61d3e5f8aa51266c2d493d9eb5932c7cc9ba0ef96069b6d7b0ffc552897ca008

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61d3e5f8aa51266c2d493d9eb5932c7cc9ba0ef96069b6d7b0ffc552897ca008.exe
Size

232KB
MD5

68ca53c412f16dd865c1330003da1d51
SHA1

00fb72bd17e171867096e1b459232e749252a0ba
SHA256

61d3e5f8aa51266c2d493d9eb5932c7cc9ba0ef96069b6d7b0ffc552897ca008
SHA512

7e0bcf1b692bde09ef5469e8ce7dc28a1ad9bd5fd910bbdfb4bc0d4aa5d243e7571dbc7fbd1646e0979e8b852a188ba3d9151dc27578eb0d07800dd175005df9
SSDEEP

3072:F2Pz8Gt9wKnwD6aT5JY7usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121Tzlz:FygKwD/Y6s21L7/s50z/Wa3/PNlPX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dekhneap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flnlhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiefcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abngjnmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chbnia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehnglm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbllbibl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkalchij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmknaell.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgallfcq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aacckjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmpcdfm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conclk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehnglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdlnbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkhbdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkaejf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gomakdcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhjfhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbbgnpgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chghdqbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dekhneap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gohhpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cliaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffkjlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gokdeeec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe

Executes dropped EXE 64 IoCs

pid	Process
5072	Pjkombfj.exe
812	Pbbgnpgl.exe
1696	Peqcjkfp.exe
4432	Pkjlge32.exe
4728	Pnihcq32.exe
4348	Qecppkdm.exe
1304	Qgallfcq.exe
4288	Qeemej32.exe
3860	Qgciaf32.exe
5040	Qjbena32.exe
2064	Anpncp32.exe
3108	Abngjnmo.exe
2072	Ajiknpjj.exe
2764	Aacckjaf.exe
3064	Ahmlgd32.exe
2512	Ajkhdp32.exe
1548	Adcmmeog.exe
4560	Ajneip32.exe
3500	Bjpaooda.exe
4488	Beeflhdh.exe
1816	Bbifelba.exe
4036	Behbag32.exe
2308	Blbknaib.exe
2504	Bdmpcdfm.exe
4376	Bhikcb32.exe
4824	Bbnpqk32.exe
816	Blfdia32.exe
4672	Boepel32.exe
1736	Cliaoq32.exe
3320	Cbcilkjg.exe
5116	Ceaehfjj.exe
4504	Cojjqlpk.exe
2780	Cecbmf32.exe
4676	Chbnia32.exe
2036	Cbgbgj32.exe
1776	Cefoce32.exe
3288	Chdkoa32.exe
644	Conclk32.exe
4544	Cehkhecb.exe
4424	Chghdqbf.exe
2720	Ckedalaj.exe
4360	Dbllbibl.exe
3896	Dekhneap.exe
4592	Dldpkoil.exe
3084	Demecd32.exe
2012	Dhkapp32.exe
4636	Doeiljfn.exe
4772	Dlijfneg.exe
4680	Dohfbj32.exe
2228	Dddojq32.exe
3060	Dhpjkojk.exe
1812	Dceohhja.exe
3976	Dedkdcie.exe
1876	Dhbgqohi.exe
2872	Ekacmjgl.exe
2244	Echknh32.exe
3324	Eefhjc32.exe
5032	Eoolbinc.exe
1336	Edkdkplj.exe
4904	Ehgqln32.exe
1796	Eapedd32.exe
1680	Ecoangbg.exe
4884	Edpnfo32.exe
3544	Elgfgl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cbeedbdm.dll	Liddbc32.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Fafkecel.exe	Fcckif32.exe
File opened for modification	C:\Windows\SysWOW64\Hkkhqd32.exe	Heapdjlp.exe
File opened for modification	C:\Windows\SysWOW64\Ibnccmbo.exe	Ickchq32.exe
File created	C:\Windows\SysWOW64\Dgdelcpg.dll	Jpijnqkp.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Pbbgnpgl.exe	Pjkombfj.exe
File opened for modification	C:\Windows\SysWOW64\Jpppnp32.exe	Jlednamo.exe
File created	C:\Windows\SysWOW64\Kdnidn32.exe	Kmdqgd32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Cbgbgj32.exe	Chbnia32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dlijfneg.exe	Doeiljfn.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Pjkombfj.exe	61d3e5f8aa51266c2d493d9eb5932c7cc9ba0ef96069b6d7b0ffc552897ca008.exe
File opened for modification	C:\Windows\SysWOW64\Abngjnmo.exe	Anpncp32.exe
File opened for modification	C:\Windows\SysWOW64\Iicbehnq.exe	Iehfdi32.exe
File created	C:\Windows\SysWOW64\Lpqiemge.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Ickchq32.exe	Ildkgc32.exe
File created	C:\Windows\SysWOW64\Klimip32.exe	Kikame32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Qgallfcq.exe	Qecppkdm.exe
File created	C:\Windows\SysWOW64\Blfdia32.exe	Bbnpqk32.exe
File created	C:\Windows\SysWOW64\Iedoeq32.dll	Hiefcj32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ilabfj32.dll	Blfdia32.exe
File created	C:\Windows\SysWOW64\Kmdqgd32.exe	Kemhff32.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Gbgdlq32.exe	Gohhpe32.exe
File created	C:\Windows\SysWOW64\Pglcddpd.dll	Hfifmnij.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Hbnjmp32.exe	Hopnqdan.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Fdegandp.exe	Fafkecel.exe
File opened for modification	C:\Windows\SysWOW64\Kefkme32.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkhdp32.exe	Ahmlgd32.exe
File created	C:\Windows\SysWOW64\Fgfkkboc.dll	Eepjpb32.exe
File created	C:\Windows\SysWOW64\Hkkhqd32.exe	Heapdjlp.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Kmdqgd32.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Pcbdco32.dll	Cecbmf32.exe
File created	C:\Windows\SysWOW64\Jcbihpel.exe	Jlkagbej.exe
File opened for modification	C:\Windows\SysWOW64\Kmijbcpl.exe	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9228	10132	WerFault.exe	450

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoolbinc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdialn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbnafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiopcppf.dll"	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geplnioe.dll"	Fkalchij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eepjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cojjqlpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elgfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Heapdjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjipjg32.dll"	Qeemej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkjlge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcbpab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gofkje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apignbdf.dll"	Ffkjlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kboljk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbbgnpgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekacmjgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkmlofol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfmfg32.dll"	Ecoangbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkmchi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglcddpd.dll"	Hfifmnij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iicbehnq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkhbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejfpelg.dll"	Hbnjmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfnhlp32.dll"	Jlpkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbifelba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbcilkjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmpcdfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cliaoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhmqf32.dll"	Heapdjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffddka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lepncd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 5072	4656	61d3e5f8aa51266c2d493d9eb5932c7cc9ba0ef96069b6d7b0ffc552897ca008.exe	89
PID 4656 wrote to memory of 5072	4656	61d3e5f8aa51266c2d493d9eb5932c7cc9ba0ef96069b6d7b0ffc552897ca008.exe	89
PID 4656 wrote to memory of 5072	4656	61d3e5f8aa51266c2d493d9eb5932c7cc9ba0ef96069b6d7b0ffc552897ca008.exe	89
PID 5072 wrote to memory of 812	5072	Pjkombfj.exe	90
PID 5072 wrote to memory of 812	5072	Pjkombfj.exe	90
PID 5072 wrote to memory of 812	5072	Pjkombfj.exe	90
PID 812 wrote to memory of 1696	812	Pbbgnpgl.exe	91
PID 812 wrote to memory of 1696	812	Pbbgnpgl.exe	91
PID 812 wrote to memory of 1696	812	Pbbgnpgl.exe	91
PID 1696 wrote to memory of 4432	1696	Peqcjkfp.exe	92
PID 1696 wrote to memory of 4432	1696	Peqcjkfp.exe	92
PID 1696 wrote to memory of 4432	1696	Peqcjkfp.exe	92
PID 4432 wrote to memory of 4728	4432	Pkjlge32.exe	93
PID 4432 wrote to memory of 4728	4432	Pkjlge32.exe	93
PID 4432 wrote to memory of 4728	4432	Pkjlge32.exe	93
PID 4728 wrote to memory of 4348	4728	Pnihcq32.exe	94
PID 4728 wrote to memory of 4348	4728	Pnihcq32.exe	94
PID 4728 wrote to memory of 4348	4728	Pnihcq32.exe	94
PID 4348 wrote to memory of 1304	4348	Qecppkdm.exe	95
PID 4348 wrote to memory of 1304	4348	Qecppkdm.exe	95
PID 4348 wrote to memory of 1304	4348	Qecppkdm.exe	95
PID 1304 wrote to memory of 4288	1304	Qgallfcq.exe	96
PID 1304 wrote to memory of 4288	1304	Qgallfcq.exe	96
PID 1304 wrote to memory of 4288	1304	Qgallfcq.exe	96
PID 4288 wrote to memory of 3860	4288	Qeemej32.exe	97
PID 4288 wrote to memory of 3860	4288	Qeemej32.exe	97
PID 4288 wrote to memory of 3860	4288	Qeemej32.exe	97
PID 3860 wrote to memory of 5040	3860	Qgciaf32.exe	98
PID 3860 wrote to memory of 5040	3860	Qgciaf32.exe	98
PID 3860 wrote to memory of 5040	3860	Qgciaf32.exe	98
PID 5040 wrote to memory of 2064	5040	Qjbena32.exe	99
PID 5040 wrote to memory of 2064	5040	Qjbena32.exe	99
PID 5040 wrote to memory of 2064	5040	Qjbena32.exe	99
PID 2064 wrote to memory of 3108	2064	Anpncp32.exe	100
PID 2064 wrote to memory of 3108	2064	Anpncp32.exe	100
PID 2064 wrote to memory of 3108	2064	Anpncp32.exe	100
PID 3108 wrote to memory of 2072	3108	Abngjnmo.exe	101
PID 3108 wrote to memory of 2072	3108	Abngjnmo.exe	101
PID 3108 wrote to memory of 2072	3108	Abngjnmo.exe	101
PID 2072 wrote to memory of 2764	2072	Ajiknpjj.exe	103
PID 2072 wrote to memory of 2764	2072	Ajiknpjj.exe	103
PID 2072 wrote to memory of 2764	2072	Ajiknpjj.exe	103
PID 2764 wrote to memory of 3064	2764	Aacckjaf.exe	104
PID 2764 wrote to memory of 3064	2764	Aacckjaf.exe	104
PID 2764 wrote to memory of 3064	2764	Aacckjaf.exe	104
PID 3064 wrote to memory of 2512	3064	Ahmlgd32.exe	105
PID 3064 wrote to memory of 2512	3064	Ahmlgd32.exe	105
PID 3064 wrote to memory of 2512	3064	Ahmlgd32.exe	105
PID 2512 wrote to memory of 1548	2512	Ajkhdp32.exe	107
PID 2512 wrote to memory of 1548	2512	Ajkhdp32.exe	107
PID 2512 wrote to memory of 1548	2512	Ajkhdp32.exe	107
PID 1548 wrote to memory of 4560	1548	Adcmmeog.exe	108
PID 1548 wrote to memory of 4560	1548	Adcmmeog.exe	108
PID 1548 wrote to memory of 4560	1548	Adcmmeog.exe	108
PID 4560 wrote to memory of 3500	4560	Ajneip32.exe	110
PID 4560 wrote to memory of 3500	4560	Ajneip32.exe	110
PID 4560 wrote to memory of 3500	4560	Ajneip32.exe	110
PID 3500 wrote to memory of 4488	3500	Bjpaooda.exe	111
PID 3500 wrote to memory of 4488	3500	Bjpaooda.exe	111
PID 3500 wrote to memory of 4488	3500	Bjpaooda.exe	111
PID 4488 wrote to memory of 1816	4488	Beeflhdh.exe	112
PID 4488 wrote to memory of 1816	4488	Beeflhdh.exe	112
PID 4488 wrote to memory of 1816	4488	Beeflhdh.exe	112
PID 1816 wrote to memory of 4036	1816	Bbifelba.exe	113

C:\Users\Admin\AppData\Local\Temp\61d3e5f8aa51266c2d493d9eb5932c7cc9ba0ef96069b6d7b0ffc552897ca008.exe
"C:\Users\Admin\AppData\Local\Temp\61d3e5f8aa51266c2d493d9eb5932c7cc9ba0ef96069b6d7b0ffc552897ca008.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SysWOW64\Pjkombfj.exe
  C:\Windows\system32\Pjkombfj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\Pbbgnpgl.exe
    C:\Windows\system32\Pbbgnpgl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\SysWOW64\Peqcjkfp.exe
      C:\Windows\system32\Peqcjkfp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\SysWOW64\Pkjlge32.exe
        
        C:\Windows\system32\Pkjlge32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
      - C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Qecppkdm.exe
        
        C:\Windows\system32\Qecppkdm.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Qgallfcq.exe
        
        C:\Windows\system32\Qgallfcq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Qeemej32.exe
        
        C:\Windows\system32\Qeemej32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Qgciaf32.exe
        
        C:\Windows\system32\Qgciaf32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Qjbena32.exe
        
        C:\Windows\system32\Qjbena32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Anpncp32.exe
        
        C:\Windows\system32\Anpncp32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Abngjnmo.exe
        
        C:\Windows\system32\Abngjnmo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Aacckjaf.exe
        
        C:\Windows\system32\Aacckjaf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Ahmlgd32.exe
        
        C:\Windows\system32\Ahmlgd32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Ajneip32.exe
        
        C:\Windows\system32\Ajneip32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Bjpaooda.exe
        
        C:\Windows\system32\Bjpaooda.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Beeflhdh.exe
        
        C:\Windows\system32\Beeflhdh.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Bbifelba.exe
        
        C:\Windows\system32\Bbifelba.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Behbag32.exe
        
        C:\Windows\system32\Behbag32.exe
        23⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        24⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Bhikcb32.exe
        
        C:\Windows\system32\Bhikcb32.exe
        26⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:816
        
        C:\Windows\SysWOW64\Boepel32.exe
        
        C:\Windows\system32\Boepel32.exe
        29⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        32⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Cbgbgj32.exe
        
        C:\Windows\system32\Cbgbgj32.exe
        36⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        37⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        38⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        40⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        42⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        45⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        46⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        47⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        49⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        50⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        51⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        52⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        53⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        54⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        55⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        57⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        58⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        60⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        61⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        62⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        64⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        66⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4460
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        69⤵
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        70⤵
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        71⤵
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        72⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        73⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        74⤵
        
        PID:464
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        75⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        76⤵
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2356
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        79⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        80⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        81⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        82⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        83⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        84⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        86⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        87⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        88⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        92⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        93⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        94⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        95⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        96⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        97⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        99⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        101⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        102⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        103⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        106⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        107⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        109⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        110⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        111⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        113⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        114⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        115⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        116⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        117⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        118⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        120⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        121⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        122⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        123⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        124⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        125⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        126⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        127⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        128⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        129⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        130⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        132⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        134⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        135⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        136⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        139⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        140⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        141⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        142⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        143⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        144⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        145⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        146⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        147⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6544
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        149⤵
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6632
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6676
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        153⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        154⤵
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        155⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        156⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        157⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        158⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7080
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        161⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        162⤵
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        163⤵
        Drops file in System32 directory
        
        PID:6188
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        164⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        165⤵
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6448
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        169⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        171⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        172⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        173⤵
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        174⤵
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6984
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        176⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        177⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        178⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        179⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        180⤵
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        181⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        182⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        183⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        184⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        185⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        186⤵
        Drops file in System32 directory
        
        PID:7100
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        187⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        188⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        189⤵
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        190⤵
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        191⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        192⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        193⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        194⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        195⤵
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        197⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7216
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        199⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        200⤵
        Modifies registry class
        
        PID:7296
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        201⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7376
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        203⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        204⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        205⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        206⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        207⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        208⤵
        Drops file in System32 directory
        
        PID:7624
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        209⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        210⤵
        Modifies registry class
        
        PID:7700
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7744
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        212⤵
        Modifies registry class
        
        PID:7792
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        213⤵
        Modifies registry class
        
        PID:7832
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        214⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7916
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7956
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        217⤵
        Modifies registry class
        
        PID:7992
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        218⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8096
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        220⤵
        Modifies registry class
        
        PID:8144
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        221⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        222⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7360
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        224⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        225⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        226⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        227⤵
        Drops file in System32 directory
        
        PID:7652
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        228⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7884
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        230⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        231⤵
        Drops file in System32 directory
        
        PID:8044
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        232⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        233⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        234⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        235⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        236⤵
        Drops file in System32 directory
        
        PID:7644
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        237⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        238⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        239⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        240⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7492
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7740
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        243⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        244⤵
        Modifies registry class
        
        PID:7320
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7552
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        246⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        247⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        248⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        249⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        250⤵
        Drops file in System32 directory
        
        PID:8232
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        251⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        252⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        253⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        254⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        255⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        256⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8492
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        257⤵
        Drops file in System32 directory
        
        PID:8532
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        258⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        259⤵
        Modifies registry class
        
        PID:8616
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8668
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        261⤵
        Modifies registry class
        
        PID:8712
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        262⤵
        Drops file in System32 directory
        
        PID:8748
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        263⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8840
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        265⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        266⤵
        Drops file in System32 directory
        
        PID:8920
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        267⤵
        Drops file in System32 directory
        
        PID:8964
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        268⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        269⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        270⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        271⤵
        Modifies registry class
        
        PID:9140
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        272⤵
        Drops file in System32 directory
        
        PID:9184
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        273⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        274⤵
        Modifies registry class
        
        PID:8256
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        275⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        276⤵
        Modifies registry class
        
        PID:8376
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        277⤵
        Modifies registry class
        
        PID:8460
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        278⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        279⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        280⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        281⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        282⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        283⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8956
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        285⤵
        Drops file in System32 directory
        
        PID:9044
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        286⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        287⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8228
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        289⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        290⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        291⤵
        Modifies registry class
        
        PID:8612
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        292⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        293⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        294⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        295⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        296⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        297⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8544
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        299⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        300⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        301⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        302⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        303⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        304⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        305⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        306⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        307⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9540
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        309⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        310⤵
        Drops file in System32 directory
        
        PID:9636
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        311⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9692
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        312⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        313⤵
        Drops file in System32 directory
        
        PID:9792
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        314⤵
        Modifies registry class
        
        PID:9832
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        315⤵
        Drops file in System32 directory
        
        PID:9884
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        316⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9920
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        317⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        318⤵
        Drops file in System32 directory
        
        PID:10020
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        319⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10064
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        320⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        321⤵
        Drops file in System32 directory
        
        PID:10144
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        322⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        323⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        324⤵
        Drops file in System32 directory
        
        PID:8344
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        325⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        326⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8916
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        327⤵
        Drops file in System32 directory
        
        PID:9232
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        328⤵
        Drops file in System32 directory
        
        PID:9268
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        329⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        330⤵
        Modifies registry class
        
        PID:9376
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        331⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        332⤵
        Drops file in System32 directory
        
        PID:9500
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        333⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        334⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        335⤵
        Modifies registry class
        
        PID:9720
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        336⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        337⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9892
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        338⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        339⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        340⤵
        Drops file in System32 directory
        
        PID:10080
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        341⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        342⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        343⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8516
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        344⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        345⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        346⤵
        Modifies registry class
        
        PID:9348
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        347⤵
        Drops file in System32 directory
        
        PID:9428
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        348⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        349⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        350⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9728
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        351⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9776
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        352⤵
        Drops file in System32 directory
        
        PID:9940
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        353⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        354⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10132 -s 396
        355⤵
        Program crash
        
        PID:9228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 10132 -ip 10132
1⤵
PID:8588

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:9488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aacckjaf.exe

Filesize
232KB

MD5
3bc4c98eae45b7b1b043a317e0a2536b

SHA1
e56a883f1fa56e357dc2595b2918ee77cfdb740e

SHA256
90c65cf3b52cd983e995a27d638289d6cf8b6587fbbc52d6c348d59332fb920b

SHA512
5bd4fcc068deae35e6e74611a1a7e48562fc4beed120fd93eed25b7adb1aaea7e7361ed0f1c036847b0c6d314f25a9745f0d00f767dd83fc2b242397c42846d2

Download Submit
C:\Windows\SysWOW64\Abngjnmo.exe

Filesize
232KB

MD5
a327de24638ec4134925a2833d926c31

SHA1
eefe8d7723f4100b5873e0517462ce8fafcfa91a

SHA256
95c53216b0d20a3fdf7f827d87630e4a0614b0a4db5a18b6333183872cbdb39c

SHA512
76e0f50bfad35f02b3719f8308c85c45510c6204664be443ecee4fa9b8f033aac68ee5f6638da6a27f33ad5d95f6999894b25770840e4505ae8029597d71029e

Download Submit
C:\Windows\SysWOW64\Adcmmeog.exe

Filesize
232KB

MD5
d6efb2399a2e647d3e612be883638ddd

SHA1
dc930ead67889ce17466c9d8384dc356e857e046

SHA256
cfefa12316da484fa2549c70407201ac4d38b6c541fa64265dc008316d01d388

SHA512
d3e351cf37e4b1e8a670a37e5308b0fd08ca25f6c3f42e674580853e55c9c7d8c808259d097e9ccd9e1fcbb3cda1438e017214b0bf8304cfe597ff6f834e132c

Download Submit
C:\Windows\SysWOW64\Ahmlgd32.exe

Filesize
232KB

MD5
5b6d7db4166148a28dfc4355c0ac4cdb

SHA1
dbe7de64678f432176adaae60634f79c1074cea4

SHA256
c2981502919c838ff08bda35a9e4bacb3554f49597fc919e5da0f507539c79b5

SHA512
c66ec3721ac9df1f379cab10d07d186a7b63b72a167cf87c330e66b8f05c145082c2d21d9d1a0bb32f0dffc1deed6ebc0b2dce662d794fe0b6f1b7523ff28f42

Download Submit
C:\Windows\SysWOW64\Ajiknpjj.exe

Filesize
232KB

MD5
9c11198d5071b92a21d66419f5e74066

SHA1
a1af561f4b0a614bf17f336a31ed28e475a57205

SHA256
7eeda28a98651a7239e0883742712f893bec78e4e4575feb00251e28ad564495

SHA512
3f7bc59293c03168223ccd7b7f7e718a21ddb32ba6cd2ab60ed118ced97666bcffdddd3f2f53d00b61e02dcf1b6ddd90067ff487a3b543a5681a64165b485b02

Download Submit
C:\Windows\SysWOW64\Ajkhdp32.exe

Filesize
232KB

MD5
b1929686127b27cf04bf875dfc739e17

SHA1
b7c974302b538fbc039e0b8a6d0b9479919d4e90

SHA256
02f5f2e01d805779b3cc619af6a362c6b71944a27014f129e81e4d17fe08ab75

SHA512
4fc094b8f7b8cbf77ae3163e8673b2e68bfc196b16c2e1ece78aebca6e964cd0da5cf853991933bae51f393fda43d027a90262d436e7a1ec65bf259329f76ecc

Download Submit
C:\Windows\SysWOW64\Ajneip32.exe

Filesize
232KB

MD5
43aa9737ab0a3d38d876ea88fc780f7c

SHA1
29db7088425d751554b7bda9551743ae17e5fff5

SHA256
c61aeb1b1623d0646aea31216eb9551f842d6300ccfd54aab58bd034a0301506

SHA512
4dad84251eafd13949373e7bf188bda6791aeb4802905ed22c2f6924aef50bff4426976f4e95b2b0b280fc2f8e0930f3c3347cef28ee9d6f87dec7f210ff9230

Download Submit
C:\Windows\SysWOW64\Anpncp32.exe

Filesize
232KB

MD5
466a9dab9f41db6127b1b5151c98e3c1

SHA1
8064b08e3b5efcccaa66ffebb5bfb93bc715d8f6

SHA256
f39e4d5a8cfd8c8aa4b9086dce9bd9132be4118ef863471ad5d3630011c3ab4c

SHA512
d710069024b459f5c96b2f1d8a60854c1f6c19b7010a094e659874f9265c5a65d0b1e7ee0f94f3c4f6f8b475cad5aadcdd0e38145c26830c170e1981eb996ec5

Download Submit
C:\Windows\SysWOW64\Bbifelba.exe

Filesize
232KB

MD5
3ff8d56e002e0f8becc2a6c267dd8c5a

SHA1
c9e3ce52c141f84407976f122f5bd13ec852ca24

SHA256
ec6fd5f08a0a58d7c846f56d4236bebe417e4a0492aeb2bade705dc6f138f6e4

SHA512
7eb633d133c2c52bea7af2607cb250815b774d482babd3a17b647f06f8ec73e6b26ef4f5af8ec1eb9bc6742ed6f5849ec43c1e9dff10d96f30a447fe83f33e8c

Download Submit
C:\Windows\SysWOW64\Bbnpqk32.exe

Filesize
232KB

MD5
b14a3c8dbbcf20e36b93a6be2eea320e

SHA1
e7762f2d3f4139e329b10dac483a874155bc30e6

SHA256
f51a3c5c18c528bd9bcf0a7aff73e884f444d9b3f9f67a0e6242fcedf4765068

SHA512
ef2dfa109f2a4680fb9fd20c9b8d453934595fd905fc55c0f318a891179084f2cd0b3bb4a408e1a457039846912de41740c234d52bef22bbb474554d36b4defb

Download Submit
C:\Windows\SysWOW64\Bdmpcdfm.exe

Filesize
232KB

MD5
cf7bfe4ba7bf8792d47a813676a9a785

SHA1
0cc1d66290c494b725e8eadbf9d915af94947abb

SHA256
8a6a80bdc34a8a64239c4b5f48909542d949fde5fc1a5280cf3e9d5d7db4921e

SHA512
e69260bf76f2a03b6a5e68c14b59df62788a6876808cbf68c67462225f585d061a57943a68c6c26a90fcb16738791d8e6ff9857dfa1ce4727ef597e64f0113d2

Download Submit
C:\Windows\SysWOW64\Beeflhdh.exe

Filesize
232KB

MD5
382697ce75153a5f35eb9de245ef6ad8

SHA1
bd5c74521c84a2db7a330d5f2c74d513c3a3871b

SHA256
25abfefe3e17267537eb612f1cc8dc6a621fe528522c3db7a599ba0e10afcf31

SHA512
b20c269d6427c29de9843163f8e9ee4b1dc56aae4133cebc25cd220fe5962eb4e6278ee39699c8820b48491f49296db43587086197c842cb6fa9b47123a2f5d6

Download Submit
C:\Windows\SysWOW64\Behbag32.exe

Filesize
232KB

MD5
592e7d8acfcca96189a6afe53e431fe6

SHA1
45100a66c6039f97a57d53e5da89231610fb075a

SHA256
c5c01a8229f42707e0e62aa24000bf0d012bf7c1f9d47faa279517c849ced693

SHA512
96412843eb23186c5182168d6d19e95bec918d38aaa395f72edee79aca07d004ec64b94b58f61be84586b8291932220ad320cebe9e0eb971d2a3fef73fa2b7b0

Download Submit
C:\Windows\SysWOW64\Bhikcb32.exe

Filesize
232KB

MD5
44ab94d4e240d80a1dfb9e9d1798791a

SHA1
f4a983a3977b8aa6d636429902e4d0d7ca2d0db4

SHA256
f422552012c1f2490f846214d1e61a0608f3143050880194f84aaf54b05cfb3f

SHA512
e7943bcc730c0ff000d6155c4fc197206d37473bd6839185489ef7f1139a81bb65455e94ba69df89764aef897642104b0b7df9990a8a59293a058bb37c2358c1

Download Submit
C:\Windows\SysWOW64\Bjpaooda.exe

Filesize
232KB

MD5
384836d6b98319af2370cdc9d21aaa3e

SHA1
c28a9e518c341f89abb4c2f182c029ea7af02029

SHA256
c926f61b407950753d0430a4a775b5423796623ba6b2b7e4e771f1b5edcec0f6

SHA512
6a00f5b60dcd67c9e90e8986fcf80a7bc3141f224fc6cbd057323c476f04850587378c0ffaac7567cbbd25b7a6997a65ddce9eadfbdd3fa4aa25d89630c12dc9

Download Submit
C:\Windows\SysWOW64\Blbknaib.exe

Filesize
232KB

MD5
2c91bfe64b68aa039e75f6808dec5acc

SHA1
4ee616bafebea9abb756e41f5e3eb98dc1361c79

SHA256
8453033503f8769a076ab6117a955d6466003fc314c13465851b555192b07a86

SHA512
1cd26444a4001c5c6aba1322322efd7cc790afa0c8bd51970b6016ff6094903341a538333ec61634bf779d4a0186704800d4a761a433698a1fdb772ccddb6a89

Download Submit
C:\Windows\SysWOW64\Blfdia32.exe

Filesize
232KB

MD5
bcf837d0250d5528b3768984b983dd5c

SHA1
a0cfe71bfa0350236b3b610bd2bc1705e9bcaf8c

SHA256
64495972b77b81d937722f28c03ffd9619096880db15c05d41ac2b88ed758cc3

SHA512
0eeb35c25a5de1b6b222a345171f8ebd1da030362c7db488b8471c9be5bbf792435261a434fe1bc8a29befa351e73f5ee804b1a51448132811dc40c8134f443a

Download Submit
C:\Windows\SysWOW64\Boepel32.exe

Filesize
232KB

MD5
de5f39abc04c3311da02f89662ec5c71

SHA1
680675185ffac674675273a088d68f4baa0084ea

SHA256
19be275a0a453142fe4422e58ef299a57060f9f7e355d7b9d6423c54c93f7426

SHA512
8e11c263bccd5c3c46d3161295ef2ef5c123a10454393acc89ca6a28787a8445f2eadde21ad670b3f2871d098ed8c25937b62bcfb4eae6df6737d8e30aee4252

Download Submit
C:\Windows\SysWOW64\Cbcilkjg.exe

Filesize
232KB

MD5
6353b5303b63d743267a7695600dfc9a

SHA1
d6a476e54524495217952c37db60ac3cf5195722

SHA256
35671984d3e2627eb4ef2f4ececce4654f3d32de7c09ec162a3547f6ae2bce02

SHA512
d0a8bdfa3973500c1743559b20494555fb6abdd54c3785e4e27971e2c5109a36ddd6dd329305b51dcfb98e64eb2b869d24b30680288d971b95a0922a27407a8b

Download Submit
C:\Windows\SysWOW64\Ceaehfjj.exe

Filesize
232KB

MD5
b8605622c7fc5b48ec938ff6dff587de

SHA1
9d9912d35c7eb32aa905c227c08a0fc519830a27

SHA256
e97d38f5e7fa6f45bddb6829757a8adef72a71e87ac95f7a761f98917343cd84

SHA512
572a35c6e16ea4ad54488811b0a6e7c365fffa48abaaf15b44379f7f69f2620f03aed2acbeacd27ea43c223d8064945cd9f1e2ce53475c0670a1c070e7994233

Download Submit
C:\Windows\SysWOW64\Cliaoq32.exe

Filesize
232KB

MD5
cd97fb909d4a16b2aa7a7418ca0385c6

SHA1
b33c6de55d189c62ed80bb6143a97e98cd7c2ce1

SHA256
b41451a7042daeeabddddeb344d6b5ae51b5bc5e51181fb03c163ad1eb0dcbcd

SHA512
7a66c97e5e318763b2d955b53c45977811b347ee225cf67dc7b36dc1d87460f811e5dc0d0e2dfaa967ed3882673b6136ac4f78d27f340f2addf77cd2b1a49136

Download Submit
C:\Windows\SysWOW64\Cojjqlpk.exe

Filesize
232KB

MD5
316aa995ef5fbf3448cdaaf1d06d0275

SHA1
cb1ef1f65cd44cb55a4861c6c7c73db2ecb54238

SHA256
e43af71843a32f0a94277a5b3b4e18b83eb0d9f271090e84afb44cedb74b8e76

SHA512
ae47b445b9b88882869473e855ab9f8e783014da155eadc8bb2dd296a603ac8998ffbbb4e4fe00c21e34eb504e4c69eb5841c9af88349abcc2d1d8f388f8b28b

Download Submit
C:\Windows\SysWOW64\Dceohhja.exe

Filesize
232KB

MD5
867c0df46967544777e10cd9846cc74a

SHA1
1c52696a3b348f0f41653ddf942565babc46574f

SHA256
eb32f76d57d96b5657eb600eea123752945b8c7f64d86387dc90af93ba4d418a

SHA512
c5421b820d815ee8c94f33d9694636a819acddcd77055fcd57240d40eb839fe1a9be57ff359359646ad314caff5517d801c5ac2851976e69aa86c5df07fd5d2a

Download Submit
C:\Windows\SysWOW64\Doeiljfn.exe

Filesize
232KB

MD5
d5dac14898e1538264c420faccecd84d

SHA1
a62ca2513a984807267d7ada9d6ed0740c38f497

SHA256
16b9d4105ec8e6c618407e4d4df80066e1743e652f0007307de675a9cf7e74db

SHA512
b9eef70baf8ed8774210503e864b468253d8568a31d46aece61884ba896ee56377b8ed0622c950b00115cf3758bcdd1618f3158fa1a3ed941b8c81fa13646910

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
232KB

MD5
6f68d9b527973802f3e2bede0c4f6a14

SHA1
dfec06cf8fbb894ff12c624bd69f29e31c80ecbd

SHA256
8dba53926cd87046bb6b5fa8423197eca4f27e2bf6db984e0d0e3ecee269ab19

SHA512
10ef5191278409aa42b04301ec40b38eec6ac512df98409d97dfff156bc43100e024ef868f43a148ed53ae83b4448c3845fb4a4a380e1bad50633d6438a4f7ec

Download Submit
C:\Windows\SysWOW64\Gdqgmmjb.exe

Filesize
232KB

MD5
a7ef9f305087736446df43e63a597e50

SHA1
4bf5dd0e656ddbc7e65a89bc5c14d805f19850bb

SHA256
465cc007a7704e6b601db52119b18fa91953c98400a55e771974776af6117dbe

SHA512
9721eef1431b50979f0020817397b8356bfeb2dcb478278a310431295ef4d6bf0c5093c9ba07dfe3c36e3440682a1cc3845ba0a58639a7c26f205483b073e8cc

Download Submit
C:\Windows\SysWOW64\Hflcbngh.exe

Filesize
232KB

MD5
170d050b4f94b37f94ab822894575476

SHA1
8f1c5f63aac03cb10dfab273297bbe6261449069

SHA256
a5624dffc9a0b203fca5f007f78116b98cdf357b6677655fbd45b53fb88daf77

SHA512
01e16075710ebc8a2d2de8157970945456648b1e2cb0c317d08be295dd1f3372fe1656192e060102cb17dcb47340b2a262915c89e1d466b9347647fc94e56ef3

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
232KB

MD5
989819dd43ba0d050e7f50ee52f2c05c

SHA1
89f4cbb322c02c692d515ae3e72d4d7c6735f4ed

SHA256
39090648eca6eb83f526d0a72de935bdc3876f0be14b313002f2fd92c7466c29

SHA512
5cc7d957a7cac5272cd47b82c54755daf2a2ffb90c1d7498b0c582ae253b15815e593e7cdff92b1421037fa5f53245636a8eec12b9d1aec33e67ba2c41ee4233

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
232KB

MD5
be6eb787ac53389f10b28ff3601e1a65

SHA1
a9896e5bb94f61b2ed80c340b0f6fd1472012fc4

SHA256
efc153a2dbec04e251e367c61986bc0b6f71170c0d53f8e133b2c995f335547a

SHA512
373c8f4e8336ff2de5c99af0b6c2da78db695e6689840ccd0dafa2500644c211921317f679e186d0ec530410f08c9f8b411879724f7d00c75c907496d331fd99

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
232KB

MD5
3b9fa68f64bab6d0382d66889ed3a656

SHA1
911a572e3fe64d1e984af39d0f16c67e5bdf838b

SHA256
d6a44296d8472091704c8fd7030bfe902af0eb2a529ec646ce0ce66b7419ae09

SHA512
7169421428251f4e7f099bd0acce5fafa9cde1054893eb106669480a5b17ae4a3b87c25e761062f0c93a729957a6fe53c3ee106be36bff24a42374e84856483f

Download Submit
C:\Windows\SysWOW64\Pbbgnpgl.exe

Filesize
232KB

MD5
3ddab6121d1379fa1b54f1f8d8d97ae6

SHA1
0106e28060011f7ce3ca08409390fd6ac1dd12a6

SHA256
e7a5b1110846d4ee3594af0373b2933f0d121fd85ee7f5c0bdc16883cd0ffdec

SHA512
46a57740e0ba7565a4d07cffe0aec158463c71c91d7643be66557f518c529b3a651fd8f5fd39691b98e49ca382ff7ff650e6eed6214f9b05362bbaccf9a6961f

Download Submit
C:\Windows\SysWOW64\Peqcjkfp.exe

Filesize
232KB

MD5
ab8f2134e144b2676c9f3f37e55deffa

SHA1
89fd95baf1d65031102defd84c4747c0914c45d2

SHA256
e6d3f798ee6ae8ea508d5114d687a76f865af8e78a7fde5aa592bd4b67c77050

SHA512
1035df454b48ddc6b183dd8872724ba9314733b2a370d5ef86ae6c422968e67caad8bd6d8139d8fbbb83f0eb33ecc92f8ddb3a2925f5c77e9a7284f7c94dab99

Download Submit
C:\Windows\SysWOW64\Pjkombfj.exe

Filesize
232KB

MD5
c6b22a250dcfe1130ad8325c5c8c11e1

SHA1
37dba57b1cf7efa906180f7544e49a9e193f6f8c

SHA256
aad6220d8d9a0880e6e5f0fcea47cdd1faebfe3656eb15829ff14ff62758e407

SHA512
c9296e5bc85dc902e49912527c9dbd97617499c1e60e6a2d35004746f47eddbd8cf84bc9e5aac080963cdb386b5ebf92da94cdb5255bcefce0c6c0faa9b1e5f3

Download Submit
C:\Windows\SysWOW64\Pkjlge32.exe

Filesize
232KB

MD5
8abf98bf59a2521f798494368dc2d290

SHA1
e89c522fdec4b705b2128fb8590cb765a7a73650

SHA256
d362a771dd507f5885cdc58a095d7930e021b7d5512d8abcf2cd77b44708347b

SHA512
62dd70cc4a334c3a04aa13073eaa247bf09c79f4bc44df7c18f6484ae7f137714d376f7a95f633bad25a23442189eae8b34a5a1ea3d83d52acb1867a4f5ecdf8

Download Submit
C:\Windows\SysWOW64\Pnihcq32.exe

Filesize
232KB

MD5
a32fcf6b468f98381ede831da67d0d3e

SHA1
6d753896e05f350a757b61a71c83bede9ea4b523

SHA256
913c2ce94ae2b9f1154f7a99599983e0a9427cdb34be9a8c81d1df1992b24f2b

SHA512
08584daaf292c638c429669656d66859b2aad3b6ee52a3e90c86d5b896ec40dcf848bf1e66e16c4eeba6cdd10327a3b3b6b2f7f8a0b1cffd2357f1e7d35a0eef

Download Submit
C:\Windows\SysWOW64\Qecppkdm.exe

Filesize
232KB

MD5
fed7cd2402014db341fcfa2fb76d4d29

SHA1
3eeb61005cab7d29bb5e92daf91e4ce5f62a4010

SHA256
3c26ad2389321b7c7129f517b59cc9c12744146adccfcbb0430dd909d84060cf

SHA512
0c2e97886f9a7f14d9d5d0f623375f633d8f5bdaaec9dcba69b3a92e207aa38e0e6b880e65078cb7e0493cc2d8019962f41ad86e21631508bb91f5084c118b1f

Download Submit
C:\Windows\SysWOW64\Qecppkdm.exe

Filesize
192KB

MD5
130868af6e81c98c48d52a3078261a92

SHA1
ad8f726d24f241afe7caaaa239d028b679226188

SHA256
41be678ccc92ab3ccd6f5aafa7699906a59af3881224e9c105d55ae1ae9d3781

SHA512
a84fccff71c37f9065ded9608248bb2e42f4fc8587cc34023c098e6f2f61193d328bbca652f1f9615a6f97b3d6aa5568e72abcbe33ceb47f4d01a9a637eb2361

Download Submit
C:\Windows\SysWOW64\Qeemej32.exe

Filesize
232KB

MD5
f75df491b3c6ac34ab9a661ebdf41e2d

SHA1
b785126f5696c3bd53d2a606993659e199d38cf4

SHA256
1426ba678a906452923016670d7a838b7e78822aa81d5b54ec0725e197ed8077

SHA512
96e50d33a8ddcc934dc70f578f74df6837f9bd1c8d88be60e7c0b7b5fc4953369bf6fe5b1de6c50b2b661ce3657941cad53665732fca6332951443506b1ae133

Download Submit
C:\Windows\SysWOW64\Qgallfcq.exe

Filesize
232KB

MD5
a163d425d6c51de4141736d2a5229630

SHA1
dc29fa0cb1b84f929b6df5d2689d96f4166899f0

SHA256
100a10d7a995d4c1ca6af286d297850746334c0006ce69820730ec65a7bbe8d8

SHA512
5468c6c34c0855aaeaae4d041a4b791bfb69876f220eadffca0dbc3e7848024784049b16079e312256f6554569b66327df462746e4ec6ad19b63635d9bc6e2c5

Download Submit
C:\Windows\SysWOW64\Qgallfcq.exe

Filesize
19KB

MD5
6a302cd0356a1031fc033cd9fe9f4b15

SHA1
10c50012fa2b853c35424c386d1c6d29fc3b249c

SHA256
012bf9282d4fc971340091760b6832bf8913ea9d684acabb52d8843659c0c8c0

SHA512
67aebe02894d345e39cc62bca139953fc4e55a06cf10948c28032e4c63043f74252f7e1af88ad53c616380afa3a75e20f09b0c8c5b54495d72cbfcb34d43c42f

Download Submit
C:\Windows\SysWOW64\Qgciaf32.exe

Filesize
232KB

MD5
9e8c0a3b566e12791fdb3cd1ad571e43

SHA1
74649bceddfdc8f3256bce0d15d3d5e496bc6187

SHA256
67bd324e482e7121747d2453d333b751d307539c35a6800ecb4a57c41c6b0e1e

SHA512
9dcbd5707644f21c20c12751c10b7f923600d9acda9cef9c18a638c4b3fc70e7b1712f07893e029cb18dc4fa4bfea48b774937c33aa7b4e6bab770da32e00822

Download Submit
C:\Windows\SysWOW64\Qjbena32.exe

Filesize
232KB

MD5
afd58c1d60fdd99c5d8d88cb1875205c

SHA1
b91092cf65028d433023ff965ca94bcc8b0ba5c2

SHA256
d400890bb41e2878c05832a32d6f7dc1e8bcbd8c0cb9c8d090edda4127d89fae

SHA512
cd8a8ec353e12f3f9e3d1be319b1fe177586b89907ca058ea066bdcb923928f4eb9306888ffa029a062ce96eda8f3361e4c98673203bbcd2ad19f9c2d621ed49

Download Submit
memory/644-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/812-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/816-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1304-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1816-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3084-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3108-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3324-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3860-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3896-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4288-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4424-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4432-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4488-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4560-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4656-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4672-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4772-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4884-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5072-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6528-2366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8344-2390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8648-2389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8720-2373-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9348-2368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9428-2367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9560-2381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9680-2380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9720-2379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9776-2363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9940-2362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9944-2376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10004-2375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10040-2361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10132-2360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads