e5caaf9252aad7be7213d2fbac8154b57f17a0762fc9fb31e808f03d81c4a015

Analysis

max time kernel
100s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

017e61939eaeae3ba40ba18e65e7f139.exe
Size

80KB
MD5

017e61939eaeae3ba40ba18e65e7f139
SHA1

7b8aa2c6cda7b84e45d45cb098345dcfdacc0226
SHA256

e5caaf9252aad7be7213d2fbac8154b57f17a0762fc9fb31e808f03d81c4a015
SHA512

628ca4dbdfbee922a9292456f2dc67239e0a4aa94d441e1a081b9abffaf881b76237a791587b30340a7be9078190630ab53d2abb66bf030f44f0a6eeed896678
SSDEEP

1536:xkdproKTCdxD2SugH+RXXGbDBv5YMkhohBE8VGh:udproK29ugHoXGvBhUAEQGh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acocaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecandfpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmknaell.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eepjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcmnpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkmlofol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdeqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmpcdfm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elppfmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hijooifk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doqpak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eolpmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekjfcipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcckif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eefhjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acocaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baocghgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdiooblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecandfpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eepjpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fooeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfpcgpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbpnkama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghopckpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgdlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe

Executes dropped EXE 64 IoCs

pid	Process
3040	Alabgd32.exe
3076	Abkjdnoa.exe
4868	Ahhblemi.exe
4536	Ajfoiqll.exe
4752	Acocaf32.exe
2780	Alfkbc32.exe
836	Abpcon32.exe
4640	Aeopki32.exe
4740	Alhhhcal.exe
1428	Angddopp.exe
2388	Aaepqjpd.exe
3516	Adcmmeog.exe
4400	Alkdnboj.exe
1124	Becifhfj.exe
2212	Bnlnon32.exe
4716	Bdhfhe32.exe
1880	Balfaiil.exe
4532	Bdkcmdhp.exe
4604	Bjdkjo32.exe
4156	Baocghgi.exe
1916	Bdmpcdfm.exe
4012	Bldgdago.exe
3288	Bjghpn32.exe
1792	Baaplhef.exe
1848	Blfdia32.exe
3472	Cacmah32.exe
5096	Ceoibflm.exe
3524	Chmeobkq.exe
2076	Cogmkl32.exe
2128	Ceaehfjj.exe
2548	Cknnpm32.exe
4972	Cahfmgoo.exe
1332	Cecbmf32.exe
4328	Ckpjfm32.exe
1596	Cajcbgml.exe
4548	Cdiooblp.exe
2952	Ckcgkldl.exe
2312	Cehkhecb.exe
4524	Chghdqbf.exe
116	Doqpak32.exe
2364	Daolnf32.exe
1520	Ddmhja32.exe
2996	Dldpkoil.exe
4324	Docmgjhp.exe
8	Daaicfgd.exe
4396	Ddpeoafg.exe
1624	Dlgmpogj.exe
4992	Dbaemi32.exe
4636	Deoaid32.exe
1568	Dhnnep32.exe
4372	Dohfbj32.exe
1064	Dafbne32.exe
2944	Dhpjkojk.exe
720	Dkoggkjo.exe
1964	Dahode32.exe
4540	Ekacmjgl.exe
2004	Eolpmi32.exe
4288	Eaklidoi.exe
1576	Eefhjc32.exe
1628	Elppfmoo.exe
2932	Ekcpbj32.exe
4316	Elbmlmml.exe
3932	Ekemhj32.exe
2664	Eoaihhlp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gdeqhl32.exe	Gbgdlq32.exe
File opened for modification	C:\Windows\SysWOW64\Iikhfg32.exe	Ibqpimpl.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Alabgd32.exe	017e61939eaeae3ba40ba18e65e7f139.exe
File opened for modification	C:\Windows\SysWOW64\Gdhmnlcj.exe	Gcfqfc32.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Kfmepi32.exe	Kpbmco32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Ainpbi32.dll	Gmoeoidl.exe
File created	C:\Windows\SysWOW64\Hfnphn32.exe	Hcpclbfa.exe
File opened for modification	C:\Windows\SysWOW64\Jfhlejnh.exe	Jcioiood.exe
File opened for modification	C:\Windows\SysWOW64\Flnlhk32.exe	Fhcpgmjf.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ipnjab32.exe	Imoneg32.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Memcpg32.dll	Jidklf32.exe
File created	C:\Windows\SysWOW64\Kfckahdj.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Hflheb32.dll	Lmdina32.exe
File created	C:\Windows\SysWOW64\Hjjgia32.dll	017e61939eaeae3ba40ba18e65e7f139.exe
File created	C:\Windows\SysWOW64\Dejpjp32.dll	Fcmnpe32.exe
File created	C:\Windows\SysWOW64\Eifbkgjd.dll	Jimekgff.exe
File opened for modification	C:\Windows\SysWOW64\Fdnjgmle.exe	Fbpnkama.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Megdccmb.exe
File created	C:\Windows\SysWOW64\Fhccdhqf.dll	Kfankifm.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Kdcbom32.exe	Klljnp32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Eekaebcm.exe	Eoaihhlp.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Ghopckpi.exe	Gfpcgpae.exe
File opened for modification	C:\Windows\SysWOW64\Hfifmnij.exe	Hckjacjg.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Edbklofb.exe	Eepjpb32.exe
File created	C:\Windows\SysWOW64\Ibjjhn32.exe	Ikpaldog.exe
File created	C:\Windows\SysWOW64\Jcbihpel.exe	Jpgmha32.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Bjghpn32.exe	Bldgdago.exe
File created	C:\Windows\SysWOW64\Fcckif32.exe	Fkmchi32.exe
File opened for modification	C:\Windows\SysWOW64\Iifokh32.exe	Ifgbnlmj.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Elgfgl32.exe	Eemnjbaj.exe
File created	C:\Windows\SysWOW64\Fdnjgmle.exe	Fbpnkama.exe
File opened for modification	C:\Windows\SysWOW64\Ibqpimpl.exe	Imdgqfbd.exe
File opened for modification	C:\Windows\SysWOW64\Eemnjbaj.exe	Ecoangbg.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Fafkecel.exe	Fcckif32.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Klljnp32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9668	9560	WerFault.exe	441

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlgmpogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdhfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dahode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqoieqhe.dll"	Ekemhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoaihhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjljbfog.dll"	Fhemmlhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alkdnboj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekjfcipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elikfp32.dll"	Gokdeeec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnlnon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpaeonmc.dll"	Blfdia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aecqac32.dll"	Chmeobkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfgefhai.dll"	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipnjab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cecbmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chghdqbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flceckoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmjdjgjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eolpmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihdea32.dll"	Eefhjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdpie32.dll"	Bnlnon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hijooifk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekcpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fooeif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkikkeeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Angddopp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kboljk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pejjde32.dll"	Elppfmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cogmkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flnlhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfnphn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 3040	1732	017e61939eaeae3ba40ba18e65e7f139.exe	85
PID 1732 wrote to memory of 3040	1732	017e61939eaeae3ba40ba18e65e7f139.exe	85
PID 1732 wrote to memory of 3040	1732	017e61939eaeae3ba40ba18e65e7f139.exe	85
PID 3040 wrote to memory of 3076	3040	Alabgd32.exe	86
PID 3040 wrote to memory of 3076	3040	Alabgd32.exe	86
PID 3040 wrote to memory of 3076	3040	Alabgd32.exe	86
PID 3076 wrote to memory of 4868	3076	Abkjdnoa.exe	87
PID 3076 wrote to memory of 4868	3076	Abkjdnoa.exe	87
PID 3076 wrote to memory of 4868	3076	Abkjdnoa.exe	87
PID 4868 wrote to memory of 4536	4868	Ahhblemi.exe	88
PID 4868 wrote to memory of 4536	4868	Ahhblemi.exe	88
PID 4868 wrote to memory of 4536	4868	Ahhblemi.exe	88
PID 4536 wrote to memory of 4752	4536	Ajfoiqll.exe	89
PID 4536 wrote to memory of 4752	4536	Ajfoiqll.exe	89
PID 4536 wrote to memory of 4752	4536	Ajfoiqll.exe	89
PID 4752 wrote to memory of 2780	4752	Acocaf32.exe	90
PID 4752 wrote to memory of 2780	4752	Acocaf32.exe	90
PID 4752 wrote to memory of 2780	4752	Acocaf32.exe	90
PID 2780 wrote to memory of 836	2780	Alfkbc32.exe	91
PID 2780 wrote to memory of 836	2780	Alfkbc32.exe	91
PID 2780 wrote to memory of 836	2780	Alfkbc32.exe	91
PID 836 wrote to memory of 4640	836	Abpcon32.exe	92
PID 836 wrote to memory of 4640	836	Abpcon32.exe	92
PID 836 wrote to memory of 4640	836	Abpcon32.exe	92
PID 4640 wrote to memory of 4740	4640	Aeopki32.exe	93
PID 4640 wrote to memory of 4740	4640	Aeopki32.exe	93
PID 4640 wrote to memory of 4740	4640	Aeopki32.exe	93
PID 4740 wrote to memory of 1428	4740	Alhhhcal.exe	94
PID 4740 wrote to memory of 1428	4740	Alhhhcal.exe	94
PID 4740 wrote to memory of 1428	4740	Alhhhcal.exe	94
PID 1428 wrote to memory of 2388	1428	Angddopp.exe	95
PID 1428 wrote to memory of 2388	1428	Angddopp.exe	95
PID 1428 wrote to memory of 2388	1428	Angddopp.exe	95
PID 2388 wrote to memory of 3516	2388	Aaepqjpd.exe	96
PID 2388 wrote to memory of 3516	2388	Aaepqjpd.exe	96
PID 2388 wrote to memory of 3516	2388	Aaepqjpd.exe	96
PID 3516 wrote to memory of 4400	3516	Adcmmeog.exe	97
PID 3516 wrote to memory of 4400	3516	Adcmmeog.exe	97
PID 3516 wrote to memory of 4400	3516	Adcmmeog.exe	97
PID 4400 wrote to memory of 1124	4400	Alkdnboj.exe	98
PID 4400 wrote to memory of 1124	4400	Alkdnboj.exe	98
PID 4400 wrote to memory of 1124	4400	Alkdnboj.exe	98
PID 1124 wrote to memory of 2212	1124	Becifhfj.exe	99
PID 1124 wrote to memory of 2212	1124	Becifhfj.exe	99
PID 1124 wrote to memory of 2212	1124	Becifhfj.exe	99
PID 2212 wrote to memory of 4716	2212	Bnlnon32.exe	100
PID 2212 wrote to memory of 4716	2212	Bnlnon32.exe	100
PID 2212 wrote to memory of 4716	2212	Bnlnon32.exe	100
PID 4716 wrote to memory of 1880	4716	Bdhfhe32.exe	101
PID 4716 wrote to memory of 1880	4716	Bdhfhe32.exe	101
PID 4716 wrote to memory of 1880	4716	Bdhfhe32.exe	101
PID 1880 wrote to memory of 4532	1880	Balfaiil.exe	102
PID 1880 wrote to memory of 4532	1880	Balfaiil.exe	102
PID 1880 wrote to memory of 4532	1880	Balfaiil.exe	102
PID 4532 wrote to memory of 4604	4532	Bdkcmdhp.exe	103
PID 4532 wrote to memory of 4604	4532	Bdkcmdhp.exe	103
PID 4532 wrote to memory of 4604	4532	Bdkcmdhp.exe	103
PID 4604 wrote to memory of 4156	4604	Bjdkjo32.exe	104
PID 4604 wrote to memory of 4156	4604	Bjdkjo32.exe	104
PID 4604 wrote to memory of 4156	4604	Bjdkjo32.exe	104
PID 4156 wrote to memory of 1916	4156	Baocghgi.exe	105
PID 4156 wrote to memory of 1916	4156	Baocghgi.exe	105
PID 4156 wrote to memory of 1916	4156	Baocghgi.exe	105
PID 1916 wrote to memory of 4012	1916	Bdmpcdfm.exe	106

C:\Users\Admin\AppData\Local\Temp\017e61939eaeae3ba40ba18e65e7f139.exe
"C:\Users\Admin\AppData\Local\Temp\017e61939eaeae3ba40ba18e65e7f139.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\Alabgd32.exe
  C:\Windows\system32\Alabgd32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\Abkjdnoa.exe
    C:\Windows\system32\Abkjdnoa.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Windows\SysWOW64\Ahhblemi.exe
      C:\Windows\system32\Ahhblemi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Windows\SysWOW64\Ajfoiqll.exe
        
        C:\Windows\system32\Ajfoiqll.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
      - C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Abpcon32.exe
        
        C:\Windows\system32\Abpcon32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Aeopki32.exe
        
        C:\Windows\system32\Aeopki32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Alhhhcal.exe
        
        C:\Windows\system32\Alhhhcal.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Angddopp.exe
        
        C:\Windows\system32\Angddopp.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Aaepqjpd.exe
        
        C:\Windows\system32\Aaepqjpd.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Alkdnboj.exe
        
        C:\Windows\system32\Alkdnboj.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Becifhfj.exe
        
        C:\Windows\system32\Becifhfj.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Bnlnon32.exe
        
        C:\Windows\system32\Bnlnon32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Bjdkjo32.exe
        
        C:\Windows\system32\Bjdkjo32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Bjghpn32.exe
        
        C:\Windows\system32\Bjghpn32.exe
        24⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        25⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Cacmah32.exe
        
        C:\Windows\system32\Cacmah32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        28⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        31⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Cknnpm32.exe
        
        C:\Windows\system32\Cknnpm32.exe
        32⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Cahfmgoo.exe
        
        C:\Windows\system32\Cahfmgoo.exe
        33⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Ckpjfm32.exe
        
        C:\Windows\system32\Ckpjfm32.exe
        35⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        36⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Ckcgkldl.exe
        
        C:\Windows\system32\Ckcgkldl.exe
        38⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        39⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        42⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        44⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        45⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        46⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        47⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        49⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        50⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        51⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        52⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        53⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        54⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        55⤵
        Executes dropped EXE
        
        PID:720
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        57⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        59⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        63⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        66⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        67⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        68⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        69⤵
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        70⤵
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        71⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3276
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        75⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        76⤵
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        78⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        79⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        80⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        81⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        82⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        83⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        84⤵
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        85⤵
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        86⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        87⤵
        
        PID:708
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        88⤵
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        90⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        91⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        92⤵
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        93⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        96⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        97⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        98⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        99⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        100⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        101⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4272
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:316
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        107⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        108⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        110⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        111⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        112⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        113⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        114⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        115⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        116⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        118⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        119⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        120⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        121⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        123⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        124⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        125⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        126⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        127⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        128⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        129⤵
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        130⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        131⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        132⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        133⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        134⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        135⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        137⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        138⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        140⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        141⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        142⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        143⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        144⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        145⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        146⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        147⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        148⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        149⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        151⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        153⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        154⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        156⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        157⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        158⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        159⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        160⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        161⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        162⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        163⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        164⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        165⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        167⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6148
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        169⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        170⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        171⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6308
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        173⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        175⤵
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        177⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        178⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        180⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        181⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        182⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        183⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        184⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        186⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        187⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6960
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7008
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        190⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        191⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        192⤵
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        193⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        194⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6280
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        197⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        198⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        199⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        200⤵
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        201⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        202⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        203⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6880
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        205⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        206⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7068
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        208⤵
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        209⤵
        Drops file in System32 directory
        
        PID:6220
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        210⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        212⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        214⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        215⤵
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        216⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        217⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        218⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        219⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        220⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        221⤵
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        222⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        223⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        224⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        225⤵
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        226⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        227⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        228⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7172
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        230⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        231⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        232⤵
        Modifies registry class
        
        PID:7300
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        233⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        234⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        235⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        236⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        237⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        238⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7588
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        240⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        241⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        242⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        243⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        244⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        245⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        246⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        247⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        248⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        249⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        250⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8080
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8124
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8168
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        254⤵
        Drops file in System32 directory
        
        PID:7200
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        255⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        256⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        257⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        258⤵
        Modifies registry class
        
        PID:7492
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        259⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        260⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        261⤵
        Modifies registry class
        
        PID:7708
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7820
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        263⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        264⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8064
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        266⤵
        Modifies registry class
        
        PID:8136
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        267⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        268⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        269⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        270⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        271⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7912
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        272⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        273⤵
        Modifies registry class
        
        PID:7208
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        274⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        275⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        276⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7900
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8108
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        278⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        279⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8020
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        280⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        281⤵
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        282⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        283⤵
        Modifies registry class
        
        PID:8244
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        284⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        285⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        286⤵
        Drops file in System32 directory
        
        PID:8364
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        287⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        288⤵
        Drops file in System32 directory
        
        PID:8440
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        289⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        290⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        291⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        292⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        293⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8652
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        294⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        295⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        296⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        297⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8856
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        299⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8944
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        301⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8984
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        302⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        303⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        304⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9124
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        305⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        306⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        307⤵
        Modifies registry class
        
        PID:8232
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        308⤵
        Drops file in System32 directory
        
        PID:8304
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        309⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        310⤵
        Modifies registry class
        
        PID:8476
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        311⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        312⤵
        Drops file in System32 directory
        
        PID:8592
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        313⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        314⤵
        Drops file in System32 directory
        
        PID:8724
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        315⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        316⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        317⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        318⤵
        Modifies registry class
        
        PID:8964
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        319⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        320⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        321⤵
        Modifies registry class
        
        PID:9188
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        322⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        323⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        324⤵
        Modifies registry class
        
        PID:8448
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        325⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        326⤵
        Drops file in System32 directory
        
        PID:8676
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        327⤵
        Modifies registry class
        
        PID:8772
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        328⤵
        Drops file in System32 directory
        
        PID:8908
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        329⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        330⤵
        Modifies registry class
        
        PID:9112
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        331⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        332⤵
        Drops file in System32 directory
        
        PID:8412
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        333⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8520
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        334⤵
        Drops file in System32 directory
        
        PID:8708
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        335⤵
        Modifies registry class
        
        PID:8896
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        336⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9068
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        337⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8256
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        338⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        339⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        340⤵
        Modifies registry class
        
        PID:9152
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        341⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        342⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        343⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        344⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        345⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        346⤵
        Drops file in System32 directory
        
        PID:9256
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        347⤵
        Drops file in System32 directory
        
        PID:9296
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        348⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        349⤵
        Modifies registry class
        
        PID:9372
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        350⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        351⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        352⤵
        Modifies registry class
        
        PID:9516
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        353⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9560 -s 216
        354⤵
        Program crash
        
        PID:9668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 9560 -ip 9560
1⤵
PID:9648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaepqjpd.exe

Filesize
80KB

MD5
275f02e30433332ba582ae9eacec5912

SHA1
7b3309fbba7e81a71ed55e1d0e1220ecb4b2f89a

SHA256
811afac5ca3b00306c4d806c262e7631ad8cb692172d0756f93273b6125033a7

SHA512
d3a8cf26befcb81f77f80cc71fd1c32ab803c6d421fa791505db50ae3a7d0e51d344bd43c85cea29279c823a08973a6124827630e502b10b0cf57a6a542bfa7b

Download Submit
C:\Windows\SysWOW64\Abkjdnoa.exe

Filesize
80KB

MD5
d594d2b14856e8c9fb71e6ac88252a89

SHA1
162910f84e335dc277547293ec9361365a693edc

SHA256
da1eaa03b6f441ef5f93ce95153769e00a8bb68efed6a58eaf64d092cd9fedfd

SHA512
6d94ca3625f1090a1fb319b0939bc3032064123aaf6ada89cc07cdcb96407904bb9ce14a3f8f7a0d8cabbd8e3e8bf50198652c19e469757a4e24a6c5979efa46

Download Submit
C:\Windows\SysWOW64\Abpcon32.exe

Filesize
80KB

MD5
3c59f4991d9cf6b3b9d16826ff56f32d

SHA1
69f34e4fbd9c465809714088536bd7f513020498

SHA256
34832b1aa58eacc89c51d00b7e9f259433a6922d719e851f3548a1de1b9940a3

SHA512
8eb759c84a585252e74396ea3799b8ac4906eb973081148948551ffc55740cbde2d7cd9310c7c1447f1a202f90034267122fbb911c29b9538da4962aff01fd53

Download Submit
C:\Windows\SysWOW64\Acocaf32.exe

Filesize
80KB

MD5
78424b5544a3d85b7f9b2a01e3b7ff36

SHA1
61622c7d2bf2dfbc1972b37d348269c0946ba2e6

SHA256
122d15d9050605ce165073040ec09116a30214b9d05cf576ee5b8c219a40c5f6

SHA512
31276a89259b35151211e57df188124b9ee0372e6cfee967941d18758694f3ecdf05e705589a056c713adfe82ad07d731c46e33ec183d34b0d0e15d1d3ddf4dc

Download Submit
C:\Windows\SysWOW64\Adcmmeog.exe

Filesize
80KB

MD5
27b3554f2e2dc1cf8016f204b136c28d

SHA1
efd0c368f64bb25dccd3e0e7f09336c7bc0f47fb

SHA256
66956794809ed1b7b11b5538d039326992be4e7d7cd0488ef936d2dd33f88760

SHA512
ba795977688696eb0bba1a4355cfe5fc9f53d616e64a3a9f1a180760af27bd680402484b0f358cf12bcabe2b72e06e05a8bf9b5955481bb57ad337229423ce1f

Download Submit
C:\Windows\SysWOW64\Aeopki32.exe

Filesize
80KB

MD5
fecd23d22b8262e2b6dbf43ae7b516e4

SHA1
79fadf4b3a6a973a262685efcaff615ce6ac21f1

SHA256
730e260a04042a5041b1838f5e93d6ddbfd024aa2d24a4852b86d5150fe8594c

SHA512
e3b7ca9f4ba7283002489bab86969a6d2e6aa3d0054e9eee3361a1a0ff364eb77d0e80d26ba92d486862d884eae40139bd363f7a349fb405e940169d2be1e267

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
80KB

MD5
a3d450737ec5bfe34f523ea66673eb53

SHA1
038460f91644b25ae720ef7877fd226824da1fd7

SHA256
ca6535343c35a5f0228e38e48d58be4199dd09fbeff37ec9284b95efeacaf30e

SHA512
e2fdfd4e2435ce32b876b9cd44c98f080f9d9b6fb403cff30292a4fd22cfcecf67aa39dbfafff77a21ca8d87eb9df5d7efb6051185863953580c5d4f4225319b

Download Submit
C:\Windows\SysWOW64\Ahhblemi.exe

Filesize
80KB

MD5
fcdd2399c5d5ece344c047ce709e33e5

SHA1
b9af5f515b0b651b529a42cb61d54578246bce6a

SHA256
a0ca2fea19ea16f34bece7dfbb7756cecf66ac349dd6d41f7410f2af6b295fb0

SHA512
71670f273627b7afc55685379e6fb9380eebaa535cac1f3c1152f897fee366f407d7950d3033e75cc5a713ac188ec79b942125b587efc6d9a550bea35b7da8ba

Download Submit
C:\Windows\SysWOW64\Ajfoiqll.exe

Filesize
80KB

MD5
0825c9f2d6f13a4d0c316cdaf06eae44

SHA1
2b6a7050cf91c37ee35119e7898230ed8916bc02

SHA256
2e532329c97f9f186e0fe871aa42d7efa4f2f3cc7390c2c14915c83984b5bb7d

SHA512
3f8002d84a2802b07a56f19becdff1ee9880ec7231023557cbf258d335db7e9d4d872beaf8a943d485958018dd23bd6d360f6b9d1bf31122fa7e2a9f65b70be4

Download Submit
C:\Windows\SysWOW64\Alabgd32.exe

Filesize
80KB

MD5
a9ddc24a4526ff206aa6b20a8f5bdc86

SHA1
ef008037f1ffe473bd250338dc7df636c7562146

SHA256
59ce1f032c33a944c5c83afb8104ca5a2037c7f00028b713140463704ace019b

SHA512
a1fd13d9df8cd8711cc66d2f241983817ca614a479cabc60a8d26d52ec093e6380d8df530eee482895c28467a577567736ea4ca8641d0f3f1d5bdfe08ebc076e

Download Submit
C:\Windows\SysWOW64\Alfkbc32.exe

Filesize
80KB

MD5
5058a0a748863c4e25ee19fc7fd37136

SHA1
154374227d95af58d9e6b55aa0fcf09e27ecb6ba

SHA256
cd3961e9d9931e18154c6d7278c7582bdc4349ff7e886b8d24bf7d76eae91b9c

SHA512
1575f22bd283f77226bfdcefc7d072a3f7808fd26100733ad54f7ec66ddf276762f45ffebdca3cc37fa17f3bdf0b6933411c4ec6814a7b1e864ef001a02adeb0

Download Submit
C:\Windows\SysWOW64\Alhhhcal.exe

Filesize
80KB

MD5
e906d49b610326ab0fdae7acad31f76d

SHA1
f19b37093c821ec33fafdaa4e2a5adb28b0a9992

SHA256
795c10b957bff8d77433767b0e4e5fc7e056acd756647b3288f74f3b0e693d92

SHA512
4797552030fa3992e23a91b7c7d5f01254670131924268b973a8fcba6a8405a2781bfc7f4f9abc30bc1017f98912fabdbeab952cace01aa1e9c9e7f03043707f

Download Submit
C:\Windows\SysWOW64\Alkdnboj.exe

Filesize
80KB

MD5
8d350aa36cb99ba1bb42a7eeb1f5c28a

SHA1
7d8117b69abf5fea97cc81ba804da1fccab86dce

SHA256
d0f06820e459d113d8bae11bf727391f58f2d66a9cd1d26b177babb8a051af23

SHA512
aabd58110d93a1aab516ba9aed80df649da733e6c98777572538b1100a915a8ffb78746c77fd7623612a0c91676e71c67724b400240c42bac2f6a6f4e6086523

Download Submit
C:\Windows\SysWOW64\Angddopp.exe

Filesize
80KB

MD5
02c972e4d96bfca01df305b92d7921f8

SHA1
e38724444f3d96e2bf21fab221e3da7d274d7a74

SHA256
c9b4c744533ca1325ecbfd3b4f2ba9f4caf154ef7c73307b2c4831c4acc2679c

SHA512
ef3010e2a7708c4386eebf189ae07543431c2de9ade5cb3b7202923a48b4c19bff75aec29dfc78b794f5f766ae4715035619f4c6bdf0363ee8658a8f1a55e8ae

Download Submit
C:\Windows\SysWOW64\Baaplhef.exe

Filesize
80KB

MD5
60a78492bf3ea9d57b487cb93ec3a40d

SHA1
62a05e9edf6b5eca76351019ecac6a35a9c9f054

SHA256
be9eaa16d5d3ec4a7c1d343dec078e0de94ebc04b32ed74e9dc8479b6c8b2980

SHA512
1005ccb4a6b6c021b960dcd8677b176ddda57707030bc8e46c5161291b1a2dc1e186f124a52bb4850a520071a1c0951e1c12890e8656b5e12c5ec3cddd9312c0

Download Submit
C:\Windows\SysWOW64\Balfaiil.exe

Filesize
80KB

MD5
2c6c617528738e18aef687357a96943d

SHA1
84889c017c1b40ef2090cc04d92b182b6ec76c9c

SHA256
e4e3f758aed1561d81fac02024c5145ef497320bb46c0118af3438b152c0af3f

SHA512
3d4b346669780d5b392cac39dc862369e53f33b837960d80d8c01fb88e161a0b37a9d0a4ec6542a0c9c3751e8567dace5d2a57be75bd7e8595c7ece647d66a09

Download Submit
C:\Windows\SysWOW64\Baocghgi.exe

Filesize
80KB

MD5
4246c49cb92298d87f070ca2ffed0ce2

SHA1
9f6633c00dd121ea23753e9749bce9e1e9e4a854

SHA256
efa18b5f4e76a8ed64b5b92c348a0136e5a75ed981d229308fea6dc894385a73

SHA512
9fa0e2618afb8ecde0c454aff52f819de2548e4a66655dea987ca69e67084d9a497b1cfb229beef0d639e0c0ef7ba595e414711c6b62bc4eb282280ef293d1d3

Download Submit
C:\Windows\SysWOW64\Bdhfhe32.exe

Filesize
80KB

MD5
71691141fde9fa671d64c9e00ae746ef

SHA1
e4427c315228faaaf037c45503cc4d71cf2bfd48

SHA256
59f34de333d6fb8a2d0b7cb3b474a9cd2905d9822402d174e5f7431c3aa1c36b

SHA512
5a79c9482b0a3801c4ad1070a33f369f7329e2f1a3ed658ff5c19a486434eaee69d622aa0499fb689311cf27b174efb9d137adf6d6bbee1b16328758ac26b729

Download Submit
C:\Windows\SysWOW64\Bdkcmdhp.exe

Filesize
80KB

MD5
923d98a2a013a95572fd14eade547a90

SHA1
15dc8ec443ec4dd71dc35f3962a89d0ad5ebda04

SHA256
369021a6924928251df904d4d94b0c2b9f9e7d3bfc65c74e12eed473e0aa3d51

SHA512
b97f1aa0e244c652b53e58a345f9583a055c40c3e54eb0ddf6e1b3e8ac66989bba89c8b14f66043c9dfca557268521ae26dd16a3dca58e79307d1c6cbe1a37a6

Download Submit
C:\Windows\SysWOW64\Bdmpcdfm.exe

Filesize
80KB

MD5
fab54044646cc98f6dffb2b2f5c3c0c9

SHA1
e03b3192a47fbff7baecd84313b2a1387948169b

SHA256
535a1ccb301f7283b6c6f57e7fea09cdd3dbc121a1d8a39057db3ff45fd5925e

SHA512
8c5de518558880f7427a0ebacbc2775fefbeca43ff0384bea4a99534b2ab8add0c008c728df86e6672335b927af04ad8aa3901db5c95ba98970aa8b0b60029fa

Download Submit
C:\Windows\SysWOW64\Becifhfj.exe

Filesize
80KB

MD5
9a559db9faa206e22ee2937252eba928

SHA1
b487b0231614894e14572209a1d8fb142d722d7a

SHA256
73cf3ab163086cbbe2260c2e2d0797aa38418ef0c3fa31dd906448f285f708e4

SHA512
275b2400d2dadebd0cc4407f70154fa83e9d18068b332f6b190d064a60da94c7ae44e654ccc2dfdeb899ba2660a086da0eeb44839684a0f1ce3960348685c6f8

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
80KB

MD5
a00a9d058fd2d1534a9f364b6b2e5de9

SHA1
df42e22e00b1983bb3101db1aad3059631ed6f3a

SHA256
7f994f207d60f838d4dfa51b57c750c927c4e878346e674f1a829fcffc338a95

SHA512
248b75b5022160d0b46d5f24ce40e3bbecb34d37050ad3655224e534113a34255e2b618e3ef0a7b22263f64e0768eafbe2ee68d2431aec7f0f3dd5e6173f9cdf

Download Submit
C:\Windows\SysWOW64\Bjdkjo32.exe

Filesize
80KB

MD5
6ebb0ea7daa361ebaa7bb215b2ae1a9f

SHA1
cbd0db5b6144aa11528274dbec6ec564b614ac67

SHA256
32a1e8cc8e0610142e389b6c79afc11bc062f5c4f3dab04bbefd8986f7040411

SHA512
091d1a3a6d9aeef358170dde0a84a29a6b602e3199cbaa80414d2acdfc882fdd420aa8799df81e6a7d6fbc03b540957e6ea8a893067f8d9f75821b4fc7bfbcbb

Download Submit
C:\Windows\SysWOW64\Bjghpn32.exe

Filesize
80KB

MD5
7b71a8710ab626fe86dffd32e3343532

SHA1
206ae776b5392b6fc4ede6e0148af63abde5ef7e

SHA256
fa8539befe1ad8d078427e8a0e3e46bf18638bbf668f7fc92b7171f0dac9562f

SHA512
d0069f242de59899c123e76d96c7f823f9569f1fb7f6bbd5a196ed86e60dcb19c63a9f28097954b1a8d47c3b20f6a80996bdba49e163177403d795c9363690d0

Download Submit
C:\Windows\SysWOW64\Bldgdago.exe

Filesize
80KB

MD5
07e7f545a93e3b42e1bd9f387a12aa9a

SHA1
8a5f55712833f828773e15199ad8139318d0936a

SHA256
d3513bb9c1418b6fd64b18186028d5423c922ce31546180d838fc2cf221817f8

SHA512
d86e3af9ebfa13f01465a34070e28839803a6878753a67ca193d93295aeef473ec13b6f37eb75637d180761628aaa3b1a514817f8b238cc0da8dd5b6fc36e8c9

Download Submit
C:\Windows\SysWOW64\Blfdia32.exe

Filesize
80KB

MD5
d1dbfb80d0277fd2db594d137876be0e

SHA1
f8d0a4ee4f0ee3ff4dd0d7b1c8ea62f666899c7d

SHA256
736d9ff91fe2328bf806573567f066e9f4682b36a89b0e5287a9f12d4d25f4fb

SHA512
4e27310e8f0b3efd8c99739a5d3fd911aa5aa6492cfba3fe323f38b47264f339768b3dbb51fae5fb88937520ad5dde9e1e93484b4a2766bbd75d1d34a0d99849

Download Submit
C:\Windows\SysWOW64\Bnlnon32.exe

Filesize
80KB

MD5
b08ea9817896712c0fe8659ad8f24a80

SHA1
4637e9f6e4232017de9678363334493422690a53

SHA256
ef59caa55d6022bae3471f27cab12d216389e2b88dcf86b5a4e40d9547437bb2

SHA512
a80f3c7fb663a8f79bcf1b2f96790bee472e26a59c84423e72b138b96927803fc06d9fe9743dc90dc0fd7477553baff884540e5817100b9c5ab25dfb5addec64

Download Submit
C:\Windows\SysWOW64\Cacmah32.exe

Filesize
80KB

MD5
6f35a36b88c2b67be54e0f189ea71ae8

SHA1
e1b3177b2d537d23144bde5b3aacebdcdce5d0cc

SHA256
550d9ab885d6c649cfc74f6058c7a702a5be1d85c39c45a4ea90458636c95546

SHA512
9f4f33ca3d12c6705e011dabf6d86cdd2fd7b68c520b74532c94b52766eafede450289907258a903e7949b5b40e7869c1503b5f098c491b6eea8e0005c8fe5dd

Download Submit
C:\Windows\SysWOW64\Cahfmgoo.exe

Filesize
80KB

MD5
5ee8991686c94916c513118a7be384c7

SHA1
87b2a3abeeba2b1928cdc6c6b0f14242f297dcba

SHA256
edf1df748cd7bf23bd2dcee4d464fde8dd5d54d80e4fe846434e0249d6d5c681

SHA512
25114f665df6f36185e142dbf7940e4dbb28c1af908d4ad44fddd9ed9254f55c099fa6f8e1d8e889e21ba1ffa632ac99609ed96bdb23e9fa1d272f6bd91aa0a8

Download Submit
C:\Windows\SysWOW64\Ceaehfjj.exe

Filesize
80KB

MD5
e129afa36dfac825fe56ae9736a77e1d

SHA1
a3fc8fd70b137e30a7b7e0c7f59db907f715f16e

SHA256
12445425e98ffeef3c08630dffe181327e93a261a13164e6f8cc4ad03cbe3143

SHA512
2e1a03ac474ddcba993cfbcd5517121635c1eb179201f0e55a7bb219b2616e5d0d1291a6a71820a12cc9afa29c6f444325fd9449f24c5ab958d385841cdcd6f7

Download Submit
C:\Windows\SysWOW64\Ceoibflm.exe

Filesize
80KB

MD5
bb063ce98797b74f6a883fa683dcd316

SHA1
3acefd38ec4596bbfe250e1ef0ee45bf38c98ed4

SHA256
658481af21ef91e4caf847840164935798dfb1b5199f03eccb224f7c466d7ca8

SHA512
9b5a39b395dfe0b16de0d96752659c26a76ddcf892d6587e084aa592dacff6764faaecc92f64323940e9188544df99c3773d2fc4b09dce11cc272a09fc7de7b0

Download Submit
C:\Windows\SysWOW64\Chmeobkq.exe

Filesize
80KB

MD5
26769e51c9f2e5f789f31135966651f1

SHA1
7e5885f80e862a30f5469cae1681453a177e6e2a

SHA256
7b3379c36c9904b66761a1531dbccd3ffedc06f7f6cdfb6496dde4b337e9e588

SHA512
f71770447945e95665e8e4a65dad001e52bceb99c4bc510d9418ae0989667f108e7ec73a5f0df98f5f21d7ea217405114987868240b9a545de681e2849da0536

Download Submit
C:\Windows\SysWOW64\Cknnpm32.exe

Filesize
80KB

MD5
ff89b04b2e46523e2bf74b5d819fe3ca

SHA1
795b18ddce17005e6f553a96a9255fc3a46e680f

SHA256
0745b044c42d47efc4fadf102ffface7ca2f50aac7e6a80b0056fa611d40b813

SHA512
1bd9b1ed0f0c8714d2403858f8e400712fbb710814586e9f4e31bb862570f38f1b4b3cbdd4e5d09afa94e4465aac7a619b48299c7995cd6eb7698831fcbdc885

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
80KB

MD5
3e5a2ed3ebdd66a86ec468bf227b6d25

SHA1
df1d518a870a015564207977a86f175ca96709b9

SHA256
beba84151296422909458f84e335ab9b84dc118f73820cec8fa24ea1ae689dc1

SHA512
68da094e93207b658c462f2d6a723da90bade488929e1d1c81ad439aa3bf9af90c40da9c790e800db16823799aa6151ff6e88fbd34f744e5d53b46d7fd4d4486

Download Submit
C:\Windows\SysWOW64\Cogmkl32.exe

Filesize
80KB

MD5
d8f9a91e78a94df2d1d24353c7552d16

SHA1
811d29af862632783efc1537bc154a9849ffcf35

SHA256
438b74f3db3e773ee26ab5bb0f688487b837eadb13af2353ad6b9bce59602574

SHA512
2868799649aec2928f6591bc28c401c1c9f4226f9f2f0b7246cee7f33dba433e1c04e18e2c9fd4a4aa9b76abc1d2a880ea151d66f39eaed34056a5a3896075b5

Download Submit
C:\Windows\SysWOW64\Doqpak32.exe

Filesize
80KB

MD5
c855459702bdd0a3938e7c2e324f86a5

SHA1
98c52478c0eb6f5b3e78d8f2f3e83e8017f7c0d8

SHA256
777553dd5475abccf75c3a714f8eeb96dc8e114eeedaae9216dcf3db3b226e07

SHA512
ed0e0da9ad842be31c2dec1c375b2d99ece2fbc7903d620d83d192de28aa8739017968d2c3332adefe9843f271357d0575d6a81bcbeac6e27a668783baaf53eb

Download Submit
C:\Windows\SysWOW64\Ekacmjgl.exe

Filesize
80KB

MD5
98e0d3ecd2c75ff3116fbd570dc044c6

SHA1
88090b5a31516b90596af8d56469cb27dd6f74b3

SHA256
c3b589a76294046b2895f0815e5459c01675cf756e405eb63722b8dd5486722e

SHA512
5afaebe1abdfb8dafc2e673564c2037170af2aa09a78373c2a9df1b92ad9e90d676ef8e6c705f97e7b7f9ae46fcc31f005027e97574789d78c58b030f3ebbc81

Download Submit
C:\Windows\SysWOW64\Elbmlmml.exe

Filesize
80KB

MD5
ad061ff195d34dc666072e418e9e155b

SHA1
28e081775f1a1c826ee01b35fac7d017ee63593a

SHA256
2a203f00c848a79bbb5a4eda13dae504c2e79f5d7eeadd9f2f61cf2625bb0cf6

SHA512
1feff5367473fc2a2f173536e02c9f867c957ce7386946f390ecae380a10efa799662801af6c4c489595b3f291f378922f891b024b8416e516b4527c0b6157d0

Download Submit
C:\Windows\SysWOW64\Fojlngce.exe

Filesize
80KB

MD5
205ce72330493ec60da2beb9abe95359

SHA1
891c55b1c6d7479b6c7c0342ee3a3946893d957b

SHA256
d4cfd5712cae4eff6aec33c88ce3d5309dfd7d97c14d1dbcc26f0e83b6f6eefc

SHA512
be8cf09e98f6feb3dbe2ddd98ee7a31229b8dcf38a31f7dfe5271e49d5051fa409ee6090eaa3ad97fc4c7d76652e8af9a7b873baa218efb10c2c0a1a964e6b6d

Download Submit
C:\Windows\SysWOW64\Ibjjhn32.exe

Filesize
80KB

MD5
bba5c0a2346d2b01691c40c904f17b4e

SHA1
088f10b3b3f782e7e8948732b2e417992c2a32e7

SHA256
09bccff966f01f353ef9826415b78bbe79fdf984affbe7262437ac6a8124e06d

SHA512
9946c75fe912703a1ff8d6f0d76c53929509a15a748f6b62e22db4c3d948b856ac53f80e287520df41919bfe5b227570a8b7931a60104d1aa3718c03062e146d

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
80KB

MD5
c63c4b4914d6de9f67e39f07b71025f2

SHA1
b50fdc41dadf48a114835219678b17a197ecdc99

SHA256
f1e286d0af3f7b3b77427b0d62b72d99c8cd3a37eaab5720d67454fe9e259fa8

SHA512
18b30e59eabb4cde2ec01e40260496bdfeca7dbe404f1c4dd4e58fa2f139b995fe3c4faf155e6650b3b002630d4f64566a68a90ca8a735574f03e57b663c6b9b

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
80KB

MD5
451d0ba64d1f42a46199ff00bb1356a6

SHA1
aeef4d3cff1ba3f128bdda5956d4bc52af0bb4a7

SHA256
bf0a3811924cc296a2a9d9a63423abae0461376dc002e4465cf3bdfe78999deb

SHA512
e6dcd2c4751035f7f3270d4ad3cc1616741586ba3b25287d0a6b081938d5e1700541d583720f7661f920fd28980a55ae6a1bc51a00fc39b9860d499102ac20f9

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
80KB

MD5
4880ed1b6834b4ff04bd583fa0ac98a5

SHA1
4d46eb10c4de7c833f2582f70617fe164d7a36c2

SHA256
940a6a0cc2f9596636f89b5f53d58fa210594b8848cc96108e52bb3feae8d02d

SHA512
1cafd089dcfa05da2489e40ce2e3d3c05e07c5fa3099e84b148c572cc6536aeab2a3288ca734bcba66d22f185796fb2524d7404bcae160e666a74eaa568c223c

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
80KB

MD5
52ceb289c46fdc133f90d3a7973b1b32

SHA1
5470992fa0822f2a8a7b56f504ddabf833637990

SHA256
cdc9fea637b00187bf844cb12b1232874a0c4534604778622e4b96031bb91575

SHA512
ef134c3dfcf897a063d18efd51f8d68cb816e9d89a02366987c65c1c5e5a7e4f603c35b3e288b0c0387dab310fb53ddd2d15586c06c8f37fb78d9f6143ac0b48

Download Submit
memory/8-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/116-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/720-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/836-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-380-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1124-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1332-266-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1428-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1520-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1568-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1576-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1624-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1628-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1732-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1792-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1880-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-172-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2076-237-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2212-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2364-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2388-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2932-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-290-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3040-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3076-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3288-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3472-212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3516-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3524-229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3932-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4012-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4156-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4288-416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4316-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4324-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4328-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4396-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4400-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4604-156-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4636-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4640-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4716-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4740-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4752-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4868-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-260-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5096-220-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads