e0cd3180e77e746c5ee5616e2969be353b56543e6d0af87cc28e420f2daff5e6

Analysis

max time kernel
132s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90b4ef7fd9469315f79d8f21ad9aefd1.exe
Size

1.2MB
MD5

90b4ef7fd9469315f79d8f21ad9aefd1
SHA1

6e9d17ef669d4d1efb1d45f5add2a631cf4c9597
SHA256

e0cd3180e77e746c5ee5616e2969be353b56543e6d0af87cc28e420f2daff5e6
SHA512

9b0a87680792083cad8c9f8e2f05ddc57634433fd42d19883f9eaf9fd2e23d491ac5918d252389fc3d2038338fd47f430a2903c0e2d4da520f344eb80f15cdd6
SSDEEP

24576:NeJTeQ/8B7uXfXU4tx5k9KGYlFiWZpsKv2EvZHp3oWiQ4ca:EJTeQ/8B7uXfXU4tx5k9KGYlFiWXLXZQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeapc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoalgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfghlhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beaohcmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdklebje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhceh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffoejkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opfnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onqdhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmbgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccggl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdjhkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohobebig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcaibo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oileakbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkhceh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lechkaga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jggapj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogjpld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeeomegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bndblcdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Didjqoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npadcfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbjhbbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcmeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	90b4ef7fd9469315f79d8f21ad9aefd1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqdlmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfanflne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmkhjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnllhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodqlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkeldnpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmjfodne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkamdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkamdi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmkhjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciaddaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npadcfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmbaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oeffnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clffalkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgbonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cofnik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abhqefpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmfodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnhkdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfghlhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebeapc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnknim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beaohcmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhgccijm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdnkhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijqmhnko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eimlgnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhda32.exe

Executes dropped EXE 64 IoCs

pid	Process
1760	Dpdaepai.exe
2616	Dimenegi.exe
1868	Ejoomhmi.exe
4284	Gfokoelp.exe
3352	Ggahedjn.exe
1852	Hmpjmn32.exe
3188	Hcpojd32.exe
3552	Hgmgqc32.exe
3980	Igpdfb32.exe
3548	Ijqmhnko.exe
3192	Icnklbmj.exe
4516	Jgnqgqan.exe
4616	Jlmfeg32.exe
5032	Kkeldnpi.exe
2740	Kdpmbc32.exe
4092	Kdbjhbbd.exe
4488	Lcjcnoej.exe
1440	Lmbhgd32.exe
4896	Lmgabcge.exe
4540	Mkjnfkma.exe
528	Meepdp32.exe
2824	Mcjmel32.exe
4452	Nclikl32.exe
3200	Njkkbehl.exe
2844	Nnkpnclp.exe
4988	Olanmgig.exe
1488	Odmbaj32.exe
3544	Oobfob32.exe
4604	Olfghg32.exe
3108	Oeokal32.exe
1992	Omjpeo32.exe
1600	Pddhbipj.exe
4180	Phaahggp.exe
3260	Poliea32.exe
3476	Pefabkej.exe
4884	Plpjoe32.exe
4972	Pmaffnce.exe
3800	Pehngkcg.exe
3308	Plbfdekd.exe
4664	Paoollik.exe
2840	Qhkdof32.exe
2516	Anaomkdb.exe
2672	Aoalgn32.exe
4944	Aekddhcb.exe
4932	Akglloai.exe
4612	Bkjiao32.exe
3948	Bhnikc32.exe
768	Bllbaa32.exe
2264	Bhbcfbjk.exe
4196	Cfkmkf32.exe
4068	Ckhecmcf.exe
3748	Cdpjlb32.exe
4448	Cofnik32.exe
2920	Chnbbqpn.exe
4652	Iafkld32.exe
220	Keifdpif.exe
3344	Nfqnbjfi.exe
5100	Nmjfodne.exe
3740	Ocdnln32.exe
2284	Oiagde32.exe
3792	Ojqcnhkl.exe
2964	Ockdmmoj.exe
3884	Abhqefpg.exe
4900	Ajohfcpj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hhhdjbno.dll	Bhnikc32.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	Apnndj32.exe
File opened for modification	C:\Windows\SysWOW64\Beaohcmf.exe	Bpdfpmoo.exe
File opened for modification	C:\Windows\SysWOW64\Bkhceh32.exe	Bdnkhn32.exe
File opened for modification	C:\Windows\SysWOW64\Icnklbmj.exe	Ijqmhnko.exe
File created	C:\Windows\SysWOW64\Oobfob32.exe	Odmbaj32.exe
File created	C:\Windows\SysWOW64\Iffahdpm.dll	Fjeplijj.exe
File opened for modification	C:\Windows\SysWOW64\Okpkgm32.exe	Opjgidfa.exe
File opened for modification	C:\Windows\SysWOW64\Cnhlgc32.exe	Bgodjiio.exe
File created	C:\Windows\SysWOW64\Aoalgn32.exe	Anaomkdb.exe
File created	C:\Windows\SysWOW64\Pnknim32.exe	Phneqf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfghlhmd.exe	Bkadoo32.exe
File created	C:\Windows\SysWOW64\Bgodjiio.exe	Bqdlmo32.exe
File created	C:\Windows\SysWOW64\Obgbikfp.dll	Bllbaa32.exe
File opened for modification	C:\Windows\SysWOW64\Qghlmbae.exe	Qffoejkg.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmmoj.exe	Ojqcnhkl.exe
File created	C:\Windows\SysWOW64\Cpacqg32.exe	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Lmneemaq.exe	Lcealh32.exe
File opened for modification	C:\Windows\SysWOW64\Ppamjcpj.exe	Pjgemi32.exe
File opened for modification	C:\Windows\SysWOW64\Bhnikc32.exe	Bkjiao32.exe
File created	C:\Windows\SysWOW64\Njogfipp.dll	Keifdpif.exe
File opened for modification	C:\Windows\SysWOW64\Pnenchoc.exe	Pgkegn32.exe
File created	C:\Windows\SysWOW64\Bgjjoi32.exe	Bbmbgb32.exe
File created	C:\Windows\SysWOW64\Jkohjl32.dll	Bgjjoi32.exe
File created	C:\Windows\SysWOW64\Gebimmco.exe	Fpeaeedg.exe
File created	C:\Windows\SysWOW64\Opjgidfa.exe	Oiqomj32.exe
File opened for modification	C:\Windows\SysWOW64\Jjhjae32.exe	Jcnbekok.exe
File created	C:\Windows\SysWOW64\Anfmeldl.exe	Adnilfnl.exe
File created	C:\Windows\SysWOW64\Ciaddaaj.exe	Cnlpgibd.exe
File opened for modification	C:\Windows\SysWOW64\Phneqf32.exe	Pbdmdlie.exe
File created	C:\Windows\SysWOW64\Eangjkkd.exe	Dndlba32.exe
File opened for modification	C:\Windows\SysWOW64\Plbfdekd.exe	Pehngkcg.exe
File created	C:\Windows\SysWOW64\Bihice32.dll	Ojqcnhkl.exe
File opened for modification	C:\Windows\SysWOW64\Jifabb32.exe	Jcihjl32.exe
File created	C:\Windows\SysWOW64\Bkamdi32.exe	Bbhhlccb.exe
File created	C:\Windows\SysWOW64\Jlmfeg32.exe	Jgnqgqan.exe
File created	C:\Windows\SysWOW64\Jgobcb32.dll	Khhaanop.exe
File opened for modification	C:\Windows\SysWOW64\Fkgillpj.exe	Fboecfii.exe
File created	C:\Windows\SysWOW64\Ogcike32.exe	Oeamcmmo.exe
File opened for modification	C:\Windows\SysWOW64\Agaoca32.exe	Afpbkicl.exe
File created	C:\Windows\SysWOW64\Iabbeiag.dll	Lgjglg32.exe
File created	C:\Windows\SysWOW64\Oohcle32.dll	Nkboeobh.exe
File created	C:\Windows\SysWOW64\Jnkqlk32.dll	Bbmbgb32.exe
File created	C:\Windows\SysWOW64\Phaahggp.exe	Pddhbipj.exe
File created	C:\Windows\SysWOW64\Apnndj32.exe	Aidehpea.exe
File opened for modification	C:\Windows\SysWOW64\Khcgfo32.exe	Kfanflne.exe
File created	C:\Windows\SysWOW64\Pdnpeh32.exe	Ogjpld32.exe
File created	C:\Windows\SysWOW64\Cnhlgc32.exe	Bgodjiio.exe
File created	C:\Windows\SysWOW64\Fjeplijj.exe	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Jdeoad32.dll	Ebeapc32.exe
File created	C:\Windows\SysWOW64\Bkhceh32.exe	Bdnkhn32.exe
File created	C:\Windows\SysWOW64\Cjpekc32.dll	Phaahggp.exe
File opened for modification	C:\Windows\SysWOW64\Dajbaika.exe	Dgdncplk.exe
File opened for modification	C:\Windows\SysWOW64\Ekqckmfb.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Qjfpkhpm.dll	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Nemchn32.exe	Nkgoke32.exe
File created	C:\Windows\SysWOW64\Eikpan32.exe	Ebagdddp.exe
File created	C:\Windows\SysWOW64\Ldcadhpd.dll	Icnklbmj.exe
File opened for modification	C:\Windows\SysWOW64\Bkjiao32.exe	Akglloai.exe
File created	C:\Windows\SysWOW64\Pehngkcg.exe	Pmaffnce.exe
File created	C:\Windows\SysWOW64\Cofaon32.dll	Geipnl32.exe
File created	C:\Windows\SysWOW64\Qlqidj32.dll	Bkadoo32.exe
File created	C:\Windows\SysWOW64\Eehidffj.dll	Ciaddaaj.exe
File created	C:\Windows\SysWOW64\Lmgabcge.exe	Lmbhgd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4032	3484	WerFault.exe	392

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlqidj32.dll"	Bkadoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpeaeedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkefcnhm.dll"	Lapopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdnkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdockf32.dll"	Nmjfodne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ellbmedl.dll"	Clffalkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eangjkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meepdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeodj32.dll"	Lmbhgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgflobdk.dll"	Dolinf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hodqlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlogfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcealh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjpai32.dll"	Qkqdnkge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camgolnm.dll"	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahkkhnpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nneilmna.dll"	Ggepalof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkdhaje.dll"	Cfljnejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngklppei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnkpnclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfjih32.dll"	Adnilfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omjnhiiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpmmfbfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goahpc32.dll"	Bkhceh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfilkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbhhlccb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hohjgpmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjgemi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnenchoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	90b4ef7fd9469315f79d8f21ad9aefd1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeeomegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kallod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qemgmmip.dll"	Lndfchdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcjkng32.dll"	Pdpmkhjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjfioj32.dll"	Kplijk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjbhph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijqmhnko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjfaikb.dll"	Oiagde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcmgpbjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgjjoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifckkhfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kppbejka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icnklbmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdcebook.dll"	Aoalgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgmllpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnnhndk.dll"	Pefabkej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnojqbjp.dll"	Cgejkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cifmoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgjglg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mklpof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgblkajh.dll"	Akjnnpcf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1760	1424	90b4ef7fd9469315f79d8f21ad9aefd1.exe	87
PID 1424 wrote to memory of 1760	1424	90b4ef7fd9469315f79d8f21ad9aefd1.exe	87
PID 1424 wrote to memory of 1760	1424	90b4ef7fd9469315f79d8f21ad9aefd1.exe	87
PID 1760 wrote to memory of 2616	1760	Dpdaepai.exe	88
PID 1760 wrote to memory of 2616	1760	Dpdaepai.exe	88
PID 1760 wrote to memory of 2616	1760	Dpdaepai.exe	88
PID 2616 wrote to memory of 1868	2616	Dimenegi.exe	89
PID 2616 wrote to memory of 1868	2616	Dimenegi.exe	89
PID 2616 wrote to memory of 1868	2616	Dimenegi.exe	89
PID 1868 wrote to memory of 4284	1868	Ejoomhmi.exe	90
PID 1868 wrote to memory of 4284	1868	Ejoomhmi.exe	90
PID 1868 wrote to memory of 4284	1868	Ejoomhmi.exe	90
PID 4284 wrote to memory of 3352	4284	Gfokoelp.exe	91
PID 4284 wrote to memory of 3352	4284	Gfokoelp.exe	91
PID 4284 wrote to memory of 3352	4284	Gfokoelp.exe	91
PID 3352 wrote to memory of 1852	3352	Ggahedjn.exe	92
PID 3352 wrote to memory of 1852	3352	Ggahedjn.exe	92
PID 3352 wrote to memory of 1852	3352	Ggahedjn.exe	92
PID 1852 wrote to memory of 3188	1852	Hmpjmn32.exe	93
PID 1852 wrote to memory of 3188	1852	Hmpjmn32.exe	93
PID 1852 wrote to memory of 3188	1852	Hmpjmn32.exe	93
PID 3188 wrote to memory of 3552	3188	Hcpojd32.exe	94
PID 3188 wrote to memory of 3552	3188	Hcpojd32.exe	94
PID 3188 wrote to memory of 3552	3188	Hcpojd32.exe	94
PID 3552 wrote to memory of 3980	3552	Hgmgqc32.exe	95
PID 3552 wrote to memory of 3980	3552	Hgmgqc32.exe	95
PID 3552 wrote to memory of 3980	3552	Hgmgqc32.exe	95
PID 3980 wrote to memory of 3548	3980	Igpdfb32.exe	96
PID 3980 wrote to memory of 3548	3980	Igpdfb32.exe	96
PID 3980 wrote to memory of 3548	3980	Igpdfb32.exe	96
PID 3548 wrote to memory of 3192	3548	Ijqmhnko.exe	97
PID 3548 wrote to memory of 3192	3548	Ijqmhnko.exe	97
PID 3548 wrote to memory of 3192	3548	Ijqmhnko.exe	97
PID 3192 wrote to memory of 4516	3192	Icnklbmj.exe	98
PID 3192 wrote to memory of 4516	3192	Icnklbmj.exe	98
PID 3192 wrote to memory of 4516	3192	Icnklbmj.exe	98
PID 4516 wrote to memory of 4616	4516	Jgnqgqan.exe	99
PID 4516 wrote to memory of 4616	4516	Jgnqgqan.exe	99
PID 4516 wrote to memory of 4616	4516	Jgnqgqan.exe	99
PID 4616 wrote to memory of 5032	4616	Jlmfeg32.exe	100
PID 4616 wrote to memory of 5032	4616	Jlmfeg32.exe	100
PID 4616 wrote to memory of 5032	4616	Jlmfeg32.exe	100
PID 5032 wrote to memory of 2740	5032	Kkeldnpi.exe	101
PID 5032 wrote to memory of 2740	5032	Kkeldnpi.exe	101
PID 5032 wrote to memory of 2740	5032	Kkeldnpi.exe	101
PID 2740 wrote to memory of 4092	2740	Kdpmbc32.exe	102
PID 2740 wrote to memory of 4092	2740	Kdpmbc32.exe	102
PID 2740 wrote to memory of 4092	2740	Kdpmbc32.exe	102
PID 4092 wrote to memory of 4488	4092	Kdbjhbbd.exe	103
PID 4092 wrote to memory of 4488	4092	Kdbjhbbd.exe	103
PID 4092 wrote to memory of 4488	4092	Kdbjhbbd.exe	103
PID 4488 wrote to memory of 1440	4488	Lcjcnoej.exe	104
PID 4488 wrote to memory of 1440	4488	Lcjcnoej.exe	104
PID 4488 wrote to memory of 1440	4488	Lcjcnoej.exe	104
PID 1440 wrote to memory of 4896	1440	Lmbhgd32.exe	105
PID 1440 wrote to memory of 4896	1440	Lmbhgd32.exe	105
PID 1440 wrote to memory of 4896	1440	Lmbhgd32.exe	105
PID 4896 wrote to memory of 4540	4896	Lmgabcge.exe	106
PID 4896 wrote to memory of 4540	4896	Lmgabcge.exe	106
PID 4896 wrote to memory of 4540	4896	Lmgabcge.exe	106
PID 4540 wrote to memory of 528	4540	Mkjnfkma.exe	107
PID 4540 wrote to memory of 528	4540	Mkjnfkma.exe	107
PID 4540 wrote to memory of 528	4540	Mkjnfkma.exe	107
PID 528 wrote to memory of 2824	528	Meepdp32.exe	108

C:\Users\Admin\AppData\Local\Temp\90b4ef7fd9469315f79d8f21ad9aefd1.exe
"C:\Users\Admin\AppData\Local\Temp\90b4ef7fd9469315f79d8f21ad9aefd1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\Dpdaepai.exe
  C:\Windows\system32\Dpdaepai.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\Dimenegi.exe
    C:\Windows\system32\Dimenegi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\Ejoomhmi.exe
      C:\Windows\system32\Ejoomhmi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\SysWOW64\Gfokoelp.exe
        
        C:\Windows\system32\Gfokoelp.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4284
      - C:\Windows\SysWOW64\Ggahedjn.exe
        
        C:\Windows\system32\Ggahedjn.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\Hmpjmn32.exe
        
        C:\Windows\system32\Hmpjmn32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Hcpojd32.exe
        
        C:\Windows\system32\Hcpojd32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Hgmgqc32.exe
        
        C:\Windows\system32\Hgmgqc32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Igpdfb32.exe
        
        C:\Windows\system32\Igpdfb32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Ijqmhnko.exe
        
        C:\Windows\system32\Ijqmhnko.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Icnklbmj.exe
        
        C:\Windows\system32\Icnklbmj.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Jgnqgqan.exe
        
        C:\Windows\system32\Jgnqgqan.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Jlmfeg32.exe
        
        C:\Windows\system32\Jlmfeg32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Kkeldnpi.exe
        
        C:\Windows\system32\Kkeldnpi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Kdpmbc32.exe
        
        C:\Windows\system32\Kdpmbc32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Kdbjhbbd.exe
        
        C:\Windows\system32\Kdbjhbbd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Lcjcnoej.exe
        
        C:\Windows\system32\Lcjcnoej.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Lmbhgd32.exe
        
        C:\Windows\system32\Lmbhgd32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Lmgabcge.exe
        
        C:\Windows\system32\Lmgabcge.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Mkjnfkma.exe
        
        C:\Windows\system32\Mkjnfkma.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Meepdp32.exe
        
        C:\Windows\system32\Meepdp32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Mcjmel32.exe
        
        C:\Windows\system32\Mcjmel32.exe
        23⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\Nclikl32.exe
        
        C:\Windows\system32\Nclikl32.exe
        24⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Njkkbehl.exe
        
        C:\Windows\system32\Njkkbehl.exe
        25⤵
        Executes dropped EXE
        
        PID:3200
        
        C:\Windows\SysWOW64\Nnkpnclp.exe
        
        C:\Windows\system32\Nnkpnclp.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Olanmgig.exe
        
        C:\Windows\system32\Olanmgig.exe
        27⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Odmbaj32.exe
        
        C:\Windows\system32\Odmbaj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Oobfob32.exe
        
        C:\Windows\system32\Oobfob32.exe
        29⤵
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Olfghg32.exe
        
        C:\Windows\system32\Olfghg32.exe
        30⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\Oeokal32.exe
        
        C:\Windows\system32\Oeokal32.exe
        31⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Omjpeo32.exe
        
        C:\Windows\system32\Omjpeo32.exe
        32⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\Pddhbipj.exe
        
        C:\Windows\system32\Pddhbipj.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Phaahggp.exe
        
        C:\Windows\system32\Phaahggp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Poliea32.exe
        
        C:\Windows\system32\Poliea32.exe
        35⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Pefabkej.exe
        
        C:\Windows\system32\Pefabkej.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Plpjoe32.exe
        
        C:\Windows\system32\Plpjoe32.exe
        37⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Pmaffnce.exe
        
        C:\Windows\system32\Pmaffnce.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Pehngkcg.exe
        
        C:\Windows\system32\Pehngkcg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\Plbfdekd.exe
        
        C:\Windows\system32\Plbfdekd.exe
        40⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Paoollik.exe
        
        C:\Windows\system32\Paoollik.exe
        41⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Qhkdof32.exe
        
        C:\Windows\system32\Qhkdof32.exe
        42⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\Anaomkdb.exe
        
        C:\Windows\system32\Anaomkdb.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Aekddhcb.exe
        
        C:\Windows\system32\Aekddhcb.exe
        45⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Akglloai.exe
        
        C:\Windows\system32\Akglloai.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Bkjiao32.exe
        
        C:\Windows\system32\Bkjiao32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        50⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        51⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        52⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        53⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        55⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        58⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        60⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        66⤵
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        67⤵
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        68⤵
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        69⤵
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        70⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        71⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2320
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        74⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        76⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        77⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        78⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        79⤵
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        80⤵
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        81⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        83⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        84⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        85⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        86⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        87⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        88⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        90⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        91⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        92⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        93⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        94⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        96⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        97⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        99⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        100⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        102⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        103⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        104⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        105⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        106⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        108⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        110⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        111⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        112⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Gqpapacd.exe
        
        C:\Windows\system32\Gqpapacd.exe
        113⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3380
        
        C:\Windows\SysWOW64\Hnhkdd32.exe
        
        C:\Windows\system32\Hnhkdd32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Hebcao32.exe
        
        C:\Windows\system32\Hebcao32.exe
        116⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        117⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Jmdqbg32.exe
        
        C:\Windows\system32\Jmdqbg32.exe
        118⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Kfanflne.exe
        
        C:\Windows\system32\Kfanflne.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Khcgfo32.exe
        
        C:\Windows\system32\Khcgfo32.exe
        120⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Kallod32.exe
        
        C:\Windows\system32\Kallod32.exe
        121⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Kdjhkp32.exe
        
        C:\Windows\system32\Kdjhkp32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Khhaanop.exe
        
        C:\Windows\system32\Khhaanop.exe
        123⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Lndfchdj.exe
        
        C:\Windows\system32\Lndfchdj.exe
        124⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Logbigbg.exe
        
        C:\Windows\system32\Logbigbg.exe
        125⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Lechkaga.exe
        
        C:\Windows\system32\Lechkaga.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Lhdqml32.exe
        
        C:\Windows\system32\Lhdqml32.exe
        127⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\Mhhjhlqm.exe
        
        C:\Windows\system32\Mhhjhlqm.exe
        128⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\Mklpof32.exe
        
        C:\Windows\system32\Mklpof32.exe
        129⤵
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Nkpijfgf.exe
        
        C:\Windows\system32\Nkpijfgf.exe
        130⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Nehjmnei.exe
        
        C:\Windows\system32\Nehjmnei.exe
        131⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Nkgoke32.exe
        
        C:\Windows\system32\Nkgoke32.exe
        132⤵
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\Nemchn32.exe
        
        C:\Windows\system32\Nemchn32.exe
        133⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Noehac32.exe
        
        C:\Windows\system32\Noehac32.exe
        134⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Oklifdmi.exe
        
        C:\Windows\system32\Oklifdmi.exe
        135⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\Oeamcmmo.exe
        
        C:\Windows\system32\Oeamcmmo.exe
        136⤵
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ogcike32.exe
        
        C:\Windows\system32\Ogcike32.exe
        137⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\Odgjdibf.exe
        
        C:\Windows\system32\Odgjdibf.exe
        138⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Oeffnl32.exe
        
        C:\Windows\system32\Oeffnl32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3560
        
        C:\Windows\SysWOW64\Onakco32.exe
        
        C:\Windows\system32\Onakco32.exe
        140⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\Ogjpld32.exe
        
        C:\Windows\system32\Ogjpld32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Pdnpeh32.exe
        
        C:\Windows\system32\Pdnpeh32.exe
        142⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\Pdpmkhjl.exe
        
        C:\Windows\system32\Pdpmkhjl.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Pkjegb32.exe
        
        C:\Windows\system32\Pkjegb32.exe
        144⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\Pbdmdlie.exe
        
        C:\Windows\system32\Pbdmdlie.exe
        145⤵
        Drops file in System32 directory
        
        PID:692
        
        C:\Windows\SysWOW64\Phneqf32.exe
        
        C:\Windows\system32\Phneqf32.exe
        146⤵
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Pnknim32.exe
        
        C:\Windows\system32\Pnknim32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3764
        
        C:\Windows\SysWOW64\Pkonbamc.exe
        
        C:\Windows\system32\Pkonbamc.exe
        148⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Pdgckg32.exe
        
        C:\Windows\system32\Pdgckg32.exe
        149⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\Qomghp32.exe
        
        C:\Windows\system32\Qomghp32.exe
        150⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Qffoejkg.exe
        
        C:\Windows\system32\Qffoejkg.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Qghlmbae.exe
        
        C:\Windows\system32\Qghlmbae.exe
        152⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Qfilkj32.exe
        
        C:\Windows\system32\Qfilkj32.exe
        153⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Andqol32.exe
        
        C:\Windows\system32\Andqol32.exe
        154⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Adnilfnl.exe
        
        C:\Windows\system32\Adnilfnl.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Anfmeldl.exe
        
        C:\Windows\system32\Anfmeldl.exe
        156⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\Afnefieo.exe
        
        C:\Windows\system32\Afnefieo.exe
        157⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\Akjnnpcf.exe
        
        C:\Windows\system32\Akjnnpcf.exe
        158⤵
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Afpbkicl.exe
        
        C:\Windows\system32\Afpbkicl.exe
        159⤵
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Agaoca32.exe
        
        C:\Windows\system32\Agaoca32.exe
        160⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Ankgpk32.exe
        
        C:\Windows\system32\Ankgpk32.exe
        161⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\Aeeomegd.exe
        
        C:\Windows\system32\Aeeomegd.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Anncek32.exe
        
        C:\Windows\system32\Anncek32.exe
        163⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Bkadoo32.exe
        
        C:\Windows\system32\Bkadoo32.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Bfghlhmd.exe
        
        C:\Windows\system32\Bfghlhmd.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2676
        
        C:\Windows\SysWOW64\Bkdqdokk.exe
        
        C:\Windows\system32\Bkdqdokk.exe
        166⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Bihancje.exe
        
        C:\Windows\system32\Bihancje.exe
        167⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\Bpdfpmoo.exe
        
        C:\Windows\system32\Bpdfpmoo.exe
        168⤵
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\Beaohcmf.exe
        
        C:\Windows\system32\Beaohcmf.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4196
        
        C:\Windows\SysWOW64\Bpfcelml.exe
        
        C:\Windows\system32\Bpfcelml.exe
        170⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Cnlpgibd.exe
        
        C:\Windows\system32\Cnlpgibd.exe
        171⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Ciaddaaj.exe
        
        C:\Windows\system32\Ciaddaaj.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Cnnllhpa.exe
        
        C:\Windows\system32\Cnnllhpa.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1424
        
        C:\Windows\SysWOW64\Cicqja32.exe
        
        C:\Windows\system32\Cicqja32.exe
        174⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Cpmifkgd.exe
        
        C:\Windows\system32\Cpmifkgd.exe
        175⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\Cifmoa32.exe
        
        C:\Windows\system32\Cifmoa32.exe
        176⤵
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Cppelkeb.exe
        
        C:\Windows\system32\Cppelkeb.exe
        177⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Cfjnhe32.exe
        
        C:\Windows\system32\Cfjnhe32.exe
        178⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\Clffalkf.exe
        
        C:\Windows\system32\Clffalkf.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Cfljnejl.exe
        
        C:\Windows\system32\Cfljnejl.exe
        180⤵
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Dlicflic.exe
        
        C:\Windows\system32\Dlicflic.exe
        181⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\Deagoa32.exe
        
        C:\Windows\system32\Deagoa32.exe
        182⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\Dbehienn.exe
        
        C:\Windows\system32\Dbehienn.exe
        183⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Dolinf32.exe
        
        C:\Windows\system32\Dolinf32.exe
        184⤵
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Dhdmfljb.exe
        
        C:\Windows\system32\Dhdmfljb.exe
        185⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\Didjqoae.exe
        
        C:\Windows\system32\Didjqoae.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Dpnbmi32.exe
        
        C:\Windows\system32\Dpnbmi32.exe
        187⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Eekjep32.exe
        
        C:\Windows\system32\Eekjep32.exe
        188⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Ebagdddp.exe
        
        C:\Windows\system32\Ebagdddp.exe
        189⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Eikpan32.exe
        
        C:\Windows\system32\Eikpan32.exe
        190⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Eohhie32.exe
        
        C:\Windows\system32\Eohhie32.exe
        191⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Eimlgnij.exe
        
        C:\Windows\system32\Eimlgnij.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4632
        
        C:\Windows\SysWOW64\Ebeapc32.exe
        
        C:\Windows\system32\Ebeapc32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Fefjanml.exe
        
        C:\Windows\system32\Fefjanml.exe
        194⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\Foonjd32.exe
        
        C:\Windows\system32\Foonjd32.exe
        195⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Fhgccijm.exe
        
        C:\Windows\system32\Fhgccijm.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Fcmgpbjc.exe
        
        C:\Windows\system32\Fcmgpbjc.exe
        197⤵
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Fgmllpng.exe
        
        C:\Windows\system32\Fgmllpng.exe
        198⤵
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Fpeaeedg.exe
        
        C:\Windows\system32\Fpeaeedg.exe
        199⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Gebimmco.exe
        
        C:\Windows\system32\Gebimmco.exe
        200⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\Gcfjfqah.exe
        
        C:\Windows\system32\Gcfjfqah.exe
        201⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Geipnl32.exe
        
        C:\Windows\system32\Geipnl32.exe
        202⤵
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\Goadfa32.exe
        
        C:\Windows\system32\Goadfa32.exe
        203⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\Gjghdj32.exe
        
        C:\Windows\system32\Gjghdj32.exe
        204⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\Hodqlq32.exe
        
        C:\Windows\system32\Hodqlq32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Hhleefhe.exe
        
        C:\Windows\system32\Hhleefhe.exe
        206⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\Hcaibo32.exe
        
        C:\Windows\system32\Hcaibo32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:368
        
        C:\Windows\SysWOW64\Hohjgpmo.exe
        
        C:\Windows\system32\Hohjgpmo.exe
        208⤵
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Hgbonm32.exe
        
        C:\Windows\system32\Hgbonm32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Hlogfd32.exe
        
        C:\Windows\system32\Hlogfd32.exe
        210⤵
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Hjbhph32.exe
        
        C:\Windows\system32\Hjbhph32.exe
        211⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Ijedehgm.exe
        
        C:\Windows\system32\Ijedehgm.exe
        212⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Icminm32.exe
        
        C:\Windows\system32\Icminm32.exe
        213⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Ijgakgej.exe
        
        C:\Windows\system32\Ijgakgej.exe
        214⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Ifnbph32.exe
        
        C:\Windows\system32\Ifnbph32.exe
        215⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Icbbimih.exe
        
        C:\Windows\system32\Icbbimih.exe
        216⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Iiokacgp.exe
        
        C:\Windows\system32\Iiokacgp.exe
        217⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Ifckkhfi.exe
        
        C:\Windows\system32\Ifckkhfi.exe
        218⤵
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Iiaggc32.exe
        
        C:\Windows\system32\Iiaggc32.exe
        219⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Jcihjl32.exe
        
        C:\Windows\system32\Jcihjl32.exe
        220⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Jifabb32.exe
        
        C:\Windows\system32\Jifabb32.exe
        221⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Jggapj32.exe
        
        C:\Windows\system32\Jggapj32.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6708
        
        C:\Windows\SysWOW64\Jcnbekok.exe
        
        C:\Windows\system32\Jcnbekok.exe
        223⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Jjhjae32.exe
        
        C:\Windows\system32\Jjhjae32.exe
        224⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Jpdbjleo.exe
        
        C:\Windows\system32\Jpdbjleo.exe
        225⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Kimgba32.exe
        
        C:\Windows\system32\Kimgba32.exe
        226⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Kaflio32.exe
        
        C:\Windows\system32\Kaflio32.exe
        227⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Kfcdaehf.exe
        
        C:\Windows\system32\Kfcdaehf.exe
        228⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Kplijk32.exe
        
        C:\Windows\system32\Kplijk32.exe
        229⤵
        Modifies registry class
        
        PID:6996
        
        C:\Windows\SysWOW64\Kfeagefd.exe
        
        C:\Windows\system32\Kfeagefd.exe
        230⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Kakednfj.exe
        
        C:\Windows\system32\Kakednfj.exe
        231⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Kjcjmclj.exe
        
        C:\Windows\system32\Kjcjmclj.exe
        232⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Kppbejka.exe
        
        C:\Windows\system32\Kppbejka.exe
        233⤵
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Ljffccjh.exe
        
        C:\Windows\system32\Ljffccjh.exe
        234⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Lapopm32.exe
        
        C:\Windows\system32\Lapopm32.exe
        235⤵
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Lgjglg32.exe
        
        C:\Windows\system32\Lgjglg32.exe
        236⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Lmfodn32.exe
        
        C:\Windows\system32\Lmfodn32.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6372
        
        C:\Windows\SysWOW64\Lcqgahoe.exe
        
        C:\Windows\system32\Lcqgahoe.exe
        238⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Limpiomm.exe
        
        C:\Windows\system32\Limpiomm.exe
        239⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Lipmoo32.exe
        
        C:\Windows\system32\Lipmoo32.exe
        240⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Lcealh32.exe
        
        C:\Windows\system32\Lcealh32.exe
        241⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Lmneemaq.exe
        
        C:\Windows\system32\Lmneemaq.exe
        242⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Mffjnc32.exe
        
        C:\Windows\system32\Mffjnc32.exe
        243⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Migcpneb.exe
        
        C:\Windows\system32\Migcpneb.exe
        244⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Mpqklh32.exe
        
        C:\Windows\system32\Mpqklh32.exe
        245⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Mdaqhf32.exe
        
        C:\Windows\system32\Mdaqhf32.exe
        246⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Mmiealgc.exe
        
        C:\Windows\system32\Mmiealgc.exe
        247⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Ndhgie32.exe
        
        C:\Windows\system32\Ndhgie32.exe
        248⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Nkboeobh.exe
        
        C:\Windows\system32\Nkboeobh.exe
        249⤵
        Drops file in System32 directory
        
        PID:7112
        
        C:\Windows\SysWOW64\Nkdlkope.exe
        
        C:\Windows\system32\Nkdlkope.exe
        250⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Npadcfnl.exe
        
        C:\Windows\system32\Npadcfnl.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6228
        
        C:\Windows\SysWOW64\Ngklppei.exe
        
        C:\Windows\system32\Ngklppei.exe
        252⤵
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Naqqmieo.exe
        
        C:\Windows\system32\Naqqmieo.exe
        253⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Ohkijc32.exe
        
        C:\Windows\system32\Ohkijc32.exe
        254⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\Oileakbj.exe
        
        C:\Windows\system32\Oileakbj.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6572
        
        C:\Windows\SysWOW64\Opfnne32.exe
        
        C:\Windows\system32\Opfnne32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6692
        
        C:\Windows\SysWOW64\Omjnhiiq.exe
        
        C:\Windows\system32\Omjnhiiq.exe
        257⤵
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Ohobebig.exe
        
        C:\Windows\system32\Ohobebig.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1168
        
        C:\Windows\SysWOW64\Oiqomj32.exe
        
        C:\Windows\system32\Oiqomj32.exe
        259⤵
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Opjgidfa.exe
        
        C:\Windows\system32\Opjgidfa.exe
        260⤵
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Okpkgm32.exe
        
        C:\Windows\system32\Okpkgm32.exe
        261⤵
        
        PID:492
        
        C:\Windows\SysWOW64\Ohdlpa32.exe
        
        C:\Windows\system32\Ohdlpa32.exe
        262⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Onqdhh32.exe
        
        C:\Windows\system32\Onqdhh32.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6400
        
        C:\Windows\SysWOW64\Pdklebje.exe
        
        C:\Windows\system32\Pdklebje.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4404
        
        C:\Windows\SysWOW64\Pjgemi32.exe
        
        C:\Windows\system32\Pjgemi32.exe
        265⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Ppamjcpj.exe
        
        C:\Windows\system32\Ppamjcpj.exe
        266⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Pgkegn32.exe
        
        C:\Windows\system32\Pgkegn32.exe
        267⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Pnenchoc.exe
        
        C:\Windows\system32\Pnenchoc.exe
        268⤵
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Qpkppbho.exe
        
        C:\Windows\system32\Qpkppbho.exe
        269⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Qkqdnkge.exe
        
        C:\Windows\system32\Qkqdnkge.exe
        270⤵
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Qpmmfbfl.exe
        
        C:\Windows\system32\Qpmmfbfl.exe
        271⤵
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Aamipe32.exe
        
        C:\Windows\system32\Aamipe32.exe
        272⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Agiahlkf.exe
        
        C:\Windows\system32\Agiahlkf.exe
        273⤵
        
        PID:844
        
        C:\Windows\SysWOW64\Aaofedkl.exe
        
        C:\Windows\system32\Aaofedkl.exe
        274⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Ahkkhnpg.exe
        
        C:\Windows\system32\Ahkkhnpg.exe
        275⤵
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Abdoqd32.exe
        
        C:\Windows\system32\Abdoqd32.exe
        276⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Agqhik32.exe
        
        C:\Windows\system32\Agqhik32.exe
        277⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\Akopoi32.exe
        
        C:\Windows\system32\Akopoi32.exe
        278⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Bbhhlccb.exe
        
        C:\Windows\system32\Bbhhlccb.exe
        279⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Bkamdi32.exe
        
        C:\Windows\system32\Bkamdi32.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6352
        
        C:\Windows\SysWOW64\Bqnemp32.exe
        
        C:\Windows\system32\Bqnemp32.exe
        281⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Bkcjjhgp.exe
        
        C:\Windows\system32\Bkcjjhgp.exe
        282⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Bbmbgb32.exe
        
        C:\Windows\system32\Bbmbgb32.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Bgjjoi32.exe
        
        C:\Windows\system32\Bgjjoi32.exe
        284⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Bndblcdq.exe
        
        C:\Windows\system32\Bndblcdq.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2348
        
        C:\Windows\SysWOW64\Bdnkhn32.exe
        
        C:\Windows\system32\Bdnkhn32.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Bkhceh32.exe
        
        C:\Windows\system32\Bkhceh32.exe
        287⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Bqdlmo32.exe
        
        C:\Windows\system32\Bqdlmo32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Bgodjiio.exe
        
        C:\Windows\system32\Bgodjiio.exe
        289⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Cnhlgc32.exe
        
        C:\Windows\system32\Cnhlgc32.exe
        290⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Cinpdl32.exe
        
        C:\Windows\system32\Cinpdl32.exe
        291⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\Cbfema32.exe
        
        C:\Windows\system32\Cbfema32.exe
        292⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Cgcmeh32.exe
        
        C:\Windows\system32\Cgcmeh32.exe
        293⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:500
        
        C:\Windows\SysWOW64\Cbiabq32.exe
        
        C:\Windows\system32\Cbiabq32.exe
        294⤵
        
        PID:892
        
        C:\Windows\SysWOW64\Cgejkh32.exe
        
        C:\Windows\system32\Cgejkh32.exe
        295⤵
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Cnpbgajc.exe
        
        C:\Windows\system32\Cnpbgajc.exe
        296⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Dndlba32.exe
        
        C:\Windows\system32\Dndlba32.exe
        297⤵
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\Eangjkkd.exe
        
        C:\Windows\system32\Eangjkkd.exe
        298⤵
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        299⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 408
        300⤵
        Program crash
        
        PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3484 -ip 3484
1⤵
PID:488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajohfcpj.exe

Filesize
1.2MB

MD5
4affa11c6ea09fe0aa7711b27afd3f8c

SHA1
9d4bf2b2089c8d63bac6ad82f8f64caa1efdefce

SHA256
b75a13efd084ada1a2a215963694777fb3a124e89b46164d4fb285d689399b7b

SHA512
3ecb2e865d05242b0a4798894d028b8ef7991a8070e0c3a212ab690ae623f065656142a8cbbef5f14b34cd6bf2d91be015e689c284e1e631f2826f16915744e4

Download Submit
C:\Windows\SysWOW64\Akglloai.exe

Filesize
1.2MB

MD5
78fa2b48c3fbe00a72c86214daae2fc7

SHA1
c15fb0755d5c836cf9947c006383ff5cfcab3b0a

SHA256
e4f1f884732c6d0bfbd6f35c695e7387283c9786d3b33be83233bcec59c2a6dc

SHA512
1dfd7744c711d23c99304c364bcd6baf0a015d8cb4d5a5141138a8c30e40de20ee1112767105ebe71f73f7e98ef5cf020ed724a613dce8c4be85de0bde3bf9f6

Download Submit
C:\Windows\SysWOW64\Banjnm32.exe

Filesize
1.2MB

MD5
1bccdc4004f080d2db7388771dc98883

SHA1
ef6471a0b413e5b34a72feb578196e0cc7cd524c

SHA256
c840d224826d1ca95b801310f4fc22bba6399686feb358287f3dfa5801a29886

SHA512
d72543d7b736a332020c3d2f916cb64a0aa978a5d725d7926708dda34382a920de9052805e1c7623fc73f9000850c44ec3e84ebfb31bedf0462b96b79277f5a1

Download Submit
C:\Windows\SysWOW64\Bihancje.exe

Filesize
1.2MB

MD5
bc8f0299f4fa30ff0ceb6e048123dd6d

SHA1
64b355a4379985095d3d2cf9df8e15596263cc65

SHA256
ed05fd2aab9c98eab3c06fadb5ecf46366b170c8fd68543bf7c4575a8764dae8

SHA512
5394d17be6b77528f46a1b0bdd4fa0ca0e4c2d6ec6a7ec007f79e30e1d0079fa0fc6ddff1e903b8a4dc9e44d771a144b18543cd987f0cdec2ded51a1b7499292

Download Submit
C:\Windows\SysWOW64\Bpfcelml.exe

Filesize
1.2MB

MD5
2ca8415338386d7e87ef7a84ba6b3aa0

SHA1
27ba1a1bccbffd0c225e7087abdbef5182f5fb13

SHA256
b97dd0214683ca16615b66569a63f2d18af4aadca9a39f36ab563b4b4204eaae

SHA512
331dface193608ce1d4b6ef50444ba9c13f02f2922a2800a07f3fef3a1d012413fa491a6fa20aa33446ebb1746913abc83fb53b3154b733e6f187eba40416758

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
1.2MB

MD5
d2ff47ed069058876c531e8197bbda43

SHA1
8cb44e4b2d27400c7ed173b69a26b02aa3becac4

SHA256
913b9c2ec90f3a48eccdd63dfb4476d4a826acedd2603d9c6e00ccbcc7b4d7de

SHA512
ea3e5607a51dff55592146c6474c67ffab592d7699970377d1fdc51eebb10c222fa77fee966c848da1d346bf962cf0f857a4592bdc3269cc0b5f9f144401efe6

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
1.2MB

MD5
00c986338b284699319ed2c1704b5428

SHA1
1cada2032a9c05d1c95107e3e021af615883077d

SHA256
470483938ab69d8a4ab3b88453916fc558ae2a0cc4fac50b529516a933702a44

SHA512
b78d92f0adeac0025b69bc135c78004168753649f6d252740fb628bd1b1e3ab73e29c11c1b244fc4b6b9811f1ecae876bb27b80a67547fead535257a67286b9f

Download Submit
C:\Windows\SysWOW64\Dhdmfljb.exe

Filesize
1.2MB

MD5
abb91786d1753a9562c698c85f969efe

SHA1
43b7cdde220ac818534f1165312ecbb0254b32d8

SHA256
5a7e9fc8a6451cd74bfb0e4cd12ea7f3dca70ed6a595c5377b4214e7bb3289d9

SHA512
ddde20fe48c70baa8a9068c3d330e7e218979152e3bcd74b1f9b3eaacb75c618f72fcd3288e82977fe715f637f013a1f9416a1c164df3eabcabf87a732380490

Download Submit
C:\Windows\SysWOW64\Dimenegi.exe

Filesize
1.2MB

MD5
c8003a87c5af87210276a74ee6c1f9b4

SHA1
0bbaede1c1c488a7b4cf8fc632e96566ce17f99e

SHA256
54cd8f14d0b8712c4d5db2f0e0055a220446c44aa1bf75eed6ef0f6c5db3bf0f

SHA512
f8319a832c33a5b966388552dd116741882caac1cdf38be2b8fcdd772ea0fbfe4e3c32bcf5b116604217996b37c056df7ef08c13beb2035392365858af7bd584

Download Submit
C:\Windows\SysWOW64\Dlicflic.exe

Filesize
1.2MB

MD5
46ce677a0d4fef759eaa890715ef10f0

SHA1
46c85a5c0e01cfebf714e9c16a2ded04d1daed6c

SHA256
a9a0c816df50315055cb5f873da0cb4cdd387052de0a501d604ecec7ded2d080

SHA512
8dedc62b1dbfdc34f0e27dd3ac547712d9ba5dc6b163531efcf0a4b1e9c370f0d94e1ebc66a9c9a718a9abf1d61598ce66cac1a386fc6900a9251aa8f47b29a9

Download Submit
C:\Windows\SysWOW64\Dndlba32.exe

Filesize
1.2MB

MD5
85f7cc5baff334c02e71f4e4cd5f5918

SHA1
bf9ec6b56e6785d328f856122cf937f73f64eca6

SHA256
5409dce3fe0443c051f2b569073893786ee134caf07c943cacbc24e1ab72277c

SHA512
e03b577168da2c9426aaed2bfcd5d8108d497eefd7f8612fa9ef978ed69c5c7cd5361abea4fbdf6900b46b1072719e4f43796ff1d4d043d9d8a4695ea267fdbb

Download Submit
C:\Windows\SysWOW64\Dpdaepai.exe

Filesize
1.2MB

MD5
9561ff345077f51ef99223fb52d6c6cf

SHA1
b9f40855f14a464260828214addb07dd70e12278

SHA256
8d8f78c363fe29bf8fb701fff9a0d8fdebd53b35ced582786203e234aa30b705

SHA512
059e2ec566cc07e3434648c508954abe58d9a15a08f55b739ca28259d65e88cef849e623d7130912783107c515c406bcc098feb69a8696cf12cf88b6216389cd

Download Submit
C:\Windows\SysWOW64\Ebeapc32.exe

Filesize
1.2MB

MD5
32f054142f7333cdb8cb809ac525447b

SHA1
b3486fd6805d9a7b37f7c0b379318bc64e98ea37

SHA256
e1b43335a29b11cf0c12eb936e664ad25a02917fa49c11933100ee2ee086b257

SHA512
d0d85640202d1c2602e9a3bdb6d7acc7c1d113765c0a2e77f1e503912dd4438e4dc4ba28eabcb22899620e718cdcdcf06d40393e2be1fab69acdc301339702f8

Download Submit
C:\Windows\SysWOW64\Eekjep32.exe

Filesize
1.2MB

MD5
d35b2120a92da26d2ee697742b2f4a5a

SHA1
f7b86dc67eaa5a3462fb3e432fc5991362fbd41b

SHA256
0c0f2607d5f09e3df83d8123a02afc8ed0c92e91848933d48b155488617d4c21

SHA512
2cefc23d9b7fa2e0396816c4a29f6ae2626f2597a20c0bba921b19e28362a699205b602f321f3abb6d4889f10d3c47289adb7bf28170fa2d7e278947c19f9b14

Download Submit
C:\Windows\SysWOW64\Ejoomhmi.exe

Filesize
1.2MB

MD5
f127c4d82ba0f5dcf1f7be656abfc4f5

SHA1
dbbeb418122c10b2d38835c1e5a64159f4e6d5e8

SHA256
a7a3d30f332dce62bfe550aeacf858c83f4faeec424c1cb97344905ad2a28ddd

SHA512
e5a7a4c834748830ef6f91816eac667b0040e764b7fb6c11995736f5b44b8decb76f663cd80c5fdb3d3ee261cb876bc667e9effed5fc3753635098812e634b05

Download Submit
C:\Windows\SysWOW64\Fcmgpbjc.exe

Filesize
1.2MB

MD5
2259890b74821f31fa07a48e74e6c4db

SHA1
fe61e692e56a36a3b2eac9b3aac66b0bf7df31b0

SHA256
2a79353a85616fbb5bf1dd0c949aa94f84bab2eccfb93cab513e4bfdf40312bd

SHA512
b3ed7b380f82542e26bd8de25a583ced9cc7c7f8b55939303d7d13fa3a5c82b4c19933bfd390e4a6005326a6dc6a2e458feea461d9cb288f1ff5c8f5af537b60

Download Submit
C:\Windows\SysWOW64\Gcfjfqah.exe

Filesize
1.2MB

MD5
9db724f55649820a68e67bfe8b2e32f2

SHA1
aca242d483814d3da4912d9cb7d475cc18e1323f

SHA256
166cc42528cdcd19685fcd90223c6b4e155d9f6d3c5af293dd3df56a07bcc2bc

SHA512
20702ded3415d7f439c4939066a57aa59a14be799403fb2abfda890f90c5005a54126c1e673c2e16d8c347fa1c5082567598aae7e1730de77f7735c288c76055

Download Submit
C:\Windows\SysWOW64\Gfokoelp.exe

Filesize
1.2MB

MD5
7bd8d9ff78c4038a6b777ebee3b4897e

SHA1
698313e215333f35e05feb1aa9708fd73b3721eb

SHA256
3a0b1fd85b9f1d29ee9ecdee348ec25a67d1b65bf2a2f2ab8486ad72451e2da9

SHA512
a5464a7f7f373d6b75653fa2f0847ebd5551d164f5e8ff61f7bbbedac95cbc5c9984547a128e8f91d4ef47339822fc9043a7dac1972bc8f1e99af29c68ad5baa

Download Submit
C:\Windows\SysWOW64\Ggahedjn.exe

Filesize
1.2MB

MD5
91485124b6f7eab0dec4534f262fccf4

SHA1
2bb89fb4ba741918cbe875ec4a5d357712edafd7

SHA256
2b7afa07cb1f00bb8b72579a3f24e55db1484d81ae005145f2674769786a38be

SHA512
3bbc7928806e40ba2cae1b25beb791c0d361ec72941d7d56012fb180c3b7f70085c5ac68fd92c58f9ff2b2b3012797b58f32353bc1281150ba632ac87a95abb5

Download Submit
C:\Windows\SysWOW64\Gqpapacd.exe

Filesize
1.2MB

MD5
f192ed72a6ed9c46dc8695c7a65bb007

SHA1
8284af60f0cb8ec355951f467029aafacaa1b5e0

SHA256
7ec2f6c8cb4816bd2b5c12470bdfd72010474c153be59089957595a33050689f

SHA512
5004c0649fb64e6b826ffef6792316c2d7bdfde3769638ef74a6edac6f9b9aabe66bc6278c548cb9eeb9c302f29baac9a91913e7866649e6007ccd074e28f319

Download Submit
C:\Windows\SysWOW64\Hcpojd32.exe

Filesize
1.2MB

MD5
3c8a9294ca9f5821fb138d5775e4c4ee

SHA1
fe1727588ff83ba61c22753f22c5d54a3d39bd07

SHA256
cc6c6b93d2e160ea235003c13b765a2fe89897174bebf6afaefb0b387b51d022

SHA512
98ff66cf3289e56f38af60c5743d4e3c3e84a1304a492f636ff84e86a1a2e6718546c894a4b0d47b5e6693ffe3927aeb1fc7aa7206743b901bbd9950ad23c721

Download Submit
C:\Windows\SysWOW64\Hgmgqc32.exe

Filesize
1.2MB

MD5
0a18127d6f93e3f12d0bffc3dfe3ac6e

SHA1
4df03efeb5bd1c5a7ca9535c9808c32d28c02ad9

SHA256
c59d3451607a47353ec4f968b95b6d843e1eb7311ebeb29aae0c54f42e088975

SHA512
2ec32afe70b9ff7db49b6b114bb499428de491145dd46f1b49ecf3cff06f487fce57dbb0304347dd0221ea731bb37c0cc29129fd8020823bb0677eea3cea61fc

Download Submit
C:\Windows\SysWOW64\Hjbhph32.exe

Filesize
1.2MB

MD5
09404dcd37042c5bb95bccc0be409d27

SHA1
792fcb5aeeca93764179931a921882e56fb5b78c

SHA256
bbea5b1d5ea4b20dba13340b92592a5139240bd12ed03f241b92a7587beb8490

SHA512
707eead33b9dd65bed3ac73b7678f0c1cbf98d47db0cda318a621e330f0c56602b8fb28028c96515515f194cb20d034d05f4abe292448d272d8c818d09d02dce

Download Submit
C:\Windows\SysWOW64\Hmpjmn32.exe

Filesize
1.2MB

MD5
3852b061749c9b7b3d30137b2bf9ff17

SHA1
2ef4e55feb3df319d727b1b7457d7db4fe738f18

SHA256
4c0f37c50406c978d548bcce43959df6972dd0b927f27d2b296063e15e978cc9

SHA512
e2e2cea5523256afa5b6e65ba203ecc1d095ffd9becd89dfc62ae59e847d302c1c69da7696dcfddfeb650820be3937665fa9b2bfe2675af629fe9d4ceb7efa8b

Download Submit
C:\Windows\SysWOW64\Icnklbmj.exe

Filesize
1.2MB

MD5
5eacf06334a2a7de7a156e926f02ef98

SHA1
8dc1e42e171e00adfd205ab806f760f46edad6a3

SHA256
6d0ddba82cdf91773a1bda02eeb4f9f01bb66847e2d6b581bfc494ce75e0d37a

SHA512
a2e980e6df71e980e48103cee3ebc2382ba0d01143b30e35d97f333a7db6a46f3a2cb2d2ae843ccb6c1e610fd620595c2d27119f7f2c5459ee9cd50e71a164ca

Download Submit
C:\Windows\SysWOW64\Igpdfb32.exe

Filesize
1.2MB

MD5
6d27ac66a515aad26d8fd4039c3f9249

SHA1
9fdf5eef3b5adc120be2f6e1ff771d3ff2fc069c

SHA256
2115da422890a9b12b4915a5f2ce5d951792f3b19c362a5c39097d7c4c853de9

SHA512
4845da38091226d4a411f70548d505f2b919856967d236acfa4ced5199e0990a9ff7e53281cd92c51e0fbe5bba5b4d4d4c459486352b46c3d5091109c3f263e5

Download Submit
C:\Windows\SysWOW64\Iiaggc32.exe

Filesize
1.2MB

MD5
8faa42548ccae4d53c0f2610b21af131

SHA1
430bf34ee5f772e652dc72682b22abdd4b814d2e

SHA256
5c66fe77fe6b05c7c750b22d9e5c14a93472679f25d6b81e662c34aa71450f10

SHA512
3b00af9423db56bc05923b972938df1e0bfe45366ffc90fb71efb498d21ef6cca0ff6ac3aea47bba9655f828c1132c9cec5313b66627ecf86f537120a7b6caa6

Download Submit
C:\Windows\SysWOW64\Ijgakgej.exe

Filesize
1.2MB

MD5
30dfc1d35d51049daeae8baf0c4748a4

SHA1
fb150ecb9b21b6c93900b02b8325ff1f7cd3d607

SHA256
0e7ac7ff161c8e6bd02a0197cabdcff51ead03fc57e0d1c5565dcc46c95e8ff7

SHA512
17f2b5eb72630e4615a78be718c8e7b19761b14dd84ddb15a8fd3251983003753ee3d6db62365e305f950339735aca3b88dc76b0e139a0deb59fb4721e7c105c

Download Submit
C:\Windows\SysWOW64\Ijqmhnko.exe

Filesize
1.2MB

MD5
716bfb758f5dc8e997d390819058afef

SHA1
c57063fe4ed20c1ab748238542326ca6c40e7f06

SHA256
1befe945ac3f48b97f8d5cc9762ef52e33ad8359344cea08d8d3046c8141dc75

SHA512
77dd9b561de9db030b50fd236bacaebcd0ad89a6c62174291c3bd04ff92e5acc425822ccb0bb5c5fa3505912a0379cdaa5b043c1465146f81543bfe511802f08

Download Submit
C:\Windows\SysWOW64\Jgnqgqan.exe

Filesize
1.2MB

MD5
a435ab51aa622ba43afe29e7dddfd6ba

SHA1
02ea237cfef38935bba509e2c1bd727a0fc1b018

SHA256
5b92b0b0d6b2dfa17e161d5bfbcefdd47bc55e1a24ed451d6389348d88f232a0

SHA512
df984d1fb576c8a6299f7913120fc4b5d7565a7357e6a74e07ddfd9c324f88bc9c6c8c8b2485bcc36916f195f45b912f03962eaef032220b2d28737556f3eafa

Download Submit
C:\Windows\SysWOW64\Jlmfeg32.exe

Filesize
1.2MB

MD5
5c537650f9594f199889690e8ebf1575

SHA1
2c4ed80877f313f10da7d7a16356ae9c37e94a69

SHA256
2a5ad0dde171f9a323385c177f3355251e2403e1e8dbd4ffa909e0ea2af0892b

SHA512
39e9c6048299b54865508993b98fc629ff5b87d047e65eacfc3a49a91bdeefa7c6b54a91a911b7d56b4fb46293f68f4f299f76811b65a271ad9aa212248eb7a3

Download Submit
C:\Windows\SysWOW64\Kaflio32.exe

Filesize
1.2MB

MD5
a3740485e71022770afb5db5c05880bb

SHA1
e95f0ced315511fe8512fb5244177f3e44b16c49

SHA256
abc0406ea7b3be24f52cc859c041f80130823ae7c3c8c0098d7845be81778465

SHA512
ccb97c9a805faca6eda83f57c11eddea2ca1a47e41e6885d2563a145a1947959444607c1acb04e6a5c4de243d504b4aa6b36878bf07319afaa9bb5d7c40daab2

Download Submit
C:\Windows\SysWOW64\Kdbjhbbd.exe

Filesize
1.2MB

MD5
bec1e827f0ab2395ec363a9d7dc6fade

SHA1
a82f3fef369bb494a0f623e82cf5445ca6316916

SHA256
bb3bb459cb621f3ee31f29f06d6f8daf070cfe1c0063c73b6232628a8531f2c8

SHA512
6a1fa3879e315b71ea9b01cec938bdf26b6afd769d5150e941fa8091446a2241855b04a61758e41fed2178e17ccc3b884f0bde2b72a119bf32e694377e44e60a

Download Submit
C:\Windows\SysWOW64\Kdpmbc32.exe

Filesize
1.2MB

MD5
935e6ae85e9736e69c62748d9815aa63

SHA1
b5d2673e14241a9d837b495bd5a9aeb45f13b673

SHA256
6d39f574d4403b4a6f771e08659c507035041d9a9fec7bc915579c8a806e4970

SHA512
33b7cdb7433d74564827d7e5d341727ed1bedc9d42edbdbe5358f25f039f36e1bfd914ca613855128aba9eae6782eaf723ad60e80bf625a81070c89bf0be233d

Download Submit
C:\Windows\SysWOW64\Kfanflne.exe

Filesize
1.2MB

MD5
507c4b6ca4387538f9d97ab8c6b15da0

SHA1
52acdf9903283d857cf31b44cf69dc5e99c5bf28

SHA256
cccda414da87fe4a67b52e04d3969d16bd4dbb69619f69432c08d6c102d818f3

SHA512
ae951bc651efb0632d239fbaab645b7533082d1d435ad124612ce608de6e4c1975383424b59e8bb1a74751d08f0b9b0f8c8dacd59c3a600b923c03e76466af06

Download Submit
C:\Windows\SysWOW64\Khhaanop.exe

Filesize
1.2MB

MD5
f6459bb561fdfa7c7652506182118587

SHA1
71b646a85ae9756e589090aba76efef72b3d3743

SHA256
b9af8465f723b2d22a559ba4be4bc90b20dace2e00c809044c61975186640963

SHA512
9de771d02c68512825ed159fe12dee28cfaad2e704461f07328da0a7ae2db777f5bf25650a2e694431e3730063824248a3aa613faeb420dc2194c2f43b26f0e6

Download Submit
C:\Windows\SysWOW64\Kkeldnpi.exe

Filesize
1.2MB

MD5
e84a28013d0b563d50388615505aec57

SHA1
2650aa821cc5ac5f2f2e7218a7cdeaed99bc8a07

SHA256
f45c251fa56a25444d01791e304b4f5bee0e203916171db88484b8dfa1f054bc

SHA512
35f0463e9df82f6524113738b7e1f2d24e07c4bd3d00ffb6cc28541eae8519892b20a427ef736e0be8d58c5c4ed57d872499643a7f4eec71ac3cf2589966a0c6

Download Submit
C:\Windows\SysWOW64\Lcjcnoej.exe

Filesize
1.2MB

MD5
bc9d100cfeaf1d99af58845db0df0827

SHA1
febe61ba99a7d6d5d0f18fada960e7711f4fdbbe

SHA256
ed59ab8e04a8717d5735c79e3444d450364035b121101a1053d393c189c6102a

SHA512
da8ec47f315191b9a0f3d1534696d2cfc415217db0923e5cd5152217ae2c5fd09633676b90ac812002277ee385b4b2329f36e4410fdffeb7fa5823abd20ccf88

Download Submit
C:\Windows\SysWOW64\Lhdqml32.exe

Filesize
512KB

MD5
4d8524c5e321f56223af73ebd2bd2e44

SHA1
0001a04fb9a411d12577cf460c77f384ac243714

SHA256
1604f4764d1ae4dd9e652cf698a0b8fb04e7b3699800573861a5ce05cd848153

SHA512
374b0109a03567c5efb50888dafbb78f87fd7a3a9cfba61f60972b307a0fcca59877eaed155d39d86a6563c4517d891ce49ed2b4e30061b508b9760bfe5eee11

Download Submit
C:\Windows\SysWOW64\Lmbhgd32.exe

Filesize
1.2MB

MD5
9212cc1df2c2ea931f3dd130e22c1578

SHA1
34332cdf8c1cbe11195a071cde1d7040c5001707

SHA256
c7c27d6117f489231b27374b1e0f14c25a1d453658e9b1611ef10a0770580cfe

SHA512
62e72fc1278aa764aef7f719cc3439ee9bc41add52a59c512a15462987271bb32c3755938ee45f018217a46b50504d821c6ffd374742223192f88db2f9f3acff

Download Submit
C:\Windows\SysWOW64\Lmgabcge.exe

Filesize
1.2MB

MD5
4064143cc516ddc75da215c8a3d76631

SHA1
d3573cd3fdb519db5d26fda93b29140bea0f4ec4

SHA256
71518313f44c0f760233a7c5b1946c9678bac3f0b5b9efb034f3cea805767f3c

SHA512
b11e558044314d7016ec9df22d0207838f8093dc05312a6c4fe885acf45fa096aac541f64294fa49cd792fc1e464ef5ff68470b98f01aef76d715417438bfc45

Download Submit
C:\Windows\SysWOW64\Lmneemaq.exe

Filesize
1.2MB

MD5
ef4931349f065a298b53bb567e9b236e

SHA1
70c6cde44ac6311bbb94b4de3f84ecabc66f3241

SHA256
5e29d356aed11e5edb92f8aa33e97cc194a090747955d538676ec533f69f211a

SHA512
5c02a6715ebab66aecb997c3d915e5d69d015c6461ffd6f19b991d3556fa0af13ea1f1727a2fe626ae4b2590044321aeedccecb22a81312c66b208f03ff6f5c6

Download Submit
C:\Windows\SysWOW64\Logbigbg.exe

Filesize
1.2MB

MD5
b66c621d5dfc654838b86fb364cb692f

SHA1
3ec2c783867826296c05df98f95c210fa2033bed

SHA256
8e4f98cfe6a446102feeacb40a79c90a04329c82934c8ac986a1b9fd975309e2

SHA512
11d399a709a7e686bea9353b195b371f05becaf56f4c314ab166b604321c54d43af52501ee54e1b82e14ebc7e0021b9dec2d480614a5edf40407377f4022e8d8

Download Submit
C:\Windows\SysWOW64\Mcjmel32.exe

Filesize
1.2MB

MD5
a0ddbdd6d8dd84842aef991d5738f517

SHA1
7d2b1ca33ab73a3abd3d8431355bf91a88777ccd

SHA256
0682da7be64b475626b639262a25b680443be5976072544b621cc95dbc63706e

SHA512
fb67ddaa0966cf1bf7f90a7ae5d8578b5440fba29f131af21cce5940e6762ce152312fc2b93b61f8abc7b4d99ddee4e683eff32294c726bd2a4485205e5ca671

Download Submit
C:\Windows\SysWOW64\Meepdp32.exe

Filesize
1.2MB

MD5
ffc73058be663606f1acef000eca67ed

SHA1
75bb1de77aa6e4d18682b8e3175112c05c639514

SHA256
cf578e210b18d70919fa72e5af961415e6c5dcc7f03808fd6d2641da732ea16b

SHA512
abbeb6be4cdb8832cbd1dd86e394cf409d89db9a6aaff4dd482e69fad990a9a10e3fcac01083cf10840d03414a7de102d1a03c8ad6c06cf35ec33330ab770ca1

Download Submit
C:\Windows\SysWOW64\Mkjnfkma.exe

Filesize
1.2MB

MD5
cd03cd73fcffd8f65a0cbc1ed5bc1650

SHA1
07fdb61521d4de5eab0e4e5fa944aa832bc6b46c

SHA256
f795a7293d98a372e91b9e451d0dd68bc8e1267627291284f7c9649e1bb67f38

SHA512
befc17cc58c840a2e312abf01fe94e70587cd4c827b60fc7fbe8359acf36b12e6cb09e21e444e65fdb10f79f766d198a6350f5d9e920702a3c5ba0e7f4f3c39f

Download Submit
C:\Windows\SysWOW64\Mpqklh32.exe

Filesize
1.2MB

MD5
684a7878df5ec3f6497b13ae10aedb4e

SHA1
5d0ba6a030aa18bbbeded19215c3b1f552e6dea0

SHA256
3f05dbc1d8da8fde8027fd257396e497888bb3e97b2117b566eb3377ffa0e12e

SHA512
107033f905db117a90653a8cb69b7e1af3a09e664460836e246f376a5b4962d55b243520a24102f28864c232aae7429c0fd91fd369bea14941a553629a63fe75

Download Submit
C:\Windows\SysWOW64\Nclikl32.exe

Filesize
1.2MB

MD5
8e26508f84fc175025ae8d039d4f55d6

SHA1
f4a0aca52562dd674944b06ab96f46fa8243d3f3

SHA256
cbfd1ed905f39e382c206b22ebe18861c07608fec20707e53e6e8c6a362e62f0

SHA512
5562cc9a635c156d48f2bae44edddb8a717a1e13f5a99986c3f779e52fb3ca38c5847221914fde79893729ab9b4271fce6b2c6aaaf31684e963201931418131b

Download Submit
C:\Windows\SysWOW64\Njkkbehl.exe

Filesize
1.2MB

MD5
ec8847308ab03805d9c27ec11efab70a

SHA1
b452e6faae6cf39fb21858e6da54643963c6aa70

SHA256
e3e51acf7bb7f1d502b57c5a909a2817d36b1bda009efa9fa36517cb529df143

SHA512
ee3c9469288d6a07f1cab0dabd547e6da47d74593687e0e92743b591b8939ac7aacdd27f74a81b1c127b0dd8b6b81a25016cfb9226d33b258bc4590bbdfb18b9

Download Submit
C:\Windows\SysWOW64\Nkboeobh.exe

Filesize
1.2MB

MD5
b036a024de7d5f4d575e2c18ca09f3e5

SHA1
beea1e64891d284ed130957b45b9df071d0a59a6

SHA256
6e8507ff4e9e503ae795c2eb5a868c9bc5fcbd62800cbe0642cf6d560c3f7cbe

SHA512
b16d28884f7c437e38c1b59904a08e24362b594e977b8863e890b6790106bdb1811a7e532c1e2d5839d3d8e058f6f706fe49ea56b20a460122ee66e7aae1b99d

Download Submit
C:\Windows\SysWOW64\Nmjfodne.exe

Filesize
1.2MB

MD5
f4b2b36218eee9bebf2e41bd0f821d46

SHA1
3e3496998cdbddccf04d0046abbc746c15599438

SHA256
3487fcd1feeeb073ee913ec97934bbd796893ea853e1cb460021456cc5062295

SHA512
417612d7b259eb61ac3aed150242adffa1b6faec55ecac70c54019fd798da2f07a2c2c3be82e26b96dec7332d4408beab6d16de31adbf5bf73e039f3c8b5196d

Download Submit
C:\Windows\SysWOW64\Nnkpnclp.exe

Filesize
1.2MB

MD5
80dbedf2df8798330442ac225f665fdd

SHA1
285331e570a6c706ec916fb30f9c28d25897d8e7

SHA256
3779e4e1df4eb738fbc2164e828d248c684f42810b06ecc96bc07c7d944a6e4e

SHA512
99917796aef3abef9866b9b7a0deba427fafff69a53407fa03f055b79ffd281790e852876f63793bdec45f3d347a3a147ec71587b39949129ee3690e366251ab

Download Submit
C:\Windows\SysWOW64\Ockdmmoj.exe

Filesize
1.2MB

MD5
420c329c22aad48bc3aecfba1f5192c2

SHA1
abfee59a75f1604dc5a2e84e7c1328267aa21ddf

SHA256
49691430591e42cc1018d4a669cf05b09e27a63da8393bd378dd7d7477894b01

SHA512
d7338d8279d50bf040ca8d23fa561f23694d97eeee110ecc2d2959557b726d9f10a47a7a3a8e3c3e8245b6b0b654d3b81f3f76ee13036e47afbc98b94068bf20

Download Submit
C:\Windows\SysWOW64\Odmbaj32.exe

Filesize
1.2MB

MD5
9593b8fd91f0a241aa67159a2443ce8f

SHA1
5a3ef721120140cf853e85ed5120a3a67369529f

SHA256
47be8e9726f7f576632808b2c4e69b8d8a0b956f540ff32fc295b40546502023

SHA512
6ebbab903ac2384b5351f8ae4aacf12509f05fa830251c3295a44d5f68e6d2e2d5df033304681c9d9352d10348e3bbe708effb30f31156e9435fc6378b9177e4

Download Submit
C:\Windows\SysWOW64\Oeffnl32.exe

Filesize
1.2MB

MD5
e21649064edfedc51644402a70d5c612

SHA1
678df79819c8f74aa93276e337dbdbd9095ebca7

SHA256
5a64a953ec8ac6505165254191eaf8542ccda4d8199fc65ce7ef6401fadf221d

SHA512
5b4f818464d68963a27087e295f44780ad7ddf8fc95aad9f135d6b6ce7c5906cfe84f1f2b33273b752d34b30ebf6cf1bda11af44e8d42b4a3d09d7e7f0881630

Download Submit
C:\Windows\SysWOW64\Oeokal32.exe

Filesize
1.2MB

MD5
0e3635dd85b6d97eb3309e8e5d4a37e2

SHA1
0dfd72275f631706e161b3e16d7f8316686e930c

SHA256
cc51b44d05dfcc803d1a873a1a0242cf725fe25d9d0011a5dfefa98efd624b7f

SHA512
983f95bc5a655252e34969533b17868f7cecbcffc461e3a9d8b847880fef043a98ba869925a5ad3f6aca40f88e598b4ea47d33bc7ab9a1add98039d727c28ffa

Download Submit
C:\Windows\SysWOW64\Okpkgm32.exe

Filesize
1.2MB

MD5
73f7bad44527f0611a021582c4847e4c

SHA1
011f9f6be46b7674edc4159c4939224b4551245b

SHA256
0e873856bfbc152c81a672a82495a2008273ea6598965405b7d97cd6fe832581

SHA512
76ead564a43deaf98d5faa8790ac6c338af64dc0204b9329d50cabadf7f87b9c85406c2e45dd4cd61aceac3f38f1ec497801fd4c071a7273c32c5baf41aa9a2a

Download Submit
C:\Windows\SysWOW64\Olanmgig.exe

Filesize
1.2MB

MD5
4b5824ed123cb8ce757a7116a048c23d

SHA1
9d538e1b516e58cd7513b4c27eb76ff116477527

SHA256
36a787c7b476e15dbe2d494ca06d355524d3dcc32586424a4054a9011aa32562

SHA512
53c2f1d3a9a11b6fa85dd8f9a0a8b0fdc26916588195393a4f94ab9386a39c8aba7914495ee3f25317ef9f24ec4d30670d05157db8f567b994db21fd9f394165

Download Submit
C:\Windows\SysWOW64\Olfghg32.exe

Filesize
1.2MB

MD5
8d1090d7de70d8881e3d48f8589242f0

SHA1
0d78c42adc6fb7900f0f747e7ad10c9ac2d98d3e

SHA256
f8729e350bdbc5916e3d4ed5f7e3dda4c05dd3e620e739e43661d3decf44f6dc

SHA512
9e07b6556e02bc20a6f7c2d49e9e3035cb0a99f404591c62acc9036b13f35ffc7d59f6d1fa05c52df918137ff7aab5c5a021e439ddd42126304fd4d1f3067045

Download Submit
C:\Windows\SysWOW64\Omjpeo32.exe

Filesize
1.2MB

MD5
9ebd4517331da366c917be12d7567d3b

SHA1
237a0785b12d1b611dfa7536925282a30af6e993

SHA256
f63625fe76705fd064dcc355d6bd575e5c64ef5e781d332249fc5218eab54b37

SHA512
5523c818280f564be4cca962c12fbf376dd18eae35722028a5898400d9f22663a46b8849802fea716425ed4d592a40f8ff69a5ebb0e67dd79f47450f76bf2e96

Download Submit
C:\Windows\SysWOW64\Oobfob32.exe

Filesize
1.2MB

MD5
839359ddff79b8593b0e7459b11a54e8

SHA1
4c3fdd811cc406445ac6e4e6f31286745ca882ac

SHA256
f35574549f476cf47d9e83aeae83031b4ba7155f9ebd986042d0f2a9ca67388c

SHA512
fccf36946b2c67d1b1243eec0b09e3df2c266a6855536d02be1ece88d86f04ffa55dcc5771a48f06f32655fc62a44ab3f5d83c54233b030e962c2378743fc7d0

Download Submit
C:\Windows\SysWOW64\Pddhbipj.exe

Filesize
1.2MB

MD5
43c9890594bcef1c73a6ba16fc8c4805

SHA1
31b9f7aa379b63b1679aba26c59503abf42b799f

SHA256
6c5c2b17169d8ebf0ff4da8beacf4fcac7ff3fe8b8ecde5d44e7feb719082188

SHA512
c941f10120fad38ee8d2a51f24290b14bfd43354fc860a28077e25076263314575d060b4798089e694ccf9c3a0eec57def5bc0cfa4d478ad913a92498d0b4886

Download Submit
C:\Windows\SysWOW64\Qhkdof32.exe

Filesize
1.2MB

MD5
98926304fd6d1636c7ca77a93fd3d1e9

SHA1
c0eb3c32157905451c057982cfe469b889062e70

SHA256
e46d56364d6c70c1c41adcd1c8bfb5319b43b5d77dc563a9bef5916622a28957

SHA512
223dff6d1e42f56741a11881f403ab264784a6ce8e92cee4a4b63f5ec0cf361d6eecb7f77e2bdfb4fb1fcd3070ab001e26a961e84b014665dd38ed0be60cd305

Download Submit
memory/220-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/528-170-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/768-354-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1424-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1424-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1424-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1440-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-218-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1600-297-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1760-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1852-53-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1868-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1992-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2264-360-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2284-426-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-318-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2616-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2672-324-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-122-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-178-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2840-312-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2844-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2920-390-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3108-253-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3188-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3192-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3200-194-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-300-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3308-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3344-408-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3352-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3476-301-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3544-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3548-86-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3552-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3740-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3748-378-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3792-432-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3800-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3948-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3980-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4068-372-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4092-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4180-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4196-366-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4284-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4448-386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4452-186-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4516-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4540-166-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4604-238-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4612-342-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4652-399-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4664-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4884-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-154-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4932-336-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4944-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4988-210-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5032-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5100-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads