33e723ddc327970be2cb901bd10771216083cd9651f2630c6f882395114e39f1

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33e723ddc327970be2cb901bd10771216083cd9651f2630c6f882395114e39f1.exe
Size

833KB
MD5

a87f6161645cf6e2e9a0fe7364bff87b
SHA1

7d4386c260af89241de7e88ddf2f53c392a98daf
SHA256

33e723ddc327970be2cb901bd10771216083cd9651f2630c6f882395114e39f1
SHA512

78ddba6b658bc74031120f0686faa39ffcfb86630572eb181b98daa078174a3b9845c664debab942d83412bc7578cc2d427de644621086f6bcf194f0f96cb295
SSDEEP

24576:NNAZdXHfNIVIIVy2jU13fS2hEYM9RIPqcNaAarJWw6j0dFZg0ZktGlIOfSJbuIsg:MZdXeFjC3a2hEY2RIPqcNaAarJWwq0d6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekcgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlkfbocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlkfbocp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfbkpab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oblmdhdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cihclh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iafkld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebhglj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eleepoob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdnhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efgemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipdndloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidabppl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeddnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgjejhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqpfmlce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkogiikb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleepoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iafkld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbfcmhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljceqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jldbpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbepme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcclld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmikeaap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakikoom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjjmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmoohe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djcoai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjohde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plejdkmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfpdin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npepkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjdho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehpadhll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fganqbgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Codhnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiaoid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmfnpa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqhdbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe

Executes dropped EXE 64 IoCs

pid	Process
4572	Kgopidgf.exe
5064	Knkekn32.exe
384	Leenhhdn.exe
5116	Ljbfpo32.exe
368	Legjmh32.exe
1752	Oblmdhdo.exe
1672	Ooejohhq.exe
1616	Oeaoab32.exe
4136	Pkogiikb.exe
228	Pidabppl.exe
2372	Plejdkmm.exe
5092	Pemomqcn.exe
3596	Qlggjk32.exe
4616	Qikgco32.exe
2896	Qcclld32.exe
3324	Ajndioga.exe
3528	Aojlaeei.exe
2932	Aeddnp32.exe
4376	Akamff32.exe
4800	Aakebqbj.exe
3500	Ahenokjf.exe
1944	Akcjkfij.exe
1688	Ahgjejhd.exe
2292	Bkkple32.exe
4508	Bfpdin32.exe
3208	Bkmmaeap.exe
4344	Bfbaonae.exe
5012	Bokehc32.exe
4364	Bhcjqinf.exe
4900	Bcinna32.exe
2328	Bmabggdm.exe
1480	Bbnkonbd.exe
4048	Cihclh32.exe
2360	Cobkhb32.exe
1296	Cijpahho.exe
2184	Codhnb32.exe
3100	Cfnqklgh.exe
3268	Ccbadp32.exe
4920	Cioilg32.exe
2192	Ccdnjp32.exe
2120	Ciafbg32.exe
1512	Dbjkkl32.exe
1636	Dmoohe32.exe
3552	Djcoai32.exe
5144	Dkdliame.exe
5180	Dfjpfj32.exe
5216	Dpbdopck.exe
5252	Djhimica.exe
5288	Dmfeidbe.exe
5324	Dcpmen32.exe
5360	Djjebh32.exe
5396	Dpgnjo32.exe
5432	Ejlbhh32.exe
5468	Emkndc32.exe
5500	Ebhglj32.exe
5536	Eiaoid32.exe
5584	Eplgeokq.exe
5636	Elbhjp32.exe
5692	Eleepoob.exe
5744	Efjimhnh.exe
5800	Fcniglmb.exe
5860	Fmfnpa32.exe
5928	Fmikeaap.exe
5964	Fbfcmhpg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hjcakafa.dll	Lhenai32.exe
File opened for modification	C:\Windows\SysWOW64\Ljceqb32.exe	Lomqcjie.exe
File created	C:\Windows\SysWOW64\Dhbmpk32.dll	Djcoai32.exe
File created	C:\Windows\SysWOW64\Aokkahlo.exe	Ahaceo32.exe
File created	C:\Windows\SysWOW64\Fqeioiam.exe	Fdnhih32.exe
File created	C:\Windows\SysWOW64\Glllagck.dll	Lakfeodm.exe
File created	C:\Windows\SysWOW64\Pjpfjl32.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Ehpadhll.exe	Eqiibjlj.exe
File created	C:\Windows\SysWOW64\Jecampmk.dll	Ciafbg32.exe
File opened for modification	C:\Windows\SysWOW64\Aakebqbj.exe	Akamff32.exe
File created	C:\Windows\SysWOW64\Ddhnoefl.dll	Oeaoab32.exe
File created	C:\Windows\SysWOW64\Bkmmaeap.exe	Bfpdin32.exe
File created	C:\Windows\SysWOW64\Ojqcnhkl.exe	Ocgkan32.exe
File created	C:\Windows\SysWOW64\Kgopidgf.exe	33e723ddc327970be2cb901bd10771216083cd9651f2630c6f882395114e39f1.exe
File created	C:\Windows\SysWOW64\Jpbjfjci.exe	Jemfhacc.exe
File opened for modification	C:\Windows\SysWOW64\Jpbjfjci.exe	Jemfhacc.exe
File created	C:\Windows\SysWOW64\Mqjbddpl.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Epopbo32.dll	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Fffhifdk.exe	Fjohde32.exe
File opened for modification	C:\Windows\SysWOW64\Emkndc32.exe	Ejlbhh32.exe
File opened for modification	C:\Windows\SysWOW64\Ipdndloi.exe	Iijfhbhl.exe
File created	C:\Windows\SysWOW64\Ekjali32.dll	Iamamcop.exe
File opened for modification	C:\Windows\SysWOW64\Ciafbg32.exe	Ccdnjp32.exe
File created	C:\Windows\SysWOW64\Glhimp32.exe	Gbpedjnb.exe
File opened for modification	C:\Windows\SysWOW64\Fnkfmm32.exe	Fganqbgg.exe
File created	C:\Windows\SysWOW64\Fbbnpn32.dll	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Fjohde32.exe	Fbfcmhpg.exe
File created	C:\Windows\SysWOW64\Bdlgcp32.dll	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Pkoaeldi.dll	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Jeapcq32.exe	Jbccge32.exe
File created	C:\Windows\SysWOW64\Pfigmnlg.dll	Nijqcf32.exe
File opened for modification	C:\Windows\SysWOW64\Eleepoob.exe	Elbhjp32.exe
File created	C:\Windows\SysWOW64\Hbgkei32.exe	Hioflcbj.exe
File created	C:\Windows\SysWOW64\Oblmdhdo.exe	Legjmh32.exe
File created	C:\Windows\SysWOW64\Peaggfjj.dll	Ljhnlb32.exe
File opened for modification	C:\Windows\SysWOW64\Nceefd32.exe	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Gpolbo32.exe	Gejhef32.exe
File created	C:\Windows\SysWOW64\Jhnhbn32.dll	Ejlbhh32.exe
File created	C:\Windows\SysWOW64\Odaodc32.dll	Gbpedjnb.exe
File created	C:\Windows\SysWOW64\Dgegjnih.dll	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Kebkgjkg.dll	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Cobkhb32.exe	Cihclh32.exe
File created	C:\Windows\SysWOW64\Dmncdk32.dll	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Ofmdio32.exe	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Minqeaad.dll	Lqhdbm32.exe
File created	C:\Windows\SysWOW64\Fmbdpnaj.dll	Gejhef32.exe
File created	C:\Windows\SysWOW64\Lgbloglj.exe	Lqhdbm32.exe
File created	C:\Windows\SysWOW64\Epllglpf.dll	Dpgnjo32.exe
File created	C:\Windows\SysWOW64\Emkndc32.exe	Ejlbhh32.exe
File opened for modification	C:\Windows\SysWOW64\Njjdho32.exe	Npepkf32.exe
File opened for modification	C:\Windows\SysWOW64\Ihkjno32.exe	Hnbeeiji.exe
File created	C:\Windows\SysWOW64\Bgnpek32.dll	Lllagh32.exe
File created	C:\Windows\SysWOW64\Mlgbnc32.dll	Bkkple32.exe
File created	C:\Windows\SysWOW64\Dkekjdck.exe	Dqpfmlce.exe
File opened for modification	C:\Windows\SysWOW64\Ilphdlqh.exe	Iefphb32.exe
File created	C:\Windows\SysWOW64\Ljpaqmgb.exe	Lojmcdgl.exe
File created	C:\Windows\SysWOW64\Boihcf32.exe	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Ocgkan32.exe	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Fknofqcc.dll	Pjlcjf32.exe
File created	C:\Windows\SysWOW64\Efeifngp.dll	Elbhjp32.exe
File created	C:\Windows\SysWOW64\Bcinna32.exe	Bhcjqinf.exe
File created	C:\Windows\SysWOW64\Dpgnjo32.exe	Djjebh32.exe
File created	C:\Windows\SysWOW64\Ibfnqmpf.exe	Feoodn32.exe
File opened for modification	C:\Windows\SysWOW64\Ljbfpo32.exe	Leenhhdn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8808	2536	WerFault.exe	376

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihgqfld.dll"	Gaqhjggp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klggli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbekbm32.dll"	Leenhhdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmoohe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epllglpf.dll"	Dpgnjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjfaikb.dll"	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cobkhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cioilg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihkjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picoja32.dll"	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihqiqn32.dll"	33e723ddc327970be2cb901bd10771216083cd9651f2630c6f882395114e39f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopjdidn.dll"	Mmhgmmbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll"	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlijb32.dll"	Pemomqcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efjimhnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeclnmik.dll"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pemomqcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekcgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqgeihg.dll"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeichoo.dll"	Cfnqklgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lopmii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odibfg32.dll"	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcegclgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipdndloi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jemfhacc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnqklgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhenai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggikgqe.dll"	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnfhilh.dll"	Hioflcbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdcemd.dll"	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdhdlin.dll"	Ehndnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfedh32.dll"	Fqeioiam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emkndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgilf32.dll"	Mcfbkpab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpmomo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Legjmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imkbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olekop32.dll"	Hnbeeiji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljalni32.dll"	Bbnkonbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejlbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbehfom.dll"	Ibhkfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkhgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbodmjl.dll"	Aeddnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klinjgke.dll"	Akamff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bllbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngidlo32.dll"	Lopmii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Codhnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilphdlqh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 4572	4036	33e723ddc327970be2cb901bd10771216083cd9651f2630c6f882395114e39f1.exe	94
PID 4036 wrote to memory of 4572	4036	33e723ddc327970be2cb901bd10771216083cd9651f2630c6f882395114e39f1.exe	94
PID 4036 wrote to memory of 4572	4036	33e723ddc327970be2cb901bd10771216083cd9651f2630c6f882395114e39f1.exe	94
PID 4572 wrote to memory of 5064	4572	Kgopidgf.exe	95
PID 4572 wrote to memory of 5064	4572	Kgopidgf.exe	95
PID 4572 wrote to memory of 5064	4572	Kgopidgf.exe	95
PID 5064 wrote to memory of 384	5064	Knkekn32.exe	96
PID 5064 wrote to memory of 384	5064	Knkekn32.exe	96
PID 5064 wrote to memory of 384	5064	Knkekn32.exe	96
PID 384 wrote to memory of 5116	384	Leenhhdn.exe	97
PID 384 wrote to memory of 5116	384	Leenhhdn.exe	97
PID 384 wrote to memory of 5116	384	Leenhhdn.exe	97
PID 5116 wrote to memory of 368	5116	Ljbfpo32.exe	98
PID 5116 wrote to memory of 368	5116	Ljbfpo32.exe	98
PID 5116 wrote to memory of 368	5116	Ljbfpo32.exe	98
PID 368 wrote to memory of 1752	368	Legjmh32.exe	99
PID 368 wrote to memory of 1752	368	Legjmh32.exe	99
PID 368 wrote to memory of 1752	368	Legjmh32.exe	99
PID 1752 wrote to memory of 1672	1752	Oblmdhdo.exe	100
PID 1752 wrote to memory of 1672	1752	Oblmdhdo.exe	100
PID 1752 wrote to memory of 1672	1752	Oblmdhdo.exe	100
PID 1672 wrote to memory of 1616	1672	Ooejohhq.exe	101
PID 1672 wrote to memory of 1616	1672	Ooejohhq.exe	101
PID 1672 wrote to memory of 1616	1672	Ooejohhq.exe	101
PID 1616 wrote to memory of 4136	1616	Oeaoab32.exe	102
PID 1616 wrote to memory of 4136	1616	Oeaoab32.exe	102
PID 1616 wrote to memory of 4136	1616	Oeaoab32.exe	102
PID 4136 wrote to memory of 228	4136	Pkogiikb.exe	103
PID 4136 wrote to memory of 228	4136	Pkogiikb.exe	103
PID 4136 wrote to memory of 228	4136	Pkogiikb.exe	103
PID 228 wrote to memory of 2372	228	Pidabppl.exe	104
PID 228 wrote to memory of 2372	228	Pidabppl.exe	104
PID 228 wrote to memory of 2372	228	Pidabppl.exe	104
PID 2372 wrote to memory of 5092	2372	Plejdkmm.exe	105
PID 2372 wrote to memory of 5092	2372	Plejdkmm.exe	105
PID 2372 wrote to memory of 5092	2372	Plejdkmm.exe	105
PID 5092 wrote to memory of 3596	5092	Pemomqcn.exe	106
PID 5092 wrote to memory of 3596	5092	Pemomqcn.exe	106
PID 5092 wrote to memory of 3596	5092	Pemomqcn.exe	106
PID 3596 wrote to memory of 4616	3596	Qlggjk32.exe	108
PID 3596 wrote to memory of 4616	3596	Qlggjk32.exe	108
PID 3596 wrote to memory of 4616	3596	Qlggjk32.exe	108
PID 4616 wrote to memory of 2896	4616	Qikgco32.exe	109
PID 4616 wrote to memory of 2896	4616	Qikgco32.exe	109
PID 4616 wrote to memory of 2896	4616	Qikgco32.exe	109
PID 2896 wrote to memory of 3324	2896	Qcclld32.exe	110
PID 2896 wrote to memory of 3324	2896	Qcclld32.exe	110
PID 2896 wrote to memory of 3324	2896	Qcclld32.exe	110
PID 3324 wrote to memory of 3528	3324	Ajndioga.exe	111
PID 3324 wrote to memory of 3528	3324	Ajndioga.exe	111
PID 3324 wrote to memory of 3528	3324	Ajndioga.exe	111
PID 3528 wrote to memory of 2932	3528	Aojlaeei.exe	112
PID 3528 wrote to memory of 2932	3528	Aojlaeei.exe	112
PID 3528 wrote to memory of 2932	3528	Aojlaeei.exe	112
PID 2932 wrote to memory of 4376	2932	Aeddnp32.exe	113
PID 2932 wrote to memory of 4376	2932	Aeddnp32.exe	113
PID 2932 wrote to memory of 4376	2932	Aeddnp32.exe	113
PID 4376 wrote to memory of 4800	4376	Akamff32.exe	114
PID 4376 wrote to memory of 4800	4376	Akamff32.exe	114
PID 4376 wrote to memory of 4800	4376	Akamff32.exe	114
PID 4800 wrote to memory of 3500	4800	Aakebqbj.exe	115
PID 4800 wrote to memory of 3500	4800	Aakebqbj.exe	115
PID 4800 wrote to memory of 3500	4800	Aakebqbj.exe	115
PID 3500 wrote to memory of 1944	3500	Ahenokjf.exe	116

C:\Users\Admin\AppData\Local\Temp\33e723ddc327970be2cb901bd10771216083cd9651f2630c6f882395114e39f1.exe
"C:\Users\Admin\AppData\Local\Temp\33e723ddc327970be2cb901bd10771216083cd9651f2630c6f882395114e39f1.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\SysWOW64\Kgopidgf.exe
  C:\Windows\system32\Kgopidgf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\Knkekn32.exe
    C:\Windows\system32\Knkekn32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\SysWOW64\Leenhhdn.exe
      C:\Windows\system32\Leenhhdn.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Windows\SysWOW64\Ljbfpo32.exe
        
        C:\Windows\system32\Ljbfpo32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Windows\SysWOW64\Legjmh32.exe
        
        C:\Windows\system32\Legjmh32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Oblmdhdo.exe
        
        C:\Windows\system32\Oblmdhdo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Ooejohhq.exe
        
        C:\Windows\system32\Ooejohhq.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Oeaoab32.exe
        
        C:\Windows\system32\Oeaoab32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Pkogiikb.exe
        
        C:\Windows\system32\Pkogiikb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Pidabppl.exe
        
        C:\Windows\system32\Pidabppl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Plejdkmm.exe
        
        C:\Windows\system32\Plejdkmm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Pemomqcn.exe
        
        C:\Windows\system32\Pemomqcn.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Qlggjk32.exe
        
        C:\Windows\system32\Qlggjk32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Qikgco32.exe
        
        C:\Windows\system32\Qikgco32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Qcclld32.exe
        
        C:\Windows\system32\Qcclld32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Ajndioga.exe
        
        C:\Windows\system32\Ajndioga.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Aojlaeei.exe
        
        C:\Windows\system32\Aojlaeei.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Aeddnp32.exe
        
        C:\Windows\system32\Aeddnp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Akamff32.exe
        
        C:\Windows\system32\Akamff32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Aakebqbj.exe
        
        C:\Windows\system32\Aakebqbj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Ahenokjf.exe
        
        C:\Windows\system32\Ahenokjf.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Akcjkfij.exe
        
        C:\Windows\system32\Akcjkfij.exe
        23⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Ahgjejhd.exe
        
        C:\Windows\system32\Ahgjejhd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Bkkple32.exe
        
        C:\Windows\system32\Bkkple32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\Bfpdin32.exe
        
        C:\Windows\system32\Bfpdin32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Bkmmaeap.exe
        
        C:\Windows\system32\Bkmmaeap.exe
        27⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Bfbaonae.exe
        
        C:\Windows\system32\Bfbaonae.exe
        28⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Bokehc32.exe
        
        C:\Windows\system32\Bokehc32.exe
        29⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Bhcjqinf.exe
        
        C:\Windows\system32\Bhcjqinf.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Bcinna32.exe
        
        C:\Windows\system32\Bcinna32.exe
        31⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Bmabggdm.exe
        
        C:\Windows\system32\Bmabggdm.exe
        32⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\Bbnkonbd.exe
        
        C:\Windows\system32\Bbnkonbd.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Cihclh32.exe
        
        C:\Windows\system32\Cihclh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Cobkhb32.exe
        
        C:\Windows\system32\Cobkhb32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Cijpahho.exe
        
        C:\Windows\system32\Cijpahho.exe
        36⤵
        Executes dropped EXE
        
        PID:1296
        
        C:\Windows\SysWOW64\Codhnb32.exe
        
        C:\Windows\system32\Codhnb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Cfnqklgh.exe
        
        C:\Windows\system32\Cfnqklgh.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Ccbadp32.exe
        
        C:\Windows\system32\Ccbadp32.exe
        39⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\Cioilg32.exe
        
        C:\Windows\system32\Cioilg32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ccdnjp32.exe
        
        C:\Windows\system32\Ccdnjp32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\Ciafbg32.exe
        
        C:\Windows\system32\Ciafbg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\Dbjkkl32.exe
        
        C:\Windows\system32\Dbjkkl32.exe
        43⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\Dmoohe32.exe
        
        C:\Windows\system32\Dmoohe32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Djcoai32.exe
        
        C:\Windows\system32\Djcoai32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Dkdliame.exe
        
        C:\Windows\system32\Dkdliame.exe
        46⤵
        Executes dropped EXE
        
        PID:5144
        
        C:\Windows\SysWOW64\Dfjpfj32.exe
        
        C:\Windows\system32\Dfjpfj32.exe
        47⤵
        Executes dropped EXE
        
        PID:5180
        
        C:\Windows\SysWOW64\Dpbdopck.exe
        
        C:\Windows\system32\Dpbdopck.exe
        48⤵
        Executes dropped EXE
        
        PID:5216
        
        C:\Windows\SysWOW64\Djhimica.exe
        
        C:\Windows\system32\Djhimica.exe
        49⤵
        Executes dropped EXE
        
        PID:5252
        
        C:\Windows\SysWOW64\Dmfeidbe.exe
        
        C:\Windows\system32\Dmfeidbe.exe
        50⤵
        Executes dropped EXE
        
        PID:5288
        
        C:\Windows\SysWOW64\Dcpmen32.exe
        
        C:\Windows\system32\Dcpmen32.exe
        51⤵
        Executes dropped EXE
        
        PID:5324
        
        C:\Windows\SysWOW64\Djjebh32.exe
        
        C:\Windows\system32\Djjebh32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Dpgnjo32.exe
        
        C:\Windows\system32\Dpgnjo32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Ejlbhh32.exe
        
        C:\Windows\system32\Ejlbhh32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Emkndc32.exe
        
        C:\Windows\system32\Emkndc32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Ebhglj32.exe
        
        C:\Windows\system32\Ebhglj32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5500
        
        C:\Windows\SysWOW64\Eiaoid32.exe
        
        C:\Windows\system32\Eiaoid32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5536
        
        C:\Windows\SysWOW64\Eplgeokq.exe
        
        C:\Windows\system32\Eplgeokq.exe
        58⤵
        Executes dropped EXE
        
        PID:5584
        
        C:\Windows\SysWOW64\Elbhjp32.exe
        
        C:\Windows\system32\Elbhjp32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Eleepoob.exe
        
        C:\Windows\system32\Eleepoob.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5692
        
        C:\Windows\SysWOW64\Efjimhnh.exe
        
        C:\Windows\system32\Efjimhnh.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Fcniglmb.exe
        
        C:\Windows\system32\Fcniglmb.exe
        62⤵
        Executes dropped EXE
        
        PID:5800
        
        C:\Windows\SysWOW64\Fmfnpa32.exe
        
        C:\Windows\system32\Fmfnpa32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5860
        
        C:\Windows\SysWOW64\Fmikeaap.exe
        
        C:\Windows\system32\Fmikeaap.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5928
        
        C:\Windows\SysWOW64\Fbfcmhpg.exe
        
        C:\Windows\system32\Fbfcmhpg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Fjohde32.exe
        
        C:\Windows\system32\Fjohde32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Fffhifdk.exe
        
        C:\Windows\system32\Fffhifdk.exe
        67⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Gdjibj32.exe
        
        C:\Windows\system32\Gdjibj32.exe
        68⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Pocpfphe.exe
        
        C:\Windows\system32\Pocpfphe.exe
        69⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        70⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        72⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        73⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        74⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        75⤵
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        78⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        79⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5872
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        81⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        82⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        83⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        84⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        85⤵
        
        PID:432
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        86⤵
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        87⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        88⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        89⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        90⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        91⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        94⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        96⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        97⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        98⤵
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        99⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        100⤵
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        101⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        104⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        105⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        106⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4512
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        108⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        109⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        110⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        111⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        112⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        113⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        114⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        115⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        117⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        118⤵
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6316
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        120⤵
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        121⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        122⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        123⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        124⤵
        Drops file in System32 directory
        
        PID:6516
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        125⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        126⤵
        Drops file in System32 directory
        
        PID:6604
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        127⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        128⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6768
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        131⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        132⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        133⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6940
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        135⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        136⤵
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        137⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        138⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        139⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        140⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        141⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        142⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        143⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6468
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        145⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        147⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        148⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6836
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        150⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        151⤵
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        152⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        153⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        154⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        155⤵
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        156⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        157⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        159⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        160⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        161⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        162⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        164⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        165⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        166⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        168⤵
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        169⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        170⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Fganqbgg.exe
        
        C:\Windows\system32\Fganqbgg.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6780
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        172⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        173⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        174⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        175⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        176⤵
        Modifies registry class
        
        PID:7348
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        177⤵
        Drops file in System32 directory
        
        PID:7396
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        178⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        179⤵
        Modifies registry class
        
        PID:7504
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        180⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        181⤵
        Drops file in System32 directory
        
        PID:7600
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        182⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        183⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        184⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7792
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        186⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        187⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7928
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        188⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        189⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8028
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        190⤵
        Modifies registry class
        
        PID:8076
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        191⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        192⤵
        Drops file in System32 directory
        
        PID:8176
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7236
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7280
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        195⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        196⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        197⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        198⤵
        Drops file in System32 directory
        
        PID:7640
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        199⤵
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        200⤵
        Drops file in System32 directory
        
        PID:7812
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        201⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        202⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8084
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        204⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8136
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        205⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        206⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7452
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        208⤵
        Drops file in System32 directory
        
        PID:7628
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        209⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7952
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8052
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8188
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        213⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        214⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        215⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        216⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8124
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        218⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        219⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        220⤵
        Modifies registry class
        
        PID:8072
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        221⤵
        Modifies registry class
        
        PID:7512
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        222⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        223⤵
        Modifies registry class
        
        PID:7732
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        224⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        225⤵
        Drops file in System32 directory
        
        PID:8248
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        226⤵
        Drops file in System32 directory
        
        PID:8296
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        227⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8380
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        229⤵
        Drops file in System32 directory
        
        PID:8420
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        230⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8464
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        231⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        232⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8588
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        234⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8676
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        236⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8760
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        238⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        239⤵
        Drops file in System32 directory
        
        PID:8852
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        240⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8940
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8980
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        243⤵
        Drops file in System32 directory
        
        PID:9020
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        244⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        245⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        246⤵
        Modifies registry class
        
        PID:9140
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9180
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        248⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        249⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        250⤵
        Drops file in System32 directory
        
        PID:8376
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        251⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        252⤵
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        253⤵
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        254⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        255⤵
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        257⤵
        Modifies registry class
        
        PID:8756
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        258⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        259⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        260⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        261⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        262⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        263⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        264⤵
        Modifies registry class
        
        PID:9212
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8388
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8404
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        267⤵
        Drops file in System32 directory
        
        PID:8500
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        268⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        269⤵
        Modifies registry class
        
        PID:8652
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        270⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        271⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8864
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        272⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        273⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        274⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        275⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 404
        276⤵
        Program crash
        
        PID:8808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2536 -ip 2536
1⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4488 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:8
1⤵
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakebqbj.exe

Filesize
833KB

MD5
0e09690c94a7408f6842c72e48b200b1

SHA1
339fd15eb7fafc2f3789d8c7f498c03cb9d05fd0

SHA256
5dacb0aea10619c6987ba09c8612f4210abfa89b1603d0ebe62219f00d92ed23

SHA512
6b26502d512ab52ef0e108a5a6c8d5cf58efc6982f1ce8488a9d05ca1ffc4b81d737df81c1494c73d39376b33c1b258cca2a7e7fedbddff368a1f283e5075b9a

Download Submit
C:\Windows\SysWOW64\Aakebqbj.exe

Filesize
128KB

MD5
76455cc83eeda7f44ba777d3bf15848a

SHA1
bac8867f18beea93a30d05bca644db0e9afe1bcf

SHA256
5bf9047fa7922c698fb3d0253ac2d76519f976199aa2ad926fd6697a8836640a

SHA512
6d7eb051f1bd0b82add33f2ce3362716e0a76c89d1ef8e2929bd905d02fb61390646369c396676f84d50d553210124a36ced82e7b372fd0b0489b81d285b7003

Download Submit
C:\Windows\SysWOW64\Aeddnp32.exe

Filesize
833KB

MD5
eac89d7f5dafd99f8050139393ee205a

SHA1
46cda91457daab44c105979ef3c40443fe8a19b9

SHA256
07f1e559b6c2447fc7b2ee47459d3b43eea7e20c658816ee6d204b3363d1a59b

SHA512
d2160d40eaeb66740229f25eb9dafbc9f2e46a9bb62ef969e75a59ac1659fe61682e020656a1ba7479ff6000fadd7da6c3913c590b5b27d1221b0cfa381127c9

Download Submit
C:\Windows\SysWOW64\Ahenokjf.exe

Filesize
833KB

MD5
f8dbbe0f0417641c27921b3e37b1ccae

SHA1
0fbc846b9bda57b22084e38b022c9af84bce58f0

SHA256
db2689c6d161d01ae7f4890e6eceb2f7295bed8a22324f40ca1521b35b7e39b5

SHA512
23e165abb93a399dd5985732a73129105faf36c8c149b3efec923e534dac9eb019fb17e578f484b9087b0bb22bd7a62dc9ff34f3875240458362338c51461f9f

Download Submit
C:\Windows\SysWOW64\Ahenokjf.exe

Filesize
128KB

MD5
396075b3d3a5e0fd08aa1ca808d4f7ea

SHA1
f58f3d170ac899a9f72b7939306c6b912569a286

SHA256
1ad449e409ff77432cc1fa8f16240004ce07b1ded5188dbd8c1dbd90d89a6127

SHA512
c8cfafae32f91848596d70f25c95f5a7be5c6f9d4af1ee801f2db272cb9a430db2df02de5fb28cd45bfce1221f5602e2ee517184e8ab5e1ba198877851a46ef7

Download Submit
C:\Windows\SysWOW64\Ahgjejhd.exe

Filesize
833KB

MD5
d83aa848c7e48d72b94a471b0ff4d65c

SHA1
952f1cd80412b6652889a9744ad6de1f7037aeaf

SHA256
02546e766f54afc26d0cf7f2f8e103d2178d75cbcccf2d1fdaa8ac1e83884acc

SHA512
b96e64a277e339e80eaa4b4951acdb478009bbb75a633aa5d6b93f68075177ca6daefa8a90c7a1dd0b2f1514744b759e37aac464ca9325cb29efc9bdf2da8215

Download Submit
C:\Windows\SysWOW64\Ajndioga.exe

Filesize
833KB

MD5
295a0d3db9d8f38c78d2ef6bfc4e3771

SHA1
c05114fa23aabf882eb42861306d53d3346330c5

SHA256
7e78db08ee000ae2c3268f65a508540befbaf85c840fcbc50ac6aa15ac4c406a

SHA512
6e70b77ed3f1bc89b9438582de6f5f801254951622512bb37f3e2f3a1d4ef90ff9a1d55b799b5db642b6e97221c14917220ad17db7b69b15fa7b3c5e1aab3b72

Download Submit
C:\Windows\SysWOW64\Ajndioga.exe

Filesize
512KB

MD5
b90de728d056a57758a442dc9d66bbd2

SHA1
b93f93992fc6abdb941d1b9f28e6c50f5693fe23

SHA256
c239c09b643814ebd6f2128512da33fd2c0ceee51a05eadfe2ff7cab3e3190a0

SHA512
dcab7694602f7616bef7d64c02cb67151108c4d6350936a3f5c6e5c52326862bb3535bdc7897aad3a09f5bff958d4ea733954043f59f4238b6bce8ef99eb95b7

Download Submit
C:\Windows\SysWOW64\Akamff32.exe

Filesize
833KB

MD5
ea883f7a876b9bfaad376a407f099912

SHA1
3ddb1d7b373c8984af96fad18c20219ac1a08f8a

SHA256
196c9e1b489128993a240405ff13a1cdefadd9b96a76a009eaacec7901a99dca

SHA512
02168717076224671ef5a44f3774062f9257e23e90e5a77495e2a5e1160a3af30cb58e92c42ab2856e87265726946bc2a66c7750c84fe9bc0be15efb4ddcd796

Download Submit
C:\Windows\SysWOW64\Akcjkfij.exe

Filesize
64KB

MD5
590de2088e1415da9e5386bbfb00508c

SHA1
53d88a3f3eebd2d5d57063235fee36ff9edd8213

SHA256
c20af637bed5f253cdccb6b5c1c6147d02421975502b431973c725f06e84020a

SHA512
38d7f89d7805a2fff2524934a9cb3f068b4f901fdb77635db1a75128537689fe26f9d014c3114a6eb153492cea3a455bcce80f4709cbd131f02757e163b410f0

Download Submit
C:\Windows\SysWOW64\Aojlaeei.exe

Filesize
833KB

MD5
f3ce5b886ee50d9c562e1f40a25433a7

SHA1
eb598255f02247d6b75f4ebf04f2cf7f30a4a52e

SHA256
f4da6f9f21bc1f6344a7ff98fbbb1eea77a4e9152fc8a5347ea1855dba53bbe2

SHA512
8477096a8aeebdcbd6e89b3e9a32b66c938ed416195c67d9ebc87d64c4aecab836973ecbb259854caca075f05c00a6ae064a72846522318233218bd600eec702

Download Submit
C:\Windows\SysWOW64\Aojlaeei.exe

Filesize
384KB

MD5
308ddc74591f5bb9cf6541583bd7fc22

SHA1
d4deacf5e83259738f6728feca09eb2597529632

SHA256
c3bf9067486fcf5652845e5acd959401e64f062583303792d44561c8c8956877

SHA512
c82cfc9c4b9de645cfb9ceaff6169a005c78b79bc9a2b9219eeacaf57839c095bc47a4108cb1e74baf6a48a598ea1879a5377381208c3825abb9ece366c3041e

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
833KB

MD5
5970d51caa647fb448b6601ac0a68e30

SHA1
8bec2382156a6f065976fcabcad1bbf421d369db

SHA256
786ab4a2ecdba7bdc6a3a5f6b7bda17e93bc73546bab7ee692f6d65640f5b6b6

SHA512
0b099572b734f426398daf30525a385cddedc3309980f79e5ece33170a6a17a41550649469e7c3c77e1184b4f297f897f07944a2705c6da2679caea340582bef

Download Submit
C:\Windows\SysWOW64\Bbnkonbd.exe

Filesize
833KB

MD5
053b240ae2fe4184dbfa1a4c88ba8330

SHA1
075b91ab7c7597f228b39135f5e1dd16e36df546

SHA256
79cd7947564b2239bd782a477ad81374a99ad1b3cb1dcd46f62690daab8fb7b9

SHA512
324a6edaa555adc2b28b45d5d48abe1343f44a6a42bf6c4e0fe41e49ff4024e6f316b4d4d4de256c33c4c8cba9505f4ea67b97d260ea8a8d38bd5b662553f3d2

Download Submit
C:\Windows\SysWOW64\Bcinna32.exe

Filesize
833KB

MD5
72b2670b095c1725c38bd597d9ac6e1b

SHA1
14eb3150defac6aeafc33c26fcedb1453ad2e4a1

SHA256
52a9eb25ca9f316c0b12c20bbfa8cb02a4ea400a1609ed06291fff94d7f1160b

SHA512
480f68040f4b15de0ca6beb9ab267572de3d03c4d634022ace1e99982ef07d305f5779b67844b4824457da5a4f27fc52c391fe6f432aea4a7d56c6ef7385c452

Download Submit
C:\Windows\SysWOW64\Bfbaonae.exe

Filesize
833KB

MD5
0e65961734a77c1dc45add2fa86ac459

SHA1
22e6a88b2a4218acbc87fa99b18bf0fccd067157

SHA256
01e400ebd6e723d02a4e29fad5ec833e7f6636a4b6b475cd06986c4b831c02d9

SHA512
0fb2eda25d82bba609bde2c47228c6fbbde31a3c8dc4d6d34bfa66f36a3d86bf4151d53e13c0feaa26564cca6f41480cddce1ef99458d359b4c129960aa81651

Download Submit
C:\Windows\SysWOW64\Bfpdin32.exe

Filesize
833KB

MD5
56df74655e2f7d34f78bdf80dbd69b72

SHA1
cac538d9f9e3203d46a9d7e1740435a463e2c971

SHA256
32095a1276805312562254052651dbb6eb617f3c5fca9a1f460984cf2bc58476

SHA512
f6d27e0a635ec1f58b8e8fb1683f1fb4ad0006d4c785fbb411721631402a9f9ced7acd23c9f7428d40146fa1bda448050915ff8a1a3490185fcca2e31bab30a1

Download Submit
C:\Windows\SysWOW64\Bhcjqinf.exe

Filesize
833KB

MD5
a3c5b0a3db3e131d56367ac554d9f021

SHA1
96abed26efda4380ad129a74342a58b06cb6b14a

SHA256
92f36f705125821229b3605b033f76e7ac130847abd949fc3dab48a539031b79

SHA512
88fc592a9727bee00fa7274ecb454adb5914f60455657f345fcca722834cf2445425c4ee85c69305b52ba35027381f1d6cb0485ae6c4878b7716a270f20a84e9

Download Submit
C:\Windows\SysWOW64\Bkkple32.exe

Filesize
833KB

MD5
e7074600fc45bed632d986b737c51777

SHA1
06333833ca00e2fd8b48104098081b72f4f6ea3a

SHA256
df18fb540418d09518138494443f018d1809f31440e76163b8b940876a07bdef

SHA512
44c6568a1e0895f7cb95404f898a892fc744a358f8be887aeb97f748b03c374833df44492e4715cb4e45205de6a74d89dd085ab7d74bc2d732fa4e1a23a1822b

Download Submit
C:\Windows\SysWOW64\Bkkple32.exe

Filesize
768KB

MD5
9872ffd9a6758b8da470e37eed780861

SHA1
c895763e7291d032a28ae451205c4ffdc2cb77b4

SHA256
c5a22ca9a28369f6ee28b7a1fbbdebcd640ee119caa80abcbc1194db0928c024

SHA512
28185f72555e644a1e5b0ec30724799686c5765c186880518a95f35467564d9b306ab7e1f4a6f3bc0c5696afb3cd8239c4bbb6fd31a61cb0bc536281d48af46c

Download Submit
C:\Windows\SysWOW64\Bkmmaeap.exe

Filesize
833KB

MD5
1bbbc0929f580dfdfee27dab557a7b01

SHA1
b95a13580d61ba45705585313666128777f6237a

SHA256
dae8f658a3752e8826191433075df642c916ee168338cc89c911530dc69a0879

SHA512
669594ea1bb828b0940c7755bad2bd2aa2f2157bc4bc9c338cae4ec58a95d51e3f2862d88b7e5dbd702c8771f488900d8b14dfa0bd46bf6ebe1449b48c608d48

Download Submit
C:\Windows\SysWOW64\Bkmmaeap.exe

Filesize
768KB

MD5
6b5b2e301e24b53c7d7060c651ca543b

SHA1
d80310396fb4894fc4ae130832b1f3c96d0c8875

SHA256
917831057573d7d8a71748b2cf06ca1b5e39297fc79e0cfa2efa828bd06edc06

SHA512
fdeefcff6794977fdcc561df846fc1e005220ae21a34ad20806ad7c4dd67e5f6bd603fe4f3f7e5c803724d6e5f7eac19fd3feb92d6b6ec1716ee85a11f79acfd

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
833KB

MD5
5da7c648c61c341ff944468a64cd0ad0

SHA1
d9995b2c37187c0a9d62eed591541aee7e69c023

SHA256
c20224b5ae9547ca455487f094f44a8f0a38cea0efb2cd30c2fab0f0a4bbe5ed

SHA512
186648e6405648791904960396dae56d510a42e97178da67a6da84bba7e64df2c1129f4b926fe5e0adf7a9d788f93d50900018436e31968645f31d67827ebd17

Download Submit
C:\Windows\SysWOW64\Bmabggdm.exe

Filesize
833KB

MD5
b71c4ab8d993eee3cd50258ccb835f29

SHA1
0ef88a09b44f4f20ace9f82c302c1492ffdf34b2

SHA256
e9a5d26db23b991ebc146925a71f6b478ac9bfe51e7d71f06aa4c540f8b4d26f

SHA512
2887ec95f7c9adabebccb92529988218e46fb6235551837d7c5bb0f7d14310b2bc6f32a4665f91133b93216c0bc042981505b5b9a0b5e1417678dbd5aa86f6b7

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
833KB

MD5
11c325cc9fdbf789d309c220d81979be

SHA1
c5ad2fd3db6c29273268dbb4723a6afd4be029ea

SHA256
4e3808cd057dde1e82770599c40d55847fcbbe173bd1786767949c8400989af8

SHA512
9240ea8ee058d8f788e2dcc2446c176990b7a5562bb55c22f32ebf2f33367ff09f9d58bd88ac86c16c0963a126522899867913dacaf2bdb5d8da5c331182fdc9

Download Submit
C:\Windows\SysWOW64\Bokehc32.exe

Filesize
833KB

MD5
719a4f7f885f09d1d92a3e9d5c5afe60

SHA1
8cf4b4953626f571e84640fd2dd066093f42b4bf

SHA256
c876c7503184a60ad43099b6cc82beb7eb16431155eea220bfb05fb392cfe654

SHA512
bddc0cea715881daf2f079362dde9451ee3e4f4d458c81e41ec1af152e55bf68b8fa00e7a4fb472cbb6f279fb8f0a40395eaaabf922f4a88df572cf092e4518a

Download Submit
C:\Windows\SysWOW64\Dkekjdck.exe

Filesize
576KB

MD5
dee55d56ef3c233b437b79888cf46ee0

SHA1
2d986140e3b74e55f3c279a7cc6a71bce051da76

SHA256
e2802223f8393505e83f1490756c3deb044ee8f7e33ae727c6b5eb3ccee7d08f

SHA512
e486186a767ff9a8e300ba90e63fc689587ab9587d8008b23479303f07f1260800e527017f559439bc37495d20c92c9b9c8ef4b61def07d04e0b3da1b2c911cb

Download Submit
C:\Windows\SysWOW64\Imkbnf32.exe

Filesize
833KB

MD5
b1a6f29f523182df38344fd35a824ef0

SHA1
0a7c038199a2e2ffc2195c517a3ff8e7d6f9cfbb

SHA256
eb763c6512c506b43e5eecd417583f8beeb661fa697333d5523fd6c586108284

SHA512
d6991ea7f7bd2b3be7221b5e8210d9507583a60f6c143b80379bb0bfc4b3b76a5310069e3825f86c31a0cb7289a478df97028c21a5d604087ed00bc2d1fc3eaa

Download Submit
C:\Windows\SysWOW64\Kgopidgf.exe

Filesize
833KB

MD5
ed4f0215db63c9306f3de6911714e8f1

SHA1
782ae31c0ffdb12ebc5065466d176bf2358d8b85

SHA256
1d62950b7a6ac3cde96af542d65d78f1858e792def81592f0bbe3c26f4d65441

SHA512
b830b04f30521b66ef47a9a6494071f479343556fdea5e9e612802882f24c58a6a3c022d769a8ebc91523dce3e8d335a92a36e00cd46475061840ffa8a8cf6f0

Download Submit
C:\Windows\SysWOW64\Knkekn32.exe

Filesize
833KB

MD5
d2e04e0707e3390daa6fc6b91fe27cf4

SHA1
3e399f9419f94d673ba11e531d214b47aa4e1a7c

SHA256
e637d67329de5698db2f710eb71d163eb1bc42f7001796eae865cf5ee129534f

SHA512
a3565b643d4f6b69b59feff31b3b01f0768eb3a027ea4f69aadfc1288dfa8fec95f8f5e206c844691f00bda0d85f51626d9670360e75a8a65b770bb0f691fb0b

Download Submit
C:\Windows\SysWOW64\Leenhhdn.exe

Filesize
833KB

MD5
8c51dfc37e011b64cb240f87a4a18202

SHA1
c066be8b5cb87a610282641c4e5524a62e4c55fe

SHA256
0aa03097b9bee009f55c690106d83e514320b323eaef3b0a764fc741a9c5f298

SHA512
19a52deae5102e73ff50fd4a371dd5db4912b4175dca098f823951d478193519f74b8061fda72b6842789788388a0103a41bde34f173a177cbea574dff872a83

Download Submit
C:\Windows\SysWOW64\Legjmh32.exe

Filesize
833KB

MD5
4a84e4ea94d177b7bb4b78ba0bbe1905

SHA1
5739d02dd31052a7e39bae9d13d8716df4243016

SHA256
65b78bef9db807ada565ec71ba3e1a28fd44a833e5744b4ec58c4c2c02de352f

SHA512
53991a2a8bdf581bd54901e14a67e2aeb268594c51e7ea0497be943ee50a10261767c9de1c45a489298ae0a075480b1aafbc38a743d5d5d92661315726223bdf

Download Submit
C:\Windows\SysWOW64\Ljbfpo32.exe

Filesize
833KB

MD5
82dc9dc255c3125e86c39d0acaebd2f1

SHA1
91478e1511ec4410d51635340dbfe86ed9de1523

SHA256
6b60a2265c3bd86cb50d831f90c55d5876c44f303ef9cf52703efe6613f6cd59

SHA512
efba0a3166b29fc2f97221acb39b43d685bad044dccaba0f15d68c3488f1a9a9b4c7522f0541bd878a56096151dd47d974a6dc17e21cba7b669d8795a47a118e

Download Submit
C:\Windows\SysWOW64\Mgloefco.exe

Filesize
833KB

MD5
f322019e6c52a7957be0899b1523f281

SHA1
01f93b58734d8ce328fb631f694816f3f542c133

SHA256
aceebd9f67097fc96aff9d5639a1e81c82370cda628ce3447a336ee8f7b7e3a8

SHA512
e421b7dfe718272fccc94f04888f9092ea07cefd23f4d443b4c55a1390033419694a4687a1c2329f7feccabfc1badeeee24f852010160a008e5a97bd650d386e

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
833KB

MD5
5d65360e21f671e0770be1621fcc1c8c

SHA1
2a732eee5d3e074a2eb76fd2b4a4ff4066299228

SHA256
fbdc1ab7b90dd03ecedaac797dc12deefcdaa2b9c91bd4eac97dc1c6100b2d62

SHA512
13612eafdde47d5f4c706c7ce499caee57c939f5528ab30b52cc6492764727237c0ca872273cfee23c6e6cf200a82d95f47258b522552150b3988b321a5532e5

Download Submit
C:\Windows\SysWOW64\Nqmfdj32.exe

Filesize
833KB

MD5
4dc6044613b42d6e5edfd8a4aff8554c

SHA1
dd186b35ba1c0bb09d7b94a8bfae2b5aa880ca4b

SHA256
b267f0d9d517e8fbe4d3db3125c7b1fca6b51799a9614d1769500dac20e20803

SHA512
fceec6c0381afa199c4e8c973d53206e647d9fcd0a429bf9c9e9bcc0100a2c8522d34be862190e1a6af0fc4d2f358be1f2560fafc6865dc1e8944711bfb2f692

Download Submit
C:\Windows\SysWOW64\Oblmdhdo.exe

Filesize
833KB

MD5
c31fc41383d0376139b5a70cc054ec9b

SHA1
14258ddb890316c4b436f2fe1a06166823f93aad

SHA256
fcd0038930161effc9f975b47184430aad30088a41f30ef49bc3c650bb2c1aba

SHA512
73a341c452a138701639c6062d4f816cbbb96fe060f8283167275bd432dd3ce41c8b59bdebd894388fadb74df3f066241e6bf0cde652fb39f082c2e2c31f507e

Download Submit
C:\Windows\SysWOW64\Oeaoab32.exe

Filesize
833KB

MD5
8212953a67a59588b57df2938a276d48

SHA1
104048fcf5384085da4804292bd04ecbc513daf0

SHA256
1ef92c66ce6a3ef91b9fac07d9922bad0ee8f83a1362d94b6402b31d69ce5904

SHA512
ccc0e113b738bbee77697600c387f2c9e143b58b18c9641ae58c66039dc3062e9e910e1a0c9cb873b55ebaf3531281854c645cc085f2f9d65389162b5106fc53

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
64KB

MD5
bfa871316653c49a3ed68a93a302f4f7

SHA1
4aaa1a2bb2eeffd8df9416b0a58a3e3e3704b9f5

SHA256
30f369745b54c85b3eb36487d4890e851a7c5511dacfdaa2abfa871dad837724

SHA512
a60d36cb37bfdc2aa2eec23eab3fa3575bba6c4bdf6b4cf9f920f56b427823b93cc51fb06efd77a642e5886538676ff95a660411cd471540cac8258271a569bc

Download Submit
C:\Windows\SysWOW64\Ojcpdg32.exe

Filesize
833KB

MD5
60a4fe4efb2c51d24e8ea5c79ad176aa

SHA1
ed936c9fcc93e8c27b8a212919a0c1fa93027af4

SHA256
ba5c68479e511ffc8f41636e3f4881dff901d33bbab885ee9839571505639cf0

SHA512
41f9f7d7675bb03020fd5dfddffa06dc1c3941a3fa12ba0b7c5b4031b56f82844bb6fb634fe01040afec0ebf4d79f767eae0ff0c24e80b95c2de5adfd5beb987

Download Submit
C:\Windows\SysWOW64\Ooejohhq.exe

Filesize
833KB

MD5
bba422b94e4f875d95166dd3c591a36f

SHA1
ca7defa264ce2da3786f3e1fcf679969bfff0521

SHA256
68ac6bf782c613833016f433022a23866415c7b0dedf0a5df6c34d24dc4d2abd

SHA512
8b7b4eee68ec1c0828d4d034c3ea635d068ae2ae8c11a6cd785fc754f3b8b4c308cf2f627fa14ebaeba1a5724466a9642cfbaa6323471db169a3e104b1bf7a1a

Download Submit
C:\Windows\SysWOW64\Pemomqcn.exe

Filesize
833KB

MD5
b626d2a2a65b677892db14bc3f9d944e

SHA1
e13e4e0df06b54d12207642adc437620f70f6fc7

SHA256
0fbd4ee68f6d2003c172b9ab50e6d734e6eb81b9eca0fcf47b65ee9d7112381b

SHA512
6e0650c2671b90d9d1ee6e8b32530ca25ce85a987c3772a9cfb25e518c83264a9720ae94055f272e69b2bf413b0c4c2a4838ba9fc0b29dd05dbf19bf03adeff6

Download Submit
C:\Windows\SysWOW64\Pidabppl.exe

Filesize
833KB

MD5
7e107774527746b29a38ad67e258440d

SHA1
e621345046f497296b888455c7d9211a86f3baec

SHA256
6ac4a23803b6ab8baf7a5f2805a443dc5f79128dd35527ead8f9c87124e02a05

SHA512
07c5bac10aabb5d61bd77bacda79ed7a023747d0b1b0fb0b6e1d19664b222bbefa47d427ceee9d2cff97adc941648a8370beb823c0da600af7337cd954426681

Download Submit
C:\Windows\SysWOW64\Pkogiikb.exe

Filesize
833KB

MD5
908962d686bda64ed12f397046d4c71e

SHA1
04fd532bc4c16e12b3bdd83741db6bcd78dde88f

SHA256
9400746ccf51dd7c1545cdbe088462a7943a7851a35979c30b129726d2e1c4ab

SHA512
f617610a65d63dacda1073caf6c48d8c23fce7a9397e8ae390107234a303b13d78ba8927c2c7419fe7d65819be9d6e47f403100e8a6af5097c092f5865076807

Download Submit
C:\Windows\SysWOW64\Plejdkmm.exe

Filesize
833KB

MD5
6e32a4c240e39709389bcd73a8a59f11

SHA1
4824e8fdaf748095f40c32d32898960b55922348

SHA256
39c52ef66da01bb6a6179533ec47d94932c74367bde06e6afe14f836f010c594

SHA512
097caa46d01910234cd752b43531f4c0c56c26c2402060c51f170ef41302bc89307ba8b381547ee8aae8373d3d270f8e504521f557f8e09731f97123290049f2

Download Submit
C:\Windows\SysWOW64\Pmhbqbae.exe

Filesize
833KB

MD5
44467f99dfeda7f3923e31307164f55e

SHA1
96e1ef48c08954524d0b735e04f973bbd487fa32

SHA256
4cecd766d0a3fea773112e06ee90b4ce0c1208bd8aab5ed1a556d51789095be8

SHA512
cfba5e25910a4859bd3153b0a049ded55c78fec3e4a2a35315bca03b2c3e2e08549678a3aa7ba3ffa8905fd17b31cf31325b36b9b0114b3bc38e326e73553b66

Download Submit
C:\Windows\SysWOW64\Qcclld32.exe

Filesize
833KB

MD5
b12aa8a3371e45cf46c1100b31002215

SHA1
23bb34bec9220580a0b53603c2b021ddb6c1531e

SHA256
cb7f28610a4c169b7ded2b8ada0171e237eeb132b7b0efcde7d81aed252dad2e

SHA512
c74e4683783c4b687daeec2bba797429e0591e3c2aece0fa04707d2d428804b5d0b01c28e4c2708a051129747b56bc37e6d9967c3d1b6c3bef752d046f17994e

Download Submit
C:\Windows\SysWOW64\Qcclld32.exe

Filesize
512KB

MD5
2954a87a8f00113ed14afcac0c51787d

SHA1
3e5fc5b50fb9b884b94c4837bb477d4176beba7e

SHA256
209c42b320e4057087415fa7acd22dd7a6ed36c8f8eb803aee71e615a873daa2

SHA512
ec6ebec41b1fd179826f129d4bfcb417f5bda2bd12c5845588089f436ab15a665f46ee24e0e6f1ab2d4158d0cc3b05af2fa93e408ecb7a20943b82552f4bbf72

Download Submit
C:\Windows\SysWOW64\Qikgco32.exe

Filesize
833KB

MD5
684c668d166f1a51f2a5e75cb4c15bd3

SHA1
cefbea5fd6227e7863d8cf1612bd0352fddd8ae0

SHA256
b8214f74520df555cdc5e5f7f2c9ebe89b542930247ec70143eae9db624e30b9

SHA512
e54479ee3deef79290e0512996d55ad525e4f15043e765da121648fd1f6252f712e77c41ef88b36a6394aac91038a33abe84e00a950ea66917872326807f8b50

Download Submit
C:\Windows\SysWOW64\Qikgco32.exe

Filesize
704KB

MD5
cc6198fa666ab622763601925388695a

SHA1
3ea187f7410fd874e6ab64f87abaef3f8f688441

SHA256
0a087761b8ad15f0cadcb91db6a052be833cd796adbe80c857d3707a7d1a92bf

SHA512
7b4a78371efd9e4e10dfd128a5106bc67c0a17a91acb1b06320452778496c534cebdf9ac4f004d76d593279874647380493d287641d52e871da4a22d48c7a356

Download Submit
C:\Windows\SysWOW64\Qlggjk32.exe

Filesize
833KB

MD5
850408399cec8b1a3a3fef4bd9df7489

SHA1
828754844a0c5ac61d5fe3291f1dc7c9c233b862

SHA256
8359fd3a63c5bd9b0832c828b04dc768a6693bb659a1f3e67b670a28ff4c10a0

SHA512
4ad962cd42e26e937e1488129a378ee80ed3f40d155f692f470f17cda834b9b33677428c67798418c0135e9f8ca643830a16ca39d1929a3c4bd66b3824d7aefe

Download Submit
C:\Windows\SysWOW64\Qlggjk32.exe

Filesize
768KB

MD5
a55a41b5ca4d4b9d2eec7cc6a2b622b8

SHA1
642048e1e22523644cbe70fb70b3aeb2c5f7661f

SHA256
4923b1cfeb00a858d00dece3d96834a4b034229c14264a17ddb5900a57bfd05e

SHA512
50cd9d8b348cad988253f6e84f927f41b50944e2dafbdc54cc53e643c1d55e48d2722e2ca195c6acc251d4764959ee90322bf8b10369ed6a16e2388d08ca6ef0

Download Submit
memory/228-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/368-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/384-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1296-420-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1480-411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1512-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-438-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1672-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1752-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1944-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-421-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2292-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-90-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2932-368-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3100-422-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-396-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3268-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3500-381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3552-439-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-109-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4048-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4136-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4344-397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-403-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-373-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4508-390-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4572-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4616-118-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4800-375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4900-405-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5012-398-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5092-102-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5144-440-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5180-444-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5216-445-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5252-446-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5288-447-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5324-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5360-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5396-450-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5432-451-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5468-452-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5500-453-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5536-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5584-456-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5636-457-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5692-458-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5744-459-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5800-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads