9bbceeb79f77bdb23dd580c6dcab41816aadb08018db46d6ba5ea7a327e329d1

Analysis

max time kernel
166s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bbceeb79f77bdb23dd580c6dcab41816aadb08018db46d6ba5ea7a327e329d1.exe
Size

443KB
MD5

b122013f7f5d5d72c5cf7eb53a230380
SHA1

e379f8743addd29c21952701df9e536c6c0591dd
SHA256

9bbceeb79f77bdb23dd580c6dcab41816aadb08018db46d6ba5ea7a327e329d1
SHA512

cffb257819e7cded278b008c4c9718b1dfac551ed97c8a0d8e5d255f9c369bca4d552299f516cb7744aaede14bc4e043df97e0ebf2d72713de82c6c43bf03817
SSDEEP

6144:6w8oZtcZ7zeXmRL13n4GAI13n4GAvs0PEpNF0pNO021fv13n4GA3uKjwszeXmOEB:6w8o/61J1HJ1Uj+HiPj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciokcgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocegnoog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfidh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oijqbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjbddh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfcjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilbdcfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfidh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnehgmob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjbddh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbqeonfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eliecc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgiiclkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllmml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Affgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okcmingd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcngafol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelhcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opgloh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbeaba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkkbnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onbpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngipjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hecadm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eckogc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mggolhaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbbldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagimmol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfcqod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meepoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilbclg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giokid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jchaoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiimejap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knldfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ladpcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqopqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhdicjfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfcqod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hppedpkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajfbmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfoflj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpgalc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhelddln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jajdff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laofhbmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbnbhfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllmml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognginic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hocjaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnehgmob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fapobl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habndbpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkkbnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhpeelnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmbiqqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhihkjfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkbenbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfjchn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghanoeel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gagebknp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdiglgbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlpabkba.exe

Executes dropped EXE 64 IoCs

pid	Process
4436	Ecoaijio.exe
4276	Egbdjhlp.exe
852	Fdadpk32.exe
8	Gcngafol.exe
1536	Hmkeekag.exe
4740	Igneda32.exe
848	Jelhcd32.exe
496	Ldoafodd.exe
2824	Logbigbg.exe
3028	Maaoaa32.exe
4980	Nhdicjfp.exe
1752	Nnabladg.exe
4196	Oeopnmoa.exe
4208	Ohpiphlb.exe
1820	Poeahaib.exe
1504	Pdbiphhi.exe
5028	Pgcbbc32.exe
2092	Anijjkbj.exe
2080	Bomppneg.exe
2676	Bgkaip32.exe
1348	Bgokdomj.exe
872	Ciaddaaj.exe
3856	Cejaobel.exe
628	Cbnbhfde.exe
2248	Dhbqalle.exe
4944	Dfcqod32.exe
2152	Ellicihn.exe
4332	Fghcqq32.exe
4032	Mjkiephp.exe
3952	Nhafcd32.exe
840	Nalgbi32.exe
4080	Ngipjp32.exe
4424	Ogpfko32.exe
2220	Oknnanhj.exe
4052	Pddokabk.exe
1984	Qkqdnkge.exe
5140	Ababkdij.exe
5180	Abflfc32.exe
5236	Bndblcdq.exe
5276	Cnkilbni.exe
5328	Cegnol32.exe
5368	Dbphcpog.exe
5408	Dbdano32.exe
5452	Dlmegd32.exe
5500	Diafqi32.exe
5540	Eangjkkd.exe
5580	Ejglcq32.exe
5628	Eliecc32.exe
5672	Fefcgh32.exe
5716	Fbjcplhj.exe
5756	Geabbfoc.exe
5800	Giokid32.exe
5844	Gkeakl32.exe
5892	Hocjaj32.exe
5932	Ijdnka32.exe
5968	Ileflmpb.exe
6016	Icooig32.exe
6056	Ikjcmi32.exe
6096	Icdhdfcj.exe
6140	Jllmml32.exe
5172	Jchaoe32.exe
5216	Kbbhka32.exe
5308	Kcbded32.exe
5360	Komoed32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pignccea.exe	Okodlgbl.exe
File created	C:\Windows\SysWOW64\Ecoiapdj.exe	Cklffq32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagmiie.exe	Ijfbhflj.exe
File opened for modification	C:\Windows\SysWOW64\Ghanoeel.exe	Gagebknp.exe
File created	C:\Windows\SysWOW64\Clfofd32.dll	Gfedfk32.exe
File opened for modification	C:\Windows\SysWOW64\Ijmobhdd.exe	Hmioicek.exe
File created	C:\Windows\SysWOW64\Dfcqod32.exe	Dhbqalle.exe
File opened for modification	C:\Windows\SysWOW64\Pgbdmfnc.exe	Pkigbfja.exe
File opened for modification	C:\Windows\SysWOW64\Pbpall32.exe	Plfipakk.exe
File created	C:\Windows\SysWOW64\Hiipnb32.dll	Fcikhace.exe
File opened for modification	C:\Windows\SysWOW64\Hmkeekag.exe	Gcngafol.exe
File created	C:\Windows\SysWOW64\Fcbehbim.exe	Eflhiolf.exe
File opened for modification	C:\Windows\SysWOW64\Ncpelbap.exe	Mncmck32.exe
File created	C:\Windows\SysWOW64\Jdlcde32.dll	Ngedbp32.exe
File opened for modification	C:\Windows\SysWOW64\Enfcjb32.exe	Eckfaj32.exe
File created	C:\Windows\SysWOW64\Caioglje.dll	Oiojmgcb.exe
File opened for modification	C:\Windows\SysWOW64\Mbmbiqqp.exe	Mggolhaj.exe
File opened for modification	C:\Windows\SysWOW64\Ojjfpjjj.exe	Okcmingd.exe
File created	C:\Windows\SysWOW64\Ljeeki32.dll	Nhafcd32.exe
File opened for modification	C:\Windows\SysWOW64\Jkbhok32.exe	Jajdff32.exe
File opened for modification	C:\Windows\SysWOW64\Nnabladg.exe	Nhdicjfp.exe
File opened for modification	C:\Windows\SysWOW64\Doidql32.exe	Dgkbfjeg.exe
File opened for modification	C:\Windows\SysWOW64\Kdbchp32.exe	Knenffqf.exe
File created	C:\Windows\SysWOW64\Pabgnqhk.dll	Kdbchp32.exe
File created	C:\Windows\SysWOW64\Cppfmf32.dll	Qmlmjq32.exe
File opened for modification	C:\Windows\SysWOW64\Onkbenbi.exe	Oiojmgcb.exe
File created	C:\Windows\SysWOW64\Hfjmajbc.exe	Hppedpkf.exe
File created	C:\Windows\SysWOW64\Ifkppk32.dll	Habndbpf.exe
File created	C:\Windows\SysWOW64\Meepoc32.exe	Lilbdcfe.exe
File created	C:\Windows\SysWOW64\Nmajbnha.exe	Nlpabkba.exe
File opened for modification	C:\Windows\SysWOW64\Fapobl32.exe	Fjcjpb32.exe
File created	C:\Windows\SysWOW64\Iefkmhfm.dll	Jkbhok32.exe
File opened for modification	C:\Windows\SysWOW64\Oiojmgcb.exe	Okkidceh.exe
File opened for modification	C:\Windows\SysWOW64\Hbldkllm.exe	Gfedfk32.exe
File opened for modification	C:\Windows\SysWOW64\Lajfbmmi.exe	Kagimmol.exe
File created	C:\Windows\SysWOW64\Nhdicjfp.exe	Maaoaa32.exe
File opened for modification	C:\Windows\SysWOW64\Bkbcpb32.exe	Bpmobi32.exe
File created	C:\Windows\SysWOW64\Lcmopeae.exe	Liekgo32.exe
File created	C:\Windows\SysWOW64\Mciokcgg.exe	Mjqjbn32.exe
File created	C:\Windows\SysWOW64\Eggkfmfh.dll	Dlmegd32.exe
File created	C:\Windows\SysWOW64\Lfjchn32.exe	Komoed32.exe
File created	C:\Windows\SysWOW64\Cnkjaaqb.dll	Gaglma32.exe
File created	C:\Windows\SysWOW64\Ljnqoldc.dll	Plfipakk.exe
File created	C:\Windows\SysWOW64\Jikojcaa.exe	Ibagmiie.exe
File opened for modification	C:\Windows\SysWOW64\Mhihkjfj.exe	Mbpoop32.exe
File created	C:\Windows\SysWOW64\Cmjhoq32.dll	Immhdc32.exe
File opened for modification	C:\Windows\SysWOW64\Ecoiapdj.exe	Cklffq32.exe
File created	C:\Windows\SysWOW64\Chkggi32.dll	Lilbdcfe.exe
File created	C:\Windows\SysWOW64\Foaoho32.dll	Bocjdiol.exe
File created	C:\Windows\SysWOW64\Idjmfmgp.exe	Iffmmihf.exe
File created	C:\Windows\SysWOW64\Hppedpkf.exe	Hbldkllm.exe
File opened for modification	C:\Windows\SysWOW64\Panhmi32.exe	Palkgi32.exe
File created	C:\Windows\SysWOW64\Ecoaijio.exe	9bbceeb79f77bdb23dd580c6dcab41816aadb08018db46d6ba5ea7a327e329d1.exe
File opened for modification	C:\Windows\SysWOW64\Headon32.exe	Heohinog.exe
File created	C:\Windows\SysWOW64\Neclpamg.exe	Nfnooe32.exe
File created	C:\Windows\SysWOW64\Qbeaba32.exe	Ppeipfdm.exe
File opened for modification	C:\Windows\SysWOW64\Kbbhka32.exe	Jchaoe32.exe
File created	C:\Windows\SysWOW64\Amhopf32.dll	Ooalibaf.exe
File created	C:\Windows\SysWOW64\Foaeccgp.dll	Diafqi32.exe
File opened for modification	C:\Windows\SysWOW64\Gbcaemdg.exe	Gbqeonfj.exe
File opened for modification	C:\Windows\SysWOW64\Oknnanhj.exe	Ogpfko32.exe
File opened for modification	C:\Windows\SysWOW64\Diafqi32.exe	Dlmegd32.exe
File created	C:\Windows\SysWOW64\Copajm32.exe	Cgdlfk32.exe
File created	C:\Windows\SysWOW64\Lnccmnak.exe	Lcmopeae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5788	5484	WerFault.exe	396

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anijjkbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlialb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egoomnin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoebjc32.dll"	Mbpoop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpfmgq32.dll"	Gbcaemdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjfpjjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ileflmpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdcmkpj.dll"	Mlialb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfhbh32.dll"	Admkgifd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibpgnl32.dll"	Hfoflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijmobhdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodeje32.dll"	Opgloh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqaldi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacboi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnabladg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcbded32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neclpamg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbbhi32.dll"	Hcnnjoam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poeahaib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opjponbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgbppknb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbcaemdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akdameeh.dll"	Kdalni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jelhcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Palkgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijmobhdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Diafqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabgnqhk.dll"	Kdbchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ooalibaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdend32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaoaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegnol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbdano32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlmegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icdhdfcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkqdnkge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Panhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjocaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqdhecgn.dll"	Mpoljg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmiodlkh.dll"	Mncmck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdiglgbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doidql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbefkjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllmml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abnnnjfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfphmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaglma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geollfdn.dll"	Knenffqf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laofhbmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Negoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jikojcaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekijfnm.dll"	Komoed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gplbcgbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlfcqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnimia32.dll"	Bodano32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpoagb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdalni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgkaip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgekh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgdlfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmafigoe.dll"	Liekgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emgnje32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 4436	336	9bbceeb79f77bdb23dd580c6dcab41816aadb08018db46d6ba5ea7a327e329d1.exe	101
PID 336 wrote to memory of 4436	336	9bbceeb79f77bdb23dd580c6dcab41816aadb08018db46d6ba5ea7a327e329d1.exe	101
PID 336 wrote to memory of 4436	336	9bbceeb79f77bdb23dd580c6dcab41816aadb08018db46d6ba5ea7a327e329d1.exe	101
PID 4436 wrote to memory of 4276	4436	Ecoaijio.exe	102
PID 4436 wrote to memory of 4276	4436	Ecoaijio.exe	102
PID 4436 wrote to memory of 4276	4436	Ecoaijio.exe	102
PID 4276 wrote to memory of 852	4276	Egbdjhlp.exe	103
PID 4276 wrote to memory of 852	4276	Egbdjhlp.exe	103
PID 4276 wrote to memory of 852	4276	Egbdjhlp.exe	103
PID 852 wrote to memory of 8	852	Fdadpk32.exe	105
PID 852 wrote to memory of 8	852	Fdadpk32.exe	105
PID 852 wrote to memory of 8	852	Fdadpk32.exe	105
PID 8 wrote to memory of 1536	8	Gcngafol.exe	106
PID 8 wrote to memory of 1536	8	Gcngafol.exe	106
PID 8 wrote to memory of 1536	8	Gcngafol.exe	106
PID 1536 wrote to memory of 4740	1536	Hmkeekag.exe	107
PID 1536 wrote to memory of 4740	1536	Hmkeekag.exe	107
PID 1536 wrote to memory of 4740	1536	Hmkeekag.exe	107
PID 4740 wrote to memory of 848	4740	Igneda32.exe	108
PID 4740 wrote to memory of 848	4740	Igneda32.exe	108
PID 4740 wrote to memory of 848	4740	Igneda32.exe	108
PID 848 wrote to memory of 496	848	Jelhcd32.exe	109
PID 848 wrote to memory of 496	848	Jelhcd32.exe	109
PID 848 wrote to memory of 496	848	Jelhcd32.exe	109
PID 496 wrote to memory of 2824	496	Ldoafodd.exe	110
PID 496 wrote to memory of 2824	496	Ldoafodd.exe	110
PID 496 wrote to memory of 2824	496	Ldoafodd.exe	110
PID 2824 wrote to memory of 3028	2824	Logbigbg.exe	111
PID 2824 wrote to memory of 3028	2824	Logbigbg.exe	111
PID 2824 wrote to memory of 3028	2824	Logbigbg.exe	111
PID 3028 wrote to memory of 4980	3028	Maaoaa32.exe	112
PID 3028 wrote to memory of 4980	3028	Maaoaa32.exe	112
PID 3028 wrote to memory of 4980	3028	Maaoaa32.exe	112
PID 4980 wrote to memory of 1752	4980	Nhdicjfp.exe	113
PID 4980 wrote to memory of 1752	4980	Nhdicjfp.exe	113
PID 4980 wrote to memory of 1752	4980	Nhdicjfp.exe	113
PID 1752 wrote to memory of 4196	1752	Nnabladg.exe	114
PID 1752 wrote to memory of 4196	1752	Nnabladg.exe	114
PID 1752 wrote to memory of 4196	1752	Nnabladg.exe	114
PID 4196 wrote to memory of 4208	4196	Oeopnmoa.exe	115
PID 4196 wrote to memory of 4208	4196	Oeopnmoa.exe	115
PID 4196 wrote to memory of 4208	4196	Oeopnmoa.exe	115
PID 4208 wrote to memory of 1820	4208	Ohpiphlb.exe	116
PID 4208 wrote to memory of 1820	4208	Ohpiphlb.exe	116
PID 4208 wrote to memory of 1820	4208	Ohpiphlb.exe	116
PID 1820 wrote to memory of 1504	1820	Poeahaib.exe	117
PID 1820 wrote to memory of 1504	1820	Poeahaib.exe	117
PID 1820 wrote to memory of 1504	1820	Poeahaib.exe	117
PID 1504 wrote to memory of 5028	1504	Pdbiphhi.exe	118
PID 1504 wrote to memory of 5028	1504	Pdbiphhi.exe	118
PID 1504 wrote to memory of 5028	1504	Pdbiphhi.exe	118
PID 5028 wrote to memory of 2092	5028	Pgcbbc32.exe	119
PID 5028 wrote to memory of 2092	5028	Pgcbbc32.exe	119
PID 5028 wrote to memory of 2092	5028	Pgcbbc32.exe	119
PID 2092 wrote to memory of 2080	2092	Anijjkbj.exe	120
PID 2092 wrote to memory of 2080	2092	Anijjkbj.exe	120
PID 2092 wrote to memory of 2080	2092	Anijjkbj.exe	120
PID 2080 wrote to memory of 2676	2080	Bomppneg.exe	121
PID 2080 wrote to memory of 2676	2080	Bomppneg.exe	121
PID 2080 wrote to memory of 2676	2080	Bomppneg.exe	121
PID 2676 wrote to memory of 1348	2676	Bgkaip32.exe	123
PID 2676 wrote to memory of 1348	2676	Bgkaip32.exe	123
PID 2676 wrote to memory of 1348	2676	Bgkaip32.exe	123
PID 1348 wrote to memory of 872	1348	Bgokdomj.exe	124

C:\Users\Admin\AppData\Local\Temp\9bbceeb79f77bdb23dd580c6dcab41816aadb08018db46d6ba5ea7a327e329d1.exe
"C:\Users\Admin\AppData\Local\Temp\9bbceeb79f77bdb23dd580c6dcab41816aadb08018db46d6ba5ea7a327e329d1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\SysWOW64\Ecoaijio.exe
  C:\Windows\system32\Ecoaijio.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\Egbdjhlp.exe
    C:\Windows\system32\Egbdjhlp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Windows\SysWOW64\Fdadpk32.exe
      C:\Windows\system32\Fdadpk32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Windows\SysWOW64\Gcngafol.exe
        
        C:\Windows\system32\Gcngafol.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\SysWOW64\Hmkeekag.exe
        
        C:\Windows\system32\Hmkeekag.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Igneda32.exe
        
        C:\Windows\system32\Igneda32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Jelhcd32.exe
        
        C:\Windows\system32\Jelhcd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Ldoafodd.exe
        
        C:\Windows\system32\Ldoafodd.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Windows\SysWOW64\Logbigbg.exe
        
        C:\Windows\system32\Logbigbg.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Maaoaa32.exe
        
        C:\Windows\system32\Maaoaa32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Nhdicjfp.exe
        
        C:\Windows\system32\Nhdicjfp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Nnabladg.exe
        
        C:\Windows\system32\Nnabladg.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Oeopnmoa.exe
        
        C:\Windows\system32\Oeopnmoa.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Ohpiphlb.exe
        
        C:\Windows\system32\Ohpiphlb.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Poeahaib.exe
        
        C:\Windows\system32\Poeahaib.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Pdbiphhi.exe
        
        C:\Windows\system32\Pdbiphhi.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Pgcbbc32.exe
        
        C:\Windows\system32\Pgcbbc32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Anijjkbj.exe
        
        C:\Windows\system32\Anijjkbj.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Bomppneg.exe
        
        C:\Windows\system32\Bomppneg.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Bgkaip32.exe
        
        C:\Windows\system32\Bgkaip32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Bgokdomj.exe
        
        C:\Windows\system32\Bgokdomj.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Ciaddaaj.exe
        
        C:\Windows\system32\Ciaddaaj.exe
        23⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Cejaobel.exe
        
        C:\Windows\system32\Cejaobel.exe
        24⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Cbnbhfde.exe
        
        C:\Windows\system32\Cbnbhfde.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Dhbqalle.exe
        
        C:\Windows\system32\Dhbqalle.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Dfcqod32.exe
        
        C:\Windows\system32\Dfcqod32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Ellicihn.exe
        
        C:\Windows\system32\Ellicihn.exe
        28⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\Fghcqq32.exe
        
        C:\Windows\system32\Fghcqq32.exe
        29⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Mjkiephp.exe
        
        C:\Windows\system32\Mjkiephp.exe
        30⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Nhafcd32.exe
        
        C:\Windows\system32\Nhafcd32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Nalgbi32.exe
        
        C:\Windows\system32\Nalgbi32.exe
        32⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\Ngipjp32.exe
        
        C:\Windows\system32\Ngipjp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Ogpfko32.exe
        
        C:\Windows\system32\Ogpfko32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Oknnanhj.exe
        
        C:\Windows\system32\Oknnanhj.exe
        35⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Pddokabk.exe
        
        C:\Windows\system32\Pddokabk.exe
        36⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Qkqdnkge.exe
        
        C:\Windows\system32\Qkqdnkge.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Ababkdij.exe
        
        C:\Windows\system32\Ababkdij.exe
        38⤵
        Executes dropped EXE
        
        PID:5140
        
        C:\Windows\SysWOW64\Abflfc32.exe
        
        C:\Windows\system32\Abflfc32.exe
        39⤵
        Executes dropped EXE
        
        PID:5180
        
        C:\Windows\SysWOW64\Bndblcdq.exe
        
        C:\Windows\system32\Bndblcdq.exe
        40⤵
        Executes dropped EXE
        
        PID:5236
        
        C:\Windows\SysWOW64\Cnkilbni.exe
        
        C:\Windows\system32\Cnkilbni.exe
        41⤵
        Executes dropped EXE
        
        PID:5276
        
        C:\Windows\SysWOW64\Cegnol32.exe
        
        C:\Windows\system32\Cegnol32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Dbphcpog.exe
        
        C:\Windows\system32\Dbphcpog.exe
        43⤵
        Executes dropped EXE
        
        PID:5368
        
        C:\Windows\SysWOW64\Dbdano32.exe
        
        C:\Windows\system32\Dbdano32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Dlmegd32.exe
        
        C:\Windows\system32\Dlmegd32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Diafqi32.exe
        
        C:\Windows\system32\Diafqi32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Eangjkkd.exe
        
        C:\Windows\system32\Eangjkkd.exe
        47⤵
        Executes dropped EXE
        
        PID:5540
        
        C:\Windows\SysWOW64\Ejglcq32.exe
        
        C:\Windows\system32\Ejglcq32.exe
        48⤵
        Executes dropped EXE
        
        PID:5580
        
        C:\Windows\SysWOW64\Eliecc32.exe
        
        C:\Windows\system32\Eliecc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5628
        
        C:\Windows\SysWOW64\Fefcgh32.exe
        
        C:\Windows\system32\Fefcgh32.exe
        50⤵
        Executes dropped EXE
        
        PID:5672
        
        C:\Windows\SysWOW64\Fbjcplhj.exe
        
        C:\Windows\system32\Fbjcplhj.exe
        51⤵
        Executes dropped EXE
        
        PID:5716
        
        C:\Windows\SysWOW64\Geabbfoc.exe
        
        C:\Windows\system32\Geabbfoc.exe
        52⤵
        Executes dropped EXE
        
        PID:5756
        
        C:\Windows\SysWOW64\Giokid32.exe
        
        C:\Windows\system32\Giokid32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5800
        
        C:\Windows\SysWOW64\Gkeakl32.exe
        
        C:\Windows\system32\Gkeakl32.exe
        54⤵
        Executes dropped EXE
        
        PID:5844
        
        C:\Windows\SysWOW64\Hocjaj32.exe
        
        C:\Windows\system32\Hocjaj32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5892
        
        C:\Windows\SysWOW64\Ijdnka32.exe
        
        C:\Windows\system32\Ijdnka32.exe
        56⤵
        Executes dropped EXE
        
        PID:5932
        
        C:\Windows\SysWOW64\Ileflmpb.exe
        
        C:\Windows\system32\Ileflmpb.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Icooig32.exe
        
        C:\Windows\system32\Icooig32.exe
        58⤵
        Executes dropped EXE
        
        PID:6016
        
        C:\Windows\SysWOW64\Ikjcmi32.exe
        
        C:\Windows\system32\Ikjcmi32.exe
        59⤵
        Executes dropped EXE
        
        PID:6056
        
        C:\Windows\SysWOW64\Icdhdfcj.exe
        
        C:\Windows\system32\Icdhdfcj.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Jllmml32.exe
        
        C:\Windows\system32\Jllmml32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Jchaoe32.exe
        
        C:\Windows\system32\Jchaoe32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Kbbhka32.exe
        
        C:\Windows\system32\Kbbhka32.exe
        63⤵
        Executes dropped EXE
        
        PID:5216
        
        C:\Windows\SysWOW64\Kcbded32.exe
        
        C:\Windows\system32\Kcbded32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Komoed32.exe
        
        C:\Windows\system32\Komoed32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Lfjchn32.exe
        
        C:\Windows\system32\Lfjchn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Lobhqdec.exe
        
        C:\Windows\system32\Lobhqdec.exe
        67⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Lpgalc32.exe
        
        C:\Windows\system32\Lpgalc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Mlialb32.exe
        
        C:\Windows\system32\Mlialb32.exe
        69⤵
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Nlbdba32.exe
        
        C:\Windows\system32\Nlbdba32.exe
        70⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Njceqili.exe
        
        C:\Windows\system32\Njceqili.exe
        71⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Ofmbkipk.exe
        
        C:\Windows\system32\Ofmbkipk.exe
        72⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Oljkcpnb.exe
        
        C:\Windows\system32\Oljkcpnb.exe
        73⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Ollgiplp.exe
        
        C:\Windows\system32\Ollgiplp.exe
        74⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Opjponbf.exe
        
        C:\Windows\system32\Opjponbf.exe
        75⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Okodlgbl.exe
        
        C:\Windows\system32\Okodlgbl.exe
        76⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Pignccea.exe
        
        C:\Windows\system32\Pignccea.exe
        77⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Piikhc32.exe
        
        C:\Windows\system32\Piikhc32.exe
        78⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Pdoofl32.exe
        
        C:\Windows\system32\Pdoofl32.exe
        79⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Pkigbfja.exe
        
        C:\Windows\system32\Pkigbfja.exe
        80⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Pgbdmfnc.exe
        
        C:\Windows\system32\Pgbdmfnc.exe
        81⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Qmlmjq32.exe
        
        C:\Windows\system32\Qmlmjq32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Qdhalj32.exe
        
        C:\Windows\system32\Qdhalj32.exe
        83⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Admkgifd.exe
        
        C:\Windows\system32\Admkgifd.exe
        84⤵
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Akgcdc32.exe
        
        C:\Windows\system32\Akgcdc32.exe
        85⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Acbhhf32.exe
        
        C:\Windows\system32\Acbhhf32.exe
        86⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Bpmobi32.exe
        
        C:\Windows\system32\Bpmobi32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Bkbcpb32.exe
        
        C:\Windows\system32\Bkbcpb32.exe
        88⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Bnehgmob.exe
        
        C:\Windows\system32\Bnehgmob.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Cgnmpbec.exe
        
        C:\Windows\system32\Cgnmpbec.exe
        90⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Cklffq32.exe
        
        C:\Windows\system32\Cklffq32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Ecoiapdj.exe
        
        C:\Windows\system32\Ecoiapdj.exe
        92⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Emgnje32.exe
        
        C:\Windows\system32\Emgnje32.exe
        93⤵
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Egoomnin.exe
        
        C:\Windows\system32\Egoomnin.exe
        94⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Fchlhnlo.exe
        
        C:\Windows\system32\Fchlhnlo.exe
        95⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Fjbddh32.exe
        
        C:\Windows\system32\Fjbddh32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Gaglma32.exe
        
        C:\Windows\system32\Gaglma32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Gkdjaf32.exe
        
        C:\Windows\system32\Gkdjaf32.exe
        98⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\Hldgkiki.exe
        
        C:\Windows\system32\Hldgkiki.exe
        99⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Hlfcqh32.exe
        
        C:\Windows\system32\Hlfcqh32.exe
        100⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Heohinog.exe
        
        C:\Windows\system32\Heohinog.exe
        101⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Headon32.exe
        
        C:\Windows\system32\Headon32.exe
        102⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Hecadm32.exe
        
        C:\Windows\system32\Hecadm32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2240
        
        C:\Windows\SysWOW64\Iolfmcbb.exe
        
        C:\Windows\system32\Iolfmcbb.exe
        104⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\Ilbclg32.exe
        
        C:\Windows\system32\Ilbclg32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Iejgelej.exe
        
        C:\Windows\system32\Iejgelej.exe
        106⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Iemdkl32.exe
        
        C:\Windows\system32\Iemdkl32.exe
        107⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Jhbfgflc.exe
        
        C:\Windows\system32\Jhbfgflc.exe
        108⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Jdiglgbg.exe
        
        C:\Windows\system32\Jdiglgbg.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Jookjpam.exe
        
        C:\Windows\system32\Jookjpam.exe
        110⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\Lhelddln.exe
        
        C:\Windows\system32\Lhelddln.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3944
        
        C:\Windows\SysWOW64\Lnfngj32.exe
        
        C:\Windows\system32\Lnfngj32.exe
        112⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Lilbdcfe.exe
        
        C:\Windows\system32\Lilbdcfe.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1252
        
        C:\Windows\SysWOW64\Meepoc32.exe
        
        C:\Windows\system32\Meepoc32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1892
        
        C:\Windows\SysWOW64\Nfnooe32.exe
        
        C:\Windows\system32\Nfnooe32.exe
        115⤵
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Neclpamg.exe
        
        C:\Windows\system32\Neclpamg.exe
        116⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Nlpabkba.exe
        
        C:\Windows\system32\Nlpabkba.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Nmajbnha.exe
        
        C:\Windows\system32\Nmajbnha.exe
        118⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\Ofnhfbjl.exe
        
        C:\Windows\system32\Ofnhfbjl.exe
        119⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Opgloh32.exe
        
        C:\Windows\system32\Opgloh32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Oecego32.exe
        
        C:\Windows\system32\Oecego32.exe
        121⤵
        
        PID:496
        
        C:\Windows\SysWOW64\Olnmdi32.exe
        
        C:\Windows\system32\Olnmdi32.exe
        122⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\Ofcaab32.exe
        
        C:\Windows\system32\Ofcaab32.exe
        123⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Ppeipfdm.exe
        
        C:\Windows\system32\Ppeipfdm.exe
        124⤵
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Qbeaba32.exe
        
        C:\Windows\system32\Qbeaba32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1092
        
        C:\Windows\SysWOW64\Affgno32.exe
        
        C:\Windows\system32\Affgno32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2140
        
        C:\Windows\SysWOW64\Aiimejap.exe
        
        C:\Windows\system32\Aiimejap.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3276
        
        C:\Windows\SysWOW64\Amgekh32.exe
        
        C:\Windows\system32\Amgekh32.exe
        128⤵
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Begcjjql.exe
        
        C:\Windows\system32\Begcjjql.exe
        129⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Bidlqhgc.exe
        
        C:\Windows\system32\Bidlqhgc.exe
        130⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Bcmqin32.exe
        
        C:\Windows\system32\Bcmqin32.exe
        131⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Bjgifhep.exe
        
        C:\Windows\system32\Bjgifhep.exe
        132⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Bodano32.exe
        
        C:\Windows\system32\Bodano32.exe
        133⤵
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Cnealfkf.exe
        
        C:\Windows\system32\Cnealfkf.exe
        134⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Cgpcklpd.exe
        
        C:\Windows\system32\Cgpcklpd.exe
        135⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\Cgbppknb.exe
        
        C:\Windows\system32\Cgbppknb.exe
        136⤵
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Cgdlfk32.exe
        
        C:\Windows\system32\Cgdlfk32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Copajm32.exe
        
        C:\Windows\system32\Copajm32.exe
        138⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Cfiiggpg.exe
        
        C:\Windows\system32\Cfiiggpg.exe
        139⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Dgkbfjeg.exe
        
        C:\Windows\system32\Dgkbfjeg.exe
        140⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Doidql32.exe
        
        C:\Windows\system32\Doidql32.exe
        141⤵
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Dfclmfhl.exe
        
        C:\Windows\system32\Dfclmfhl.exe
        142⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Dcglfjgf.exe
        
        C:\Windows\system32\Dcglfjgf.exe
        143⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Emanepld.exe
        
        C:\Windows\system32\Emanepld.exe
        144⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Eckfaj32.exe
        
        C:\Windows\system32\Eckfaj32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6536
        
        C:\Windows\SysWOW64\Enfcjb32.exe
        
        C:\Windows\system32\Enfcjb32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6580
        
        C:\Windows\SysWOW64\Fgcang32.exe
        
        C:\Windows\system32\Fgcang32.exe
        147⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Fjcjpb32.exe
        
        C:\Windows\system32\Fjcjpb32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6692
        
        C:\Windows\SysWOW64\Fapobl32.exe
        
        C:\Windows\system32\Fapobl32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6740
        
        C:\Windows\SysWOW64\Gablgk32.exe
        
        C:\Windows\system32\Gablgk32.exe
        150⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Gmimll32.exe
        
        C:\Windows\system32\Gmimll32.exe
        151⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Gfaaebnj.exe
        
        C:\Windows\system32\Gfaaebnj.exe
        152⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Gagebknp.exe
        
        C:\Windows\system32\Gagebknp.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6912
        
        C:\Windows\SysWOW64\Ghanoeel.exe
        
        C:\Windows\system32\Ghanoeel.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Gnkflo32.exe
        
        C:\Windows\system32\Gnkflo32.exe
        155⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Gplbcgbg.exe
        
        C:\Windows\system32\Gplbcgbg.exe
        156⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Hanlcjgh.exe
        
        C:\Windows\system32\Hanlcjgh.exe
        157⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Haphiiee.exe
        
        C:\Windows\system32\Haphiiee.exe
        158⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Hhjqec32.exe
        
        C:\Windows\system32\Hhjqec32.exe
        159⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Idfkednq.exe
        
        C:\Windows\system32\Idfkednq.exe
        160⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Jkkbnl32.exe
        
        C:\Windows\system32\Jkkbnl32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Jgbccm32.exe
        
        C:\Windows\system32\Jgbccm32.exe
        162⤵
        
        PID:872
        
        C:\Windows\SysWOW64\Jajdff32.exe
        
        C:\Windows\system32\Jajdff32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\Jkbhok32.exe
        
        C:\Windows\system32\Jkbhok32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Jpoagb32.exe
        
        C:\Windows\system32\Jpoagb32.exe
        165⤵
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Jgiiclkl.exe
        
        C:\Windows\system32\Jgiiclkl.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Knenffqf.exe
        
        C:\Windows\system32\Knenffqf.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Kdbchp32.exe
        
        C:\Windows\system32\Kdbchp32.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Koggehff.exe
        
        C:\Windows\system32\Koggehff.exe
        169⤵
        
        PID:492
        
        C:\Windows\SysWOW64\Knldfe32.exe
        
        C:\Windows\system32\Knldfe32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6284
        
        C:\Windows\SysWOW64\Khbhdn32.exe
        
        C:\Windows\system32\Khbhdn32.exe
        171⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Kolaqh32.exe
        
        C:\Windows\system32\Kolaqh32.exe
        172⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Lppjnpem.exe
        
        C:\Windows\system32\Lppjnpem.exe
        173⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Lgibjj32.exe
        
        C:\Windows\system32\Lgibjj32.exe
        174⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Laofhbmp.exe
        
        C:\Windows\system32\Laofhbmp.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Locgagli.exe
        
        C:\Windows\system32\Locgagli.exe
        176⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Ladpcb32.exe
        
        C:\Windows\system32\Ladpcb32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7116
        
        C:\Windows\SysWOW64\Lhnhplpg.exe
        
        C:\Windows\system32\Lhnhplpg.exe
        178⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Mnjqhcno.exe
        
        C:\Windows\system32\Mnjqhcno.exe
        179⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Mhpeelnd.exe
        
        C:\Windows\system32\Mhpeelnd.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4512
        
        C:\Windows\SysWOW64\Mnmmmbll.exe
        
        C:\Windows\system32\Mnmmmbll.exe
        181⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\Mnojcb32.exe
        
        C:\Windows\system32\Mnojcb32.exe
        182⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\Mggolhaj.exe
        
        C:\Windows\system32\Mggolhaj.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\Mbmbiqqp.exe
        
        C:\Windows\system32\Mbmbiqqp.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4628
        
        C:\Windows\SysWOW64\Mgjkag32.exe
        
        C:\Windows\system32\Mgjkag32.exe
        185⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Mbpoop32.exe
        
        C:\Windows\system32\Mbpoop32.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Mhihkjfj.exe
        
        C:\Windows\system32\Mhihkjfj.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6980
        
        C:\Windows\SysWOW64\Nbbldp32.exe
        
        C:\Windows\system32\Nbbldp32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7060
        
        C:\Windows\SysWOW64\Ngodlgka.exe
        
        C:\Windows\system32\Ngodlgka.exe
        189⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Ndbefkjk.exe
        
        C:\Windows\system32\Ndbefkjk.exe
        190⤵
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Nohicdia.exe
        
        C:\Windows\system32\Nohicdia.exe
        191⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ngcngfgl.exe
        
        C:\Windows\system32\Ngcngfgl.exe
        192⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Negoaj32.exe
        
        C:\Windows\system32\Negoaj32.exe
        193⤵
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Nbkojo32.exe
        
        C:\Windows\system32\Nbkojo32.exe
        194⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Onbpop32.exe
        
        C:\Windows\system32\Onbpop32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1764
        
        C:\Windows\SysWOW64\Ooalibaf.exe
        
        C:\Windows\system32\Ooalibaf.exe
        196⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Oijqbh32.exe
        
        C:\Windows\system32\Oijqbh32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6732
        
        C:\Windows\SysWOW64\Okkidceh.exe
        
        C:\Windows\system32\Okkidceh.exe
        198⤵
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Oiojmgcb.exe
        
        C:\Windows\system32\Oiojmgcb.exe
        199⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Onkbenbi.exe
        
        C:\Windows\system32\Onkbenbi.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6848
        
        C:\Windows\SysWOW64\Oiagcg32.exe
        
        C:\Windows\system32\Oiagcg32.exe
        201⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\Palkgi32.exe
        
        C:\Windows\system32\Palkgi32.exe
        202⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Panhmi32.exe
        
        C:\Windows\system32\Panhmi32.exe
        203⤵
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Pldljbmn.exe
        
        C:\Windows\system32\Pldljbmn.exe
        204⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Paqebike.exe
        
        C:\Windows\system32\Paqebike.exe
        205⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Plfipakk.exe
        
        C:\Windows\system32\Plfipakk.exe
        206⤵
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\Pbpall32.exe
        
        C:\Windows\system32\Pbpall32.exe
        207⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Plifea32.exe
        
        C:\Windows\system32\Plifea32.exe
        208⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Abnnnjfh.exe
        
        C:\Windows\system32\Abnnnjfh.exe
        209⤵
        Modifies registry class
        
        PID:7384
        
        C:\Windows\SysWOW64\Blbabnbk.exe
        
        C:\Windows\system32\Blbabnbk.exe
        210⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Bocjdiol.exe
        
        C:\Windows\system32\Bocjdiol.exe
        211⤵
        Drops file in System32 directory
        
        PID:7476
        
        C:\Windows\SysWOW64\Cemcqcgi.exe
        
        C:\Windows\system32\Cemcqcgi.exe
        212⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Dfphmp32.exe
        
        C:\Windows\system32\Dfphmp32.exe
        213⤵
        Modifies registry class
        
        PID:7612
        
        C:\Windows\SysWOW64\Dfbebpdq.exe
        
        C:\Windows\system32\Dfbebpdq.exe
        214⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Elojej32.exe
        
        C:\Windows\system32\Elojej32.exe
        215⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Eckogc32.exe
        
        C:\Windows\system32\Eckogc32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7828
        
        C:\Windows\SysWOW64\Eqopqh32.exe
        
        C:\Windows\system32\Eqopqh32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7872
        
        C:\Windows\SysWOW64\Eflhiolf.exe
        
        C:\Windows\system32\Eflhiolf.exe
        218⤵
        Drops file in System32 directory
        
        PID:7932
        
        C:\Windows\SysWOW64\Fcbehbim.exe
        
        C:\Windows\system32\Fcbehbim.exe
        219⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Fhonpi32.exe
        
        C:\Windows\system32\Fhonpi32.exe
        220⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Fbgbione.exe
        
        C:\Windows\system32\Fbgbione.exe
        221⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Fcfocb32.exe
        
        C:\Windows\system32\Fcfocb32.exe
        222⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Fjqgpl32.exe
        
        C:\Windows\system32\Fjqgpl32.exe
        223⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Fcikhace.exe
        
        C:\Windows\system32\Fcikhace.exe
        224⤵
        Drops file in System32 directory
        
        PID:7188
        
        C:\Windows\SysWOW64\Foplnb32.exe
        
        C:\Windows\system32\Foplnb32.exe
        225⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Gbqeonfj.exe
        
        C:\Windows\system32\Gbqeonfj.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7220
        
        C:\Windows\SysWOW64\Gbcaemdg.exe
        
        C:\Windows\system32\Gbcaemdg.exe
        227⤵
        Modifies registry class
        
        PID:7320
        
        C:\Windows\SysWOW64\Gmhfbf32.exe
        
        C:\Windows\system32\Gmhfbf32.exe
        228⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\Giofggia.exe
        
        C:\Windows\system32\Giofggia.exe
        229⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Gpioca32.exe
        
        C:\Windows\system32\Gpioca32.exe
        230⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Gjocaj32.exe
        
        C:\Windows\system32\Gjocaj32.exe
        231⤵
        Modifies registry class
        
        PID:7520
        
        C:\Windows\SysWOW64\Gfedfk32.exe
        
        C:\Windows\system32\Gfedfk32.exe
        232⤵
        Drops file in System32 directory
        
        PID:7556
        
        C:\Windows\SysWOW64\Hbldkllm.exe
        
        C:\Windows\system32\Hbldkllm.exe
        233⤵
        Drops file in System32 directory
        
        PID:7592
        
        C:\Windows\SysWOW64\Hppedpkf.exe
        
        C:\Windows\system32\Hppedpkf.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Hfjmajbc.exe
        
        C:\Windows\system32\Hfjmajbc.exe
        235⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Hmdend32.exe
        
        C:\Windows\system32\Hmdend32.exe
        236⤵
        Modifies registry class
        
        PID:7720
        
        C:\Windows\SysWOW64\Hcnnjoam.exe
        
        C:\Windows\system32\Hcnnjoam.exe
        237⤵
        Modifies registry class
        
        PID:7796
        
        C:\Windows\SysWOW64\Habndbpf.exe
        
        C:\Windows\system32\Habndbpf.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7824
        
        C:\Windows\SysWOW64\Hfoflj32.exe
        
        C:\Windows\system32\Hfoflj32.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7916
        
        C:\Windows\SysWOW64\Hmioicek.exe
        
        C:\Windows\system32\Hmioicek.exe
        240⤵
        Drops file in System32 directory
        
        PID:7952
        
        C:\Windows\SysWOW64\Ijmobhdd.exe
        
        C:\Windows\system32\Ijmobhdd.exe
        241⤵
        Modifies registry class
        
        PID:7988
        
        C:\Windows\SysWOW64\Ipihkobl.exe
        
        C:\Windows\system32\Ipihkobl.exe
        242⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Ifcpgiji.exe
        
        C:\Windows\system32\Ifcpgiji.exe
        243⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Immhdc32.exe
        
        C:\Windows\system32\Immhdc32.exe
        244⤵
        Drops file in System32 directory
        
        PID:8136
        
        C:\Windows\SysWOW64\Iffmmihf.exe
        
        C:\Windows\system32\Iffmmihf.exe
        245⤵
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\Idjmfmgp.exe
        
        C:\Windows\system32\Idjmfmgp.exe
        246⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\Ijfbhflj.exe
        
        C:\Windows\system32\Ijfbhflj.exe
        247⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Ibagmiie.exe
        
        C:\Windows\system32\Ibagmiie.exe
        248⤵
        Drops file in System32 directory
        
        PID:7304
        
        C:\Windows\SysWOW64\Jikojcaa.exe
        
        C:\Windows\system32\Jikojcaa.exe
        249⤵
        Modifies registry class
        
        PID:7364
        
        C:\Windows\SysWOW64\Jdqcglqh.exe
        
        C:\Windows\system32\Jdqcglqh.exe
        250⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Jinloboo.exe
        
        C:\Windows\system32\Jinloboo.exe
        251⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Jpjqaldi.exe
        
        C:\Windows\system32\Jpjqaldi.exe
        252⤵
        Modifies registry class
        
        PID:7596
        
        C:\Windows\SysWOW64\Jkaadebl.exe
        
        C:\Windows\system32\Jkaadebl.exe
        253⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Kfhbifgq.exe
        
        C:\Windows\system32\Kfhbifgq.exe
        254⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Kdlcbjfj.exe
        
        C:\Windows\system32\Kdlcbjfj.exe
        255⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Kapclned.exe
        
        C:\Windows\system32\Kapclned.exe
        256⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Kdalni32.exe
        
        C:\Windows\system32\Kdalni32.exe
        257⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Kkkdjcjb.exe
        
        C:\Windows\system32\Kkkdjcjb.exe
        258⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Kgbepdpf.exe
        
        C:\Windows\system32\Kgbepdpf.exe
        259⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Kagimmol.exe
        
        C:\Windows\system32\Kagimmol.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7572
        
        C:\Windows\SysWOW64\Lajfbmmi.exe
        
        C:\Windows\system32\Lajfbmmi.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Liekgo32.exe
        
        C:\Windows\system32\Liekgo32.exe
        262⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Lcmopeae.exe
        
        C:\Windows\system32\Lcmopeae.exe
        263⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Lnccmnak.exe
        
        C:\Windows\system32\Lnccmnak.exe
        264⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Lgkhec32.exe
        
        C:\Windows\system32\Lgkhec32.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Lpfidh32.exe
        
        C:\Windows\system32\Lpfidh32.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Mjqjbn32.exe
        
        C:\Windows\system32\Mjqjbn32.exe
        267⤵
        Drops file in System32 directory
        
        PID:8060
        
        C:\Windows\SysWOW64\Mciokcgg.exe
        
        C:\Windows\system32\Mciokcgg.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Mdhkefnj.exe
        
        C:\Windows\system32\Mdhkefnj.exe
        269⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Mkbcbp32.exe
        
        C:\Windows\system32\Mkbcbp32.exe
        270⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Mpoljg32.exe
        
        C:\Windows\system32\Mpoljg32.exe
        271⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Mncmck32.exe
        
        C:\Windows\system32\Mncmck32.exe
        272⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Ncpelbap.exe
        
        C:\Windows\system32\Ncpelbap.exe
        273⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Ndpafe32.exe
        
        C:\Windows\system32\Ndpafe32.exe
        274⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Nacboi32.exe
        
        C:\Windows\system32\Nacboi32.exe
        275⤵
        Modifies registry class
        
        PID:7980
        
        C:\Windows\SysWOW64\Njogdldg.exe
        
        C:\Windows\system32\Njogdldg.exe
        276⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Nddkaddm.exe
        
        C:\Windows\system32\Nddkaddm.exe
        277⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Nkncno32.exe
        
        C:\Windows\system32\Nkncno32.exe
        278⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Nqklfe32.exe
        
        C:\Windows\system32\Nqklfe32.exe
        279⤵
        Modifies registry class
        
        PID:7368
        
        C:\Windows\SysWOW64\Ngedbp32.exe
        
        C:\Windows\system32\Ngedbp32.exe
        280⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Nnolojhk.exe
        
        C:\Windows\system32\Nnolojhk.exe
        281⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Okcmingd.exe
        
        C:\Windows\system32\Okcmingd.exe
        282⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Ojjfpjjj.exe
        
        C:\Windows\system32\Ojjfpjjj.exe
        283⤵
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Ognginic.exe
        
        C:\Windows\system32\Ognginic.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4104
        
        C:\Windows\SysWOW64\Onhoehpp.exe
        
        C:\Windows\system32\Onhoehpp.exe
        285⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Ocegnoog.exe
        
        C:\Windows\system32\Ocegnoog.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Pqkdmc32.exe
        
        C:\Windows\system32\Pqkdmc32.exe
        287⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 408
        288⤵
        Program crash
        
        PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3276 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5484 -ip 5484
1⤵
PID:8076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abflfc32.exe

Filesize
443KB

MD5
731e4c2418f8b91dba36960cf81d36fc

SHA1
4989dc479062d7d78fb6720e4db7d289fedc16c5

SHA256
29660889e42b298eeb4a908c018e43430a3cb7b1b2ec7f662ba60d3e7eb1ebaa

SHA512
c123b176e9700adf95caaebd5f21e3945ffe477e3c5ef54c9d6c76f71d4facc8b500fa6bedc751912ef3dcc952c115124c079446f4ce9e7996d85ea777f5ccb5

Download Submit
C:\Windows\SysWOW64\Anijjkbj.exe

Filesize
443KB

MD5
290f9fdac553907c7fcca6944b52bcbb

SHA1
ea9cfec9e851ed0519f00198289151d6c0932b8f

SHA256
da3ded4cc72844556e39a5befa8814a22c4fc4dfcfa6afac18f5d5dbba400f81

SHA512
d8708964bc3dc28ebf4629940454ed1cc82ecbb8ea470400c681318238b41a1d08ec239983e108228bff5f9933ec9325473c835224cff95d034a7b31dfee7ebb

Download Submit
C:\Windows\SysWOW64\Bgkaip32.exe

Filesize
443KB

MD5
9e0123cbb4a9c32705430b8b81c89397

SHA1
489eb348bb556180d6806e485c701d8b06dc3c75

SHA256
9ed9da470034732633524bb7764216c24eb74069c92749ad9b155539449675f4

SHA512
ec9e384566d5a53b7827874337a80fce57f74fa301affa53afcb7759e9267d8e1fe34cecdab311a01879f85a1db3591d7285ec88547c7ecdacfc5ce95072dd8b

Download Submit
C:\Windows\SysWOW64\Bgokdomj.exe

Filesize
443KB

MD5
da4e5df8c946a489deee865a99d70bc7

SHA1
73cc698a18192682d20fefd064942a76a66f6a4f

SHA256
eaa6250c609f231c07ae341995eee779534cbd2f95a0d1d91a04e1c56c59ef40

SHA512
f9ad2936c0c58e8f7bde30581db2542f4d4ca90eaef1b8218a024161969b10071c11d1c3e89d7bd9b1b8d39ebbe58db02e8e2bb5d06590828677bad650d704f0

Download Submit
C:\Windows\SysWOW64\Bomppneg.exe

Filesize
443KB

MD5
bace4a3de4021c2c3018c3b245f9788e

SHA1
ff7d71f5c16e57580a28bf7e69186e993d01e196

SHA256
d7d29f3bc1e26dc5352ee386450fae8848ddaaa0c9c95fb177faea7b1aa98072

SHA512
32410f30e0a64bccf23d7ac249fc5477c66eeb5ddf2251d071f01533e9c3c9b338bcae39f80e33503dce6af9d5206c0d552a55e0bfb4d1d95cda731a17a06490

Download Submit
C:\Windows\SysWOW64\Cbnbhfde.exe

Filesize
443KB

MD5
3187e6208597dd00d5eea6235570143c

SHA1
83bb7377de10093570dd9d955770ce65cbdb067b

SHA256
235aa477e845db519342c287fb353af6142086c8bb6ae9054dfbb2a824ffba4b

SHA512
64d4bf05e2960a01ad1ef3c6eb27e8fcadf2e768aebba6733d923460ae9718e8f3bb1bd2744261496c4a543b381c91c1e20917056e96a56edcc168a0ec8e7325

Download Submit
C:\Windows\SysWOW64\Cejaobel.exe

Filesize
443KB

MD5
f24a42d6180ef9c72a32cd8652d74482

SHA1
7fe9fad175287ac8581c06eba5dc2aea9bcf49f5

SHA256
ec7fe7002ef3b693f4edf930bc9302be44e8e4eb380142c5a04d341208002656

SHA512
6d268a757637577012cbaf5a2bd90634db0e95f88f076b86f38922cd04adba97e9459b6b18e4752bed39675a98c17538a56aeacee758e81232ad165c2708d1b3

Download Submit
C:\Windows\SysWOW64\Ciaddaaj.exe

Filesize
443KB

MD5
dc0e2148d3a38699c1aaddd402086a92

SHA1
467c741cb7b8c9fe43e3f38ca55b4a1816c5ccaa

SHA256
5bde4eb417d8fc29fdb0b3788d39e94e98c872b84ec1638e539a3b53720b1f7a

SHA512
ba555a1f39c92ad06ae8826f66a08c90e9e4eb0544f3839698e5ea47cd8c56527ba18e7b5aabe36f36936e623bd06552eed709180f6cfad8c47c95e17a26068c

Download Submit
C:\Windows\SysWOW64\Cnkilbni.exe

Filesize
443KB

MD5
93ca7e15e849fd45e96128f3737d66b4

SHA1
d83da7781e8b5702b994790be7efdde3630969f0

SHA256
063d306910ac24fb9346179eaca0151b7c7d1c456594286aedbe41849dd10088

SHA512
04056a0d16c6e2f22e5e9eaa3b43d3e12ed3ad825d795ddf6726b8a9c6969bc8ab3a784bede37f5d12e2d1041e4caf58183a61fb7dc3f3c27d4ea7b1b77c9867

Download Submit
C:\Windows\SysWOW64\Dbphcpog.exe

Filesize
443KB

MD5
2764cca1e8c3b626170ad645ab3e479a

SHA1
540b7d331b38285eed3acab22cc74b9fc708ab74

SHA256
ae00b565aff4496dc84e881f4a2dba65093dd444e88ca509e636bfbfbab796ea

SHA512
0491d4754de157bbaa206f13bbb7caf8227b57089550a45aa47ff4200b040d7fe4086c5322177c754729ef6818aaa9eaf142f698d129e2c4cd7592109fb3d53b

Download Submit
C:\Windows\SysWOW64\Dfcqod32.exe

Filesize
443KB

MD5
53e81d953a61772f0b27e3b372bebe19

SHA1
22bb77d9cb43053d18a55563c750b29fb6c3052d

SHA256
9c2cc9f815bacb01480446ab2d97e97c8590a5a76c0645ff224ef81181618e7a

SHA512
dc01ac35c14ab6e04ff156e8cb4a00ce3a3634d0d3d2052a45f1187e0911c0875eab50bdf4b9d2d9bae84bec6fc9c6ac1a7218fe93583a7ae0d104a64b4bc0c3

Download Submit
C:\Windows\SysWOW64\Dhbqalle.exe

Filesize
443KB

MD5
2340dc01d28cb3276551af77fe481dc8

SHA1
f4ae314c09fb29c1a5cd219822c1d1a7ad2f3ab7

SHA256
04225b42c51288bedc9542c9cd74e71b90356b29dbc0cc1e3716fd4c0bf47060

SHA512
f2449ef5368c31fdd0fc47b04379177c5656c31be9a5e8cbdcf8116b29fc5bc497ba28ed3eb16a026f9f577fd9288524373deb799fa8485182d16ac02a25218b

Download Submit
C:\Windows\SysWOW64\Dhbqalle.exe

Filesize
384KB

MD5
4e0aea1b625ab04762b53059b5bfcb2a

SHA1
21cef5c206df3c0c56848f5d527f2acca59bca6d

SHA256
52479262e8588b3209872db3350cd4529f868c92f78b26e93fb87e87336328ff

SHA512
9d0e31775595b714e3c5955d768cbcafdf3ac377a8f74bf4ca53b2e32256261e4a886baee7e144215fd050cc1f5577d8ecc85389062d5813b73fc56b95726a40

Download Submit
C:\Windows\SysWOW64\Ecoaijio.exe

Filesize
443KB

MD5
433b590fd12a8d443ee22614870df8ab

SHA1
8dc51a1a1ecc4c36c9ebcbc52728bd121b1c0627

SHA256
2ff55f66b5239c7197b4ec5c39a4e60253ac6dbcb409a73bd2ef877da321e514

SHA512
a1c516ac92e3f2c431b347489ec4ce44ab0ed50e2e6dfa0ad4400b94c67d11913275b8ab3fbc97818a59b7a3a89925770d1cc40706901d4227683dbf9a4b8a7d

Download Submit
C:\Windows\SysWOW64\Egbdjhlp.exe

Filesize
443KB

MD5
884478bae525967b84fbcf4d8f492296

SHA1
137967b06d842f5b6744d8af1cbf14737c6213ef

SHA256
b1fafad3217d2a61e0123525ec0efad85bf2721eca7992b034aa128ccffd7c0f

SHA512
5234f30150abcfd71b6b84c363a9cacc809640498b9a953b80f641cf15f278b96551c40c4d6a6b18a46b3737a4eafe6b73469add620eb93896928500eda8b9fb

Download Submit
C:\Windows\SysWOW64\Egoomnin.exe

Filesize
443KB

MD5
a02724b661b14a5e92cee10234d120a0

SHA1
bd5aa02505e6febed81d031e1f4f70f053d11424

SHA256
1c17dc088ac307d73a885f4800e7baded8bb576beb647965904365523a919cfa

SHA512
ca8035149ced43dfca9da8e25f2ee3a9810b38fcdd2eed8ec765d8e4a697185ba633f4eccfb43284cdf9f6f09fb8cfe32dc687fd243a575178049cc1392fe1cd

Download Submit
C:\Windows\SysWOW64\Ellicihn.exe

Filesize
443KB

MD5
5154247b82002c408f0748a258029a74

SHA1
8e567ad80b24343e43c9eb403a55f4178e055a83

SHA256
700696a5418e52b1bd52cf88cb8a6e1a3abef0d1b6ffe5de7e3659187f95a42f

SHA512
75678c4aecbe20229eda631d80180d77449b8726d6fd4f0ecd0cbc3dd40b66020941d22a7c63cdefbb6cf911699f205b45cbea5a0cc1254d413cde6ae9d7a5d0

Download Submit
C:\Windows\SysWOW64\Fdadpk32.exe

Filesize
192KB

MD5
5d82a27704e40c02443c221f7062db6c

SHA1
00cfd3b16a5f97b290ad29fc9a37521330e74b27

SHA256
47ce55280884579164897bcdf4b8740a6ba4868fb5cb7d2bb619dc4c35999f91

SHA512
41b2e0899cdcfce6a5cbe9928b0a9656beb2346a7b5ea1534b60f8391c93e31c522a0cfa700062da4dc62747af5d35643450deb063b562c45e60fd1a2d01785f

Download Submit
C:\Windows\SysWOW64\Fdadpk32.exe

Filesize
443KB

MD5
cfc21881c22fc0cae87ece8ace63a4de

SHA1
7c4e8f916a258838f8b7f23d324300403b5f1fc8

SHA256
396c07d0bd9a84e3007a3cc460f5808ac62af23f416640a87bfc833c2e890254

SHA512
9cf7e3937dc6dd2a7d0f54160410e6d16e1223bd68accaeb0edfdff254e861e79d3ab67ce46ce707484dcc3abfddd522fd74a56bddc7290971f9f1cc275ab629

Download Submit
C:\Windows\SysWOW64\Fghcqq32.exe

Filesize
443KB

MD5
f4d575b1dd811d3f6dd410df0518d4a3

SHA1
22d10ccffb86998f28b39fc6582c7241545faf8f

SHA256
14a90d7f1c059db8c3f8fc7293e4c3df99f3e4c4a6df53528e67a9bcc42b03b9

SHA512
2d4ccb6fe73f62a5fa5ea93f3ef007ad1348c52931aa483741077a5cf99dd2a604426a58a312f2c5b9238588df93d62ef93c2a4bf6cbf42a011001a95e09f6a6

Download Submit
C:\Windows\SysWOW64\Gcngafol.exe

Filesize
443KB

MD5
0ce118e4f0b6370bc1ec67033242af82

SHA1
c76d0da1498d629e907f2be48c850d93761e83be

SHA256
4bce2f904c105b3e62173105627b6312a828543fd2c506367e3950021976e0e5

SHA512
ead62d1c9eadca8c2aa2cf825102d68aa735f61fb0d710761c2b995aedfaf64a16117c8a7f0bb06f16abd716d27edfbae7b4c623cab565d0ef1638a33f468597

Download Submit
C:\Windows\SysWOW64\Hmkeekag.exe

Filesize
443KB

MD5
1604335de746980647ed08cf0d10e0da

SHA1
b10a9b9c68d305577670d7bc66a50018e0ba2b5d

SHA256
70e931f7f2cd72fb395022887517fe7739ddad79f5bfb701561f87b9e3b6708c

SHA512
f3aa87584b814eff7be85213f2cb6c798c84895575f3b37a68df03e3daa3e7a7326179b0989fb9cf2a11baff3328095c59d66e458fdf8eeb52dd91e1825e0ebf

Download Submit
C:\Windows\SysWOW64\Igneda32.exe

Filesize
443KB

MD5
0dc34f567ed6a53431d36e4f1bea697e

SHA1
e8c3d604317672faaf8369a711043a66de082756

SHA256
6ff884e310d526afd0b9cfda9bbcc9d4396bc4ae008c039283ac1eaaef1db734

SHA512
82a8327916c3a7aeca0b35817dddd5883692a9699cd46ac1b4fd573280cde4f314a3ddff371b7ddd9f7228d2829eddfdbef65cf8bd4201d2461c9cd2b3c31627

Download Submit
C:\Windows\SysWOW64\Ijfbhflj.exe

Filesize
443KB

MD5
05d718fd67ca4f68a78d9c7fa276bf19

SHA1
79fb04405c03266b5b6b89ee51ae7a747a4e98b6

SHA256
ce6ebd08f273f121235d3f506e255be4ce09cc3b32507ec6e70df6fa2b733ca0

SHA512
9d5dac9ef8e7d82623dd14b009ab07ea4356286b8a8051c8421e2e0f6202ff3223ccbc95a0900652e58f3466be16bd6c5daff1dc50b866f7a2a2e68e879e3223

Download Submit
C:\Windows\SysWOW64\Jelhcd32.exe

Filesize
443KB

MD5
f60d52e87e115b55b5afab2a23b3fa7c

SHA1
12757837aa6ee1ec2df3babe2108bc44904278a4

SHA256
5ce9a0cdc4b153decb018f43e5fef41621b011570a5f66d184d033f19330a768

SHA512
00c7a4c69194df3dd2b819281e6c58c9ee5f3ef4720743fe27631068d70f20ff06eae4d5e81f97110196b56611f03266fe86ec851a8a71eba797c0e738df5203

Download Submit
C:\Windows\SysWOW64\Knenffqf.exe

Filesize
443KB

MD5
b373b6123529dc6943983ddaac90c9f8

SHA1
1a41c35bcf6b9adc27613705a6289250af13883a

SHA256
fab5dd2f2e10645a4b965f8ec7d2f082f09d1a36342ad17c71c942851a965110

SHA512
d6ad5add10e5fc88e52283120beccddb7f346e7a478fd9ee68196a3ded51a2e1a6c7e45e89e48d94f649e46827f58a5b751bccca53aac343f3adccea58301e83

Download Submit
C:\Windows\SysWOW64\Ldoafodd.exe

Filesize
443KB

MD5
7d1dc8df69eff39e42907e1a8cd9c4cb

SHA1
a7462b0da284690932dc3cf089682cd21a0b3f85

SHA256
acb0206f7deca638042466a4abc4b7fb0ec533204796ab22986e1e7c96079124

SHA512
528a8bc573ca530aad35b3d743509edd0c6b65d0148e7b49a3b9f4db53990a03cddab1763da505be7fb39b57ad52565e0f096d1d5aae18c804823cab6c2b996f

Download Submit
C:\Windows\SysWOW64\Locgagli.exe

Filesize
443KB

MD5
de7325f217b5ce570da6641cbf514a9b

SHA1
1da30f706697af7df634554c1d4c43e7fced3c68

SHA256
180e56ad70e50297886d385de4e0a5498a54f78c60c29349eaef2e6afe5603d7

SHA512
f7303383812963a86ed72c8c09f87fb76067c0cd7196fbf8cf911f2f8d59c55abf7a9819bf35cd86e965721a983fe2f0df79cf00015f5d46e93002bef74ab4ca

Download Submit
C:\Windows\SysWOW64\Logbigbg.exe

Filesize
443KB

MD5
06717b89b29215e9f894d4b44fe7a5cf

SHA1
c72aeeb3c236987aeed22857e4d9bc09bfde74b9

SHA256
6e47cfae6c46273ec6ad77f399d2982f21396d4382a032cdbcf2ca61c81ae6a6

SHA512
9c592e701774d1b9a04abe6b0397af819e4f4da3acce21c74d725c598ed058405638eeab53cb8252791ecda3e8346f3b4b148021e6683e418b227d3893528eb8

Download Submit
C:\Windows\SysWOW64\Maaoaa32.exe

Filesize
443KB

MD5
de0c73917fc24a05bff9309a23632d8b

SHA1
0d90c63435d752b9292fb4e7e759fcefe457e807

SHA256
932f51836d91b45978fc7ad13cf32e28a466cd62cd6575eb44152c4f02cf0f1c

SHA512
a52397350c8e128a1d722fa903b9a8eb2138f4b0c6cf8732bdaaca358e5e6820772c99a645d3cd060dab1d400489bf99d75623188b3c66091f71c7e202692508

Download Submit
C:\Windows\SysWOW64\Mjkiephp.exe

Filesize
443KB

MD5
b15b7d0332da794d02c81cee5e3737de

SHA1
76f676fbee10099e004f0537baf5d7576c494745

SHA256
5d8d8d23c40005d96380640d74fcf61158c78a9f2c79cda356c483b2b1043d71

SHA512
3969d9d695c93b2363fa7772bfe8ad00721f7391ee31f4ea5a238467ddf0d9ec899e920b2e07df43ccf9821b64d6f97bfb60f4ae54a248ccd43bf13135297dd8

Download Submit
C:\Windows\SysWOW64\Mnmmmbll.exe

Filesize
443KB

MD5
8a041f6d2d0b4cb7008caeb9fe8d2fb5

SHA1
972f25db98b1be2a12d9f56ffa26761d01e8de4f

SHA256
a9ad8aa37b5eeb9ad62bdc51d233bf9c7730e955589c567beb1d7abf5b49ddf2

SHA512
a49f5cc2199537d3b63a2f7e3ae84f54c4492703d772b621b72bf2916d7d898a43cdf51b6a1567220840f5871c7758eea58e09cba4f56bc881ab34850df5d4a5

Download Submit
C:\Windows\SysWOW64\Nalgbi32.exe

Filesize
443KB

MD5
2ed1011e0f49fd06404ae9c6e7562620

SHA1
dedb87d8c6e1ec1c49eca8bab0fa3e46bbfa874e

SHA256
abef7df633ac4613e9097c3f2abfb1c64cba71e5e25f262008fca0cc776ac020

SHA512
a52bf13a44eac5c78f660db576f7b7b4bbb86bb077857142ccc680a3ea57aed6bf95347384c8df02680aa6b6d7a0db024ad9f7243fd677370ef8536243dcab88

Download Submit
C:\Windows\SysWOW64\Ndpafe32.exe

Filesize
384KB

MD5
e0bbcb83e9424a41d54acba11734dc20

SHA1
7280b0a83ebe61b23cf18146ca9c44dc982d56d9

SHA256
5b3028038e7aed6da1779a57b43e54d06bfd7f9c60efeb127a937fa2501408af

SHA512
f466454bed2f602dcec4a4688e818ba0fa46f9280740e5a9de79d070faf1db23c3a956f494821584d27b015ada335ae2fcd14650f5c79c3f8f9781a3d2f83c0c

Download Submit
C:\Windows\SysWOW64\Ngipjp32.exe

Filesize
443KB

MD5
09fdd8e2ac1a53da8412f4ee0e3c86aa

SHA1
f79a9b669489daa06dbbdcc5ca1839895ebc5ba2

SHA256
7729901c3ce1eef619d39295ef42ee091f63e00e7c27c5cc43f88eac08cdd1db

SHA512
759ec63aa32cafcf6a546b9806e8d7b79f1c1b5c167dbae11d0cb28f5bc4fb50e944784a627ad6c5fd26fa4580227ecb39c0df34a71d200cb558294532d5bc42

Download Submit
C:\Windows\SysWOW64\Nhafcd32.exe

Filesize
443KB

MD5
cb3f721f8742b0312c4a20b906e50215

SHA1
d50128c8aac2f2c5515e8800f0f8e81a567e6c87

SHA256
23f740cb95854233db36202875b27307cdd84c2ea297065c404f104359010ac3

SHA512
df472f8ebaaae238398cd70254eb81676779c232941bc2667aa22ad64cabc96084ebdbbb5d29ece4dafc8170621245c78ad48b3721a4357bc30fa15eaa1dbd13

Download Submit
C:\Windows\SysWOW64\Nhdicjfp.exe

Filesize
443KB

MD5
85bbd5afa17f410b908ac3a770ecc365

SHA1
d983b92fb0488a512b0feed71451418452a3a830

SHA256
fd7034a143634b7dcb126edc976a744b552d5af25a6729347eb067414b98b1cb

SHA512
8d8e11b8f8a75a2ad08b2cfc95e3ee97ca4a23e9c53bf93585960ff66a8d8ce1362f8c012d420dd1972c9fc1496ae2e793ad3898c01f9cb856e464c5f798f465

Download Submit
C:\Windows\SysWOW64\Nnabladg.exe

Filesize
443KB

MD5
1cf50d9faaf511ef519fb928a97c430e

SHA1
b8e8e49f473c0d6ecfb8a91981a85ea9cbd92107

SHA256
3cbc78be627f06a062ad5401727d1d58faea8799b6680f1fc8cbdb38e6973b04

SHA512
687ccb25b1a7ea8e8af34322e2772a3b7a054564550398125a1314ef8c0a40c5c35301f822fdc163df4e5bf5ce6844a97342b09ab985370d6d99f234bac793fd

Download Submit
C:\Windows\SysWOW64\Oeopnmoa.exe

Filesize
443KB

MD5
3e1c16e8febfc89c0b4ecdede3f3f520

SHA1
e73997bddef23ef21905047d08edcf1d5dfdc479

SHA256
fb2c0b320b70c6fee0891db77d0e886bae690294a2420698cee1c57bc1f8582f

SHA512
16e01048e43699ea8db0cad4ad1c320404161a3c396bef12f03d07d8a5eb6f50aeed845efd9b1050eccef64318420464243a66cf5cd7f1b93dcc7ec347606bbc

Download Submit
C:\Windows\SysWOW64\Ohpiphlb.exe

Filesize
443KB

MD5
5607e76472ddfa241aaacde46c3f1278

SHA1
1db32ef9cd13598b7523319895e3915045ae3d12

SHA256
0501b4e4f00161a4afed84c8c338091cc227a3866a20610ac1ccda6628ee5262

SHA512
1d39de052c11ae40cf2460e2dd05b7e0e560db0c21c6a41e1ae681c30bcb5eab0155f56cb97c3801d5356614555c4b1064c298e939c0882270608bab78f58416

Download Submit
C:\Windows\SysWOW64\Ollgiplp.exe

Filesize
443KB

MD5
82d8e55c3175880302ce90a73ba7b14d

SHA1
b3b9164d11ef4a9d2712d8cbccde069fcdff9179

SHA256
3b8e68d337812caf6943fa85c5fa1a1fa4571b228ffeb760a1f696d957bc555e

SHA512
447ba9542e294b199325a80bbe23dcf2915ea174ed87a0c80c8d97dce2b53fae9cf7b78fd1c6bbecdd6554fdb482c7ec323d2c63386a7512537f6e1113db448a

Download Submit
C:\Windows\SysWOW64\Pdbiphhi.exe

Filesize
443KB

MD5
45240ddbd14d746a0dee6b2e133a756a

SHA1
9e3238a4ff9f44b2ca91ea4281ba74cfd9a97d60

SHA256
3da6233c49d866a4c4694fbf8122687d2a3fcfa1ce7f98e675781a8f379c2455

SHA512
078089797d95572848bb6ebe6d90b7755384ed9e3cbb17a9362c17c7c1fc19ac1bbb64540f51e4ee7de6eaf01d747c4b4f453e1133858ad1759011219c4dea5d

Download Submit
C:\Windows\SysWOW64\Pgcbbc32.exe

Filesize
443KB

MD5
e911784ebcc5a1fa8ea6e538141bb496

SHA1
11a2431ecb6998fcd47cb8d17564d4639c80a0a8

SHA256
48f11a463e8fd40332530624fb5fceaa51655565ccc39d6dff0e0f1211b811cf

SHA512
25a6c1c84b48c164266e600d0ac644f60280d3a17812d5ead0772b2ccbe1a755ef3b8c9c37e8cf7bd8810800137dcf4451cff74eb738294063eb5df93f137ff8

Download Submit
C:\Windows\SysWOW64\Poeahaib.exe

Filesize
443KB

MD5
919faee8d18443aa97a3b85d5a596809

SHA1
09266a41c6e42054ee87c5dfae855fb54983a5f7

SHA256
934db5ba54bf8af28311de2832e0bc32ded485c88129be800845ea4344e3953f

SHA512
e9a1f3f64d36ef3b94e763534282856a310ee522a481cd30873599a6a1958c3128dd794dbd4504dd0b0740c85dba01f4774f8986f38c27716fdaee85ea6f062d

Download Submit
memory/8-35-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/336-1-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/336-80-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/336-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/496-64-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/628-194-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/840-262-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/848-56-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/852-25-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/872-178-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1348-171-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1504-130-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1536-45-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1752-98-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1820-122-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1984-301-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2080-155-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2092-147-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2152-219-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2220-292-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2248-203-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2676-162-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2824-73-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3028-82-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3856-186-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3952-254-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4032-245-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4052-294-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4080-276-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4196-106-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4208-115-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4276-16-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4332-240-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4424-278-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4436-8-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4740-49-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4944-212-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4980-94-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5028-138-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5140-307-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5172-467-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5180-320-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5236-322-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5276-334-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5328-337-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5368-350-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5408-355-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5452-357-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5500-363-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5540-369-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5580-381-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5628-384-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5672-390-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5716-402-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5756-403-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5800-414-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5844-417-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5892-423-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5932-435-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5968-440-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/6016-446-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/6056-448-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/6096-454-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/6140-465-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads