0bd96393997a5c83d7ecb7fdf27c4265b5ff930ddd0f92ab1156d4c209703ec8

Analysis

max time kernel
148s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bd96393997a5c83d7ecb7fdf27c4265b5ff930ddd0f92ab1156d4c209703ec8.exe
Size

148KB
MD5

0f2d75ec341f4ee45b31b4a29d22044e
SHA1

6231bfcec7eca6b97f360bcd39908f7ff9afd376
SHA256

0bd96393997a5c83d7ecb7fdf27c4265b5ff930ddd0f92ab1156d4c209703ec8
SHA512

dba7112fce20c20fc2425bcb054e3bc7cda11cf17d901ecd244a784f33a8c08e3e1d1d35d620fe8285a9a90a0707a0f689951e2fdbafa7c5a9dcf780fb230831
SSDEEP

3072:UAr9OONpHJf6CY5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:U0OGHJfFKOdzOdkOdezOd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphipidf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjlmbnof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akdfndpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkjbgooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goipae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfmqapcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbgjmnno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecccmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlipfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjanjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmimll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmajbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idkpmgjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmppneal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmppneal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhbahm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlipfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imklncch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfbhflj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpelbap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikejbjip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpjkbcbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlbij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imklncch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akipic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkgeao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbgnlfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbmhfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdfndpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdcom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idonlbff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piepnfnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qimfoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calbnnkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihcclb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijolhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkdlkope.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpoch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbgljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habndbpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfoamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djeegf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdajabdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkdnjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnampdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blnjecfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elhnhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omhpcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qojeabie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmpnqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoiqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfoac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghohdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eplckh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fegiba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfbfmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgbccm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fifomlap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djipbbne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcflch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhnlh32.exe

Executes dropped EXE 64 IoCs

pid	Process
4776	Mkgmoncl.exe
3140	Ohqpjo32.exe
3692	Oheienli.exe
868	Ofijnbkb.exe
3088	Pmeoqlpl.exe
3672	Qifbll32.exe
1304	Acppddig.exe
1688	Amoknh32.exe
4552	Blnjecfl.exe
1116	Dgdgijhp.exe
760	Fnnimbaj.exe
5100	Ffpcbchm.exe
4476	Gnlenp32.exe
1552	Gdhjpjjd.exe
3356	Hgpibdam.exe
3552	Hmpnqj32.exe
1152	Idkpmgjo.exe
4796	Ienlbf32.exe
4060	Iedbcebd.exe
4180	Jjfdfl32.exe
4540	Kmppneal.exe
4048	Kmbmdeoj.exe
1860	Kaqejcep.exe
4364	Leqkeajd.exe
832	Mgkjch32.exe
3880	Ndmgnkja.exe
4736	Oacdmo32.exe
1168	Pocdba32.exe
2736	Pbfjjlgc.exe
2608	Phbolflm.exe
2684	Qbmpjkqk.exe
3828	Aijeme32.exe
2028	Bichcc32.exe
3784	Bejhhd32.exe
552	Bfieagka.exe
4952	Becknc32.exe
4996	Cfedmfqd.exe
3628	Cblebgfh.exe
5140	Cppelkeb.exe
5180	Cemndbci.exe
5232	Cnebmgjj.exe
5284	Deagoa32.exe
5328	Eeaqfo32.exe
5368	Fbhnec32.exe
5416	Foonjd32.exe
5460	Fifomlap.exe
5500	Fochecog.exe
5544	Fhllni32.exe
5588	Fikihlmj.exe
5636	Gedfblql.exe
5688	Ggdbmoho.exe
5744	Icpecm32.exe
5796	Kcbkpj32.exe
5844	Kcgekjgp.exe
5896	Lpjelibg.exe
5944	Mhefhf32.exe
5984	Mmghklif.exe
6024	Nfdfoala.exe
6068	Nkdlkope.exe
6120	Okiefn32.exe
5148	Oiehhjjp.exe
5268	Pdklebje.exe
2296	Phiekaql.exe
5444	Qnopjfgi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ajmgof32.exe	Qnopjfgi.exe
File opened for modification	C:\Windows\SysWOW64\Kifcnjpi.exe	Kblkap32.exe
File opened for modification	C:\Windows\SysWOW64\Cnahbk32.exe	Cggpfa32.exe
File opened for modification	C:\Windows\SysWOW64\Khkbcopl.exe	Joikdk32.exe
File created	C:\Windows\SysWOW64\Hppedpkf.exe	Hifmhf32.exe
File created	C:\Windows\SysWOW64\Hdglka32.dll	Hppedpkf.exe
File created	C:\Windows\SysWOW64\Bflajb32.dll	Ffpcbchm.exe
File opened for modification	C:\Windows\SysWOW64\Phiekaql.exe	Pdklebje.exe
File created	C:\Windows\SysWOW64\Hcflch32.exe	Hleneo32.exe
File created	C:\Windows\SysWOW64\Ifmfpgbc.dll	Kdgcne32.exe
File opened for modification	C:\Windows\SysWOW64\Jdajabdc.exe	Imgbdh32.exe
File opened for modification	C:\Windows\SysWOW64\Qbmpjkqk.exe	Phbolflm.exe
File created	C:\Windows\SysWOW64\Ehmibdol.exe	Eelpqi32.exe
File created	C:\Windows\SysWOW64\Peqkdjmm.dll	Fikihlmj.exe
File created	C:\Windows\SysWOW64\Amoknh32.exe	Acppddig.exe
File created	C:\Windows\SysWOW64\Maghkogk.dll	Phbolflm.exe
File created	C:\Windows\SysWOW64\Kcccjf32.dll	Eckfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Imgbdh32.exe	Idonlbff.exe
File opened for modification	C:\Windows\SysWOW64\Nildajdg.exe	Nkhdgfen.exe
File created	C:\Windows\SysWOW64\Okiefn32.exe	Nkdlkope.exe
File opened for modification	C:\Windows\SysWOW64\Gokmfe32.exe	Gechnpid.exe
File created	C:\Windows\SysWOW64\Nnolojhk.exe	Ngedbp32.exe
File created	C:\Windows\SysWOW64\Maommm32.dll	Gkeakl32.exe
File created	C:\Windows\SysWOW64\Jlmlbdad.dll	Qbhnga32.exe
File created	C:\Windows\SysWOW64\Foqacehl.dll	Fanbll32.exe
File created	C:\Windows\SysWOW64\Laacmbkm.exe	Khkbcopl.exe
File opened for modification	C:\Windows\SysWOW64\Eelpqi32.exe	Ejdonq32.exe
File opened for modification	C:\Windows\SysWOW64\Ffhnocfd.exe	Fakfglhm.exe
File opened for modification	C:\Windows\SysWOW64\Plhgdn32.exe	Obhlkjaj.exe
File created	C:\Windows\SysWOW64\Cmpoch32.exe	Cddjofbj.exe
File created	C:\Windows\SysWOW64\Ienlbf32.exe	Idkpmgjo.exe
File opened for modification	C:\Windows\SysWOW64\Mhefhf32.exe	Lpjelibg.exe
File created	C:\Windows\SysWOW64\Fejegaao.exe	Flaaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dqhpjohb.exe	Dqfceoje.exe
File created	C:\Windows\SysWOW64\Bbndhppc.dll	Ofijnbkb.exe
File opened for modification	C:\Windows\SysWOW64\Qpmfklbq.exe	Qdfefkll.exe
File created	C:\Windows\SysWOW64\Mkcjlf32.exe	Laacmbkm.exe
File created	C:\Windows\SysWOW64\Ijolhg32.exe	Icedkn32.exe
File created	C:\Windows\SysWOW64\Cblebgfh.exe	Cfedmfqd.exe
File opened for modification	C:\Windows\SysWOW64\Bgdcom32.exe	Bpjkbcbe.exe
File created	C:\Windows\SysWOW64\Nildajdg.exe	Nkhdgfen.exe
File created	C:\Windows\SysWOW64\Okonpc32.dll	Hjjbmhfg.exe
File created	C:\Windows\SysWOW64\Clbiilpi.dll	Pocdba32.exe
File created	C:\Windows\SysWOW64\Jmkjpklj.dll	Lbgjmnno.exe
File created	C:\Windows\SysWOW64\Bkibdp32.dll	Dphipidf.exe
File created	C:\Windows\SysWOW64\Pgmkbg32.exe	Plhgdn32.exe
File opened for modification	C:\Windows\SysWOW64\Capkim32.exe	Cghgpgqd.exe
File created	C:\Windows\SysWOW64\Modffifb.dll	Plhgdn32.exe
File opened for modification	C:\Windows\SysWOW64\Qbhnga32.exe	Qlnfkgho.exe
File opened for modification	C:\Windows\SysWOW64\Leqkeajd.exe	Kaqejcep.exe
File created	C:\Windows\SysWOW64\Oohcle32.dll	Nfdfoala.exe
File created	C:\Windows\SysWOW64\Dlfkdnlg.dll	Hjfplo32.exe
File created	C:\Windows\SysWOW64\Imgbdh32.exe	Idonlbff.exe
File opened for modification	C:\Windows\SysWOW64\Dphipidf.exe	Dekobaki.exe
File created	C:\Windows\SysWOW64\Jaljaoii.exe	Jbfphh32.exe
File created	C:\Windows\SysWOW64\Ofijnbkb.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Gmimll32.exe	Fanbll32.exe
File created	C:\Windows\SysWOW64\Ndliin32.exe	Nifele32.exe
File created	C:\Windows\SysWOW64\Plimpg32.exe	Omhpcm32.exe
File created	C:\Windows\SysWOW64\Jjfdfl32.exe	Iedbcebd.exe
File created	C:\Windows\SysWOW64\Ndgpnogo.exe	Nbefolao.exe
File created	C:\Windows\SysWOW64\Godehbed.exe	Eplckh32.exe
File created	C:\Windows\SysWOW64\Fmbbhi32.dll	Hapancai.exe
File created	C:\Windows\SysWOW64\Poohao32.dll	Habndbpf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4860	5732	WerFault.exe	459

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angjfh32.dll"	Dfeibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejdonq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fejegaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cckmklac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdlcde32.dll"	Ngedbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakpih32.dll"	Bnoiqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkflpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmknc32.dll"	Ffcedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkaqh32.dll"	Cblebgfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccigpbga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikjmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabgompp.dll"	Nldjnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flplcjpa.dll"	Ghanoeel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejbknnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnlenp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epagjcpl.dll"	Qpmfklbq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akkmocjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmkbgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaaepcco.dll"	Hfjmajbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cqghcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnlpf32.dll"	Fegiba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khlinedh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjapfjnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcgekjgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnoiqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjhgke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgnolj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqpppi32.dll"	Ejbknnid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffpcbchm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgpibdam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eapmedef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dekobaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epjfehbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkggplm.dll"	Ncpelbap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fikihlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdlpdhq.dll"	Bqbohocd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acpkbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofalfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfbpbof.dll"	Lmjkka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfdep32.dll"	Kipalpoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djeegf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffcedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffhnocfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pihmcflg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbggkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baokejco.dll"	Fnmqegle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oihkgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipalpoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oboakhmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kifcnjpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nejbaqgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijpcbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Palkgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Godehbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndmgnkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egelgoah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdgcne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnnklg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oecnmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kifcnjpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkggfeam.dll"	Lmkbeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kklbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbidk32.dll"	Godehbed.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 4776	1084	0bd96393997a5c83d7ecb7fdf27c4265b5ff930ddd0f92ab1156d4c209703ec8.exe	99
PID 1084 wrote to memory of 4776	1084	0bd96393997a5c83d7ecb7fdf27c4265b5ff930ddd0f92ab1156d4c209703ec8.exe	99
PID 1084 wrote to memory of 4776	1084	0bd96393997a5c83d7ecb7fdf27c4265b5ff930ddd0f92ab1156d4c209703ec8.exe	99
PID 4776 wrote to memory of 3140	4776	Mkgmoncl.exe	100
PID 4776 wrote to memory of 3140	4776	Mkgmoncl.exe	100
PID 4776 wrote to memory of 3140	4776	Mkgmoncl.exe	100
PID 3140 wrote to memory of 3692	3140	Ohqpjo32.exe	101
PID 3140 wrote to memory of 3692	3140	Ohqpjo32.exe	101
PID 3140 wrote to memory of 3692	3140	Ohqpjo32.exe	101
PID 3692 wrote to memory of 868	3692	Oheienli.exe	102
PID 3692 wrote to memory of 868	3692	Oheienli.exe	102
PID 3692 wrote to memory of 868	3692	Oheienli.exe	102
PID 868 wrote to memory of 3088	868	Ofijnbkb.exe	104
PID 868 wrote to memory of 3088	868	Ofijnbkb.exe	104
PID 868 wrote to memory of 3088	868	Ofijnbkb.exe	104
PID 3088 wrote to memory of 3672	3088	Pmeoqlpl.exe	105
PID 3088 wrote to memory of 3672	3088	Pmeoqlpl.exe	105
PID 3088 wrote to memory of 3672	3088	Pmeoqlpl.exe	105
PID 3672 wrote to memory of 1304	3672	Qifbll32.exe	106
PID 3672 wrote to memory of 1304	3672	Qifbll32.exe	106
PID 3672 wrote to memory of 1304	3672	Qifbll32.exe	106
PID 1304 wrote to memory of 1688	1304	Acppddig.exe	107
PID 1304 wrote to memory of 1688	1304	Acppddig.exe	107
PID 1304 wrote to memory of 1688	1304	Acppddig.exe	107
PID 1688 wrote to memory of 4552	1688	Amoknh32.exe	108
PID 1688 wrote to memory of 4552	1688	Amoknh32.exe	108
PID 1688 wrote to memory of 4552	1688	Amoknh32.exe	108
PID 4552 wrote to memory of 1116	4552	Blnjecfl.exe	109
PID 4552 wrote to memory of 1116	4552	Blnjecfl.exe	109
PID 4552 wrote to memory of 1116	4552	Blnjecfl.exe	109
PID 1116 wrote to memory of 760	1116	Dgdgijhp.exe	110
PID 1116 wrote to memory of 760	1116	Dgdgijhp.exe	110
PID 1116 wrote to memory of 760	1116	Dgdgijhp.exe	110
PID 760 wrote to memory of 5100	760	Fnnimbaj.exe	111
PID 760 wrote to memory of 5100	760	Fnnimbaj.exe	111
PID 760 wrote to memory of 5100	760	Fnnimbaj.exe	111
PID 5100 wrote to memory of 4476	5100	Ffpcbchm.exe	112
PID 5100 wrote to memory of 4476	5100	Ffpcbchm.exe	112
PID 5100 wrote to memory of 4476	5100	Ffpcbchm.exe	112
PID 4476 wrote to memory of 1552	4476	Gnlenp32.exe	114
PID 4476 wrote to memory of 1552	4476	Gnlenp32.exe	114
PID 4476 wrote to memory of 1552	4476	Gnlenp32.exe	114
PID 1552 wrote to memory of 3356	1552	Gdhjpjjd.exe	115
PID 1552 wrote to memory of 3356	1552	Gdhjpjjd.exe	115
PID 1552 wrote to memory of 3356	1552	Gdhjpjjd.exe	115
PID 3356 wrote to memory of 3552	3356	Hgpibdam.exe	116
PID 3356 wrote to memory of 3552	3356	Hgpibdam.exe	116
PID 3356 wrote to memory of 3552	3356	Hgpibdam.exe	116
PID 3552 wrote to memory of 1152	3552	Hmpnqj32.exe	117
PID 3552 wrote to memory of 1152	3552	Hmpnqj32.exe	117
PID 3552 wrote to memory of 1152	3552	Hmpnqj32.exe	117
PID 1152 wrote to memory of 4796	1152	Idkpmgjo.exe	119
PID 1152 wrote to memory of 4796	1152	Idkpmgjo.exe	119
PID 1152 wrote to memory of 4796	1152	Idkpmgjo.exe	119
PID 4796 wrote to memory of 4060	4796	Ienlbf32.exe	120
PID 4796 wrote to memory of 4060	4796	Ienlbf32.exe	120
PID 4796 wrote to memory of 4060	4796	Ienlbf32.exe	120
PID 4060 wrote to memory of 4180	4060	Iedbcebd.exe	121
PID 4060 wrote to memory of 4180	4060	Iedbcebd.exe	121
PID 4060 wrote to memory of 4180	4060	Iedbcebd.exe	121
PID 4180 wrote to memory of 4540	4180	Jjfdfl32.exe	122
PID 4180 wrote to memory of 4540	4180	Jjfdfl32.exe	122
PID 4180 wrote to memory of 4540	4180	Jjfdfl32.exe	122
PID 4540 wrote to memory of 4048	4540	Kmppneal.exe	123

C:\Users\Admin\AppData\Local\Temp\0bd96393997a5c83d7ecb7fdf27c4265b5ff930ddd0f92ab1156d4c209703ec8.exe
"C:\Users\Admin\AppData\Local\Temp\0bd96393997a5c83d7ecb7fdf27c4265b5ff930ddd0f92ab1156d4c209703ec8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\Mkgmoncl.exe
  C:\Windows\system32\Mkgmoncl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\SysWOW64\Ohqpjo32.exe
    C:\Windows\system32\Ohqpjo32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\SysWOW64\Oheienli.exe
      C:\Windows\system32\Oheienli.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Amoknh32.exe
        
        C:\Windows\system32\Amoknh32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Blnjecfl.exe
        
        C:\Windows\system32\Blnjecfl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Fnnimbaj.exe
        
        C:\Windows\system32\Fnnimbaj.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Ffpcbchm.exe
        
        C:\Windows\system32\Ffpcbchm.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Gnlenp32.exe
        
        C:\Windows\system32\Gnlenp32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Gdhjpjjd.exe
        
        C:\Windows\system32\Gdhjpjjd.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Hgpibdam.exe
        
        C:\Windows\system32\Hgpibdam.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Hmpnqj32.exe
        
        C:\Windows\system32\Hmpnqj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Idkpmgjo.exe
        
        C:\Windows\system32\Idkpmgjo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Ienlbf32.exe
        
        C:\Windows\system32\Ienlbf32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Iedbcebd.exe
        
        C:\Windows\system32\Iedbcebd.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Jjfdfl32.exe
        
        C:\Windows\system32\Jjfdfl32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Kmppneal.exe
        
        C:\Windows\system32\Kmppneal.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Kmbmdeoj.exe
        
        C:\Windows\system32\Kmbmdeoj.exe
        23⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Kaqejcep.exe
        
        C:\Windows\system32\Kaqejcep.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Leqkeajd.exe
        
        C:\Windows\system32\Leqkeajd.exe
        25⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Mgkjch32.exe
        
        C:\Windows\system32\Mgkjch32.exe
        26⤵
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\SysWOW64\Ndmgnkja.exe
        
        C:\Windows\system32\Ndmgnkja.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Oacdmo32.exe
        
        C:\Windows\system32\Oacdmo32.exe
        28⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Pocdba32.exe
        
        C:\Windows\system32\Pocdba32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Pbfjjlgc.exe
        
        C:\Windows\system32\Pbfjjlgc.exe
        30⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\Phbolflm.exe
        
        C:\Windows\system32\Phbolflm.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Qbmpjkqk.exe
        
        C:\Windows\system32\Qbmpjkqk.exe
        32⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\Aijeme32.exe
        
        C:\Windows\system32\Aijeme32.exe
        33⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Bichcc32.exe
        
        C:\Windows\system32\Bichcc32.exe
        34⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Bejhhd32.exe
        
        C:\Windows\system32\Bejhhd32.exe
        35⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Bfieagka.exe
        
        C:\Windows\system32\Bfieagka.exe
        36⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Becknc32.exe
        
        C:\Windows\system32\Becknc32.exe
        37⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Cfedmfqd.exe
        
        C:\Windows\system32\Cfedmfqd.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Cblebgfh.exe
        
        C:\Windows\system32\Cblebgfh.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Cppelkeb.exe
        
        C:\Windows\system32\Cppelkeb.exe
        40⤵
        Executes dropped EXE
        
        PID:5140
        
        C:\Windows\SysWOW64\Cemndbci.exe
        
        C:\Windows\system32\Cemndbci.exe
        41⤵
        Executes dropped EXE
        
        PID:5180
        
        C:\Windows\SysWOW64\Cnebmgjj.exe
        
        C:\Windows\system32\Cnebmgjj.exe
        42⤵
        Executes dropped EXE
        
        PID:5232
        
        C:\Windows\SysWOW64\Deagoa32.exe
        
        C:\Windows\system32\Deagoa32.exe
        43⤵
        Executes dropped EXE
        
        PID:5284
        
        C:\Windows\SysWOW64\Eeaqfo32.exe
        
        C:\Windows\system32\Eeaqfo32.exe
        44⤵
        Executes dropped EXE
        
        PID:5328
        
        C:\Windows\SysWOW64\Fbhnec32.exe
        
        C:\Windows\system32\Fbhnec32.exe
        45⤵
        Executes dropped EXE
        
        PID:5368
        
        C:\Windows\SysWOW64\Foonjd32.exe
        
        C:\Windows\system32\Foonjd32.exe
        46⤵
        Executes dropped EXE
        
        PID:5416
        
        C:\Windows\SysWOW64\Fifomlap.exe
        
        C:\Windows\system32\Fifomlap.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5460
        
        C:\Windows\SysWOW64\Fochecog.exe
        
        C:\Windows\system32\Fochecog.exe
        48⤵
        Executes dropped EXE
        
        PID:5500
        
        C:\Windows\SysWOW64\Fhllni32.exe
        
        C:\Windows\system32\Fhllni32.exe
        49⤵
        Executes dropped EXE
        
        PID:5544
        
        C:\Windows\SysWOW64\Fikihlmj.exe
        
        C:\Windows\system32\Fikihlmj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Gedfblql.exe
        
        C:\Windows\system32\Gedfblql.exe
        51⤵
        Executes dropped EXE
        
        PID:5636
        
        C:\Windows\SysWOW64\Ggdbmoho.exe
        
        C:\Windows\system32\Ggdbmoho.exe
        52⤵
        Executes dropped EXE
        
        PID:5688
        
        C:\Windows\SysWOW64\Icpecm32.exe
        
        C:\Windows\system32\Icpecm32.exe
        53⤵
        Executes dropped EXE
        
        PID:5744
        
        C:\Windows\SysWOW64\Kcbkpj32.exe
        
        C:\Windows\system32\Kcbkpj32.exe
        54⤵
        Executes dropped EXE
        
        PID:5796
        
        C:\Windows\SysWOW64\Kcgekjgp.exe
        
        C:\Windows\system32\Kcgekjgp.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Lpjelibg.exe
        
        C:\Windows\system32\Lpjelibg.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Mhefhf32.exe
        
        C:\Windows\system32\Mhefhf32.exe
        57⤵
        Executes dropped EXE
        
        PID:5944
        
        C:\Windows\SysWOW64\Mmghklif.exe
        
        C:\Windows\system32\Mmghklif.exe
        58⤵
        Executes dropped EXE
        
        PID:5984
        
        C:\Windows\SysWOW64\Nfdfoala.exe
        
        C:\Windows\system32\Nfdfoala.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Nkdlkope.exe
        
        C:\Windows\system32\Nkdlkope.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Okiefn32.exe
        
        C:\Windows\system32\Okiefn32.exe
        61⤵
        Executes dropped EXE
        
        PID:6120
        
        C:\Windows\SysWOW64\Oiehhjjp.exe
        
        C:\Windows\system32\Oiehhjjp.exe
        62⤵
        Executes dropped EXE
        
        PID:5148
        
        C:\Windows\SysWOW64\Pdklebje.exe
        
        C:\Windows\system32\Pdklebje.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Phiekaql.exe
        
        C:\Windows\system32\Phiekaql.exe
        64⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Qnopjfgi.exe
        
        C:\Windows\system32\Qnopjfgi.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Ajmgof32.exe
        
        C:\Windows\system32\Ajmgof32.exe
        66⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Ajodef32.exe
        
        C:\Windows\system32\Ajodef32.exe
        67⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\Bhbahm32.exe
        
        C:\Windows\system32\Bhbahm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3428
        
        C:\Windows\SysWOW64\Bnoiqd32.exe
        
        C:\Windows\system32\Bnoiqd32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Bjhgke32.exe
        
        C:\Windows\system32\Bjhgke32.exe
        70⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Bqbohocd.exe
        
        C:\Windows\system32\Bqbohocd.exe
        71⤵
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Bnfoac32.exe
        
        C:\Windows\system32\Bnfoac32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3436
        
        C:\Windows\SysWOW64\Bkjpkg32.exe
        
        C:\Windows\system32\Bkjpkg32.exe
        73⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Cqghcn32.exe
        
        C:\Windows\system32\Cqghcn32.exe
        74⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Cjomldfp.exe
        
        C:\Windows\system32\Cjomldfp.exe
        75⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Cjaiac32.exe
        
        C:\Windows\system32\Cjaiac32.exe
        76⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Calbnnkj.exe
        
        C:\Windows\system32\Calbnnkj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Cghgpgqd.exe
        
        C:\Windows\system32\Cghgpgqd.exe
        78⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Capkim32.exe
        
        C:\Windows\system32\Capkim32.exe
        79⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Djipbbne.exe
        
        C:\Windows\system32\Djipbbne.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:956
        
        C:\Windows\SysWOW64\Dabhomea.exe
        
        C:\Windows\system32\Dabhomea.exe
        81⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Ejdonq32.exe
        
        C:\Windows\system32\Ejdonq32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Eelpqi32.exe
        
        C:\Windows\system32\Eelpqi32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Ehmibdol.exe
        
        C:\Windows\system32\Ehmibdol.exe
        84⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Fbggkl32.exe
        
        C:\Windows\system32\Fbggkl32.exe
        85⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Gbcffk32.exe
        
        C:\Windows\system32\Gbcffk32.exe
        86⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Gehice32.exe
        
        C:\Windows\system32\Gehice32.exe
        87⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Gkeakl32.exe
        
        C:\Windows\system32\Gkeakl32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Hleneo32.exe
        
        C:\Windows\system32\Hleneo32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Hcflch32.exe
        
        C:\Windows\system32\Hcflch32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Ikejbjip.exe
        
        C:\Windows\system32\Ikejbjip.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Jbghpc32.exe
        
        C:\Windows\system32\Jbghpc32.exe
        92⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Jhqqlmba.exe
        
        C:\Windows\system32\Jhqqlmba.exe
        93⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Joobdfei.exe
        
        C:\Windows\system32\Joobdfei.exe
        94⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Jjgcgo32.exe
        
        C:\Windows\system32\Jjgcgo32.exe
        95⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Kbbhka32.exe
        
        C:\Windows\system32\Kbbhka32.exe
        96⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Kmhlijpm.exe
        
        C:\Windows\system32\Kmhlijpm.exe
        97⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Kjlmbnof.exe
        
        C:\Windows\system32\Kjlmbnof.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Kiajck32.exe
        
        C:\Windows\system32\Kiajck32.exe
        99⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Kicfijal.exe
        
        C:\Windows\system32\Kicfijal.exe
        100⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\Kblkap32.exe
        
        C:\Windows\system32\Kblkap32.exe
        101⤵
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\Kifcnjpi.exe
        
        C:\Windows\system32\Kifcnjpi.exe
        102⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Lopkkdgf.exe
        
        C:\Windows\system32\Lopkkdgf.exe
        103⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Ljephmgl.exe
        
        C:\Windows\system32\Ljephmgl.exe
        104⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Lkflpe32.exe
        
        C:\Windows\system32\Lkflpe32.exe
        105⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Lbcabo32.exe
        
        C:\Windows\system32\Lbcabo32.exe
        106⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Lmheph32.exe
        
        C:\Windows\system32\Lmheph32.exe
        107⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\Lmkbeg32.exe
        
        C:\Windows\system32\Lmkbeg32.exe
        108⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Lbgjmnno.exe
        
        C:\Windows\system32\Lbgjmnno.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Mfjlolpp.exe
        
        C:\Windows\system32\Mfjlolpp.exe
        110⤵
        
        PID:688
        
        C:\Windows\SysWOW64\Mmdekf32.exe
        
        C:\Windows\system32\Mmdekf32.exe
        111⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Mjjbjjdd.exe
        
        C:\Windows\system32\Mjjbjjdd.exe
        112⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\Nbefolao.exe
        
        C:\Windows\system32\Nbefolao.exe
        113⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Ndgpnogo.exe
        
        C:\Windows\system32\Ndgpnogo.exe
        114⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Nidhffef.exe
        
        C:\Windows\system32\Nidhffef.exe
        115⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Nifele32.exe
        
        C:\Windows\system32\Nifele32.exe
        116⤵
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\Ndliin32.exe
        
        C:\Windows\system32\Ndliin32.exe
        117⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Njfafhjf.exe
        
        C:\Windows\system32\Njfafhjf.exe
        118⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Odnfonag.exe
        
        C:\Windows\system32\Odnfonag.exe
        119⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Ojhnlh32.exe
        
        C:\Windows\system32\Ojhnlh32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Ojkkah32.exe
        
        C:\Windows\system32\Ojkkah32.exe
        121⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Ollgiplp.exe
        
        C:\Windows\system32\Ollgiplp.exe
        122⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Ofalfi32.exe
        
        C:\Windows\system32\Ofalfi32.exe
        123⤵
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Olndnp32.exe
        
        C:\Windows\system32\Olndnp32.exe
        124⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Obhlkjaj.exe
        
        C:\Windows\system32\Obhlkjaj.exe
        125⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Plhgdn32.exe
        
        C:\Windows\system32\Plhgdn32.exe
        126⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Pgmkbg32.exe
        
        C:\Windows\system32\Pgmkbg32.exe
        127⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Pcdlghgl.exe
        
        C:\Windows\system32\Pcdlghgl.exe
        128⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Qkmqne32.exe
        
        C:\Windows\system32\Qkmqne32.exe
        129⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Qdfefkll.exe
        
        C:\Windows\system32\Qdfefkll.exe
        130⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Qpmfklbq.exe
        
        C:\Windows\system32\Qpmfklbq.exe
        131⤵
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Akdfndpd.exe
        
        C:\Windows\system32\Akdfndpd.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6924
        
        C:\Windows\SysWOW64\Acpkbf32.exe
        
        C:\Windows\system32\Acpkbf32.exe
        133⤵
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Alhpkldp.exe
        
        C:\Windows\system32\Alhpkldp.exe
        134⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Akipic32.exe
        
        C:\Windows\system32\Akipic32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7064
        
        C:\Windows\SysWOW64\Aljmal32.exe
        
        C:\Windows\system32\Aljmal32.exe
        136⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Akkmocjl.exe
        
        C:\Windows\system32\Akkmocjl.exe
        137⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Cddjofbj.exe
        
        C:\Windows\system32\Cddjofbj.exe
        138⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Cmpoch32.exe
        
        C:\Windows\system32\Cmpoch32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Ccigpbga.exe
        
        C:\Windows\system32\Ccigpbga.exe
        140⤵
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Cggpfa32.exe
        
        C:\Windows\system32\Cggpfa32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Cnahbk32.exe
        
        C:\Windows\system32\Cnahbk32.exe
        142⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Dcnqkb32.exe
        
        C:\Windows\system32\Dcnqkb32.exe
        143⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Djhiglji.exe
        
        C:\Windows\system32\Djhiglji.exe
        144⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Ddnmeejo.exe
        
        C:\Windows\system32\Ddnmeejo.exe
        145⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\Dkgeao32.exe
        
        C:\Windows\system32\Dkgeao32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6716
        
        C:\Windows\SysWOW64\Ddpjjd32.exe
        
        C:\Windows\system32\Ddpjjd32.exe
        147⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Dkjbgooi.exe
        
        C:\Windows\system32\Dkjbgooi.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6864
        
        C:\Windows\SysWOW64\Dmknog32.exe
        
        C:\Windows\system32\Dmknog32.exe
        149⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Dgqblp32.exe
        
        C:\Windows\system32\Dgqblp32.exe
        150⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Dqigee32.exe
        
        C:\Windows\system32\Dqigee32.exe
        151⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Dnmgni32.exe
        
        C:\Windows\system32\Dnmgni32.exe
        152⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Egelgoah.exe
        
        C:\Windows\system32\Egelgoah.exe
        153⤵
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Eghimo32.exe
        
        C:\Windows\system32\Eghimo32.exe
        154⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Eapmedef.exe
        
        C:\Windows\system32\Eapmedef.exe
        155⤵
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Ekeacmel.exe
        
        C:\Windows\system32\Ekeacmel.exe
        156⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Ecafgo32.exe
        
        C:\Windows\system32\Ecafgo32.exe
        157⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Elhnhm32.exe
        
        C:\Windows\system32\Elhnhm32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4472
        
        C:\Windows\SysWOW64\Ecccmo32.exe
        
        C:\Windows\system32\Ecccmo32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Emlgedge.exe
        
        C:\Windows\system32\Emlgedge.exe
        160⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Flmhclod.exe
        
        C:\Windows\system32\Flmhclod.exe
        161⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Fmndkd32.exe
        
        C:\Windows\system32\Fmndkd32.exe
        162⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Fhchhm32.exe
        
        C:\Windows\system32\Fhchhm32.exe
        163⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Fnmqegle.exe
        
        C:\Windows\system32\Fnmqegle.exe
        164⤵
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Fegiba32.exe
        
        C:\Windows\system32\Fegiba32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Flaaok32.exe
        
        C:\Windows\system32\Flaaok32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Fejegaao.exe
        
        C:\Windows\system32\Fejegaao.exe
        167⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Fdobhm32.exe
        
        C:\Windows\system32\Fdobhm32.exe
        168⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Fjikeg32.exe
        
        C:\Windows\system32\Fjikeg32.exe
        169⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Gaccbaeq.exe
        
        C:\Windows\system32\Gaccbaeq.exe
        170⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Ghmkol32.exe
        
        C:\Windows\system32\Ghmkol32.exe
        171⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Gaepgacn.exe
        
        C:\Windows\system32\Gaepgacn.exe
        172⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Ghohdk32.exe
        
        C:\Windows\system32\Ghohdk32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2524
        
        C:\Windows\SysWOW64\Goipae32.exe
        
        C:\Windows\system32\Goipae32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6992
        
        C:\Windows\SysWOW64\Gechnpid.exe
        
        C:\Windows\system32\Gechnpid.exe
        175⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Gokmfe32.exe
        
        C:\Windows\system32\Gokmfe32.exe
        176⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Gmqjga32.exe
        
        C:\Windows\system32\Gmqjga32.exe
        177⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\Gdkbdllj.exe
        
        C:\Windows\system32\Gdkbdllj.exe
        178⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Gkdjaf32.exe
        
        C:\Windows\system32\Gkdjaf32.exe
        179⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Hmecba32.exe
        
        C:\Windows\system32\Hmecba32.exe
        180⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Hdokok32.exe
        
        C:\Windows\system32\Hdokok32.exe
        181⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Hmhphqoe.exe
        
        C:\Windows\system32\Hmhphqoe.exe
        182⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Hdahek32.exe
        
        C:\Windows\system32\Hdahek32.exe
        183⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Hlipfh32.exe
        
        C:\Windows\system32\Hlipfh32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2276
        
        C:\Windows\SysWOW64\Hddejjdo.exe
        
        C:\Windows\system32\Hddejjdo.exe
        185⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Hknmgd32.exe
        
        C:\Windows\system32\Hknmgd32.exe
        186⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Hahedoci.exe
        
        C:\Windows\system32\Hahedoci.exe
        187⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Iajbinaf.exe
        
        C:\Windows\system32\Iajbinaf.exe
        188⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Iehkpmgl.exe
        
        C:\Windows\system32\Iehkpmgl.exe
        189⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Ihicah32.exe
        
        C:\Windows\system32\Ihicah32.exe
        190⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Ioclnblj.exe
        
        C:\Windows\system32\Ioclnblj.exe
        191⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Ikjmcc32.exe
        
        C:\Windows\system32\Ikjmcc32.exe
        192⤵
        Modifies registry class
        
        PID:7456
        
        C:\Windows\SysWOW64\Idbalhho.exe
        
        C:\Windows\system32\Idbalhho.exe
        193⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Jojboa32.exe
        
        C:\Windows\system32\Jojboa32.exe
        194⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Jhbfgflc.exe
        
        C:\Windows\system32\Jhbfgflc.exe
        195⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Jnoopm32.exe
        
        C:\Windows\system32\Jnoopm32.exe
        196⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Khlinedh.exe
        
        C:\Windows\system32\Khlinedh.exe
        197⤵
        Modifies registry class
        
        PID:7716
        
        C:\Windows\SysWOW64\Knhbflbp.exe
        
        C:\Windows\system32\Knhbflbp.exe
        198⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Kklbop32.exe
        
        C:\Windows\system32\Kklbop32.exe
        199⤵
        Modifies registry class
        
        PID:7828
        
        C:\Windows\SysWOW64\Kfbfmi32.exe
        
        C:\Windows\system32\Kfbfmi32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7892
        
        C:\Windows\SysWOW64\Kdgcne32.exe
        
        C:\Windows\system32\Kdgcne32.exe
        201⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7940
        
        C:\Windows\SysWOW64\Lofjam32.exe
        
        C:\Windows\system32\Lofjam32.exe
        202⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Lmjkka32.exe
        
        C:\Windows\system32\Lmjkka32.exe
        203⤵
        Modifies registry class
        
        PID:8048
        
        C:\Windows\SysWOW64\Mfiedfmd.exe
        
        C:\Windows\system32\Mfiedfmd.exe
        204⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Moajmk32.exe
        
        C:\Windows\system32\Moajmk32.exe
        205⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Nkkggl32.exe
        
        C:\Windows\system32\Nkkggl32.exe
        206⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Nfpled32.exe
        
        C:\Windows\system32\Nfpled32.exe
        207⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Nmjdaoni.exe
        
        C:\Windows\system32\Nmjdaoni.exe
        208⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Nbgljf32.exe
        
        C:\Windows\system32\Nbgljf32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7332
        
        C:\Windows\SysWOW64\Nnnmogae.exe
        
        C:\Windows\system32\Nnnmogae.exe
        210⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Nmommn32.exe
        
        C:\Windows\system32\Nmommn32.exe
        211⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Nnpjdfpb.exe
        
        C:\Windows\system32\Nnpjdfpb.exe
        212⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Nejbaqgo.exe
        
        C:\Windows\system32\Nejbaqgo.exe
        213⤵
        Modifies registry class
        
        PID:7504
        
        C:\Windows\SysWOW64\Nldjnk32.exe
        
        C:\Windows\system32\Nldjnk32.exe
        214⤵
        Modifies registry class
        
        PID:7564
        
        C:\Windows\SysWOW64\Obnbjdfi.exe
        
        C:\Windows\system32\Obnbjdfi.exe
        215⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Oihkgo32.exe
        
        C:\Windows\system32\Oihkgo32.exe
        216⤵
        Modifies registry class
        
        PID:7676
        
        C:\Windows\SysWOW64\Opbcdieb.exe
        
        C:\Windows\system32\Opbcdieb.exe
        217⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Oflkqc32.exe
        
        C:\Windows\system32\Oflkqc32.exe
        218⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Opdpih32.exe
        
        C:\Windows\system32\Opdpih32.exe
        219⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Omhpcm32.exe
        
        C:\Windows\system32\Omhpcm32.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7992
        
        C:\Windows\SysWOW64\Plimpg32.exe
        
        C:\Windows\system32\Plimpg32.exe
        221⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Pfoamp32.exe
        
        C:\Windows\system32\Pfoamp32.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7688
        
        C:\Windows\SysWOW64\Qojeabie.exe
        
        C:\Windows\system32\Qojeabie.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8112
        
        C:\Windows\SysWOW64\Qlnfkgho.exe
        
        C:\Windows\system32\Qlnfkgho.exe
        224⤵
        Drops file in System32 directory
        
        PID:8184
        
        C:\Windows\SysWOW64\Qbhnga32.exe
        
        C:\Windows\system32\Qbhnga32.exe
        225⤵
        Drops file in System32 directory
        
        PID:7356
        
        C:\Windows\SysWOW64\Bpjkbcbe.exe
        
        C:\Windows\system32\Bpjkbcbe.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7436
        
        C:\Windows\SysWOW64\Bgdcom32.exe
        
        C:\Windows\system32\Bgdcom32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7544
        
        C:\Windows\SysWOW64\Bnnklg32.exe
        
        C:\Windows\system32\Bnnklg32.exe
        228⤵
        Modifies registry class
        
        PID:7660
        
        C:\Windows\SysWOW64\Boohcpgm.exe
        
        C:\Windows\system32\Boohcpgm.exe
        229⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Bpaacblm.exe
        
        C:\Windows\system32\Bpaacblm.exe
        230⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Ccajdmin.exe
        
        C:\Windows\system32\Ccajdmin.exe
        231⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\Cngnbfid.exe
        
        C:\Windows\system32\Cngnbfid.exe
        232⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Cpfkna32.exe
        
        C:\Windows\system32\Cpfkna32.exe
        233⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\Cgpcklpd.exe
        
        C:\Windows\system32\Cgpcklpd.exe
        234⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Clohhbli.exe
        
        C:\Windows\system32\Clohhbli.exe
        235⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Cpmqoqbp.exe
        
        C:\Windows\system32\Cpmqoqbp.exe
        236⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Cckmklac.exe
        
        C:\Windows\system32\Cckmklac.exe
        237⤵
        Modifies registry class
        
        PID:7408
        
        C:\Windows\SysWOW64\Djeegf32.exe
        
        C:\Windows\system32\Djeegf32.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7616
        
        C:\Windows\SysWOW64\Dncnnd32.exe
        
        C:\Windows\system32\Dncnnd32.exe
        239⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Dodjemee.exe
        
        C:\Windows\system32\Dodjemee.exe
        240⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Dgnolj32.exe
        
        C:\Windows\system32\Dgnolj32.exe
        241⤵
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Dqfceoje.exe
        
        C:\Windows\system32\Dqfceoje.exe
        242⤵
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Dqhpjohb.exe
        
        C:\Windows\system32\Dqhpjohb.exe
        243⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Dfeibf32.exe
        
        C:\Windows\system32\Dfeibf32.exe
        244⤵
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Eckfaj32.exe
        
        C:\Windows\system32\Eckfaj32.exe
        245⤵
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Enajobbf.exe
        
        C:\Windows\system32\Enajobbf.exe
        246⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Ecnbgian.exe
        
        C:\Windows\system32\Ecnbgian.exe
        247⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Ecpomiok.exe
        
        C:\Windows\system32\Ecpomiok.exe
        248⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Enfcjb32.exe
        
        C:\Windows\system32\Enfcjb32.exe
        249⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Ffahnd32.exe
        
        C:\Windows\system32\Ffahnd32.exe
        250⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\Fqfmlm32.exe
        
        C:\Windows\system32\Fqfmlm32.exe
        251⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Ffcedd32.exe
        
        C:\Windows\system32\Ffcedd32.exe
        252⤵
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Fmmmqnaf.exe
        
        C:\Windows\system32\Fmmmqnaf.exe
        253⤵
        
        PID:112
        
        C:\Windows\SysWOW64\Fjanjb32.exe
        
        C:\Windows\system32\Fjanjb32.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3552
        
        C:\Windows\SysWOW64\Fakfglhm.exe
        
        C:\Windows\system32\Fakfglhm.exe
        255⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\Ffhnocfd.exe
        
        C:\Windows\system32\Ffhnocfd.exe
        256⤵
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Fanbll32.exe
        
        C:\Windows\system32\Fanbll32.exe
        257⤵
        Drops file in System32 directory
        
        PID:984
        
        C:\Windows\SysWOW64\Gmimll32.exe
        
        C:\Windows\system32\Gmimll32.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Gfaaebnj.exe
        
        C:\Windows\system32\Gfaaebnj.exe
        259⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Ghanoeel.exe
        
        C:\Windows\system32\Ghanoeel.exe
        260⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Gjagapbn.exe
        
        C:\Windows\system32\Gjagapbn.exe
        261⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Gpnoigpe.exe
        
        C:\Windows\system32\Gpnoigpe.exe
        262⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Hfhgfaha.exe
        
        C:\Windows\system32\Hfhgfaha.exe
        263⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Hjfplo32.exe
        
        C:\Windows\system32\Hjfplo32.exe
        264⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Hfmqapcl.exe
        
        C:\Windows\system32\Hfmqapcl.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Hmginjki.exe
        
        C:\Windows\system32\Hmginjki.exe
        266⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Hdaajd32.exe
        
        C:\Windows\system32\Hdaajd32.exe
        267⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Hnfehm32.exe
        
        C:\Windows\system32\Hnfehm32.exe
        268⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Hmlbij32.exe
        
        C:\Windows\system32\Hmlbij32.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8044
        
        C:\Windows\SysWOW64\Ijpcbn32.exe
        
        C:\Windows\system32\Ijpcbn32.exe
        270⤵
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Iajkohmj.exe
        
        C:\Windows\system32\Iajkohmj.exe
        271⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Ihcclb32.exe
        
        C:\Windows\system32\Ihcclb32.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Ionlhlld.exe
        
        C:\Windows\system32\Ionlhlld.exe
        273⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Ihfpabbd.exe
        
        C:\Windows\system32\Ihfpabbd.exe
        274⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\Iandjg32.exe
        
        C:\Windows\system32\Iandjg32.exe
        275⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Ikgicmpe.exe
        
        C:\Windows\system32\Ikgicmpe.exe
        276⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Idonlbff.exe
        
        C:\Windows\system32\Idonlbff.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8244
        
        C:\Windows\SysWOW64\Imgbdh32.exe
        
        C:\Windows\system32\Imgbdh32.exe
        278⤵
        Drops file in System32 directory
        
        PID:8284
        
        C:\Windows\SysWOW64\Jdajabdc.exe
        
        C:\Windows\system32\Jdajabdc.exe
        279⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8324
        
        C:\Windows\SysWOW64\Jkkbnl32.exe
        
        C:\Windows\system32\Jkkbnl32.exe
        280⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Jgbccm32.exe
        
        C:\Windows\system32\Jgbccm32.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8412
        
        C:\Windows\SysWOW64\Joikdk32.exe
        
        C:\Windows\system32\Joikdk32.exe
        282⤵
        Drops file in System32 directory
        
        PID:8488
        
        C:\Windows\SysWOW64\Khkbcopl.exe
        
        C:\Windows\system32\Khkbcopl.exe
        283⤵
        Drops file in System32 directory
        
        PID:8536
        
        C:\Windows\SysWOW64\Laacmbkm.exe
        
        C:\Windows\system32\Laacmbkm.exe
        284⤵
        Drops file in System32 directory
        
        PID:8608
        
        C:\Windows\SysWOW64\Mkcjlf32.exe
        
        C:\Windows\system32\Mkcjlf32.exe
        285⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Nkhdgfen.exe
        
        C:\Windows\system32\Nkhdgfen.exe
        286⤵
        Drops file in System32 directory
        
        PID:8712
        
        C:\Windows\SysWOW64\Nildajdg.exe
        
        C:\Windows\system32\Nildajdg.exe
        287⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\Ndbefkjk.exe
        
        C:\Windows\system32\Ndbefkjk.exe
        288⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Oecnmi32.exe
        
        C:\Windows\system32\Oecnmi32.exe
        289⤵
        Modifies registry class
        
        PID:8916
        
        C:\Windows\SysWOW64\Palkgi32.exe
        
        C:\Windows\system32\Palkgi32.exe
        290⤵
        Modifies registry class
        
        PID:8956
        
        C:\Windows\SysWOW64\Piepnfnj.exe
        
        C:\Windows\system32\Piepnfnj.exe
        291⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9004
        
        C:\Windows\SysWOW64\Ppphkq32.exe
        
        C:\Windows\system32\Ppphkq32.exe
        292⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Pihmcflg.exe
        
        C:\Windows\system32\Pihmcflg.exe
        293⤵
        Modifies registry class
        
        PID:9116
        
        C:\Windows\SysWOW64\Qimfoe32.exe
        
        C:\Windows\system32\Qimfoe32.exe
        294⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9188
        
        C:\Windows\SysWOW64\Qbggmk32.exe
        
        C:\Windows\system32\Qbggmk32.exe
        295⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Albikp32.exe
        
        C:\Windows\system32\Albikp32.exe
        296⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Aaoadg32.exe
        
        C:\Windows\system32\Aaoadg32.exe
        297⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Appaangd.exe
        
        C:\Windows\system32\Appaangd.exe
        298⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Aemjjeek.exe
        
        C:\Windows\system32\Aemjjeek.exe
        299⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Bpidhmoi.exe
        
        C:\Windows\system32\Bpidhmoi.exe
        300⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Baojkdqb.exe
        
        C:\Windows\system32\Baojkdqb.exe
        301⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Cpbgnlfo.exe
        
        C:\Windows\system32\Cpbgnlfo.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7920
        
        C:\Windows\SysWOW64\Cadcfd32.exe
        
        C:\Windows\system32\Cadcfd32.exe
        303⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\Dcjfpfnh.exe
        
        C:\Windows\system32\Dcjfpfnh.exe
        304⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Dpnfjjla.exe
        
        C:\Windows\system32\Dpnfjjla.exe
        305⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Dekobaki.exe
        
        C:\Windows\system32\Dekobaki.exe
        306⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Dphipidf.exe
        
        C:\Windows\system32\Dphipidf.exe
        307⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Epjfehbd.exe
        
        C:\Windows\system32\Epjfehbd.exe
        308⤵
        Modifies registry class
        
        PID:8992
        
        C:\Windows\SysWOW64\Ejbknnid.exe
        
        C:\Windows\system32\Ejbknnid.exe
        309⤵
        Modifies registry class
        
        PID:9044
        
        C:\Windows\SysWOW64\Eplckh32.exe
        
        C:\Windows\system32\Eplckh32.exe
        310⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Godehbed.exe
        
        C:\Windows\system32\Godehbed.exe
        311⤵
        Modifies registry class
        
        PID:8820
        
        C:\Windows\SysWOW64\Gcbnopkj.exe
        
        C:\Windows\system32\Gcbnopkj.exe
        312⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Gfqjkljn.exe
        
        C:\Windows\system32\Gfqjkljn.exe
        313⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Gmkbgf32.exe
        
        C:\Windows\system32\Gmkbgf32.exe
        314⤵
        Modifies registry class
        
        PID:8424
        
        C:\Windows\SysWOW64\Gfcgpkhk.exe
        
        C:\Windows\system32\Gfcgpkhk.exe
        315⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Gmmome32.exe
        
        C:\Windows\system32\Gmmome32.exe
        316⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Gjapfjnb.exe
        
        C:\Windows\system32\Gjapfjnb.exe
        317⤵
        Modifies registry class
        
        PID:7192
        
        C:\Windows\SysWOW64\Hifmhf32.exe
        
        C:\Windows\system32\Hifmhf32.exe
        318⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Hppedpkf.exe
        
        C:\Windows\system32\Hppedpkf.exe
        319⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Hfjmajbc.exe
        
        C:\Windows\system32\Hfjmajbc.exe
        320⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8636
        
        C:\Windows\SysWOW64\Hapancai.exe
        
        C:\Windows\system32\Hapancai.exe
        321⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Habndbpf.exe
        
        C:\Windows\system32\Habndbpf.exe
        322⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8708
        
        C:\Windows\SysWOW64\Hjjbmhfg.exe
        
        C:\Windows\system32\Hjjbmhfg.exe
        323⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8756
        
        C:\Windows\SysWOW64\Hcbgen32.exe
        
        C:\Windows\system32\Hcbgen32.exe
        324⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Imklncch.exe
        
        C:\Windows\system32\Imklncch.exe
        325⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Icedkn32.exe
        
        C:\Windows\system32\Icedkn32.exe
        326⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Ijolhg32.exe
        
        C:\Windows\system32\Ijolhg32.exe
        327⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Ipldpo32.exe
        
        C:\Windows\system32\Ipldpo32.exe
        328⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Iakajagl.exe
        
        C:\Windows\system32\Iakajagl.exe
        329⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Ipqnknld.exe
        
        C:\Windows\system32\Ipqnknld.exe
        330⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Ijfbhflj.exe
        
        C:\Windows\system32\Ijfbhflj.exe
        331⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Ibagmiie.exe
        
        C:\Windows\system32\Ibagmiie.exe
        332⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Jinloboo.exe
        
        C:\Windows\system32\Jinloboo.exe
        333⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Jbfphh32.exe
        
        C:\Windows\system32\Jbfphh32.exe
        334⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Jaljaoii.exe
        
        C:\Windows\system32\Jaljaoii.exe
        335⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\Kkdnjd32.exe
        
        C:\Windows\system32\Kkdnjd32.exe
        336⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Kipalpoj.exe
        
        C:\Windows\system32\Kipalpoj.exe
        337⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Lckbje32.exe
        
        C:\Windows\system32\Lckbje32.exe
        338⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Lgkhec32.exe
        
        C:\Windows\system32\Lgkhec32.exe
        339⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Laqlclga.exe
        
        C:\Windows\system32\Laqlclga.exe
        340⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Lpfidh32.exe
        
        C:\Windows\system32\Lpfidh32.exe
        341⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Ncpelbap.exe
        
        C:\Windows\system32\Ncpelbap.exe
        342⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Naaejj32.exe
        
        C:\Windows\system32\Naaejj32.exe
        343⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Nnjbdj32.exe
        
        C:\Windows\system32\Nnjbdj32.exe
        344⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Ngedbp32.exe
        
        C:\Windows\system32\Ngedbp32.exe
        345⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9148
        
        C:\Windows\SysWOW64\Nnolojhk.exe
        
        C:\Windows\system32\Nnolojhk.exe
        346⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Ocnampdp.exe
        
        C:\Windows\system32\Ocnampdp.exe
        347⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:956
        
        C:\Windows\SysWOW64\Oboakhmo.exe
        
        C:\Windows\system32\Oboakhmo.exe
        348⤵
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Obdkfg32.exe
        
        C:\Windows\system32\Obdkfg32.exe
        349⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\Peddhb32.exe
        
        C:\Windows\system32\Peddhb32.exe
        350⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Pqkdmc32.exe
        
        C:\Windows\system32\Pqkdmc32.exe
        351⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 400
        352⤵
        Program crash
        
        PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5732 -ip 5732
1⤵
PID:5296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acppddig.exe

Filesize
148KB

MD5
5ee992a6d0a2813904feb74150a17669

SHA1
92d8b892cc3b04658578dfadf4aeaafb159d1302

SHA256
965f41fcef02d3f5c35d2558958a7ee62df45546c4c2af535ccfee52fd68a00e

SHA512
255796f107eacb6231f6349a4450f8036123c1c80b2342ec1c1dff4f38554fd620177a2def198809fd59d08ec8abce35d6370d43289cd4096c2aefa1be142146

Download Submit
C:\Windows\SysWOW64\Aijeme32.exe

Filesize
148KB

MD5
6d5df72f4af56a2887fcd62c98d0937f

SHA1
8c97944bf086890d984c4be1a3c661467df7e3ca

SHA256
b6783696214b31e1c5e1c718f647d48f1606849159ddf343784ef3fa4a488d5c

SHA512
20546ed6274ef37a2092d76af4202cbcac8400eab84fc130bbe3db424ff785e5049c4a324e4233bd0cf70169538b79c23cc48dbb4523240250f54312456d0942

Download Submit
C:\Windows\SysWOW64\Amoknh32.exe

Filesize
148KB

MD5
2d219e51dc85a4ced9859f243e97f9bf

SHA1
7fb09e4e647d0f22604154724fe18461a7091190

SHA256
33843c7d90a5be69b15194f2d6be4054542cb308ae1afdac17a92f9617337fe0

SHA512
4e03c8d6431d4a17ce20d4f237de4c492c5a51d59edf90bc656630212d611663e4cc163e94ca6968a291c13b9e78e099a993c8663f587e001bb417dfb058ced1

Download Submit
C:\Windows\SysWOW64\Bfieagka.exe

Filesize
148KB

MD5
d435f2b367304bcfda20d636dbf73cac

SHA1
5f79665d024211c21a8c19761fa2d9f1b52ab2a2

SHA256
a34d8ae0f392c5ab931ae3cff0202da338933c1fa729a938392e0014958e20f4

SHA512
4072cf7aab72f905d96e0b918f52d9106d507491b2a26eb903312b9c4bec901e08b923a2809024e3617ebaad0978793183fdf83314b871f2c4b868962096d48f

Download Submit
C:\Windows\SysWOW64\Blnjecfl.exe

Filesize
148KB

MD5
804247e1ffbe9bd480fc6e6be4731527

SHA1
ff252dcb6785867d276455b5e10ea1410c11028f

SHA256
2673f168716c6e5db9466911e84513daedb2a16644f0fa82d2f117566930354d

SHA512
7edeaa35c9b46d451bb5ee333daa5ee9ec8afe55a0788b87fd1bb5b16b6838f4a21c91991870946e4f1c6a1cc483805a020d577f64c48c9dea4960aea7d842b6

Download Submit
C:\Windows\SysWOW64\Bnfoac32.exe

Filesize
148KB

MD5
9b218771ad1c4fab32f8be406dc423de

SHA1
eadd7a345bba482d959eb4cb3a9cf6d14b440d4d

SHA256
6813f0e55df81bdf972fa84c07db4641d677dd21ed17dbe50ec109c40186bd38

SHA512
0c1aa7e2023df45d8817a8b4e4bb903fe06f69f63290b91fc3390ddef7b23608269f2294c92a6507c85e81fdb5379a5b2615396aa59bbaf254c5c86ada8bc322

Download Submit
C:\Windows\SysWOW64\Cppelkeb.exe

Filesize
148KB

MD5
b3c30d128e77e03dee368e2363f38fe0

SHA1
68814ac2778fadbf02ffd95a1fb2c369a3f8680a

SHA256
919fd56140df57c74093e57d5ce2327453ef979088b2edac9913e2d6a493560a

SHA512
61395ea9bc9b32ee8fe948ba528b5f0c1579a3dba7b552ba5e379d9f2e1f2591b8b9dd1326ea75c32df8c6d566786001f4490f522958896d4c983b03a35056ae

Download Submit
C:\Windows\SysWOW64\Dgdgijhp.exe

Filesize
148KB

MD5
4b420999eca7a664f4e1192c52c8fc77

SHA1
ca492501ae58af05e4ddc0e27852072cc59364c6

SHA256
8137597d1bef86a317af823ddc0a0185b72ec72402c28d6489a35fb88f381689

SHA512
04a073fbbb168228425508b2f9c326b0f7b6ae76af9f8f67b9dc997d1d0f5c07708a99cbbc5fae4fcb31ba6aa5b58c99f5abe694d6fd6f409ce6347aa7f77bba

Download Submit
C:\Windows\SysWOW64\Ffpcbchm.exe

Filesize
148KB

MD5
a05bd795667614f39b3520c05c6ca185

SHA1
4e31223e07bdab96814f6129e3da0e0e1067ec62

SHA256
103f22626a60e1967b2b7fac8ec22a05cf6c1f77215c1bd46f7cf20b726c4b14

SHA512
4e40377216e8e75c36548fdf0a97ca664ef71a9022fcb7d5740f773d775a3d5812eb95bb651dcba9a4bacf98de0bf04c1475e0a42f9ea5290b856bc446561108

Download Submit
C:\Windows\SysWOW64\Fikihlmj.exe

Filesize
148KB

MD5
b15d7c802ebe70d0fe9e7b24e79fa316

SHA1
9548cc7adfa77c9272e423fc83236b89d0475631

SHA256
9cdcd40f0fd075363d0fb42d5a7aecc71058c0abcde156ac0e2e814eb33c4263

SHA512
26bb2871a7e369ac8aba9bd684a3991bc076fe27c49b732839da5e296062014a8835ec8ce06cc0aea9d3fc05b01c829e5935f4b16eb8b8a38756c345e38b8135

Download Submit
C:\Windows\SysWOW64\Fnnimbaj.exe

Filesize
148KB

MD5
9c009784e231943fef69c16f44723f9c

SHA1
df246e4296d6b054491f8017ce65bcfaa2c87456

SHA256
6f5b77e5572291ea3f0c8aaf0dc130c2c956b2521a24fb327511fc90fc96c37a

SHA512
170a81c372d2575ed05e327102a392cbe8aac9f1ab837e4943a6ba20235f5a04980ab321cfb1bb399192eb425566be7e264d096f3b56d786ffdce550562afca1

Download Submit
C:\Windows\SysWOW64\Foonjd32.exe

Filesize
148KB

MD5
1406d154cc367b50c8c8b39b754377d0

SHA1
daef6541fe8c091a31143ed55f61bf898e20c826

SHA256
07eb24736fed0c35cabdca2e80e3fec21c78eb8ae19eee0f52ce918cfcbe2b5f

SHA512
7f5b93cf201cc8fed554329974dac2151c0627831a24269fddca4b812de5d3dcc915baacea5e44d07a2da3225d1893eb7661e92d7a612e9974862fc985f7d3da

Download Submit
C:\Windows\SysWOW64\Gdhjpjjd.exe

Filesize
148KB

MD5
21c7b6c611ccb9797118fd6afbc1b1ae

SHA1
831d88a0dc6f6f12d9233c052f63e31eb51cad25

SHA256
90c7e7a5e6d7c2985ba79bc7384848b6aedc0afd29496389f4aed690015f7126

SHA512
b95f7962f2b9eb08e50574f1dbcaad53b07193ef97b7bf17de9e68d1c836212edae976d046981d088280580efc9e112d0e459ada5c996ac3219546d8d047b3c9

Download Submit
C:\Windows\SysWOW64\Gnlenp32.exe

Filesize
148KB

MD5
e88dbc7213667f4744f8666203591f97

SHA1
0d3652c1dd17a214163b611012201126f013652f

SHA256
330bf8980a86a50bf7eb702f1fd6a62a00ed26ce593fee26fdb9baf5ada0ab35

SHA512
cf4e382a1d4af7fb2f45ab1918cba4fc174425c31453483dc21be075958de16cf4ab07b8cff056a4eba6b4c37a9fe5252512409b2250ad25d400088b28d9113d

Download Submit
C:\Windows\SysWOW64\Hgpibdam.exe

Filesize
148KB

MD5
b56d7558b0625477aa81e5da67389ab0

SHA1
77db7ecc719d73bdf90ed8c3b07b88dfdfb70936

SHA256
9a0160c4ea2c13739927358ab410186730437b543199ef6cd831a4d0fc8489a7

SHA512
27d16e0bf44b69e392d5810e20c9a3a52bbe36d677ee94ed0c48c4682425503de017c2ca07f4d969b5340f75ac25025267011d47edaf8f4f841672447961bf31

Download Submit
C:\Windows\SysWOW64\Hmlbij32.exe

Filesize
148KB

MD5
cf5efb6d86449ad400940de7066d30c8

SHA1
c5977d0b1b3b7875d5c7d39960a4cfd2d355c8d0

SHA256
34ec47421c74c610fa53f52ce5bbd282c43df529ae3446844b8943f1e360107a

SHA512
4dd3d517f7e6a4d62b497a8177a9e8cc10d0bbd3718c7bf1255bc9d8fcbb282208ebfea7803df67ebddea53684310d07992c14486568a7a2af0ddc7506597f18

Download Submit
C:\Windows\SysWOW64\Hmpnqj32.exe

Filesize
148KB

MD5
1f2a2f53ea12b63ad4b129231b24ff2b

SHA1
8a214a5015b1a4b470ac0dc6ded6f7a8a58583b9

SHA256
84b0d7b7b119b19e57399762b3d658827c93e37c0ec88d028a18944fd4808721

SHA512
4d38e256ad13af23095f6753494df69a4380322df6ae1571a6dcc580cfcaa6fa29192c86dd919ac4ad25d2cb31f6a005d8f18467054c04d31be1809601526370

Download Submit
C:\Windows\SysWOW64\Idkpmgjo.exe

Filesize
148KB

MD5
b17aee4a4d6a3716367781e867c7b503

SHA1
89ac898f7c2ed4184c323ae26f0eb9526adf33c3

SHA256
f1560f882e56f860afb6c0463d14eab3c9f867dac7e493dda9b14348090d63c1

SHA512
a4b2cf34cea6088aab3a16841138f49b61820538b6b06a3ecd96b1e0e77372a32a0cbbd4b173a01555e9da93c70f050ce242e2b7117d405d508ce963bae98fdf

Download Submit
C:\Windows\SysWOW64\Iedbcebd.exe

Filesize
148KB

MD5
492f441db7d99a61745ba898f7ab402c

SHA1
786e2a9738baa262a99c61c0222aa5a94dcb67c7

SHA256
2ec2484f381c94adbe24dc46b376c17344e2c9f9dda1a9965aa26bbe99029553

SHA512
9c1e7e5e5600a0efbb92663faa93bb454340c92a591f9084ad6b26d624a3e72eb183c4a0f34ba5984338a49be50b3ecdb0e2faab90512a91eb832424319d9fef

Download Submit
C:\Windows\SysWOW64\Ienlbf32.exe

Filesize
148KB

MD5
9b36fbb705bfd65c118a55cfeded7b42

SHA1
fe1d4a0c32d92577437bca4a7f990109e0934c0f

SHA256
cdf2491d627a99d52042a95899ee96ff0773196a7a05a86a796ca3280b000f4a

SHA512
ceb91907936c78fa06d40b45baca56e12a7a8ec68c3362cc39a32effce5c1a88d4ae7076f18c5f73d175369b183e77a23a4ad891df2227005c8df16b4768aaa5

Download Submit
C:\Windows\SysWOW64\Jjfdfl32.exe

Filesize
148KB

MD5
ea925d301281c6e9a6ace33bd95144af

SHA1
f582be254f45ddc1e459a39deb2b821080d5e070

SHA256
e8451aac964a9ac121c0b0bce72b448b34eade0413b1379da391d6f832a243d8

SHA512
ec6060c6e64de6fef319478848f8f817979023b7f2fe14125d3899f456685fcad225bbd6d07fec76dfa40faf4c2743745835ce6db1e0b18a68a3e34a3ed553af

Download Submit
C:\Windows\SysWOW64\Kaqejcep.exe

Filesize
148KB

MD5
a2a3f8d4114aac3ab9981e0c380a8988

SHA1
754c262cc9a57b67187e03b23667821554e9f5e5

SHA256
dfd2ffc72da5b5dfe280713fc8ea3150ef2c26e04356d3e1e02e48ddbb374fab

SHA512
57c7f162bca68cfbac8ca244e691dc58152a53257616d9ecdf45cb5552bf3280b3aaaf73e431d53febb764f1b7157b842c157f5193b86ce5c7aaca1cbf7ae884

Download Submit
C:\Windows\SysWOW64\Kmbmdeoj.exe

Filesize
148KB

MD5
a12539fd746b7aaa0c6e516876079262

SHA1
e63459b3e080bd642f8b4501db208efb83d893e2

SHA256
a814c45c777368309dd27f778e42199e18114c07050edae9c58f435bb7f8531a

SHA512
f00123c7bc7baff2408c090f6c376978a453659e052ff59925935d5b049bde01526154dde9bfe222d1370d006d1dc67e038fde2fb826e336b579328276a5da6f

Download Submit
C:\Windows\SysWOW64\Kmppneal.exe

Filesize
148KB

MD5
d0d9ec36cf7720b8edccf9c6f193706c

SHA1
d022de11b8de28d189b81f62b21f207c47518a8e

SHA256
b4f99f11367da413b889b8ebca01237cb3ba5dd8d3c1d3bd70d57517a9ac2824

SHA512
ba4872725408c8900e3a7bfdb9b830e45ac7f4321cd04ded0656906abdd79b770a003fb11db65a6d9f3e7d9ec3e87101ae99d0ff7f60f4c419435bb93e08aaf0

Download Submit
C:\Windows\SysWOW64\Leqkeajd.exe

Filesize
148KB

MD5
778657010c76a5e11ea5a8aa8c72cda0

SHA1
a49c3c01fdc6d17ea3aac370cd138b5fb8344c05

SHA256
8e52c490e922df74cdc988bdb55aa717764d7cbf9f1502fc283d64aea9a21c9f

SHA512
c21d7a603300b84a951fa24899476c7c50e0c6a40b47acd7951a4567be6542ac1a01d87c9d6bfe0b8d5a992c1e69ff3229f6bd6b9448a75e1cf6894ea0358e5e

Download Submit
C:\Windows\SysWOW64\Mgkjch32.exe

Filesize
148KB

MD5
22e1338ba2fb72ffa25a911233762777

SHA1
3a513e40d00fc37f8b849422d90a04cdd60f6342

SHA256
73a388f2a2bcf4b45c8220b76d6bff84a3cc49d0252cfbac984a5e27f35d0782

SHA512
f8cd0db7c9df567c18929be3de6e0d45f5ec337d5110f2494f9aab38ba666d226fe91ba909c4e87e14ec645cc7fd2fd897eee7beb769e35fbc0eb5a94e3f2244

Download Submit
C:\Windows\SysWOW64\Mkgmoncl.exe

Filesize
148KB

MD5
539b371d212cc049272e57d4a3dc56e8

SHA1
b5a8a273d33d806dc42169a9e3d3eb16fb3b8f63

SHA256
2031f811e1f2e7ade1002779c40690a7915a286f5db0ebb2c6034189f6e0053e

SHA512
5c6d76b5f0dde74e604cc62d333269ff85c629c724f60304134c187fa5b4d090f22b09d71b1b8599638f3c7ed9790cf8e8e14156dc217dbc8fb43be18afea080

Download Submit
C:\Windows\SysWOW64\Mmghklif.exe

Filesize
148KB

MD5
3ca4eda1fcce60495988083d8d79f310

SHA1
30038b6c195a7997966f9fa258a709b5955e4764

SHA256
b12406582cc2bcd628f132d4dd57c49d194a164dda61ce1c517d8ebd07908e94

SHA512
f1742cc7d142b5bcb1e48481a32881ca74b7a15dc6f091dfc4b1e70487701f700e12c3920bf7eedf41d7995419667e5bfb7240b923b2d977cbd40a9ba2866e29

Download Submit
C:\Windows\SysWOW64\Ndmgnkja.exe

Filesize
148KB

MD5
3b451b7e6a9f65d446363255aee19cd2

SHA1
c7136e2a3d9f66aa6be55ac04efd8561089de14d

SHA256
521b1a975419f8ea8ce7e049b60a2b6a4a4c6f01e5a08d645303d05ff0459a7e

SHA512
5beaa633fdcc535f5eaf3c28adb8449919a5362ec4cc79451459ad962449ef48e387e53363a937ba693e9d1ba03148bcfadabedc084cd4702c1e7f1f3828d364

Download Submit
C:\Windows\SysWOW64\Nidhffef.exe

Filesize
148KB

MD5
c0757cc7fc8f9d0dc4bfaa19106057dd

SHA1
198bcbb62d54920ed8f3cf3d8e75a6c39f799e13

SHA256
daee014ec8cb55b2988429f3b3fc3528a7454db18c295c73f36da94823c2745c

SHA512
d72c08c10cd6636c7c253bffc590fb67dce3ee48e7acffed4e7c17073bef1d0c7d1798ea139dae7b1a312eef7d02d688480d0031ed57cd59887adca0c246b158

Download Submit
C:\Windows\SysWOW64\Oacdmo32.exe

Filesize
148KB

MD5
91fbd6ae80b78833a8d644c9dc5d2453

SHA1
55e63fe27261f847d9eeb9356bfe7298da2a2002

SHA256
0e13bc1c74550213d320bfeffc413441e1c1e3d73aa81709f76c27c38c050d6a

SHA512
3482126d5e24092167e3ea13403ea0ecd72dfdc4380ee722b6d91d821405c99e2e27bd6a3c8bf1a72c17c29b6b581c731e841186edab939a01bee16076ff6677

Download Submit
C:\Windows\SysWOW64\Ofijnbkb.exe

Filesize
148KB

MD5
ac3538db8129879771e0c8a8bf68b569

SHA1
64f82a9f26a3293f5cd571554ab7fecbdd9efb90

SHA256
929e00f2a216e3f42854f707bb7f61c617fdd1ffddf9a80ade0750b0da20e5bc

SHA512
7329b7dd6cf03033a2d9740339ef4024a39e9c42577c61164fc024a88847b8369ee34dd8a946919feeaa5b6e7648bd4ecfaa0b4ecaa404fa5bfc75df8b59c305

Download Submit
C:\Windows\SysWOW64\Oheienli.exe

Filesize
148KB

MD5
b389010e22624ce31393bb2cd8f6e778

SHA1
8d7a17228c623aba5ef5f44b5a9a261517d33850

SHA256
a4fa42f8567d11c6bfb8e9862629eba0b0afa9436feb5851735a84bb6c01d8b9

SHA512
6584e75c700ad3387044186aaf744dbf762ac1bd401bd30ebb6ace8c323ab6bffc0872fc414c1f8e3b9b6fef4be123fb64b1b6a86f3bc10fdca692a307d51a43

Download Submit
C:\Windows\SysWOW64\Ohqpjo32.exe

Filesize
148KB

MD5
2848dd6be633acc8d7838b4605730d12

SHA1
24221a58def96ffa46bd7d41299a7818a9f92a5d

SHA256
ad82ea281c3584f75aa1ac1fc2e01f9b6d16a24723b3dd4066042925777bde74

SHA512
ab10d1272040c28e8bdbdbd72201d95713f5d19bef1dc3e87228c910093492524bf9a89dc2a666742122e507c3a24e3cdac923d22c14aa7521e259f446a424a5

Download Submit
C:\Windows\SysWOW64\Pbfjjlgc.exe

Filesize
148KB

MD5
11e95869ed1de6f1eb1c7a071077a4db

SHA1
2fbe45f11e91e83f8660faa2991bae263a927ec2

SHA256
9732cd2207d2fcd7a7a5bcf82dd134705912ee6ba60cc9780af9c6267d9bcff5

SHA512
6511073f0c5fd6b4145b8009cf6d6b1b59279d5f56abd824e18fb970cbdf43f88943b9c1c2340c9a19eca65ddf9b96c15ed342640a734b5b8cd53354ed724352

Download Submit
C:\Windows\SysWOW64\Phbolflm.exe

Filesize
148KB

MD5
51197c21c54a8c3931bf5d23eda60bb5

SHA1
2d19a33eeeeaad6f58a8df1aa8fc003f5c21679a

SHA256
247c7f570f156cf4981dac823859392fce37f5d6ec0308a491b6d6ac8b3efd50

SHA512
00c8c4035f022716a6dd4f63f165c5f5e85a0c4e79b9cf7ac96ce8249f90c0ea7be786e5d572bca655ec9fd3f0e61d95170fc81397cb37dca661557707c873b7

Download Submit
C:\Windows\SysWOW64\Pmeoqlpl.exe

Filesize
148KB

MD5
bec8e735b9a99fff81820a325e08f919

SHA1
430d44bac15c2b41a33ac2fbfb9546be453f18a5

SHA256
14967bb8100c4e501c274a3bf01e050f32c3b11704709c6e1b8fee02ccf5a3d9

SHA512
f73134c4fbfa311e83ba03a28b2af6e21df4ba3e664540c03d743713d26a3a5c06f630bf6a529319fc2ddbadbab35c450efd85c9e79b42e749431e3befaa5835

Download Submit
C:\Windows\SysWOW64\Pocdba32.exe

Filesize
148KB

MD5
610548fdb2f7f929824eef871b911379

SHA1
1ccbf83036b1c7d59da9e4d746978d1c7231f901

SHA256
4578b09d4cc65b5ac3a15a1ce67bf86cd98605ddf7536553f51c2fa50df26d4f

SHA512
d706f321b0c320377827e654fc1d739956c177c699c86d5bdce9fcfcc89b39f68ef324dfa2e39d7d9bcbf9a0ecb2cb3e9b42e853005012808be362fc2a2f6af2

Download Submit
C:\Windows\SysWOW64\Qbmpjkqk.exe

Filesize
148KB

MD5
c202382c580b281a2d584ebb6b8c73a3

SHA1
de48781ed4c5eb7c6d5060de58a263c00055659f

SHA256
abfc4304b32c2d86695d48b9b172de02a8404076917c93fa0f63b0aff5ff3414

SHA512
60d1764802d0788402b81df8bf29aa387531f2c015a921c06f720e4d92aaf5d250253c3dedd18e30369e4be48b99a810cb37f80019fab9b5a562c6021c8bfa54

Download Submit
C:\Windows\SysWOW64\Qifbll32.exe

Filesize
148KB

MD5
c7b50e09e0512e2beb366987a67303a9

SHA1
13c58bfec23bfb191df6be060663aae499160154

SHA256
250de3477a63a76bc04d90368f178d5f3d8c6139937bd049c439c161bd7617be

SHA512
a52135b26987494b22d647aef3c36d3756dbe5f14821ebc992b7bc6b18cb976871f88220dfa377c7a2f08d5a2420cfb116e51f57b25aa655e3be6f152ba5a091

Download Submit
memory/552-289-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/760-91-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/832-203-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/868-37-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1084-2-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1084-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1084-81-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1152-139-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1168-231-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1304-58-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1552-114-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1688-66-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1860-187-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2028-272-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2608-248-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2684-255-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2736-244-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3088-41-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3140-17-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3356-123-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3552-131-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3628-303-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3672-50-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3692-25-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3784-278-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3828-270-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3880-212-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4048-178-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4060-154-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4180-162-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4364-195-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4476-106-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4540-170-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4552-77-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4736-227-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4776-10-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4796-146-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4952-291-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4996-297-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5100-98-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5140-309-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5148-468-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5180-315-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5232-321-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5268-471-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5284-331-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5328-340-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5368-341-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5416-352-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5460-354-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5500-365-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5544-367-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5588-380-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5636-382-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5688-395-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5744-403-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5796-411-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5844-419-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5896-421-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5944-428-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5984-434-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/6024-445-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/6068-453-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/6120-463-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads