d4c2f03115

Download Submit
C:\Windows\SysWOW64\Bagmpoco.exe

Filesize
72KB

MD5
e52df9d35b06d07844e6d5a93bada733

SHA1
f8759906d786c8bd9ec70e07412e8f6b0a6dc0a9

SHA256
6f83b772eb3038a1ddfbcb00fb66b013465dc164eb3e053f1b1ef555118c5989

SHA512
2cef2546a73f498dd077eca653df5b84b8cff7557fa1af5d54d1725f6c59bf13e294c5719cd0d4adcf9448cf5be53ceed6535dab115277fb17988eac0edc6ef9

Download Submit
C:\Windows\SysWOW64\Dacebkko.exe

Filesize
72KB

MD5
b016fb0ea22cf56f012a290d8c988d11

SHA1
56e65979b52a0b6203e08c5f486dd94283950824

SHA256
64b7002f71c64715e03c6885778db04c291a1449c12060f8970698cdbc14f22d

SHA512
21bb6491992221f27dcbe938fda050991c776b0a0201e08c0fe1c47383dc03551f20886be83435a74b2b6f99276baf4363e7565869bdd0600a6b077089f1c76a

Download Submit
C:\Windows\SysWOW64\Donceaac.exe

Filesize
72KB

MD5
acf906b89c8f2dff56da911169e67b4d

SHA1
1e2b02d23d11e06db527eca7aab960e0567c8960

SHA256
4dcae6bab4878bae0e2f08e63565438054faae0524cdd0331883e0a4b4076199

SHA512
51cb24880770de76c07afc9993124a1185096be5097ae091833ffbebf75959e5a39e953f44c1731e7b79d18336dd5d812e85c7b8d189f459b9ed488c0f79c934

Download Submit
C:\Windows\SysWOW64\Flcndk32.exe

Filesize
72KB

MD5
7f6cfd0d0726b91c22f8b59bcc2b0410

SHA1
a2ec2ca43d34e903917c7d7b4dd83501eecf9d1d

SHA256
5ec346d7ed60e61809a856ae3710d7ba6ef07c7f62b14b16c8fcf3c5307067bc

SHA512
962be2b7755f0db37be49681ae5b8d213c916d3983aa8924a7d04e79ea8ffb93f9bab2b8d573e915b0345cc638923e882efc49ccac4a05fd649f9c22562e3970

Download Submit
C:\Windows\SysWOW64\Gdiadecm.exe

Filesize
72KB

MD5
98186faff95018bb4538ea08aaafbc26

SHA1
874f61e4bf911b43bed8fd78ed7350e256fd487f

SHA256
fa81f899e8ebbd5ce4302188714f66e4586461b8219d9829e2f1d28e8e1da182

SHA512
e071884ce7586ac1132a970647d9522eb6a7aade127b14c520f436942031fd93db52192deb1b1a5505427d848ced3e80b1f1a01f58d62109056ab6a680b6b034

Download Submit
C:\Windows\SysWOW64\Hepgedme.exe

Filesize
72KB

MD5
5b5282925b7dfa18940334ac8f165b86

SHA1
1b559fbf7ab7cda5bc9de5df60722f10d80f46a9

SHA256
a71b37dd16307e2aa9e8edcc4b382d50105186e54fdc814018a0c68ec3473a7f

SHA512
85f58754427f13828d4b25dc982f5d343deea06fbafd1af8e6a1cc47ec4c16acd1d333034d572b19faf50f18ca1e4b6ad3de3c2472800f27637750f766af8921

Download Submit
C:\Windows\SysWOW64\Ijgakgej.exe

Filesize
72KB

MD5
407a633b2eacaae73dee7cb28d08db9c

SHA1
e0fd7aa046d1421f21b02f5b2e69afa3121f106f

SHA256
2668a9960a51102efc070c1f9ad3b5484cfd68bb9dd744f16ad56ae8978d531e

SHA512
11e123e94b27de63932f1d9794b570dbcccbe0342b9c80828dc7c5f7b609b7b4cacb2fe3ca99c70141d558e210ebbfb6d1721cce2a290a57bbc44e4639362b84

Download Submit
C:\Windows\SysWOW64\Jebfgl32.exe

Filesize
72KB

MD5
4efbf75f2df2ec2f7e054efb1dd39349

SHA1
4e045b3cc176db53039aef3559b1f79b063c708b

SHA256
d9600ff26ed10567f4d2720d84ca401c58c7491a80fb24ec890abc92eede34c1

SHA512
fc3d87cf9a3dd41900a928e6dbc4047212ff75b748e7c8adc90d946da7d9d86632fc394f93f163da5a58134c4d8d935588e0cbd6363fc7687627e0922eb7f6ed

Download Submit
C:\Windows\SysWOW64\Mahklf32.exe

Filesize
72KB

MD5
21b77d38caf3d2cc2998c5a475dc630c

SHA1
8580abbe67a2c6b34eb1a09edd5153bd4301228a

SHA256
223bae3590896a3344e30d4f15231d65f1d7d60ba1f0a73bfd912425f9901b35

SHA512
68baa9a74947c376a953f16730195c3173323789fdf06e72c9ad9f8495c4df0540c2eea53ff1d86f5d45840a73a467cce01b60f99acf30dfdbea9c199a9b9ba2

Download Submit
C:\Windows\SysWOW64\Mebkge32.exe

Filesize
72KB

MD5
e93760b768af2197d80882e55d900964

SHA1
8e0b7c10b1fe6c7f71cd5eb0a95660f9e9d9ccda

SHA256
d5bf563e5de7414eefaee90c89fb9a88a0ddeedb667e2a99bbf46964df98a909

SHA512
ca926a6816351147f1f1c27876560d8d30d071dbdc553382323c7f2565252e5697120d85e90814d865b2e1b029bb0b02f8a16aff37d236d9c83e540f932276c5

Download Submit
C:\Windows\SysWOW64\Mllccpfj.exe

Filesize
72KB

MD5
e54e78c4dc072c5861bf19dbc178f80e

SHA1
d5103c4165967008a05a45e6c1bf22dfa0cb7201

SHA256
bdfb45714eb246b248025f9324916493a2e8e9254ce7b32fd349bfebf87bcaac

SHA512
1e0671050a0a1398a0762b3f83956fdf8030f0386907afe98282021ffb88c785963003310cce225e3663715a9a29044e3fdd313963d48ad4d786440108fd8ddd

Download Submit
C:\Windows\SysWOW64\Mohbjkgp.exe

Filesize
72KB

MD5
73f254e531f630f48262324bbaf02c65

SHA1
56bee091aea17585dff7cda85613140c9d55471c

SHA256
2376bb4c4c08804a0d84417b13d02585257c58c077fa757c5e5f236cad1c108f

SHA512
4d50f88ff4947b50e8bed34339e730f8cf22893c8d69dd58ce312d4a99ada3af5ccfc994ca5476fea4326128b338cff34beb0538d78d2a043699344c9cf6dbd5

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
72KB

MD5
9c992da6f3cc8cf2841b03a100345224

SHA1
2893d2c6910beb47d9de5d8139657839e4dd3a2f

SHA256
542d74fe2e77196ecfa69bc902b1805b8a44048b82aa24df742969b32ddd93f6

SHA512
f861c264383c646e1e5aa27260bde53bb57c791b23ce469e24eab757a0d08a415ea19178c80acdd5763613fda1325dad42d66423dc16b918ba3d84fbb6b8d81b

Download Submit
C:\Windows\SysWOW64\Nhjjip32.exe

Filesize
72KB

MD5
f57a394f8946255f59e21eff1f11366f

SHA1
59638c039a97406727492b482eff099e48180deb

SHA256
f7ab451f458718c74715cfa310e98b6d0be371252cdb90afbf9f4f1150215b16

SHA512
b840996c01f2536ee5478bbfaae31dcc0b5e2bba1c9e0753d0258765e501ac88efbab29980f8daf59686b56d1f36f3a22af080616d3f076d55aecb8ff5cce36a

Download Submit
C:\Windows\SysWOW64\Nifnao32.exe

Filesize
72KB

MD5
4eef40452c77b3bb94d2be0131d3906c

SHA1
0887a6bbd35a391d18fb9618341c22b4eb7c0c77

SHA256
65e853aea6fde854fec43e1d53fecb22c00f037b03c57bba61ccdcdcaee4dcdd

SHA512
9221495cc1bfca5e5051785ce2d4f3cb1e5c795c1d374c33019c59e84e28f8cb0dd7b7debea6517e0e68852a8046660cb01c35d954fa682cbb690a7398eaba56

Download Submit
C:\Windows\SysWOW64\Nofoki32.exe

Filesize
72KB

MD5
a9b9d0171be90fdde08e9cb407d9cc1e

SHA1
6e60e5534cb8c645766c8ca01f96d33d1455f22b

SHA256
edc6e45130810317b641d583a09cdc8452301bf7cb81b2a97dbbb804041396a3

SHA512
3e21bb312062efd93724fe2c708ff41ac880d0743d49c12e571f1c28996f5002f7c1d455dacd91c499c59474c8f1adfacc9351a634eb6cfa75427c209221f5c2

Download Submit
C:\Windows\SysWOW64\Obeikc32.exe

Filesize
72KB

MD5
f7f764ec2370cb59f571a2ee25539168

SHA1
8bcdd334e103d57e66726b9ea4d6754fe05643a9

SHA256
03c71f9310f471e3beb40f29c31cbb3b13d84ceb02efd6d291100cd430b80268

SHA512
2dc8564f6f165688106a4d995fbd8a43b7cea9e470169202e1a5452e442d0b423beccba6369c432a303630ff97a598f2dbe486dd9d43a815a5cb26677381594b

Download Submit
C:\Windows\SysWOW64\Obkahddl.exe

Filesize
72KB

MD5
644d3250df6c1817f36052f6934483c8

SHA1
33f2713396c4e25d6335139fc98a8f1562705218

SHA256
a82ed1b82c101e52b85a9d3f61e1245d23cdb10915d66275e345cd96d2756fbe

SHA512
1c38d8a817e8154c580e7bbb56ffa1aa97163e5a6bc6b582b01734c2a7cca788202f6a89de3b7ac741df12c66bff03ffb6ebd17090ec359bb15af7013c5e5f45

Download Submit
C:\Windows\SysWOW64\Odgqopeb.exe

Filesize
72KB

MD5
cb4fd4281a2820a872f4c8b153a7fc78

SHA1
c3bb0f634fafd003b1a455db21a4ea709fbaddff

SHA256
9268e25677137efd1dc3a9d4ada4c5317e0d982fcf0a6762db741b20ad15fae0

SHA512
9f63f65753f34c71e527ffff39d91428c8559ffc85ec7dfd59ffc2818b803a4834ed5b3e5a52285d706d32ef8bb1320b23749bd4a052392ad2d607626b1922f4

Download Submit
C:\Windows\SysWOW64\Oflfdbip.exe

Filesize
72KB

MD5
8dbeeb4ec647b46b4e980a4a534c0fd4

SHA1
3eb3007b4064d09eff7ae521504ac75e1c8281df

SHA256
914becc654a3b053ac44ff623aea5cc43c94c52d80dd2bafc4e77be9d9e20d47

SHA512
45c7f8d0ea97f22819eab8959621317b3f7a8a1f972c4fa28a3608788353a3d378a890157876a072ad33cceeaf5295017f947e15aaeb2683cf6edb6b6f4f85eb

Download Submit
C:\Windows\SysWOW64\Oheienli.exe

Filesize
72KB

MD5
89e4e6ba323393d136e836c1e15ebe22

SHA1
b464d75c7b8170d1731c15cb17f79c28bd103118

SHA256
dadbfeeac496e844f5300f87ca37f9114caecbc59712e49500589d989297d5fa

SHA512
6868c92d2bbb82a8a07952c05e281fdf628b287b0f533824230fdad181e526f427639719433196a6392e0713fcb7b31d8c2de697c7efa41132624c9bf6ea5687

Download Submit
C:\Windows\SysWOW64\Okfbgiij.exe

Filesize
72KB

MD5
b180963f4e038663712a61f1bb9400ad

SHA1
6bdb4bf444276d0d7c87d13bd17d75f21c714c25

SHA256
bab0f2d5b93d4983754469ce1d573c8e9ae18ec9d5945b10311c1490d603bb50

SHA512
94c14febcde7bdc1956701b6e559340b639db23b1cc567690d1b20759197d5b1e1c8978a665d353553f205102b170757e804a4ee2143ec4a4921101aa2d8297c

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
72KB

MD5
2992164c7858b74a8964c68879bd7dfa

SHA1
605b49783dfc6457f3f4e1bb20dd83886faf3cec

SHA256
b94f765b14034e80ce7d3e95270d77aa2bcc553b291e0fbfcf8d708e5ee6596b

SHA512
e954ca3a976b50a012ed0aaa3ed0386d3e276602d9d6e4a0c81d425ad5ce8b55c5db95ffa29b202d5a7eac3f85e893c0407719e27994ff16dbd51a1283807db7

Download Submit
C:\Windows\SysWOW64\Oooaah32.exe

Filesize
72KB

MD5
2cd9e03f6df7f3c0872ca5b65c269e9d

SHA1
674a341d8dd820ec28295be9225c0df9635254ab

SHA256
2c206e614d5d3fba0317590b34433f7622e95f53341e1e7dd0a5c8b3a2b7d5e7

SHA512
e93a21ad6d8cc191b67d89d6c87576711cbfbfdbc3ba387fdce9fceb67e173a33b5180a6641c96573368c23cd7b51d39329009b2b6ff560b42765bfab466ae54

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe

Filesize
72KB

MD5
f168ba8a883a4c15c4b3f059425682f4

SHA1
4f06b3b397bbbf6033ac94b9dfe88a643bd8ed5e

SHA256
daafd2e62fe438a95e248b265f24ccb74df4ede4ee18068be5e6f56e76c8cfa8

SHA512
edde7436ee1987335d55d1b2e5950f50c6173bf3becbbf68031ca4383b133d17e3bc2d7062eb21a8fab052eaebe8cc8a7f3d939e7fb68b8cafce3ecb348b5c48

Download Submit
C:\Windows\SysWOW64\Pdbiphhi.exe

Filesize
72KB

MD5
041e552502e02f4c91c7abc459f360da

SHA1
6feca39bc9e4d2a80c35b5dc925c121afad16cc3

SHA256
b84ecc8cec3ac27b938d6d943a79bb237c1680222e92a0bfb218f6e312c60cfc

SHA512
6981d4743083d1dc3a8c596b1eec09f28dc8de776ffee3b60afd58d102b92cf7b13dfe6d3b93e98907d954aa5216e759344028849b5a02c05cbbb8b423357f5d

Download Submit
C:\Windows\SysWOW64\Pecpknke.exe

Filesize
72KB

MD5
d1107f22a802784b01212d1d64b5146f

SHA1
cafb7c0f0c32d7b661a11c801e4748cd25c62889

SHA256
63d3c2c77a6a6996e75b057c4007ed57998cdecbbba16869df2b056be21167b3

SHA512
c6663413ce5cd61638da01281516f2ff55621360d968c3fa1c515540d4677e246d0e8cd6e4616ee3d433d7874eefcde4e073cb5291ab8d316445b8ad3ac0bd8b

Download Submit
C:\Windows\SysWOW64\Peempn32.exe

Filesize
72KB

MD5
4938f659379d9f7a362a5b44c589fa45

SHA1
4efadb46562499e9b5c11c1b448f85cd4b73f964

SHA256
aaa254966fb95aa03afe9393c6a347648736680c5ab777bfd74cd9e26515ff6e

SHA512
66236a36f3a5d0370269d68d68ef04df83e02a5c519ddd75f14d5ca9e28eea35b8494dc2191fd482725c897b9e5421c9726a4e05906e27481e2cce76780655bd

Download Submit
C:\Windows\SysWOW64\Pfbfjk32.exe

Filesize
72KB

MD5
0665df6f3ff67808192c6bce0f6623ce

SHA1
a6be86b60e33df135aaab0fcabb804d31f3739ce

SHA256
86187d75ef90de36c0d2f0d85f365ecc4d80c0e160e4c09cd8398d19a51f95a6

SHA512
b445df4c9a8c6c076eea6bf9e01ae81209f7d1ce646e9d70299e45ad8b68a98b246ca029aface9f77933980a6a9180ac319f15ce31eb08ec2a173cd54339d6c1

Download Submit
C:\Windows\SysWOW64\Pfcchmlq.exe

Filesize
72KB

MD5
f7d1a4dade587d76ef3e2a46c13116ad

SHA1
17c866173c068d9f31edd9bb00abbce7f8f8b13a

SHA256
ff4103c9c031407c946a571fea6a62af1e274421fa07a4e47d6473069e904d46

SHA512
c01ebb7f20895212f594e3dcd4819d797b7099c5eaaa2f2347f1496ca2d529ab2f5bed05786e2eeb3412a10afe93bf1ec425feb246906cfe32cb3f4e11ee0f44

Download Submit
C:\Windows\SysWOW64\Pgoigcip.exe

Filesize
72KB

MD5
252b2cdb171763e95033338b9196b425

SHA1
5b809f470ab805d654da7bbb15ed220c1a087356

SHA256
c07a921a1324eac3ed5a118255a5d82b6e6d84caf0744faef88e211db6e50006

SHA512
301fabaee99fb2465e6aea9d7fc9c1693e9e3fe9c3d39d670fb4ec8dddb3a424bcbaac3be4b5e6a22b5d20310a6a72690de34e6eb73e77f5d65bc3bbf2e70f88

Download Submit
C:\Windows\SysWOW64\Pmeoqlpl.exe

Filesize
72KB

MD5
6654d98c307640d31dccdb3c58b157a6

SHA1
f8c75c014b36aa36c1e1a4f042104cb9bf2602a1

SHA256
5816691587212c926927b07f612370b86676fa775f4077b324b3f7001b1fb955

SHA512
154aa5a0e8a75258e7c4f6fc51eac161a60b10a52ef5d82220d30d82d1383a5fabe249a0a53fe37d0b0a8b4ce03c5a86b66491206d380417017b7951853c41cd

Download Submit
C:\Windows\SysWOW64\Pnhacn32.exe

Filesize
72KB

MD5
93943cbbf464b86afd90a591d7ccee05

SHA1
ed64e1d18864b41ba5318e587476930f6321bacc

SHA256
8ebcbb85955645375efde321f30df796a4cbe721c5464d00aaa86442142ee1d6

SHA512
45c87319e2630058d918dfe25e6b3a052566c44b7daa835308d017a5342b1dc2dca351083a30f3609fe1f07425347c2cf7920139ea8febc0d0212716205e4bcd

Download Submit
C:\Windows\SysWOW64\Pnknim32.exe

Filesize
72KB

MD5
d11d0ba1d5e4dda74fd39b80ec6d8814

SHA1
99d23c0a6be0a29f739e165bd7c655ab2ace3bde

SHA256
28e0db392b03a11ff9aee2c775c532c4c2734d0efc22b40b1f189b2f2777e51a

SHA512
df4df2be3a43686927664905bf0136a7171582d82f98baa87c263f81657dfcdb9479a2f1fb01702f00d5bb368d2be49a310125366e33f320a86a3957aca38e5d

Download Submit
C:\Windows\SysWOW64\Pnmjomlg.exe

Filesize
72KB

MD5
549abe63357fae89bd0c7a63cb1eac2c

SHA1
75ed689097804f01808101c9b5716ece9dd90664

SHA256
2e3d9eb0420f5233cc2f7faf9e5c78ff44007b3456e884f259aa581a246df6c3

SHA512
ff72f985c7543264d46d81221b045515bd7d4767c4f78bd53612a101018cb64f7d78126f1cda1a9fa7f238b09f5397ca020b8b3d98e5330e1b863f07c8e989b2

Download Submit
C:\Windows\SysWOW64\Poidhg32.exe

Filesize
72KB

MD5
3bb9b2ef852e81548bad50bb1815c994

SHA1
c8a89131db0527d8697a29cbcc410fbbc5712438

SHA256
33ad0f611c402022c092f99436c13a3b1675812a6248d191ae3f6864eb83af4a

SHA512
919f96f6826bde3c95d76891110d4f07ddc921e968777fee376681ed51fbabd7aa51c580f0e3a89debab8ea2305ad6ad7bfaa7cc9551b1f9d8745ddd128b17e3

Download Submit
C:\Windows\SysWOW64\Qghlmbae.exe

Filesize
72KB

MD5
fca175d70bf69d7b2cbb22b9c77066cc

SHA1
4a1da1d8d020e92070ee8b98d1367845eac4c489

SHA256
a5ab980fce1898d753ee1fa6051c96d03b40773dae3f0f0961b561588f00c46b

SHA512
dc9ce205bac2ddd53dc79bbd1af61ff38cd1239aa4802b3b61e5cceac7326495a7b01661deca693a43c5cf24896026de07e51995f97b647fb1ff470db87dede2

Download Submit
C:\Windows\SysWOW64\Qnbdjl32.exe

Filesize
72KB

MD5
82826f27b9e2197961b4ce2b7c1d8d54

SHA1
f18866bb63285d798f2d1a545d59a11ded20fdad

SHA256
bcf9fad473b9446c2e57b2539b569153957c3de963e86413533d9a66807deb94

SHA512
76eedce0c4f3ce8d9437b89014b14cdb0ec512d1d809cd437946356c1a09cf832d345e856ec326db2a47e15b83f928047430faf8d3f7aeeef72c15417d937f4e

Download Submit
C:\Windows\SysWOW64\Qnpgdmjd.exe

Filesize
72KB

MD5
244479bca243d4944f4b93e9ac0b5724

SHA1
570acb0b7f12b45e649374919078dc24bfc8f678

SHA256
283e641fd0340e3c2215fb40927bdac556787ac5ddd675cfdd2c9ae16eb0bfc0

SHA512
eadf0d72c2773901a78e44cb0c5269bad7aa2e138390ef0884c028896984147860e1483471c1a1d90bf69ca53679a035e0ccba384fc9a673526966127fc67adb

Download Submit
memory/264-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/412-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/412-155-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/496-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/496-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/548-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/836-185-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/836-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1020-93-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1564-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1564-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-139-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1988-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-77-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2092-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2092-156-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2120-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2284-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2488-111-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2536-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2692-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2692-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2704-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2840-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2840-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3056-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-218-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3208-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3364-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3524-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3532-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3560-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3560-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3616-114-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3616-35-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3756-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3756-209-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3804-105-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3804-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3824-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3824-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4120-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4120-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-122-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4452-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4560-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4560-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4564-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4564-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4704-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4996-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4996-226-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads