ad4f5f07c66cd9232feff4405dac4bbef20ef2bfba705666574abda4713925f7

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad4f5f07c66cd9232feff4405dac4bbef20ef2bfba705666574abda4713925f7.exe
Size

1.8MB
MD5

487ac851d958335bbe0b4901831f273b
SHA1

0e8857636a6e97bca8d3f37f7fbac63c9dce449d
SHA256

ad4f5f07c66cd9232feff4405dac4bbef20ef2bfba705666574abda4713925f7
SHA512

f88891e9ddf8b1771bb5c54e146908a5f26610556b3542507ea726fbcea7478d71598d8945eddf46aa15cf3707dba9f9528da2c86730188bd7bd58c34e27f808
SSDEEP

24576:KGpKm2Nys/q1tF1Pm0jdA5uBAdpFZymfDdGsJm1OVmfihT:KG12Nys/q1tF1Pm0jdFmyMPT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckqbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modgdicm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmpkqqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfehh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocacl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoideh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hplbickp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olehhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biadeoce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mepfiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adfnofpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpnnle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekqmhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljhnlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcomcng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bemqih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cohkokgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmkqpkla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johnamkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkpeopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djklmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edmclccp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phodcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpnnle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhboolf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifcgion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpelhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpqldc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmklglpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edmclccp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmomlnjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enpmld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpdcag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqmmmmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhjckcgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmepam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aafemk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmojkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dannij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnbakghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hplbickp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoaojp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ad4f5f07c66cd9232feff4405dac4bbef20ef2bfba705666574abda4713925f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkpeopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojigdcll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lemkcnaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chnbbqpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjkaabc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppmcdq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffpicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aehgnied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eehicoel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnkpnclp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdnid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gikdkj32.exe

Executes dropped EXE 64 IoCs

pid	Process
732	Jnnpdg32.exe
2844	Jieagojp.exe
2236	Kflnfcgg.exe
2936	Kbbokdlk.exe
4836	Knlleepl.exe
2064	Lidmhmnp.exe
1240	Lejnmncd.exe
4180	Lemkcnaa.exe
4428	Loeolc32.exe
4980	Llipehgk.exe
1652	Lfodbqfa.exe
4108	Mojhgbdl.exe
1036	Mpieqeko.exe
4412	Mibijk32.exe
3848	Moobbb32.exe
4792	Midfokpm.exe
2776	Mpnnle32.exe
2884	Mekgdl32.exe
3532	Mbognp32.exe
1032	Noehba32.exe
116	Nhnlkfpp.exe
1356	Nebmekoi.exe
1040	Ncfmno32.exe
2368	Nlnbgddc.exe
4752	Ngdfdmdi.exe
3952	Nookip32.exe
1320	Ohgoaehe.exe
4144	Oekpkigo.exe
4520	Olehhc32.exe
3388	Oenlqi32.exe
548	Olgemcli.exe
2036	Oepifi32.exe
864	Phcomcng.exe
2396	Pgdokkfg.exe
2440	Ppmcdq32.exe
3616	Phhhhc32.exe
3628	Pcmlfl32.exe
2652	Pjgebf32.exe
2868	Podmkm32.exe
940	Pjjahe32.exe
2292	Qcbfakec.exe
1828	Qhonib32.exe
4460	Qoifflkg.exe
3432	Qhakoa32.exe
1132	Acgolj32.exe
4652	Ajqgidij.exe
3624	Aqkpeopg.exe
1000	Ajcdnd32.exe
3308	Agiamhdo.exe
3336	Aqaffn32.exe
4088	Afnnnd32.exe
2576	Amhfkopc.exe
4000	Bcbohigp.exe
2812	Bjlgdc32.exe
3244	Bmkcqn32.exe
2432	Bgpgng32.exe
4688	Biadeoce.exe
5124	Boklbi32.exe
5160	Bfedoc32.exe
5196	Bmomlnjk.exe
5232	Bciehh32.exe
5264	Bmbiamhi.exe
5300	Bclang32.exe
5336	Bjfjka32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hlhefcoo.dll	Pmiikh32.exe
File created	C:\Windows\SysWOW64\Pjpfjl32.exe	Pfandnla.exe
File opened for modification	C:\Windows\SysWOW64\Aaoaic32.exe	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Cgqqdeod.exe	Cmklglpn.exe
File created	C:\Windows\SysWOW64\Embccf32.dll	Edmclccp.exe
File created	C:\Windows\SysWOW64\Mamjbp32.dll	Nlfnaicd.exe
File opened for modification	C:\Windows\SysWOW64\Pdkoch32.exe	Pmoiqneg.exe
File created	C:\Windows\SysWOW64\Jekqmhia.exe	Ilcldb32.exe
File created	C:\Windows\SysWOW64\Mjokgg32.exe	Mcecjmkl.exe
File created	C:\Windows\SysWOW64\Eeelnp32.exe	Eoideh32.exe
File opened for modification	C:\Windows\SysWOW64\Kbbokdlk.exe	Kflnfcgg.exe
File created	C:\Windows\SysWOW64\Edmclccp.exe	Eigonjcj.exe
File opened for modification	C:\Windows\SysWOW64\Chnbbqpn.exe	Cnindhpg.exe
File created	C:\Windows\SysWOW64\Gmojkj32.exe	Fnnjmbpm.exe
File opened for modification	C:\Windows\SysWOW64\Nqmfdj32.exe	Mgeakekd.exe
File created	C:\Windows\SysWOW64\Nookip32.exe	Ngdfdmdi.exe
File created	C:\Windows\SysWOW64\Biadeoce.exe	Bgpgng32.exe
File opened for modification	C:\Windows\SysWOW64\Djklmo32.exe	Ddadpdmn.exe
File created	C:\Windows\SysWOW64\Nlcalieg.exe	Meiioonj.exe
File opened for modification	C:\Windows\SysWOW64\Aehgnied.exe	Ahdged32.exe
File opened for modification	C:\Windows\SysWOW64\Mbognp32.exe	Mekgdl32.exe
File created	C:\Windows\SysWOW64\Pfiddm32.exe	Palklf32.exe
File opened for modification	C:\Windows\SysWOW64\Nookip32.exe	Ngdfdmdi.exe
File created	C:\Windows\SysWOW64\Ohgoaehe.exe	Nookip32.exe
File opened for modification	C:\Windows\SysWOW64\Bciehh32.exe	Bmomlnjk.exe
File created	C:\Windows\SysWOW64\Cibmlmeb.exe	Cgqqdeod.exe
File opened for modification	C:\Windows\SysWOW64\Ngdfdmdi.exe	Nlnbgddc.exe
File created	C:\Windows\SysWOW64\Dmkalh32.dll	Fbpchb32.exe
File created	C:\Windows\SysWOW64\Hdbplg32.dll	Fnnjmbpm.exe
File created	C:\Windows\SysWOW64\Qobhkjdi.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Nlnbgddc.exe	Ncfmno32.exe
File created	C:\Windows\SysWOW64\Bmpdfl32.dll	Ccqkigkp.exe
File created	C:\Windows\SysWOW64\Oeabgdnp.dll	Cidjbmcp.exe
File created	C:\Windows\SysWOW64\Djdflp32.exe	Dcjnoece.exe
File created	C:\Windows\SysWOW64\Nhnlkfpp.exe	Noehba32.exe
File created	C:\Windows\SysWOW64\Oekpkigo.exe	Ohgoaehe.exe
File created	C:\Windows\SysWOW64\Bgpgng32.exe	Bmkcqn32.exe
File created	C:\Windows\SysWOW64\Hohahelb.dll	Hoaojp32.exe
File opened for modification	C:\Windows\SysWOW64\Dannij32.exe	Djdflp32.exe
File opened for modification	C:\Windows\SysWOW64\Qobhkjdi.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Cpglnhad.exe	Cjjcfabm.exe
File opened for modification	C:\Windows\SysWOW64\Cnindhpg.exe	Clgbmp32.exe
File created	C:\Windows\SysWOW64\Aolece32.dll	Fbgihaji.exe
File created	C:\Windows\SysWOW64\Eehmok32.dll	Qobhkjdi.exe
File opened for modification	C:\Windows\SysWOW64\Bjfjka32.exe	Bclang32.exe
File created	C:\Windows\SysWOW64\Ejbbmnnb.exe	Eplnpeol.exe
File opened for modification	C:\Windows\SysWOW64\Meiioonj.exe	Mkadfj32.exe
File opened for modification	C:\Windows\SysWOW64\Ojigdcll.exe	Oaqbkn32.exe
File opened for modification	C:\Windows\SysWOW64\Bepmoh32.exe	Blgifbil.exe
File opened for modification	C:\Windows\SysWOW64\Fimhjl32.exe	Fpdcag32.exe
File created	C:\Windows\SysWOW64\Mjjkaabc.exe	Modgdicm.exe
File created	C:\Windows\SysWOW64\Bdmlme32.dll	Moipoh32.exe
File created	C:\Windows\SysWOW64\Ijdgcpaf.dll	Olehhc32.exe
File created	C:\Windows\SysWOW64\Aojefobm.exe	Aafemk32.exe
File created	C:\Windows\SysWOW64\Ieoacg32.dll	Adfnofpd.exe
File created	C:\Windows\SysWOW64\Fbiipkjk.dll	Mnhkbfme.exe
File created	C:\Windows\SysWOW64\Ebjkfjbc.dll	Ojdnid32.exe
File created	C:\Windows\SysWOW64\Pdkoch32.exe	Pmoiqneg.exe
File created	C:\Windows\SysWOW64\Pbhafkok.dll	Njhgbp32.exe
File created	C:\Windows\SysWOW64\Kejiqphj.dll	Mibijk32.exe
File created	C:\Windows\SysWOW64\Mlkonq32.dll	Fipbdikp.exe
File opened for modification	C:\Windows\SysWOW64\Nmgjia32.exe	Nlfnaicd.exe
File created	C:\Windows\SysWOW64\Ahdged32.exe	Akqfkp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3988	2368	WerFault.exe	377

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeipof32.dll"	Aqaffn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqbda32.dll"	Bgpgng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efpomccg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfegkoem.dll"	Qhonib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpieqeko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dngjff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjehbcf.dll"	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgolif32.dll"	Agiamhdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eieijp32.dll"	Jpaekqhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggnadib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbiamhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmennnni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhejhfp.dll"	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjldplpd.dll"	Alelqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjkaabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oibqpk32.dll"	Neclenfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmnjnld.dll"	Nnkpnclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhonib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjgebf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dikpbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffangg32.dll"	Oepifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egneae32.dll"	Bjfjka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnbakghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkgabfn.dll"	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lidmhmnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mepfiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopjdidn.dll"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnaoodjg.dll"	Cibmlmeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dikpbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmgjia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dibkjmof.dll"	Gikdkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lejnmncd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdqegoi.dll"	Ojgjndno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgcme32.dll"	Blgifbil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bohbhmfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhjckcgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ealkjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofhmj32.dll"	Ejflhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abklmb32.dll"	Chnbbqpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdpachh.dll"	Dngjff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqhfnd32.dll"	Hemdlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipgbdbqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igdgglfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mamjbp32.dll"	Nlfnaicd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aehgnied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmklglpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoiqneg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebiel32.dll"	Nmgjia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcjnoece.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klfaapbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgfl32.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiapmnp.dll"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adfnofpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jieqei32.dll"	ad4f5f07c66cd9232feff4405dac4bbef20ef2bfba705666574abda4713925f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclang32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeafpab.dll"	Phcomcng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hemdlj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 732	1360	ad4f5f07c66cd9232feff4405dac4bbef20ef2bfba705666574abda4713925f7.exe	89
PID 1360 wrote to memory of 732	1360	ad4f5f07c66cd9232feff4405dac4bbef20ef2bfba705666574abda4713925f7.exe	89
PID 1360 wrote to memory of 732	1360	ad4f5f07c66cd9232feff4405dac4bbef20ef2bfba705666574abda4713925f7.exe	89
PID 732 wrote to memory of 2844	732	Jnnpdg32.exe	90
PID 732 wrote to memory of 2844	732	Jnnpdg32.exe	90
PID 732 wrote to memory of 2844	732	Jnnpdg32.exe	90
PID 2844 wrote to memory of 2236	2844	Jieagojp.exe	91
PID 2844 wrote to memory of 2236	2844	Jieagojp.exe	91
PID 2844 wrote to memory of 2236	2844	Jieagojp.exe	91
PID 2236 wrote to memory of 2936	2236	Kflnfcgg.exe	92
PID 2236 wrote to memory of 2936	2236	Kflnfcgg.exe	92
PID 2236 wrote to memory of 2936	2236	Kflnfcgg.exe	92
PID 2936 wrote to memory of 4836	2936	Kbbokdlk.exe	94
PID 2936 wrote to memory of 4836	2936	Kbbokdlk.exe	94
PID 2936 wrote to memory of 4836	2936	Kbbokdlk.exe	94
PID 4836 wrote to memory of 2064	4836	Knlleepl.exe	95
PID 4836 wrote to memory of 2064	4836	Knlleepl.exe	95
PID 4836 wrote to memory of 2064	4836	Knlleepl.exe	95
PID 2064 wrote to memory of 1240	2064	Lidmhmnp.exe	96
PID 2064 wrote to memory of 1240	2064	Lidmhmnp.exe	96
PID 2064 wrote to memory of 1240	2064	Lidmhmnp.exe	96
PID 1240 wrote to memory of 4180	1240	Lejnmncd.exe	97
PID 1240 wrote to memory of 4180	1240	Lejnmncd.exe	97
PID 1240 wrote to memory of 4180	1240	Lejnmncd.exe	97
PID 4180 wrote to memory of 4428	4180	Lemkcnaa.exe	98
PID 4180 wrote to memory of 4428	4180	Lemkcnaa.exe	98
PID 4180 wrote to memory of 4428	4180	Lemkcnaa.exe	98
PID 4428 wrote to memory of 4980	4428	Loeolc32.exe	99
PID 4428 wrote to memory of 4980	4428	Loeolc32.exe	99
PID 4428 wrote to memory of 4980	4428	Loeolc32.exe	99
PID 4980 wrote to memory of 1652	4980	Llipehgk.exe	100
PID 4980 wrote to memory of 1652	4980	Llipehgk.exe	100
PID 4980 wrote to memory of 1652	4980	Llipehgk.exe	100
PID 1652 wrote to memory of 4108	1652	Lfodbqfa.exe	101
PID 1652 wrote to memory of 4108	1652	Lfodbqfa.exe	101
PID 1652 wrote to memory of 4108	1652	Lfodbqfa.exe	101
PID 4108 wrote to memory of 1036	4108	Mojhgbdl.exe	102
PID 4108 wrote to memory of 1036	4108	Mojhgbdl.exe	102
PID 4108 wrote to memory of 1036	4108	Mojhgbdl.exe	102
PID 1036 wrote to memory of 4412	1036	Mpieqeko.exe	103
PID 1036 wrote to memory of 4412	1036	Mpieqeko.exe	103
PID 1036 wrote to memory of 4412	1036	Mpieqeko.exe	103
PID 4412 wrote to memory of 3848	4412	Mibijk32.exe	104
PID 4412 wrote to memory of 3848	4412	Mibijk32.exe	104
PID 4412 wrote to memory of 3848	4412	Mibijk32.exe	104
PID 3848 wrote to memory of 4792	3848	Moobbb32.exe	105
PID 3848 wrote to memory of 4792	3848	Moobbb32.exe	105
PID 3848 wrote to memory of 4792	3848	Moobbb32.exe	105
PID 4792 wrote to memory of 2776	4792	Midfokpm.exe	106
PID 4792 wrote to memory of 2776	4792	Midfokpm.exe	106
PID 4792 wrote to memory of 2776	4792	Midfokpm.exe	106
PID 2776 wrote to memory of 2884	2776	Mpnnle32.exe	107
PID 2776 wrote to memory of 2884	2776	Mpnnle32.exe	107
PID 2776 wrote to memory of 2884	2776	Mpnnle32.exe	107
PID 2884 wrote to memory of 3532	2884	Mekgdl32.exe	108
PID 2884 wrote to memory of 3532	2884	Mekgdl32.exe	108
PID 2884 wrote to memory of 3532	2884	Mekgdl32.exe	108
PID 3532 wrote to memory of 1032	3532	Mbognp32.exe	109
PID 3532 wrote to memory of 1032	3532	Mbognp32.exe	109
PID 3532 wrote to memory of 1032	3532	Mbognp32.exe	109
PID 1032 wrote to memory of 116	1032	Noehba32.exe	110
PID 1032 wrote to memory of 116	1032	Noehba32.exe	110
PID 1032 wrote to memory of 116	1032	Noehba32.exe	110
PID 116 wrote to memory of 1356	116	Nhnlkfpp.exe	111

C:\Users\Admin\AppData\Local\Temp\ad4f5f07c66cd9232feff4405dac4bbef20ef2bfba705666574abda4713925f7.exe
"C:\Users\Admin\AppData\Local\Temp\ad4f5f07c66cd9232feff4405dac4bbef20ef2bfba705666574abda4713925f7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\SysWOW64\Jnnpdg32.exe
  C:\Windows\system32\Jnnpdg32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\SysWOW64\Jieagojp.exe
    C:\Windows\system32\Jieagojp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\Kflnfcgg.exe
      C:\Windows\system32\Kflnfcgg.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\Kbbokdlk.exe
        
        C:\Windows\system32\Kbbokdlk.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\SysWOW64\Knlleepl.exe
        
        C:\Windows\system32\Knlleepl.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Lidmhmnp.exe
        
        C:\Windows\system32\Lidmhmnp.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Lejnmncd.exe
        
        C:\Windows\system32\Lejnmncd.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Lemkcnaa.exe
        
        C:\Windows\system32\Lemkcnaa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Loeolc32.exe
        
        C:\Windows\system32\Loeolc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Llipehgk.exe
        
        C:\Windows\system32\Llipehgk.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Lfodbqfa.exe
        
        C:\Windows\system32\Lfodbqfa.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Mojhgbdl.exe
        
        C:\Windows\system32\Mojhgbdl.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Mpieqeko.exe
        
        C:\Windows\system32\Mpieqeko.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Mibijk32.exe
        
        C:\Windows\system32\Mibijk32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Moobbb32.exe
        
        C:\Windows\system32\Moobbb32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Midfokpm.exe
        
        C:\Windows\system32\Midfokpm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Mpnnle32.exe
        
        C:\Windows\system32\Mpnnle32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Mekgdl32.exe
        
        C:\Windows\system32\Mekgdl32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Mbognp32.exe
        
        C:\Windows\system32\Mbognp32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Noehba32.exe
        
        C:\Windows\system32\Noehba32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Nhnlkfpp.exe
        
        C:\Windows\system32\Nhnlkfpp.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Nebmekoi.exe
        
        C:\Windows\system32\Nebmekoi.exe
        23⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Ncfmno32.exe
        
        C:\Windows\system32\Ncfmno32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\Nlnbgddc.exe
        
        C:\Windows\system32\Nlnbgddc.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\Ngdfdmdi.exe
        
        C:\Windows\system32\Ngdfdmdi.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Nookip32.exe
        
        C:\Windows\system32\Nookip32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ohgoaehe.exe
        
        C:\Windows\system32\Ohgoaehe.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\Oekpkigo.exe
        
        C:\Windows\system32\Oekpkigo.exe
        29⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\Olehhc32.exe
        
        C:\Windows\system32\Olehhc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Oenlqi32.exe
        
        C:\Windows\system32\Oenlqi32.exe
        31⤵
        Executes dropped EXE
        
        PID:3388
        
        C:\Windows\SysWOW64\Olgemcli.exe
        
        C:\Windows\system32\Olgemcli.exe
        32⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Oepifi32.exe
        
        C:\Windows\system32\Oepifi32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Phcomcng.exe
        
        C:\Windows\system32\Phcomcng.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Pgdokkfg.exe
        
        C:\Windows\system32\Pgdokkfg.exe
        35⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\Ppmcdq32.exe
        
        C:\Windows\system32\Ppmcdq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Phhhhc32.exe
        
        C:\Windows\system32\Phhhhc32.exe
        37⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Pcmlfl32.exe
        
        C:\Windows\system32\Pcmlfl32.exe
        38⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Pjgebf32.exe
        
        C:\Windows\system32\Pjgebf32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Podmkm32.exe
        
        C:\Windows\system32\Podmkm32.exe
        40⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Pjjahe32.exe
        
        C:\Windows\system32\Pjjahe32.exe
        41⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\Qcbfakec.exe
        
        C:\Windows\system32\Qcbfakec.exe
        42⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\Qhonib32.exe
        
        C:\Windows\system32\Qhonib32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Qoifflkg.exe
        
        C:\Windows\system32\Qoifflkg.exe
        44⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Qhakoa32.exe
        
        C:\Windows\system32\Qhakoa32.exe
        45⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Acgolj32.exe
        
        C:\Windows\system32\Acgolj32.exe
        46⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\SysWOW64\Ajqgidij.exe
        
        C:\Windows\system32\Ajqgidij.exe
        47⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Aqkpeopg.exe
        
        C:\Windows\system32\Aqkpeopg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Ajcdnd32.exe
        
        C:\Windows\system32\Ajcdnd32.exe
        49⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Agiamhdo.exe
        
        C:\Windows\system32\Agiamhdo.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Aqaffn32.exe
        
        C:\Windows\system32\Aqaffn32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Afnnnd32.exe
        
        C:\Windows\system32\Afnnnd32.exe
        52⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Amhfkopc.exe
        
        C:\Windows\system32\Amhfkopc.exe
        53⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Bcbohigp.exe
        
        C:\Windows\system32\Bcbohigp.exe
        54⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Bjlgdc32.exe
        
        C:\Windows\system32\Bjlgdc32.exe
        55⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\Bmkcqn32.exe
        
        C:\Windows\system32\Bmkcqn32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Bgpgng32.exe
        
        C:\Windows\system32\Bgpgng32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Biadeoce.exe
        
        C:\Windows\system32\Biadeoce.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Boklbi32.exe
        
        C:\Windows\system32\Boklbi32.exe
        59⤵
        Executes dropped EXE
        
        PID:5124
        
        C:\Windows\SysWOW64\Bfedoc32.exe
        
        C:\Windows\system32\Bfedoc32.exe
        60⤵
        Executes dropped EXE
        
        PID:5160
        
        C:\Windows\SysWOW64\Bmomlnjk.exe
        
        C:\Windows\system32\Bmomlnjk.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Bciehh32.exe
        
        C:\Windows\system32\Bciehh32.exe
        62⤵
        Executes dropped EXE
        
        PID:5232
        
        C:\Windows\SysWOW64\Bmbiamhi.exe
        
        C:\Windows\system32\Bmbiamhi.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Bclang32.exe
        
        C:\Windows\system32\Bclang32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Bjfjka32.exe
        
        C:\Windows\system32\Bjfjka32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Ccnncgmc.exe
        
        C:\Windows\system32\Ccnncgmc.exe
        66⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Cikglnkj.exe
        
        C:\Windows\system32\Cikglnkj.exe
        67⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Ccqkigkp.exe
        
        C:\Windows\system32\Ccqkigkp.exe
        68⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Cjjcfabm.exe
        
        C:\Windows\system32\Cjjcfabm.exe
        69⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Cpglnhad.exe
        
        C:\Windows\system32\Cpglnhad.exe
        70⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Cjmpkqqj.exe
        
        C:\Windows\system32\Cjmpkqqj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Cmklglpn.exe
        
        C:\Windows\system32\Cmklglpn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Cgqqdeod.exe
        
        C:\Windows\system32\Cgqqdeod.exe
        73⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Cibmlmeb.exe
        
        C:\Windows\system32\Cibmlmeb.exe
        74⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Ccgajfeh.exe
        
        C:\Windows\system32\Ccgajfeh.exe
        75⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Cidjbmcp.exe
        
        C:\Windows\system32\Cidjbmcp.exe
        76⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Dcjnoece.exe
        
        C:\Windows\system32\Dcjnoece.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Djdflp32.exe
        
        C:\Windows\system32\Djdflp32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Dannij32.exe
        
        C:\Windows\system32\Dannij32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Dclkee32.exe
        
        C:\Windows\system32\Dclkee32.exe
        80⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Diicml32.exe
        
        C:\Windows\system32\Diicml32.exe
        81⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Dhjckcgi.exe
        
        C:\Windows\system32\Dhjckcgi.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Dikpbl32.exe
        
        C:\Windows\system32\Dikpbl32.exe
        83⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Ddadpdmn.exe
        
        C:\Windows\system32\Ddadpdmn.exe
        84⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Djklmo32.exe
        
        C:\Windows\system32\Djklmo32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Edemkd32.exe
        
        C:\Windows\system32\Edemkd32.exe
        86⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Eibfck32.exe
        
        C:\Windows\system32\Eibfck32.exe
        87⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Eplnpeol.exe
        
        C:\Windows\system32\Eplnpeol.exe
        88⤵
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Ejbbmnnb.exe
        
        C:\Windows\system32\Ejbbmnnb.exe
        89⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\Ealkjh32.exe
        
        C:\Windows\system32\Ealkjh32.exe
        90⤵
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Ehfcfb32.exe
        
        C:\Windows\system32\Ehfcfb32.exe
        91⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Eigonjcj.exe
        
        C:\Windows\system32\Eigonjcj.exe
        92⤵
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Edmclccp.exe
        
        C:\Windows\system32\Edmclccp.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Ejflhm32.exe
        
        C:\Windows\system32\Ejflhm32.exe
        94⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Ehjlaaig.exe
        
        C:\Windows\system32\Ehjlaaig.exe
        95⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Filiii32.exe
        
        C:\Windows\system32\Filiii32.exe
        96⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Fpeafcfa.exe
        
        C:\Windows\system32\Fpeafcfa.exe
        97⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Ffpicn32.exe
        
        C:\Windows\system32\Ffpicn32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Faenpf32.exe
        
        C:\Windows\system32\Faenpf32.exe
        99⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Fipbdikp.exe
        
        C:\Windows\system32\Fipbdikp.exe
        100⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Fpjjac32.exe
        
        C:\Windows\system32\Fpjjac32.exe
        101⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Fkpool32.exe
        
        C:\Windows\system32\Fkpool32.exe
        102⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Gijekg32.exe
        
        C:\Windows\system32\Gijekg32.exe
        103⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Lcnmin32.exe
        
        C:\Windows\system32\Lcnmin32.exe
        104⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Mepfiq32.exe
        
        C:\Windows\system32\Mepfiq32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Mnhkbfme.exe
        
        C:\Windows\system32\Mnhkbfme.exe
        106⤵
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Mcecjmkl.exe
        
        C:\Windows\system32\Mcecjmkl.exe
        107⤵
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Mjokgg32.exe
        
        C:\Windows\system32\Mjokgg32.exe
        108⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Meepdp32.exe
        
        C:\Windows\system32\Meepdp32.exe
        109⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Mnmdme32.exe
        
        C:\Windows\system32\Mnmdme32.exe
        110⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Mkadfj32.exe
        
        C:\Windows\system32\Mkadfj32.exe
        111⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Meiioonj.exe
        
        C:\Windows\system32\Meiioonj.exe
        112⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Nlcalieg.exe
        
        C:\Windows\system32\Nlcalieg.exe
        113⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Nmgjia32.exe
        
        C:\Windows\system32\Nmgjia32.exe
        115⤵
        Modifies registry class
        
        PID:496
        
        C:\Windows\SysWOW64\Neqopnhb.exe
        
        C:\Windows\system32\Neqopnhb.exe
        116⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Neclenfo.exe
        
        C:\Windows\system32\Neclenfo.exe
        117⤵
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Nnkpnclp.exe
        
        C:\Windows\system32\Nnkpnclp.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ohcegi32.exe
        
        C:\Windows\system32\Ohcegi32.exe
        119⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Onnmdcjm.exe
        
        C:\Windows\system32\Onnmdcjm.exe
        120⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Oanfen32.exe
        
        C:\Windows\system32\Oanfen32.exe
        122⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        123⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Oaqbkn32.exe
        
        C:\Windows\system32\Oaqbkn32.exe
        124⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Ojigdcll.exe
        
        C:\Windows\system32\Ojigdcll.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        126⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\Okkdic32.exe
        
        C:\Windows\system32\Okkdic32.exe
        127⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\Phodcg32.exe
        
        C:\Windows\system32\Phodcg32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:452
        
        C:\Windows\SysWOW64\Pdfehh32.exe
        
        C:\Windows\system32\Pdfehh32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4448
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Pdkoch32.exe
        
        C:\Windows\system32\Pdkoch32.exe
        131⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Phigif32.exe
        
        C:\Windows\system32\Phigif32.exe
        132⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\Qmepam32.exe
        
        C:\Windows\system32\Qmepam32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1848
        
        C:\Windows\SysWOW64\Qkipkani.exe
        
        C:\Windows\system32\Qkipkani.exe
        134⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Qeodhjmo.exe
        
        C:\Windows\system32\Qeodhjmo.exe
        135⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Qlimed32.exe
        
        C:\Windows\system32\Qlimed32.exe
        136⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Aafemk32.exe
        
        C:\Windows\system32\Aafemk32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Aojefobm.exe
        
        C:\Windows\system32\Aojefobm.exe
        138⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Adfnofpd.exe
        
        C:\Windows\system32\Adfnofpd.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Akqfkp32.exe
        
        C:\Windows\system32\Akqfkp32.exe
        140⤵
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Ahdged32.exe
        
        C:\Windows\system32\Ahdged32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Aehgnied.exe
        
        C:\Windows\system32\Aehgnied.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Anclbkbp.exe
        
        C:\Windows\system32\Anclbkbp.exe
        143⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Alelqb32.exe
        
        C:\Windows\system32\Alelqb32.exe
        144⤵
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2136
        
        C:\Windows\SysWOW64\Blgifbil.exe
        
        C:\Windows\system32\Blgifbil.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Bepmoh32.exe
        
        C:\Windows\system32\Bepmoh32.exe
        147⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        148⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        149⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Bnmoijje.exe
        
        C:\Windows\system32\Bnmoijje.exe
        150⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        151⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        152⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        153⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        154⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        155⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Chiigadc.exe
        
        C:\Windows\system32\Chiigadc.exe
        156⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        159⤵
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6568
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        162⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        164⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        165⤵
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        166⤵
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        167⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        168⤵
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        170⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        171⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7056
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        174⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        175⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6256
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        178⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        179⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6596
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        181⤵
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        182⤵
        Drops file in System32 directory
        
        PID:6792
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6904
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        184⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        185⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        188⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        189⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        190⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7144
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6500
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        193⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5104
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2144
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        197⤵
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        198⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        199⤵
        Modifies registry class
        
        PID:7260
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        200⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7344
        
        C:\Windows\SysWOW64\Iinjhh32.exe
        
        C:\Windows\system32\Iinjhh32.exe
        202⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        203⤵
        Modifies registry class
        
        PID:7428
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        204⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        205⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        206⤵
        Modifies registry class
        
        PID:7564
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        207⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        208⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        209⤵
        Drops file in System32 directory
        
        PID:7708
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7752
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        211⤵
        Modifies registry class
        
        PID:7796
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        212⤵
        Modifies registry class
        
        PID:7836
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        213⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7928
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        215⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        216⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        217⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8116
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        219⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        220⤵
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        221⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        222⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7508
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        224⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        225⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7764
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7832
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7924
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        229⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        230⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        231⤵
        Drops file in System32 directory
        
        PID:8112
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        232⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        233⤵
        Modifies registry class
        
        PID:7208
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        234⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        235⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        236⤵
        Modifies registry class
        
        PID:7460
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        237⤵
        Drops file in System32 directory
        
        PID:7620
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        238⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        239⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        240⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        241⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        242⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        243⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        244⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        245⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        246⤵
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        247⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        248⤵
        Drops file in System32 directory
        
        PID:7464
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        249⤵
        Drops file in System32 directory
        
        PID:7600
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        250⤵
        
        PID:660
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3956
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        252⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        253⤵
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4212
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8072
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        256⤵
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        257⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4456
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        259⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        260⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        261⤵
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        262⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        263⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        264⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8108
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        266⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        267⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        268⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        269⤵
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        270⤵
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        271⤵
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        272⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7736
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        274⤵
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        275⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        276⤵
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        278⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 416
        279⤵
        Program crash
        
        PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2368 -ip 2368
1⤵
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahdged32.exe

Filesize
1.8MB

MD5
e50f88084fa7c7f54e8080e7c6fd048b

SHA1
5c8602f338acce8efa5c6676dc493e0630d3528b

SHA256
a29d4b03fca47b9e6127e461b85a546c91e5ba8b64bb59f2a366a15015ac8187

SHA512
500e48fbd696b6fb4626092a9a04ab2e93a1c43678f5a21aaddf9704672c2d0f3df39423ba2eb7b7daa9677a4b50e49826621acea26c91e1aebe05a32b5c5624

Download Submit
C:\Windows\SysWOW64\Dnpdegjp.exe

Filesize
1.8MB

MD5
0c19bfa328b5da63350836b4f8fba65f

SHA1
5a6408f2b2c23101ece9edfd9eb5998f34d6bf9f

SHA256
8d47653b105f77429fbb9255ea7cd6656fd26b439940270c7f846f058d7bc0e2

SHA512
b32fd51cfffa2543dfc5a0759bcf3a516271d67f1860dc807f49862c8b5d9d3c53be53c2f8541e7ab7885e4a650063835a7dc24c97f60ac564abb61518e19d27

Download Submit
C:\Windows\SysWOW64\Jieagojp.exe

Filesize
1.8MB

MD5
5b10d732d6fe6e59b840e82c14a0d170

SHA1
17dd7aee25470dd1f3078bc14f97bd3971d9bfc8

SHA256
03933ee0c86a40c8e4daca64fcfb32519a057eb447c0d8165d29d129b80fe501

SHA512
1258db274f4ace2c2f70984931b54c20957ee61a6eb4b6e6ab3915091c4be41ed971693abbdd56d8d3f9fbde84eb342fcd2add90703496fcca520eab0c4c7f25

Download Submit
C:\Windows\SysWOW64\Jnnpdg32.exe

Filesize
1.8MB

MD5
5f3e674973335762bb183e8f1bccaafd

SHA1
b0ff71ab8b14855378bb6ab31b49ae5a970e342a

SHA256
b74a584d202ab50b5dd26091174932114f4f2446dc669964009d9234de173b0e

SHA512
eff4543c1e58923c9001e7cb7b02fb326c43e6800a57c81377ac5ab340f680f9a3bc579ace89b873e2c4481aec619283df2c71768078ab907b8089a96205e4d4

Download Submit
C:\Windows\SysWOW64\Kbbokdlk.exe

Filesize
1.3MB

MD5
6eacbe65eac7c8e2f4e052b309d789c2

SHA1
ebb8ce408c13f3dd3becd4158490ca8bfb5f313f

SHA256
24f8f4948be8c7c5b2fecc5ac8a44d2275e9e4962ebddc6d4f446a11cefd3abe

SHA512
3754d7fa9859843a5d2761c0fe364537f8b0c49e8039e23e2cecac016765b437875d7c22a0505e7a5e6843c75a4463ec278e6c55abe4ab7dacb1de5118e313c8

Download Submit
C:\Windows\SysWOW64\Kbbokdlk.exe

Filesize
1.1MB

MD5
3614f4a1e424fd8110cffcc9ae59b583

SHA1
5d7dfdb2a51fafcb725d486312cc869d1f9893a4

SHA256
dcc6983e54f42aa955e8a15e28b291d6e103d47350e15a77a3cca20255f144aa

SHA512
5a40c855781ab6dda5b60f9bc2a9d1ce5caaca9e236bd0a4b9f90a67be302b847f64117cbeba89d6406d6eaed690fa9dae7d94c90eba04ef18f3db3f00e3b5b0

Download Submit
C:\Windows\SysWOW64\Kckqbj32.exe

Filesize
1.8MB

MD5
56cca881ba96ecdba2a326b9d043ab46

SHA1
62bc17efbefabf3787d9f9df4d04a554283056b0

SHA256
7e43f93b19ff5602ee694caf4a9091efc1942d792d18fb31e2983024faf722f0

SHA512
3255de26631026cac2de0b798ce344234fc2aa6477f513c23ff792af49e5c40cba7726f5f15209cebb9505d18f1c8a26ef5b764d8ee6c8c73975ee454ceffa64

Download Submit
C:\Windows\SysWOW64\Kflnfcgg.exe

Filesize
1.8MB

MD5
677ac66e54f5141de2b6e881b3fe49e1

SHA1
8b2f69f88da4b5e011dbf9ff06d8e8f0d350bebe

SHA256
bece79f47864f95ba5236097f535d8167eccad91f9f45822ce258249150c22f8

SHA512
074d5688d85f71caf4e9f42c1580409578a5769e04d4be08344c1e1071c9b5bea674ba3730fef18f7285331f9bab201f08509ab0983651cd762b3e91531cc849

Download Submit
C:\Windows\SysWOW64\Kflnfcgg.exe

Filesize
1.5MB

MD5
e1c499b7bd55afce25817c0e043b9a47

SHA1
55b4f3705b2bb2d4a645123117cf77bd622d7279

SHA256
594887061c1f8613659b373ad277f295928c70ee8aef784b507a07c0ffad18dd

SHA512
d451add08d0ea393ee415a38680acfd71d4ac1c7da59e8834639123682b434e85b9a91e9118c38f5ff49c689cb5852e939fbd335de5b391e26328e3fa5141859

Download Submit
C:\Windows\SysWOW64\Knlleepl.exe

Filesize
960KB

MD5
c32a3ab7f4a3f9a75bc9422e56dcf064

SHA1
25e70012230eb4a47ef01caa31d4ed4fbec9db2a

SHA256
95e5f48885155c587030ec1033fec204adb084f6d3cac6c1e7ad948f0130b551

SHA512
178297bcc2660442b2f032ad347d4000a14179cce2631fb7754a1277759c9f29dfd3a510c4a484ca2b1c84fd589f1a2ca82f50aa265548c9a9f8f2d457b5233c

Download Submit
C:\Windows\SysWOW64\Lejnmncd.exe

Filesize
1.8MB

MD5
84cf3f4d15e7d69cf57a5a4369b24f11

SHA1
99faa90c808eef5059995805edb6e158ee2d839f

SHA256
5d1da4dbfeab89d725f61ad4f61195f4ab0c13baf75c85b2270f44e5dab7a503

SHA512
006d889efad04ae1f5e5e47bc1883a6814e84e53a106460a5bae69e82a7171b132ad32ee87d2515814083e58c1fa9a59499fb7576166a77c3606d1cfbeec18dc

Download Submit
C:\Windows\SysWOW64\Lejnmncd.exe

Filesize
448KB

MD5
f8d5f9bc06e8cf9c9d9ea8dd7ee4da7b

SHA1
4c338a993eff730aa721444c3e59eaa2184e9548

SHA256
a4881258d9289a9a08ca790278d1481c8d2097b9cb424b7f6bce328fe141f287

SHA512
0a77daecf469ef5f16ce181da54d3c0f5ac4ea05b780f213ac8f538806c16bd8892fcb5a59a057fa0ede9b7c62cbbbf13707b5acb94be710b2b5f9e606b8c530

Download Submit
C:\Windows\SysWOW64\Lemkcnaa.exe

Filesize
1.8MB

MD5
47c491d345676c88ba71c0538aacb81d

SHA1
0b8f7947a0516671a6bcb4864ec29ac6623c412e

SHA256
6e1c0902da61d87b66b70b9f342adf1b49589fc79b88eed501a90617041748b9

SHA512
4095eaf9db9ab4a0ec2d17f6f7a0a1643161d5ad64864c467b229b0591bab72d27a73d3f671ab8ad8bb1a3523fd5d0de4e1316879c6085d5be3269c87b80e7fb

Download Submit
C:\Windows\SysWOW64\Lemkcnaa.exe

Filesize
256KB

MD5
deb1db574e86d7b1720471231cca7571

SHA1
bb60362491ec27b33b1b119934af196eab1024ca

SHA256
efe8eca58a55dcc1c56f6911f0be829ec3ad3d1ef9bf47954c1968278694b371

SHA512
1ec75215a0d6bb25fd83f470663db9e69a4ee7e0204343263820b965deba924bc5bbb0f71379e822ddd0b03b7da65946b5212120bf879253cba368876a341d95

Download Submit
C:\Windows\SysWOW64\Lfodbqfa.exe

Filesize
64KB

MD5
3699c9e97e148909be9e0c6167fb1de7

SHA1
6ed81e70c7f6862d31f7a7479dfc264822195811

SHA256
2e318f42ec6031c5471010cc9d6487763643a018e835cf4130937a88df4e9323

SHA512
71e3fa930f54fead4b0f0a632468bd0e87038b0a81377b46d0d7bcfcc3566ea62e5f691e61165176bc192b3b5ce6796cb0bfb866f708bead646953b1d3d8c925

Download Submit
C:\Windows\SysWOW64\Lidmhmnp.exe

Filesize
576KB

MD5
ce744881ff11e9d63d56285c31bad771

SHA1
98d17c1164e782e0720bf93e3623974912c56237

SHA256
98283656403a34d09beb03c6eaeb6747f53c5c1a12b61e673e7445b0f8c100db

SHA512
f55d66ecdc41169cb134fba0dc4b1b7163045c5c6af5692643d3ce21c3c19ab33b443fdc515b697b2aa2ccd3648b4538ac79a84cac31c0db48b5c4695b9c1132

Download Submit
C:\Windows\SysWOW64\Lidmhmnp.exe

Filesize
640KB

MD5
43a1ce81c7eb4fb12ee10e866fbbb5b2

SHA1
d406060e80a7c48ca009f559139afc91be85cea0

SHA256
885ded6053a18af97043c4e7d213c25170c3ee883fa2fa7a26d01fc8c7f00682

SHA512
e15a8321ae136d7a258a5b04d8eb5b615dfe8036c7e83e2ce88f9c6822b186027d0a61b6575309a0d233a65b37725bd60cd6a75b9d49ff84d8207f3274b4fb6d

Download Submit
C:\Windows\SysWOW64\Llipehgk.exe

Filesize
1.8MB

MD5
fe31fcd75ccad3d4fcba3f9b3c86f58d

SHA1
70fc2038c23f0f343d22da16528c6c1712006ebf

SHA256
aca02e81b98288100d0b5123484f8e69f043404d41a4c245c8aac110fe259af4

SHA512
5eca220f6d2488dafc77f30494a9b4d53723908898d98d3654983689d5b41f46f853c68ff2e959b703e921ff36147fa358511c4d321a251c7515adf453278047

Download Submit
C:\Windows\SysWOW64\Llipehgk.exe

Filesize
126KB

MD5
15d2e10e0be287d10b89c4d11c0414ee

SHA1
85e62e167f3d0569f8fa3e9a4438be96d901aee6

SHA256
b7541debae5fef98818e0a5b72d6d4f8437b7955234668ab1d2b5304f946b84e

SHA512
f02cd7fc8027498d1459da5bd4a5f9aea3ea0e97504e4a3f8c85996e8810f8805237f67477c414f63878d5ff73e35e9c2b9d3795731af37cb7580a1979182f70

Download Submit
C:\Windows\SysWOW64\Loeolc32.exe

Filesize
256KB

MD5
12ca46bbb84b4ae57b54575a97b88f0a

SHA1
aedef84b58f91e27201d2a79b1b8c69bcf45da37

SHA256
632500a6ac92ddcc3f989bc0125d2db1f050a9ef6670181138f5dc51100e5fe3

SHA512
0d3943f35df3395d40e521764c717d322a4334baf59402df7383e09cc787755e6124c8de6dacdcecdad4d0d9c7ecb2644e525cf427d62f5bf36d25350c918ce1

Download Submit
C:\Windows\SysWOW64\Loeolc32.exe

Filesize
1.8MB

MD5
f8212ada0e47cc52d12b1f123d2ce75a

SHA1
65978ddff99df08c430ede74ee47369ef24cdfc8

SHA256
5b75eee6acb8d0c900bf4afd88c07d7e335cb8df638d313b5dab32ace7a81ec1

SHA512
589b34d6b347bc3c9de4c170f50be0c7d4ad7fb51ee69016d45505613bda74160972a13d300320b2872c160aa31152c50bf1d89520d428f09752446b824b15c9

Download Submit
C:\Windows\SysWOW64\Mbognp32.exe

Filesize
1.8MB

MD5
51eb126e0a98e19422c3f8c14130227b

SHA1
5d02e907de64e057e8e1d3fa86be0b38a01240c2

SHA256
8d22bbd6622ecef5db09e398d62e9f3c31559fe893cd3e2bdc33f72333669279

SHA512
26a1f23dcdc54809beee07f414d4d8bc87472537cf473df6cd485be6df1963a2efe2f2b49051591d3446d0505f1b62a376d9b5db451bd6675f6d28e39c208293

Download Submit
C:\Windows\SysWOW64\Mekgdl32.exe

Filesize
1.8MB

MD5
be00a36c713695de94feb61cd1a6a125

SHA1
96bbc5d1a68f41fee0293087930cbe3d9c1dd437

SHA256
f10cb6c750c18d987c24efe8bacc6daa56119457f5c1139cedd00fd3a9cce5b9

SHA512
867c7e1359e36cd45cb26ed2352f6bda3a001cacc69ef52a47c86ee9a47ba0f471ca8030262c561448c6ca75bbe2099eda6b3123f46c3cb08d5b2b98f5ae5b95

Download Submit
C:\Windows\SysWOW64\Mekgdl32.exe

Filesize
320KB

MD5
06fa047e07b64c74c81d9bcbafd3e88d

SHA1
a6d6606c781b702c69c9071c1948506f8c04ffe6

SHA256
c032415baa15dbd96c3423ba0521171280f3775762f8f0b3730e650e9e1e7480

SHA512
78f7f017f7b5fd82aedde2459ff5db8b27e1a324e57a4c7702883fc5f0eb85a1d6978e5be4a62f7552fe831a00a175cca72a23394c7c8b5118ebf539f24d8635

Download Submit
C:\Windows\SysWOW64\Mibijk32.exe

Filesize
1.8MB

MD5
16cc49ab9183aa920ffdfcd5d06dfe3b

SHA1
6739e063513912fde590f94c5d6a8043df848e9f

SHA256
ed4260de26eeaa97907f86d53b9acbb20642acf842090504c77d465753632b33

SHA512
f535b1fa9ce8d7f6f5fdb1e31fac697a0108b5635cb7e2947ba716db719124c57631bdc88abdbac00704f68c58b1d826bf98df55060a5059b377dc8d8c077cfc

Download Submit
C:\Windows\SysWOW64\Midfokpm.exe

Filesize
1.8MB

MD5
85db41e0d830042de270386edf4f1dc5

SHA1
77559845bfa62680c6dd0ccd236d8308ea16422f

SHA256
c71c966d1d86b749528550340dd7e438b0cbb31013d3901aaae2066a57878ee0

SHA512
eccc88b54658e297ff4377c203c955dc24264b37c8c7bd5355f1121e204d4480c76131c58a92930599f121c2733b9884ac4984c229ab9f5e04254290ffb602e8

Download Submit
C:\Windows\SysWOW64\Midfokpm.exe

Filesize
448KB

MD5
e60d161b9f3bb264a9edb4102dc2e72a

SHA1
daac0c02dc20f328b42b80a11f39ce014ce237a5

SHA256
5a0f6cefdb197ad2bbb8be60a29dd22265dde7f2f03bb179023289668f530aac

SHA512
f06854bd0a99e9933f407fcaed3c65bd686f86f9fb3383c7bb213efc3d66f967bb4b9c2a7584cbb633ac2366dd4abc7429ad1ee58d9eb8d2753fe80ab12585bd

Download Submit
C:\Windows\SysWOW64\Mojhgbdl.exe

Filesize
1.8MB

MD5
72236a331ddf9b7d77f2191fc32d1df5

SHA1
68098b397b0a5e3c51f5c41d36c54e6edd8a3a7a

SHA256
2aa790943fb151051a992f836c1847402548eca6073303ad607c14403e1f7d73

SHA512
df5128560ed0ec085cc2bd49b8bbea19545a8e2299571c7de0756e339eda9cd767c54054713572945cebd6613bfc1190549592d9f246c082325b856d2133a1f1

Download Submit
C:\Windows\SysWOW64\Moobbb32.exe

Filesize
1.8MB

MD5
124fcf0da9d07a265149526c4732b0c1

SHA1
2afbbf9d052e88bec767ad3832037131c3cf1163

SHA256
e175e08bd52412a1b93cf84acaafb8bce1dbf02c6d2e0b4217b103aed799a3c9

SHA512
67abdca23d13702c03675cfd4175105e20a140c860a1dc939681eaac078f62897f8c48fe3770a4230512418d1dd0b477515c712de21488ff97d1740c21972f5b

Download Submit
C:\Windows\SysWOW64\Mpieqeko.exe

Filesize
1.8MB

MD5
2f003fcb83109e71de03da0c73567f6c

SHA1
68be4bdfd7221572dbb8fffae44a9a3467cb7f91

SHA256
5372192577bf80a97e6d29e3f4d3c3c0fccee2434572a1a6535b7a30f4e3854a

SHA512
ebf5259156460922160013499e7f8b0847301509bc6c22796b4be6238a575ba0dc3fa8ebde66a3ada3031fdc8df349829c34d956549fa5b58d312a0c2cf58c3e

Download Submit
C:\Windows\SysWOW64\Mpieqeko.exe

Filesize
640KB

MD5
229b5cbb24c316bfd5a8086e40df52b8

SHA1
4af19075e92a7a4aa5e3052973c73e7e5ce70732

SHA256
2bf0ee6c7f46116418bcee598536357c8147f86b0760f701617b10eedf6cfda5

SHA512
b0d660974118d84a05f6d26c1366e51bee7248dd56c95cd588f63bcf2f2fad9278be0ddd70ca4ebefeda7b08f79f68d7ad07a4fe7a3301f11d98202c6ccfe17a

Download Submit
C:\Windows\SysWOW64\Mpnnle32.exe

Filesize
1.8MB

MD5
b8f4d4e3bf3a96c7ee2a222aeec8fa39

SHA1
583460d9a80b8ef47b5826fe1d65ba65464c8c17

SHA256
eda3c1581151e75752c84fc5982fefafd4d1aae18d13fbeeb49882feb3244215

SHA512
593ccafe804078a11b33bb484298f5e183737e2f6bab8ef3377251799fa7fee6dc30136731df931ecc0c439c7a9326bd7e26200adb7989952fb596cf7b51b32d

Download Submit
C:\Windows\SysWOW64\Mpnnle32.exe

Filesize
448KB

MD5
dcaa0023351147418bc4331df356bf99

SHA1
27d6a3adf5915492968724aac6462de5b95a6c3b

SHA256
275f9d7dcab7a249b8ad0ba7af6d569daba7ed21ca4ea77861ac8e5d46e307f7

SHA512
fe06e25abf1e72814070adb3ddbd9e6ebe387b2a90044878c34fd9ae5c5254a0f337381e2f75a877c15e00ed5f8c46e70408a96f2f7c401fdb8324737451c9db

Download Submit
C:\Windows\SysWOW64\Ncfmno32.exe

Filesize
1.8MB

MD5
7bd7b8bc2ec972f6b4aa1892e93f3836

SHA1
5da55c7009950d5aedf57f07aca609462ce1b7f6

SHA256
a19337579f036bcf0fde73c4662ae371b35d0a333264b0d3abd601ed4ba18e39

SHA512
b804c7a9dd3113d4b5791a59d7eca3f93c4a24d564f0800ab52139de444763974a8c59ca6db745ae801d140460e12374cafb36e46f6696ccaeda11ea0095c786

Download Submit
C:\Windows\SysWOW64\Nebmekoi.exe

Filesize
1.8MB

MD5
a08a725e1c434123ec3330cb3ae9be9c

SHA1
ff18aaf9e44519aa7c81b4a1bdff6bcd596ae472

SHA256
d8e59ab4f96f4fe61da8d41cb1abf5ddf6f5bc3a1a20027d37a1f47df77d8d60

SHA512
e06d8cf23a3faefd727dd504de4cb97545682f89581b656aa255bff35901f0bd3be1518e0e6e9e64095fd84d3408f7f18fe7912de70694dc82a9923343a23fb6

Download Submit
C:\Windows\SysWOW64\Ngdfdmdi.exe

Filesize
1.8MB

MD5
3958135966bf1e59950444f29e3bfdca

SHA1
103f8526dbdf33c86c0a6682febbcdc01c22f6ba

SHA256
be51c4ab4661faf50f49ca66fa028fb8e0d09256202b2ee7319303b23933bb3d

SHA512
c68ccb0da600aeb7fd57ac0989acf5c6740d8ab58f299d8e95815bf40c7092eba193ce58e3ba02e23f1ef4ca3ebddbc8672ff545049746941ac066bfc58a9cd0

Download Submit
C:\Windows\SysWOW64\Nhnlkfpp.exe

Filesize
1.8MB

MD5
0a957fa2ae2165a231c3430820f1fecd

SHA1
f99ec8f907ae29b91ab1a0e5e11e980fdf30bbbe

SHA256
dfb4d2f1944f7261e3040fbcc47cd3f282da14c3eb14e42510ebbd32c8c9aad6

SHA512
cda6cf7017a189a7a212a4fd5b0ed0e426f9ac6abf0dc9c8ebd429df34b816baa9125ffdac00b4ae036bb833d06a2c1297e0936dab9341518d492fb446a4171e

Download Submit
C:\Windows\SysWOW64\Nlnbgddc.exe

Filesize
111KB

MD5
415317deb4f34e87e5e684dd91475700

SHA1
85d034eb366116d48d581eb9a97d7cffdf61efb2

SHA256
6ba4f685ae5a97ab45c4a638aaf5fd85a750adfd5df29102855171236be42626

SHA512
3797a830383158bcc2ff9d7ed4ad1f9a0d0c8b8f14c74f4df9cac4f7f5e2a4886d5d574b9183621126f24649b34c13b07b4d88c59363a1912937691e67a40679

Download Submit
C:\Windows\SysWOW64\Nlnbgddc.exe

Filesize
1.8MB

MD5
819bc0bb589e2c115fd17220839c5044

SHA1
35864ce8f78a8c58f8c159ec29fd779f6940b017

SHA256
9f836d294a17c94d4d7306f27ac16c3bb4eed77d75bc528a14a0efe1b88a8318

SHA512
896d4e56bbbc122ea20ee3f62b85448edf9ad5841ecb9033a202fb9c014102c2dcde3c3c360a8e9425e04364c7e7af3cbd5317062fa6012d54f60a3145d2fa6f

Download Submit
C:\Windows\SysWOW64\Noehba32.exe

Filesize
1.8MB

MD5
ef33dd212abf604a268c8bb50f4b25ca

SHA1
268c44d4c8586309595189c74280a41c607dfe75

SHA256
eb61be28e5d5ff1553818913c7bafc2ecdd6b8948a4e312d6b8cff01fbfa74b9

SHA512
828c3f27018dca7eb24307d9619a977586e4d9c4c97b0f4430c2f68afb06b0621d6f1d57f2fba24dbc27877a33d20a37af3144ee19fe411d5cb1c5bc2076ddbb

Download Submit
C:\Windows\SysWOW64\Nookip32.exe

Filesize
1.8MB

MD5
0b2d45f46ad2e133e19ae2e7b5a6735e

SHA1
4e31505f649a2b3c0044fa3cc3a0640a87b74069

SHA256
61ec29b95c729ca20d03cd18fee481bdc3c25fa353e9fd56f07a2e42168ad072

SHA512
e450fcb0eac8182d246b435f1df7f53d8bf3267f24efb507a254cfc5dcbde65d8dbd7aa16ceaf6fa95abda003c4c4611a02c63bef43e18975adad13d50661634

Download Submit
C:\Windows\SysWOW64\Oekpkigo.exe

Filesize
1.8MB

MD5
0d6a83371e237ab498a8affa2543321b

SHA1
ffc7dec1f0b7199f2e7d8b90a4688fc87dab5587

SHA256
2e208474b491373239730818f6f0207fea64862cd1084dd3640e78a033ecf4af

SHA512
e9a3105fdf67e919ed7c1e0d47f424a12021bca60d5fd247e9333052f3fc94944a7c3f46814e365ea29254237045b9ace2d4300bd6a0a86c12e091288fa440a6

Download Submit
C:\Windows\SysWOW64\Oenlqi32.exe

Filesize
1.8MB

MD5
b0e54d368246bcd2a915efb914ce8edd

SHA1
25f86186b50cb176367975c4211b322721fad2f2

SHA256
a746c42fa523a8a54e2de73a0080b61e1fe9908716c665fbdee6449fe0c54fed

SHA512
e57a273b0fdb768be3ac6489fef4f4d86548aa11823ac96c807d8f080730fef84dfafecfff93d34c376ebcf47320d2241b20c83a97f7146ca09586816967ca8f

Download Submit
C:\Windows\SysWOW64\Oepifi32.exe

Filesize
1.8MB

MD5
1e30139c54048839a6484af5274f0909

SHA1
cd20a0225a6c16f2078589aa78b9ba9eebec7145

SHA256
06c30bbe0707c99bbab05c6cfc7ac50f0a0b67d8f70fed510099a7091fd492e8

SHA512
4d44ef014a3e314553b40c875e20a23ffc82ec3716ec8db97c1323a7241a5325b358738773c26bae5396855fd6f0f5ec1be91ee407a91dd30c6f39affcf49ebd

Download Submit
C:\Windows\SysWOW64\Oepifi32.exe

Filesize
320KB

MD5
92ea108d315a2ea89f38448a29ef3684

SHA1
e77767dd5ab5e68c36f4ebb9c028285edaa541d1

SHA256
f81bc60af3c326ce57d4b31b1519719ac6d17842d8134a91b4a329fc90c126f7

SHA512
f84ad307cf1022aab070860e617352bf701ac97d0952676d43694d85f82235757f3d25fd3c09e96d3ab0ceb771147e7c3274f20f4313ba2e5a8d617ad5af9e44

Download Submit
C:\Windows\SysWOW64\Ohgoaehe.exe

Filesize
1.8MB

MD5
4b12827b6fb77d5df4e56199ef465e49

SHA1
1a2c84e33a0bc5b08aaba7004f9cb2979615fcb3

SHA256
b19dd8ac967312ff5624679c75a2d1519838767a03e54fc3f2b317c6b54a990f

SHA512
d6bad46782a595b8d8b0ae5b35dca105b1a2ad10b0a56378938aa42cda9c284393107298b023e7d20a6e85f899450c227f572d6eeaa14dfbf5d67ed4b9aae7c0

Download Submit
C:\Windows\SysWOW64\Ohgoaehe.exe

Filesize
42KB

MD5
a982de95be4213c7d03e18ee9a306475

SHA1
21e0fa0c70271a596c53b40aa2b2f9a5e2da6d9a

SHA256
a5f38b8239d95da2d02c5015855801b9813154b122e1b51c59ac110e34350b96

SHA512
7a26f71961943efb5362798365ec7152a7ae9bcd96335469f7544ecda4fe025d6729a9a6c9fe1033266896ebf0c85fc5b760346d56a92f80ab3109f3c445ecef

Download Submit
C:\Windows\SysWOW64\Olehhc32.exe

Filesize
1.8MB

MD5
0fb6c63c424a0cd8a6217ac64ad60bfa

SHA1
2429e9d376d00955d74c3f36f3708c1bac14ccb4

SHA256
ee22513669fa0a6e733a3bbfea5220be14ff8481d377ea8f7c5410ddf31dc795

SHA512
a25bf2b1c65d6b66be4664b757283bfeeea028472c076ab67b7686540c223970b9548523d6675f5156178b82f2228a675e0302801011fa1ba683dd832087c1ba

Download Submit
C:\Windows\SysWOW64\Olgemcli.exe

Filesize
1.8MB

MD5
18c9ce07237d56d4cf779acee17134f1

SHA1
896b2ff6034bbb13c0875226721ca01382d58e60

SHA256
c1f9dc316da9e4bc46794a75b13217f8e8746caef301ba456a9f0c21ab3f033a

SHA512
3eaa4c48d43d7fa364b691ef68c8f57f9999c23759daccafd636772873ccb59a6459d42b5b902c1b7b7d2cb4273b7ac6fb0dde477b8772bc32bf2d794b7a2654

Download Submit
C:\Windows\SysWOW64\Pdkoch32.exe

Filesize
1.8MB

MD5
42f97dfce351b16c10cda26c94ba399c

SHA1
abff0feb627a56002209f745b5449807f1114cd8

SHA256
703f9535ecb5de351bb7ad7e9d63e21bae8926c0910c9aef50115ab08ae77440

SHA512
4e74f4425397abfc7d9691ae2603e22670d565be2d885a67922eb75482064263ae09e895e43e29a94b458e52cccc1fcff255cb993509e0d23f98f21cddd88c89

Download Submit
C:\Windows\SysWOW64\Phodcg32.exe

Filesize
705KB

MD5
c7a3670c2cd6580cc572863cc31375c4

SHA1
be65db2d86798a32fd909746423b290273560d6d

SHA256
49ebe320e7cad7171d89c567eb98d4de0404f6372b4388070b4088dcc2b1bf9d

SHA512
0d2345cf2ce216bfc2875ca9a35791b3a5a37219167075b3e566afdbd9c9d20f94cdec63aa06f007d4544e94cb3d197195e1993d2ee414e3a7a96729776798e3

Download Submit
memory/116-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-604-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-678-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-606-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-613-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-596-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-618-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-600-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-615-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-605-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-684-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-614-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-607-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-629-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-608-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-625-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-611-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-627-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-683-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-612-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-685-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-628-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-622-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-623-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-617-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-620-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-610-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-626-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-624-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-601-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-616-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-602-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-619-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-630-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5124-631-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5160-632-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5196-633-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5232-634-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5264-635-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5300-636-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads