c4aee7e655dea08a1bf1203d9fc2277230a533e33a3dc2a65c98b1e59c7f4633

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 01:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c4aee7e655dea08a1bf1203d9fc2277230a533e33a3dc2a65c98b1e59c7f4633.exe
Size

264KB
MD5

c6b8a8a6133444f06d76906c264bba76
SHA1

dd0a8180710bdeead8575b5c6bb63a650f6ad31f
SHA256

c4aee7e655dea08a1bf1203d9fc2277230a533e33a3dc2a65c98b1e59c7f4633
SHA512

7a201e775f65816ad80ae5cb0ab0c44c19761a65c783ebffa4471ee4af69f9b5a0f03f6a58b0fc3a63d6488ff37dbbfa91b49cf975d3e52105d6e98d43ff18c9
SSDEEP

6144:YnPHa4tpui6yYPaIGck4GJal+O4o0pui6yYPaIGckv:E/pV6yYP4/O4hpV6yYPo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlanpfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bimach32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oeheqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kncaec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjoif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgcjfbed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doojec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iencmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnmeodjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gndbie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kncaec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lflbkcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fohfbpgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbijgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmennnni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaldccip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaqcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oloahhki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jphkkpbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcedmkmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqncnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdnjfojj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mohbjkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bimach32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c4aee7e655dea08a1bf1203d9fc2277230a533e33a3dc2a65c98b1e59c7f4633.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfidb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfbmdabh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbfab32.exe

Executes dropped EXE 64 IoCs

pid	Process
4044	Ncofplba.exe
1532	Neqopnhb.exe
1980	Neclenfo.exe
3616	Nnkpnclp.exe
4036	Oloahhki.exe
4616	Oeheqm32.exe
3192	Cdbfab32.exe
3360	Dkahilkl.exe
2204	Dmennnni.exe
4560	Eofgpikj.exe
3608	Ennqfenp.exe
2568	Fpbflg32.exe
3536	Fngcmcfe.exe
4836	Fiodpl32.exe
4388	Gfhndpol.exe
1136	Gikdkj32.exe
4892	Holfoqcm.exe
2252	Hplbickp.exe
1468	Hpnoncim.exe
3952	Hiipmhmk.exe
4108	Iohejo32.exe
440	Iomoenej.exe
2248	Ilcldb32.exe
748	Jpaekqhh.exe
1020	Jcanll32.exe
4960	Jinboekc.exe
3940	Jphkkpbp.exe
4048	Kpmdfonj.exe
1444	Kncaec32.exe
1756	Kfnfjehl.exe
2412	Kofkbk32.exe
2096	Lnjgfb32.exe
4172	Lqkqhm32.exe
3984	Lmaamn32.exe
1492	Lmdnbn32.exe
2784	Lflbkcll.exe
624	Mgloefco.exe
3632	Mqdcnl32.exe
3056	Moipoh32.exe
4088	Mnjqmpgg.exe
2900	Mcgiefen.exe
4356	Mqkiok32.exe
1620	Nnojho32.exe
2648	Nggnadib.exe
2960	Ncnofeof.exe
4756	Njjdho32.exe
3860	Npgmpf32.exe
4584	Nagiji32.exe
4212	Oaifpi32.exe
3252	Ojajin32.exe
4912	Opnbae32.exe
5020	Ombcji32.exe
1056	Onapdl32.exe
1372	Ofmdio32.exe
3348	Oabhfg32.exe
2128	Pfoann32.exe
2772	Phonha32.exe
4588	Pnifekmd.exe
2308	Pfdjinjo.exe
3328	Pplobcpp.exe
1008	Pmpolgoi.exe
3456	Pjdpelnc.exe
4424	Qobhkjdi.exe
3248	Qfmmplad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fqphic32.exe	Fjeplijj.exe
File opened for modification	C:\Windows\SysWOW64\Janghmia.exe	Jlanpfkj.exe
File opened for modification	C:\Windows\SysWOW64\Jaqcnl32.exe	Janghmia.exe
File created	C:\Windows\SysWOW64\Hpnoncim.exe	Hplbickp.exe
File opened for modification	C:\Windows\SysWOW64\Ibegfglj.exe	Ieagmcmq.exe
File opened for modification	C:\Windows\SysWOW64\Fjjjgh32.exe	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Ijiopd32.exe	Ibnjkbog.exe
File created	C:\Windows\SysWOW64\Fklociap.dll	Nlcidopb.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Qpeahb32.exe
File opened for modification	C:\Windows\SysWOW64\Fqeioiam.exe	Foclgq32.exe
File created	C:\Windows\SysWOW64\Lmaamn32.exe	Lqkqhm32.exe
File created	C:\Windows\SysWOW64\Enkmfolf.exe	Ebdlangb.exe
File created	C:\Windows\SysWOW64\Gkdpbpih.exe	Gejhef32.exe
File opened for modification	C:\Windows\SysWOW64\Ojnfihmo.exe	Nfqnbjfi.exe
File opened for modification	C:\Windows\SysWOW64\Fqikob32.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Hgpchp32.dll	Hcljmj32.exe
File created	C:\Windows\SysWOW64\Kpmdfonj.exe	Jphkkpbp.exe
File opened for modification	C:\Windows\SysWOW64\Lnjgfb32.exe	Kofkbk32.exe
File created	C:\Windows\SysWOW64\Jlanpfkj.exe	Jbijgp32.exe
File opened for modification	C:\Windows\SysWOW64\Fiodpl32.exe	Fngcmcfe.exe
File created	C:\Windows\SysWOW64\Khihld32.exe	Kopcbo32.exe
File created	C:\Windows\SysWOW64\Eacdhhjj.dll	Fclhpo32.exe
File opened for modification	C:\Windows\SysWOW64\Dipgpf32.exe	Dllffa32.exe
File created	C:\Windows\SysWOW64\Oloahhki.exe	Nnkpnclp.exe
File created	C:\Windows\SysWOW64\Ljcpchlo.dll	Iomoenej.exe
File opened for modification	C:\Windows\SysWOW64\Phonha32.exe	Pfoann32.exe
File created	C:\Windows\SysWOW64\Inclga32.dll	Hnlodjpa.exe
File opened for modification	C:\Windows\SysWOW64\Klekfinp.exe	Klpakj32.exe
File created	C:\Windows\SysWOW64\Iencmm32.exe	Ijiopd32.exe
File created	C:\Windows\SysWOW64\Ggociklh.dll	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Bclppboi.exe	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Dmennnni.exe	Dkahilkl.exe
File created	C:\Windows\SysWOW64\Olieecnn.dll	Jcanll32.exe
File created	C:\Windows\SysWOW64\Cncnob32.exe	Cnaaib32.exe
File opened for modification	C:\Windows\SysWOW64\Geldkfpi.exe	Gkdpbpih.exe
File created	C:\Windows\SysWOW64\Fldeljei.dll	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Hccggl32.exe	Gjkbnfha.exe
File created	C:\Windows\SysWOW64\Ichqihli.dll	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Qkhnbpne.dll	Aaldccip.exe
File opened for modification	C:\Windows\SysWOW64\Fgcjfbed.exe	Fohfbpgi.exe
File created	C:\Windows\SysWOW64\Apgqie32.exe	Aealll32.exe
File created	C:\Windows\SysWOW64\Oaifpi32.exe	Nagiji32.exe
File created	C:\Windows\SysWOW64\Gaagdbfm.dll	Onapdl32.exe
File created	C:\Windows\SysWOW64\Pkjdhm32.dll	Apgqie32.exe
File opened for modification	C:\Windows\SysWOW64\Keceoj32.exe	Jjnaaa32.exe
File opened for modification	C:\Windows\SysWOW64\Nfpghccm.exe	Napameoi.exe
File opened for modification	C:\Windows\SysWOW64\Oheienli.exe	Odgqopeb.exe
File opened for modification	C:\Windows\SysWOW64\Jcanll32.exe	Jpaekqhh.exe
File created	C:\Windows\SysWOW64\Jeaiij32.exe	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Ggfglb32.exe	Gnnccl32.exe
File opened for modification	C:\Windows\SysWOW64\Bdlfjh32.exe	Bigbmpco.exe
File opened for modification	C:\Windows\SysWOW64\Chkobkod.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Fgcjfbed.exe	Fohfbpgi.exe
File opened for modification	C:\Windows\SysWOW64\Hccggl32.exe	Gjkbnfha.exe
File created	C:\Windows\SysWOW64\Ilcaoaif.dll	Hccggl32.exe
File created	C:\Windows\SysWOW64\Fogpoiia.dll	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Llnnmhfe.exe	Lcfidb32.exe
File created	C:\Windows\SysWOW64\Iankhggi.dll	Mapppn32.exe
File created	C:\Windows\SysWOW64\Klekfinp.exe	Klpakj32.exe
File created	C:\Windows\SysWOW64\Cjgjmg32.dll	Holfoqcm.exe
File opened for modification	C:\Windows\SysWOW64\Ekajec32.exe	Ebifmm32.exe
File created	C:\Windows\SysWOW64\Gimngjie.dll	Ebifmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mepnaf32.exe	Mdpagc32.exe
File opened for modification	C:\Windows\SysWOW64\Pfdjinjo.exe	Pnifekmd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5000	8576	WerFault.exe	381

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpmdfonj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhaoj32.dll"	Foapaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcfkpjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kofdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmaamn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfgke32.dll"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjdmlonn.dll"	Clpgkcdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmiadfmi.dll"	Fpbflg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iohejo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfedfi32.dll"	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dolmodpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kofdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fqphic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gcnnllcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjkbnfha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcljmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eofgpikj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcanll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mqdcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbpjm32.dll"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdkqcmb.dll"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Neclenfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneclb32.dll"	Gndick32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnggcqk.dll"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clpgkcdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbijpeo.dll"	Oloahhki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqeioiam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eofgpikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fohfbpgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngqkhda.dll"	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdbfab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gkdpbpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqgeihg.dll"	Padnaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdlfjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Padnaq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 4044	4000	c4aee7e655dea08a1bf1203d9fc2277230a533e33a3dc2a65c98b1e59c7f4633.exe	91
PID 4000 wrote to memory of 4044	4000	c4aee7e655dea08a1bf1203d9fc2277230a533e33a3dc2a65c98b1e59c7f4633.exe	91
PID 4000 wrote to memory of 4044	4000	c4aee7e655dea08a1bf1203d9fc2277230a533e33a3dc2a65c98b1e59c7f4633.exe	91
PID 4044 wrote to memory of 1532	4044	Ncofplba.exe	92
PID 4044 wrote to memory of 1532	4044	Ncofplba.exe	92
PID 4044 wrote to memory of 1532	4044	Ncofplba.exe	92
PID 1532 wrote to memory of 1980	1532	Neqopnhb.exe	93
PID 1532 wrote to memory of 1980	1532	Neqopnhb.exe	93
PID 1532 wrote to memory of 1980	1532	Neqopnhb.exe	93
PID 1980 wrote to memory of 3616	1980	Neclenfo.exe	94
PID 1980 wrote to memory of 3616	1980	Neclenfo.exe	94
PID 1980 wrote to memory of 3616	1980	Neclenfo.exe	94
PID 3616 wrote to memory of 4036	3616	Nnkpnclp.exe	95
PID 3616 wrote to memory of 4036	3616	Nnkpnclp.exe	95
PID 3616 wrote to memory of 4036	3616	Nnkpnclp.exe	95
PID 4036 wrote to memory of 4616	4036	Oloahhki.exe	96
PID 4036 wrote to memory of 4616	4036	Oloahhki.exe	96
PID 4036 wrote to memory of 4616	4036	Oloahhki.exe	96
PID 4616 wrote to memory of 3192	4616	Oeheqm32.exe	97
PID 4616 wrote to memory of 3192	4616	Oeheqm32.exe	97
PID 4616 wrote to memory of 3192	4616	Oeheqm32.exe	97
PID 3192 wrote to memory of 3360	3192	Cdbfab32.exe	98
PID 3192 wrote to memory of 3360	3192	Cdbfab32.exe	98
PID 3192 wrote to memory of 3360	3192	Cdbfab32.exe	98
PID 3360 wrote to memory of 2204	3360	Dkahilkl.exe	99
PID 3360 wrote to memory of 2204	3360	Dkahilkl.exe	99
PID 3360 wrote to memory of 2204	3360	Dkahilkl.exe	99
PID 2204 wrote to memory of 4560	2204	Dmennnni.exe	100
PID 2204 wrote to memory of 4560	2204	Dmennnni.exe	100
PID 2204 wrote to memory of 4560	2204	Dmennnni.exe	100
PID 4560 wrote to memory of 3608	4560	Eofgpikj.exe	101
PID 4560 wrote to memory of 3608	4560	Eofgpikj.exe	101
PID 4560 wrote to memory of 3608	4560	Eofgpikj.exe	101
PID 3608 wrote to memory of 2568	3608	Ennqfenp.exe	102
PID 3608 wrote to memory of 2568	3608	Ennqfenp.exe	102
PID 3608 wrote to memory of 2568	3608	Ennqfenp.exe	102
PID 2568 wrote to memory of 3536	2568	Fpbflg32.exe	103
PID 2568 wrote to memory of 3536	2568	Fpbflg32.exe	103
PID 2568 wrote to memory of 3536	2568	Fpbflg32.exe	103
PID 3536 wrote to memory of 4836	3536	Fngcmcfe.exe	104
PID 3536 wrote to memory of 4836	3536	Fngcmcfe.exe	104
PID 3536 wrote to memory of 4836	3536	Fngcmcfe.exe	104
PID 4836 wrote to memory of 4388	4836	Fiodpl32.exe	105
PID 4836 wrote to memory of 4388	4836	Fiodpl32.exe	105
PID 4836 wrote to memory of 4388	4836	Fiodpl32.exe	105
PID 4388 wrote to memory of 1136	4388	Gfhndpol.exe	106
PID 4388 wrote to memory of 1136	4388	Gfhndpol.exe	106
PID 4388 wrote to memory of 1136	4388	Gfhndpol.exe	106
PID 1136 wrote to memory of 4892	1136	Gikdkj32.exe	107
PID 1136 wrote to memory of 4892	1136	Gikdkj32.exe	107
PID 1136 wrote to memory of 4892	1136	Gikdkj32.exe	107
PID 4892 wrote to memory of 2252	4892	Holfoqcm.exe	108
PID 4892 wrote to memory of 2252	4892	Holfoqcm.exe	108
PID 4892 wrote to memory of 2252	4892	Holfoqcm.exe	108
PID 2252 wrote to memory of 1468	2252	Hplbickp.exe	109
PID 2252 wrote to memory of 1468	2252	Hplbickp.exe	109
PID 2252 wrote to memory of 1468	2252	Hplbickp.exe	109
PID 1468 wrote to memory of 3952	1468	Hpnoncim.exe	110
PID 1468 wrote to memory of 3952	1468	Hpnoncim.exe	110
PID 1468 wrote to memory of 3952	1468	Hpnoncim.exe	110
PID 3952 wrote to memory of 4108	3952	Hiipmhmk.exe	111
PID 3952 wrote to memory of 4108	3952	Hiipmhmk.exe	111
PID 3952 wrote to memory of 4108	3952	Hiipmhmk.exe	111
PID 4108 wrote to memory of 440	4108	Iohejo32.exe	112

C:\Users\Admin\AppData\Local\Temp\c4aee7e655dea08a1bf1203d9fc2277230a533e33a3dc2a65c98b1e59c7f4633.exe
"C:\Users\Admin\AppData\Local\Temp\c4aee7e655dea08a1bf1203d9fc2277230a533e33a3dc2a65c98b1e59c7f4633.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\Ncofplba.exe
  C:\Windows\system32\Ncofplba.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\SysWOW64\Neqopnhb.exe
    C:\Windows\system32\Neqopnhb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\Neclenfo.exe
      C:\Windows\system32\Neclenfo.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\SysWOW64\Nnkpnclp.exe
        
        C:\Windows\system32\Nnkpnclp.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3616
      - C:\Windows\SysWOW64\Oloahhki.exe
        
        C:\Windows\system32\Oloahhki.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Oeheqm32.exe
        
        C:\Windows\system32\Oeheqm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        24⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        27⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        31⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        33⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        36⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        38⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        40⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        41⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        42⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        43⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        44⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        45⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        46⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        48⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        50⤵
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        53⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        56⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        58⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        63⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        64⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        65⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        67⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3524
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4324
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        72⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        73⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        74⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        75⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        76⤵
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        77⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        79⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        80⤵
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        81⤵
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4312
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        83⤵
        
        PID:368
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        84⤵
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        85⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        86⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        87⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        88⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        89⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        90⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        93⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        94⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        95⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        96⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        97⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        98⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        100⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        102⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        103⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Foapaa32.exe
        
        C:\Windows\system32\Foapaa32.exe
        104⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        105⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        106⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        107⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        113⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        114⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        117⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        118⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        119⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        120⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        121⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        122⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        123⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        124⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        125⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        126⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        127⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        128⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        132⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        133⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        134⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        135⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        136⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        137⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        139⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        140⤵
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6292
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        143⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        144⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        145⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        146⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        148⤵
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6684
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        150⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        151⤵
        Drops file in System32 directory
        
        PID:6776
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        152⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        153⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        154⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        155⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7016
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        157⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        158⤵
        Modifies registry class
        
        PID:7096
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7144
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        160⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        161⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        162⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        164⤵
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        165⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        166⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        167⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        168⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6956
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        170⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        172⤵
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        173⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        174⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        176⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        177⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        178⤵
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        179⤵
        Modifies registry class
        
        PID:6996
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        181⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        182⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        183⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        184⤵
        Modifies registry class
        
        PID:6880
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        185⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        186⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        187⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        188⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        189⤵
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        190⤵
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        191⤵
        Modifies registry class
        
        PID:7204
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        192⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7300
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7356
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        195⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        196⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        197⤵
        Drops file in System32 directory
        
        PID:7508
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7560
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        199⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        200⤵
        Modifies registry class
        
        PID:7644
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        201⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Gcnnllcg.exe
        
        C:\Windows\system32\Gcnnllcg.exe
        202⤵
        Modifies registry class
        
        PID:7756
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7792
        
        C:\Windows\SysWOW64\Gdnjfojj.exe
        
        C:\Windows\system32\Gdnjfojj.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7836
        
        C:\Windows\SysWOW64\Gjkbnfha.exe
        
        C:\Windows\system32\Gjkbnfha.exe
        205⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7872
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        206⤵
        Drops file in System32 directory
        
        PID:7920
        
        C:\Windows\SysWOW64\Hnhkdd32.exe
        
        C:\Windows\system32\Hnhkdd32.exe
        207⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8012
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        209⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8092
        
        C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        211⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Hcljmj32.exe
        
        C:\Windows\system32\Hcljmj32.exe
        212⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        213⤵
        Drops file in System32 directory
        
        PID:7220
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        214⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7308
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7436
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7504
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7600
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        218⤵
        Drops file in System32 directory
        
        PID:7708
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7800
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7864
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        221⤵
        Drops file in System32 directory
        
        PID:7932
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        222⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        223⤵
        Drops file in System32 directory
        
        PID:8084
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        224⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7196
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        226⤵
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        227⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8024
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7660
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        230⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        231⤵
        Modifies registry class
        
        PID:7904
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        232⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        233⤵
        Modifies registry class
        
        PID:8172
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        234⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7548
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        236⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7892
        
        C:\Windows\SysWOW64\Lkcccn32.exe
        
        C:\Windows\system32\Lkcccn32.exe
        238⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        239⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        240⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        241⤵
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        242⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7852
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        244⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        245⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        246⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        247⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        248⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        249⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        250⤵
        Drops file in System32 directory
        
        PID:8064
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7404
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        252⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8200
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8248
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        255⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        256⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8416
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8480
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        259⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        260⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8568
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8616
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        262⤵
        Drops file in System32 directory
        
        PID:8656
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8696
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        264⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        265⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        266⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8828
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        267⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Bcnleb32.exe
        
        C:\Windows\system32\Bcnleb32.exe
        268⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8980
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        270⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        271⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Cfcoblfb.exe
        
        C:\Windows\system32\Cfcoblfb.exe
        272⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        273⤵
        Modifies registry class
        
        PID:9140
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        274⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        275⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8212
        
        C:\Windows\SysWOW64\Clgmkbna.exe
        
        C:\Windows\system32\Clgmkbna.exe
        277⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        278⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        279⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        280⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        281⤵
        Drops file in System32 directory
        
        PID:8376
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        282⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        283⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        284⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8576 -s 412
        285⤵
        Program crash
        
        PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8576 -ip 8576
1⤵
PID:8720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3836 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adcjop32.exe

Filesize
264KB

MD5
061ef2574e32691a1d7e7e92d58ef5e1

SHA1
49e57e96bb0fceb294f01ba2c3c48d56e1f9a2a9

SHA256
222b8dab75952f2fd5ec3b59a5292d9e5ec03ca6688c3dfb3f4428cdcfdde217

SHA512
5bddf330c99f5221fe58977577e37ce08b39d2b6c608b6c3b62a7422655848d7444745b9af1ad8f8409acfcf2b72c5760c41773331efb72412d7861ab72c1bab

Download Submit
C:\Windows\SysWOW64\Aioebj32.exe

Filesize
264KB

MD5
ea394f0ae48954b8dd8c0f59153d6456

SHA1
014414215324679d600d42e33feaee2cee629ab2

SHA256
101362d98e8df54fcff036f02b3f2c2ace603569533e238c0bf2e8aa19eff274

SHA512
a73d4495adafb5e1e22f0273789a15b484659c74ccf3cf4178066230ef83071746416a61839afd60863181a8722f72a930f39aee60dfaf6f0d3d470b95f368e7

Download Submit
C:\Windows\SysWOW64\Akdilipp.exe

Filesize
264KB

MD5
afd38b6cf387187ccf682b5820968ae6

SHA1
2f57fa63a28c88b9431c6aa3db0ac3cb76b4ed10

SHA256
678bcbc8c464201fac4c72d658cdf3b18109279cb2dbc9b9f6ea0a66413bf406

SHA512
1f107751ab8cecc2913b7bc9f8e215ae770d643a88c6b1ab78613cb461cddecd5a4fe6a8ef4bd4edfd246ba74d39b87356601ee361720f7870901c75b1ffcfc0

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
264KB

MD5
76e39d580a89623f9e159b7217839180

SHA1
5a73f0b9009f7caad1194d597cc8a112733c337f

SHA256
695e0621c08b9df88c571461349578dcb0f6134bceb5965b8438829e0f48faeb

SHA512
c464549a57670978dde89701770b7fbb528f85d79725ba92ef580aa3f4b63512b14d7668e8884a7870129d68098c778081f7054deb604d3d224bc6f89f9308d0

Download Submit
C:\Windows\SysWOW64\Cdbfab32.exe

Filesize
264KB

MD5
f350ada186c09fb8987bdfe77cfade13

SHA1
8c18078ad56fdeab8510f25ac6993741c1f8a345

SHA256
217110e3392bd91e1a30a7a4584f61a17d5c44f6eaeb5e888b9577e212aa9512

SHA512
2a52565a242e7417e1ac246aa392335695f62f53134411df44689b1cc5524ce8d1854c56fe22ac8eaca036fb076a5aefee9a1156d6b43664829203bea75b29eb

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
264KB

MD5
3ae58162938189ad412eedc0c203ecbd

SHA1
6ef6b016950804a6122b0e31a96b1c9aed877745

SHA256
564ee5fb288ce72b92532f92481aae59e010fcb3993403b654021efd7ef7ac71

SHA512
0e5cf82e27c77b350135e31c7fcb7d9fe361819e534f97cad89040240ce1cf44084c2ec239c15139d8d322caecdeb86d66e2be5037fcfcc5b27d19d89936f75d

Download Submit
C:\Windows\SysWOW64\Dipgpf32.exe

Filesize
264KB

MD5
85ba8047a996a0e04a06b268f10ca49d

SHA1
26c0daa619b98297446633dcb6b65a6ceeef331e

SHA256
1e01f035fac227522a65d8eaa294bf4f4d49a708209c0d503f051685fc6db21c

SHA512
c5eb8ab8b8ac66a03471a748bf272d159c8d5f8a16c6790893b7fc0eeb63e23188129fcbe99dd6096422efab98ed34587ee5e969c7cf8d2b4139f50e6000e4b9

Download Submit
C:\Windows\SysWOW64\Dkahilkl.exe

Filesize
264KB

MD5
2b4514b682bd41343de97eba4b292456

SHA1
ef1656605b0eb4fe369b1cd02fb7120fed24d975

SHA256
717b6fbaa3359d7ae17729f0d3fc1e5191a55eb2661cda21149b138c74fc6138

SHA512
86763fcb8bb8e964c87ae99676a0588ec541e9d140f0afd130825305264e9ac74b5d35a58a2c1f13ddac0b1e9ebf7b9bb1d47d241fe66d94c394843048d5b470

Download Submit
C:\Windows\SysWOW64\Dmennnni.exe

Filesize
264KB

MD5
cafaa27b65d7c0f1791f4b39b43f12e6

SHA1
d343b7580b084b82822f45058e02b1dd647bd6f8

SHA256
0fd101b38065365c98493b5a93218f3d70b05232cfab696bdcdb7bee43a93db2

SHA512
3d9baaa7061d1547c02401c2fd3073f80f53883a5d06b770519f2b35751bc8fca4319fc14f63d26c421641db64476de9b53c4eb03db44fbfb356d425b57992c0

Download Submit
C:\Windows\SysWOW64\Doojec32.exe

Filesize
264KB

MD5
f5a4de3e8616f4ffc2db262daf10689d

SHA1
f2d6d6f797bb06a277dfd4a9e4bda5dc8f9b5cff

SHA256
3e009643c2ddf42531490e7997b34dffa85fdb24cacf11258256c3ca85d5468f

SHA512
99e9a879cd900a46d2783055ad080dc689f72465f68b389106c7d5c8ee096ee960b961accd06909ce0134cebddebbb48a41a53eadb7bd69bbaa17e7e33fd8d3d

Download Submit
C:\Windows\SysWOW64\Ehpadhll.exe

Filesize
264KB

MD5
0b232329c74048023102147da64fe8e6

SHA1
09eb643d6ff8ca06c442f5a33f367f8b5d0d5761

SHA256
5866eb7bde826a221b0eb3e2fb9c8062341300762a95187e0dda6577a70eb175

SHA512
952fdadaee97df7043c042c15ba9df673323ee0ea7f14388342c7a337822be49420a711b9d1ffaa03a0af4ccc4792cce8a9980fb82e5b8de4af156fcc0bbcf43

Download Submit
C:\Windows\SysWOW64\Ennqfenp.exe

Filesize
264KB

MD5
f3a4e714b4df395f84e588bd7195ccb0

SHA1
8cbf033708c1c789a829dfb117c0a430628beb8b

SHA256
775f5bb03f778aa2a5ab71e1455485dc22e3ff0eaf7173d74d63b4cfe20a23f4

SHA512
e702015b2cdec45f10d714adf88253cb3213b8f504ecd99d326cf63e1fa5a7eea4e09d2dfad42aa2f99361f331adc5e140d2818e18c45b9bf750c6ff97348c15

Download Submit
C:\Windows\SysWOW64\Eofgpikj.exe

Filesize
264KB

MD5
714f8ad18af55ca349a758d2c085aa4e

SHA1
0e5dba7b09ee76c9ce27d563e1a6eaf323e38a7b

SHA256
ed04f42970644bef74b579598d8f3c6e2770fb6e29544cdcacaa2c6bd18e40b0

SHA512
fd10b7f5bb870b0d69eea99afe6ba65340d363362079ffa39a9973c5276f86f53670082197deddae5d8391b5ea99730ed88f5df51aee427ed270e23ac2e40a00

Download Submit
C:\Windows\SysWOW64\Fiodpl32.exe

Filesize
264KB

MD5
d9b1b724f96de47a5a8c65fcf43f2d92

SHA1
afa034355aa2cc14a385061e01d10842d52af0d6

SHA256
56c8e8260218a5cbff123f0f270973e4aacfd0fc9a18e6ed3a9f3edb176a779b

SHA512
0536f60e70e229fab4256f2ddc3bd277fffa384b91336b9983e34950efb8f7469faff9dbe374e4d1af253243d315f2e9892634604df899fa805dc982bd2ec487

Download Submit
C:\Windows\SysWOW64\Fngcmcfe.exe

Filesize
264KB

MD5
c3edc26f6fc5190e6e12d94613f75b4e

SHA1
1bb0e5c7a763aa89c883e7b0cd7192d87f2d7185

SHA256
356cbc6e5b2d991692b8e4b5f7338bcffea19f5d648042cad565131d2fdd91f5

SHA512
ebaa2d917bdc618ed9d779465c263987849396faef25a0aad5287a4bc21796b1b624996ce5d5d93849d0547fc18fbfb9691bb5b6c9f25e28987d3906a4ccb299

Download Submit
C:\Windows\SysWOW64\Fpbflg32.exe

Filesize
264KB

MD5
e9f89ce72e06acf5a7c6fcd3cd711b5a

SHA1
b6e223efba9c6de30c90b893b2cb0dd8ad95f242

SHA256
21e0bbb3a8fe75bfbd33c26bd25065dc65b1e5f0ecd0ed9b90fe79c3e2aa4157

SHA512
6eab32bc529ba93e86e8a7acb9db24732d715eefb9068f888feee8f72c0aa489aea741e6800a2bda89c7a2e110bff4348af023f62a6fc19b2df21d1fa94469d7

Download Submit
C:\Windows\SysWOW64\Gfhndpol.exe

Filesize
264KB

MD5
c124ee23c2d31719f7e631075451722a

SHA1
7ba66c8c061a29c9e6bdd7415412edd2b55a19ee

SHA256
90e2f15afea23607e6e1b4ef2bbc6476ab55f0063fc643f617f4d5c2a39516c7

SHA512
c06e4f72229843cab393f570aed8bf507bfc9f44353c677181664caec922ff99e59570fe4e46d7fb4cdc43e9554141a828947a729ac48c7efe9764047cbc0527

Download Submit
C:\Windows\SysWOW64\Gikdkj32.exe

Filesize
264KB

MD5
c8b7da63919f1ff2589a24c75b20be43

SHA1
1f98d3f6992747f28d9381fded42cce51db8ed0e

SHA256
b840ce9bb61fb4606ed45bf2ae2a854c62b2f6465e89b310ba46bc951ea6a02f

SHA512
6edd0e7a2a8c6f1e5688e4b268409f5e5ba26a9ca1288f05e485ea8b9a8c74f391293ff0050a455d5d25f19a0b3bb44a46d4dedd558d9e348ec4bfef1ac60a16

Download Submit
C:\Windows\SysWOW64\Hiipmhmk.exe

Filesize
264KB

MD5
9def1a83e53e59fe6560dd792544d868

SHA1
002bb50f177af3612f8d1dca05afe8b0df8adfbf

SHA256
0e96ba3138dfc223546265e50962ebcaacd275326f1f3ed4bf8472bd3ad52101

SHA512
b5b9ef18711114e9f34e9bb41a45463067b3466f215676c8073a2527c2fcd7797932dad61c80ca9dccfa45f0cb6ceaa32c75ad7a0426cbc6d2a812aae9e8f1da

Download Submit
C:\Windows\SysWOW64\Holfoqcm.exe

Filesize
264KB

MD5
703702cc4ee98c8ec29adcdf5251edd3

SHA1
7e332ba7989499665957a3165dd8a2e8c4b5f122

SHA256
e07d2eef011b867805c64d9cc56f661dfc63b5d632017498d6d41132307b1e4d

SHA512
d43510fba96f4bf34261d184ec90191aedd0f7565f823f35dd2332cc9a92b2f07744b5e9cd5c2097027be584b3c4700e0777390efd1842a4e5c52f57f36d9388

Download Submit
C:\Windows\SysWOW64\Hplbickp.exe

Filesize
264KB

MD5
94cdfdcb72a45f24472a2d4554fd965e

SHA1
0de8527adfa02d291d39788cda5eca9f161e45fb

SHA256
0ec825acafbb6d022aff4a20f0c90956f6a9a69cf947af9b0018bffa315c3461

SHA512
f6515c7e9c05e7c1ae76bf5c66c8e918c1c849b9c4fe6d5a9a725ebba223f5e3738c781f0b30edcbe5691f8845668cc51f6740a21ca09fedec3c0cb4421a1d26

Download Submit
C:\Windows\SysWOW64\Hpnoncim.exe

Filesize
264KB

MD5
cdb366670d4fb2cb4502c7f70823b7bf

SHA1
3b54c4f3f18fdd9d9c800b2b13092f6f7957d550

SHA256
5ec89252949715e5658690c1310b5892a34ff97491c43ddfa47033a45493c564

SHA512
7c95f55216f1a3c7968b878adb2e4b75095fe86d3617470643512ab565928815b24779e387c7852d74fc93f0b0971709941e4b95ae4c2940b65dac02034096a7

Download Submit
C:\Windows\SysWOW64\Ijiopd32.exe

Filesize
64KB

MD5
e7d3354efa7f3d9a50b699152db5430f

SHA1
e10d24f6f53fe2bb72fa2c34b69e7b869ab9a4bd

SHA256
9a7d3daa80a87718d4bf16047dd2bff0e53a6dedc3f6c461f6c228e56dfcb545

SHA512
dec562c95583902e2e587632d049d3e30c6e1eb37e4f22326bf715c6bb76e98e7abfd60f22a7d898351e7b2c357e7e6003f2159d0d1ef10b8c481d29c73d69fb

Download Submit
C:\Windows\SysWOW64\Ilcldb32.exe

Filesize
264KB

MD5
7bbc03ffc961b5d62ee1f51efe363183

SHA1
7aa0050b0dfd249cadb2de816691ec2394085326

SHA256
4b7dfea88d70cb3ac6286f83764e3e44eb4a6e3db0909a90093e7d14dd13bfed

SHA512
18da8d386740337b6c73b357e73e47c68eae2699605edaf73d94123e008d7cb155f3892840651ed31492674254ff4479907a66797f5f4d6e5afb037a6fb0b4b5

Download Submit
C:\Windows\SysWOW64\Iohejo32.exe

Filesize
264KB

MD5
d7f9655c7ca952cdcfb66a15d33947f1

SHA1
22f26375e4957c816b113a3b06f47a1d1cae672c

SHA256
102e1ded606e4073cb060e97198bc85581856f5408b8a870376f2aac26c2bef7

SHA512
67e274c91cda5824a3e3dd592155e6cc8d7290498a3b994696395234782553b5f1e39ee2d9337bce07fd70ff29b998c956759e1ea24c23afcb9b16997f90c05a

Download Submit
C:\Windows\SysWOW64\Iomoenej.exe

Filesize
264KB

MD5
cf11c72e5321529db919e8c6d1a9cc7a

SHA1
06fcb20f4917465c396bbb3f5c3e816933bc24d6

SHA256
d18cc9ab87d234a18ca56447e205473c1be6a7ec5611255d312321a1c65831ae

SHA512
bf5b717b7a3bf55567bc000312697f53f4666e8afe32c70df6c93a1e7385f86dfdfdc37a582b6f20e7f8f7972f9a40f7ffe37d2fea8f98ee1d237a4df59b2ac0

Download Submit
C:\Windows\SysWOW64\Jcanll32.exe

Filesize
264KB

MD5
c2848157ac6314e14b8554d54ad27eb5

SHA1
061478f8c137bbe68b340f6f76484793c49cf68e

SHA256
490f416be3aa0f7c7775962c5a0e23898b309e311d3396e6b4bc31bcb72d26a3

SHA512
339b7a6e33e6eb187886c4ffc0ef3d655ea3a907977184510cccebc8479c817c61db3af082023efd4f3e18567dc6cffe6ef5684eb83be9abb1980c7ce96be95b

Download Submit
C:\Windows\SysWOW64\Jinboekc.exe

Filesize
264KB

MD5
043c3205141c36124b6d476bdfdddbb1

SHA1
8caded84de126d76db78ccbe02eecfcb60d9e4fd

SHA256
85f9e5ce6f0d529f39c5c301a16461fc3942c4d0e1d56c8d128ad4bd2260dbe0

SHA512
6963132aba87895d6de561cfa3ebc621f021cf7187ef8da67573b5e7bfc16e603dd17f357460c40ec98d317a68814f2cb68c790fb60452cc2aad377d403723ed

Download Submit
C:\Windows\SysWOW64\Jpaekqhh.exe

Filesize
264KB

MD5
5f6db351e3e99472d3ce6731203875a1

SHA1
1d86dd83e1682db7456b54a567b3b6b598e0f02c

SHA256
b00a02f9eb5c404ed6aab4ef6f94cadf28e8d4176e2451521c605e97d76f0feb

SHA512
460c01eacef0f5b173512eacf6efcf4c40bde21242ccbbbc07974e2b22e7dd3422ff79882614a43e86b02b87bdf51bfc895c7c036181e5246fc604b5c46a58e4

Download Submit
C:\Windows\SysWOW64\Jphkkpbp.exe

Filesize
264KB

MD5
2410934e0b5e48ff8042d22273b78368

SHA1
9c9e5fce9261dd873ba961fac7186f55c37e250c

SHA256
5821d08277f2110d88b0951f1f23c5813a2b8a3bc7de1fb7940117fd9473ad4b

SHA512
32490804e1a368385396059bc3039d65e1d0a91e7219238df85cc6c54ae542c1ec22135de7840d6578b732ea42e69df679048c3da38154f821551710527f767c

Download Submit
C:\Windows\SysWOW64\Jppnpjel.exe

Filesize
264KB

MD5
c556515ec260842c18eb764bf3598bef

SHA1
ab9c4c6aff739225a0c1b5dd0d7333297f42cfb4

SHA256
eeb3090cbfff5e8fec0b332b3bc62e97e019f3c0af1189a986e1cd91c98eab8a

SHA512
65c5024637306a85bf8ec8c20586027a979196fbb42f2c0535246aa34609ae41fa5a2c3294b5144495293dacc53cd51c28b55c2c58572c4cd2ff86f108bd3b55

Download Submit
C:\Windows\SysWOW64\Kfnfjehl.exe

Filesize
264KB

MD5
2635922da23e35a7e116f60aa217717d

SHA1
b95834cc456c0a883089370406a56d1b37b61a87

SHA256
87b57075cd52e31c33270ea7d02cc96a0307ee5a918be933e5a714fd2684da3f

SHA512
5cc80d2e15fc95e43eb46bbaf45a258568065e56d69ffdf1bd9a6a3009c82f2dec484ee7c5479f6b87c9112793979a6ab29b2823429e7d7427a56ee933daa4ff

Download Submit
C:\Windows\SysWOW64\Kncaec32.exe

Filesize
264KB

MD5
c29b97d3554458bfa9f131360622d96f

SHA1
4752260fac6d9677c9d6925141c8e4191ef91a34

SHA256
9d7f97762515d02e7b2be1a3a53c95292a24600011e5179c7896cb779ae205aa

SHA512
6bd6c16fc8b053f4c7d9528fa7da9b00704d55b0cc4589ad06260b1f6968a3108d43ba1dfb718348b5d4e11e52451114bd8ffbebbb981d7bd23c7f177bc5ae0f

Download Submit
C:\Windows\SysWOW64\Kofkbk32.exe

Filesize
264KB

MD5
b877661b88a4648c38ee578f1ac35399

SHA1
8dffea03f83e95291c4f4f0c5248eb68838602b5

SHA256
fd916de0028a528ea43d7c9d796a635681c8b545cdd6a0f446fc39d8ce30f367

SHA512
9ec821470abc1036c22ec159643a79c682242eee6d133f8b2911ca3d794c48897a238bc898f94a8a8f5a5f0aabfaeacf876b7212280c7565fa5c5c276a1272ca

Download Submit
C:\Windows\SysWOW64\Kpmdfonj.exe

Filesize
264KB

MD5
96bb9a522f2b1389fe93b44d43817d27

SHA1
262d7aa4f4c5c28ddc7099252c0a1fe8f95a6dbb

SHA256
d140dba429e5f15ebe67f5366616c64c975b1b28d3d359083d2b8c35480b6ed2

SHA512
0d92e3538cb78bc7439b5c7603bb66cffeeffa67cd16b86e61fdd4cba743a6856b0234226ea5d9249a35e3128e69f4f0e51ad1a572dc1f8370895d669561682a

Download Submit
C:\Windows\SysWOW64\Lbcedmnl.exe

Filesize
264KB

MD5
b3040a7d8faf41962c02e6e2c221c940

SHA1
e1566c298180b3f7a954348082425aad1099ef55

SHA256
66af12cc42ea350384493ad12e41a36794267248544604c779a28c43cefc9745

SHA512
bee92cd0be8e5c44dddc5371f825bfb2e37256362abda0da1e4c73ed0365bf5bae8023c8ac70c452f8db70b9721cb68dc4b020ee88db998aec1ecdd22ff23b99

Download Submit
C:\Windows\SysWOW64\Lmaamn32.exe

Filesize
264KB

MD5
01ac73864be6bd7f1161b973d3739e3f

SHA1
437c78d6a639202a89e989b9a20c5fa932d83a04

SHA256
9b9ec5cd08fd7f579c4712324770688f668dd4a3450150322ae532e91100594d

SHA512
fb998ca1a7cd92e0737358de9bdbf9ffcfb3b05688c554f2b968edac666e65afe6d94f80d28ea0e871df5566d275010d5f4f89b10bb0ff1c6a1f5ea8628f79f2

Download Submit
C:\Windows\SysWOW64\Lnjgfb32.exe

Filesize
264KB

MD5
fad65431d726061566aec6ca6c27f365

SHA1
c6f86e433a8c867bacbf0d53ef22c199d4b08bfe

SHA256
e89da554270162a61e1c36d4244d14d2323343b51281047fa1eb0ad77130c808

SHA512
bceeb6e640dde207f950cc9cb7f51286345b08bf6a3af34df2337da41ee30f0610dad727c13b824f7bec4cd8de1c2aa4e5eaf764f038e8e21a6ab6a28ccfc8fe

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
264KB

MD5
34f8ce751d9b2513f212b04bf88de95b

SHA1
00407f30d1835e4e8921a53ad9fa66ad6240bda8

SHA256
43132f42880cda35f9a81ab6b047573747383f9b0e2cde5a2c1f7cdafdc39576

SHA512
a3a65c46d4d63965592939e7052e73b0770ca774b455d793ba9dd3aacf51f414143cb522306754b0394539ecd916ce46af11d3e5ea2de8426d75de51da074535

Download Submit
C:\Windows\SysWOW64\Mfgdjh32.dll

Filesize
7KB

MD5
66ca2694abf123e9a363038b42832531

SHA1
04d0d3e932ab64d22bf554e1a709b9c922a4b242

SHA256
a1960a4738839d2c73c18ef96740b66d032e57762c5851218c0dd702e16925c2

SHA512
b5381f8f2b98067450c6c92ea9b8d35d53a303d44bacca45c242634a971778e3fafeca2cbd57cb9b8318198fb1033a9404d9323e1b9b2f9a56adf09fc5390460

Download Submit
C:\Windows\SysWOW64\Ncofplba.exe

Filesize
264KB

MD5
90cbd6739a59ce0b05e71d4941d3dca8

SHA1
76053bb7dfd1702df19a89e54fc645bf2544a827

SHA256
c0e677e19076675f6baaa1f1aa997e70c030da40b83aa4d9e77c2a42d0aa2b6a

SHA512
381344ee3484d887909a41c643e7395f953494f3c3b4cbbf93af2b4c5f8d273564e882ca3426eeb7917c43e7c2d363e68028913c1b3f3e53305076f13fc587b1

Download Submit
C:\Windows\SysWOW64\Neclenfo.exe

Filesize
264KB

MD5
2c2cc99d09c92f5f94d05211b67a59ab

SHA1
719d0e2c386378e4a144b61db292be304efbcee5

SHA256
ac2760762ac306e6e09daf5017eae74d45a981a2a56175f8b955f1d360edc9e1

SHA512
b92ede662172548414e750c5ef3c487f8c2daf202989fa77fb41013f1bae18c1ef4ac8cd642fa5648e929283ed18fdb53f71cd28f03e90847f9aa9ee8a95c1a6

Download Submit
C:\Windows\SysWOW64\Neclenfo.exe

Filesize
264KB

MD5
07fb66f043ee9558571999e806c40f97

SHA1
7503348bdeb41470d9a4bc42fcde24fe1b544d4d

SHA256
3c7d068ee6b9bdd88e29819748edc22241cfacff074f8c966351e217f2aa259c

SHA512
7a35a919cceac865bf299c1d0e23e7981b92bc0551c2a92f825f8c34d8cf14157098e5adde684f1fafa72634620f65eb0864058c2368f029c23c90b1e33e6cb2

Download Submit
C:\Windows\SysWOW64\Neqopnhb.exe

Filesize
264KB

MD5
9d9ea08772c322b94fe006c88b18d01b

SHA1
246c4092a251a73e6382b4af5c620420af7a51ee

SHA256
767a5c2e3f2495f968c86da4b07e5ca40dd8bff053da89e48ca93cb903c387bb

SHA512
d62e52eb6b590be0c829b3e07f0b2be9ac3c168b154c328e5edb45127969ae41f83272888340daf96c434cbf815cfee20deb2b7991a18137dde5fb2c8e87821d

Download Submit
C:\Windows\SysWOW64\Nnkpnclp.exe

Filesize
264KB

MD5
9d9adf81b52166373928addc178b4d56

SHA1
843c24e03023e25a19b9675d31b4e16802cf452e

SHA256
3211ff419f115169edd8adbce04a1f832daa4ad8fdef20ea065729a91ac67163

SHA512
9b3a493512e83593c0ec08f20e7aabf02c5f4d2f7b75b4945e1548351a8329712ac9219f9cc4fa7e19234e3fb109e42b5d67f07224af3c1407ba802d4913a089

Download Submit
C:\Windows\SysWOW64\Oeheqm32.exe

Filesize
264KB

MD5
4d71b8b5638340fd9b24c4407d5206ee

SHA1
46b2e37a370326ee33dba87debd5d16566253db9

SHA256
6565c31f37fe3b83de8cb89de39f8e94513fc0e5d794001101e49bad4023f2b3

SHA512
4338890d1d6faf8abbdf6c604c81297c178ac215f0c4ba0bd742c22e1c0ef2e29699898eda7c9e32c81604646158d476f93b04e3ef4d00119ca58ef93390e3b6

Download Submit
C:\Windows\SysWOW64\Oloahhki.exe

Filesize
264KB

MD5
5d5388e2378da4808848326b15839db1

SHA1
b42d63d87ac2ba16b5ebb1a166d73e39cf6348e0

SHA256
d8a07409da8389e8abc517bd7b1344b97055b4e37be312354a1eb276466c4178

SHA512
bf56efd442e3cf06f2903401a967574ae8ae4e7cf637d3b1f36cc4f42f1f2aba6e4c38bda67749c7798b98d9b1daca80f16a62d7705726bc355b92aa0ed5a6a4

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
264KB

MD5
334b8202346c88924fd4600adaf7fb47

SHA1
e20bf511a4009a3b5786e7aa9947d2db1518788b

SHA256
837305fabd4d5d0d862cab43b1051c1667c380d130774986229bf9650ddaa34b

SHA512
0ab8b70772afb24874959776e172cdcd0220067ebfadccc26a84d2747b323932c7305e2eae3fdd4beb0f9986ca60fae3fd099e2624c0cf33c2747e2d614e64a1

Download Submit
memory/440-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads