9fea99dea870e1f7f1becbd2006f9f088dab4a6dc7df28898978d22d10d809f3

Analysis

max time kernel
147s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 01:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9fea99dea870e1f7f1becbd2006f9f088dab4a6dc7df28898978d22d10d809f3.exe
Size

50KB
MD5

6ea28deabb7dad7fa724ad30946b71af
SHA1

7917a58088da99607a85a21f44ce476120b1c3b8
SHA256

9fea99dea870e1f7f1becbd2006f9f088dab4a6dc7df28898978d22d10d809f3
SHA512

9570850ba6bf8a1592ca34aa7d0f00e215da43b7432aa7b7fbff0c335eb97ad7337ad50354af8c62502bea0bcdcab75b87351322cd9b2c6fc5de8145e727fd77
SSDEEP

768:VOoMGGg978mxtYBg9CyHG75XYSZIax5WvDtSY2YjJdF/1H5S:VJGfmv45pIkUQa/f

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dabpnlkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phbcfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhibni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpedjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cafpanem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qiclfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahiigkqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pelaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhdpll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccfmla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aackeqeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bikkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qehqepcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aemjpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlgdkeje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cefemliq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qefdpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blennh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfebonm.exe

Executes dropped EXE 64 IoCs

pid	Process
5112	Ppphak32.exe
2428	Pbndmf32.exe
4264	Pelaib32.exe
5080	Phkmem32.exe
1576	Plfiflen.exe
4824	Pneebg32.exe
4532	Pacaoc32.exe
1440	Pijjpp32.exe
4456	Plifll32.exe
4804	Pngbhg32.exe
332	Paendb32.exe
2580	Pimfep32.exe
2276	Plkbak32.exe
704	Pniomgpl.exe
3856	Pahkjbop.exe
1856	Phbcfl32.exe
756	Plmogkoe.exe
1108	Qbggce32.exe
3928	Qefdpq32.exe
5008	Qhdpll32.exe
1128	Qnnhhflf.exe
1732	Qehqepcc.exe
1768	Qiclfo32.exe
3316	Albibj32.exe
1480	Ablaodbm.exe
5052	Aejmkpaq.exe
4292	Ahiigkqd.exe
1936	Aldegj32.exe
1620	Aemjpp32.exe
4344	Algbmjgk.exe
848	Aoeniefo.exe
2528	Aackeqeb.exe
4252	Aikbfnfd.exe
1664	Aliobieh.exe
4876	Aogkoedl.exe
3020	Aafgkpcp.exe
4056	Aimoln32.exe
396	Alkkhi32.exe
1180	Aojhdd32.exe
4632	Abedecjb.exe
2404	Aiolam32.exe
2484	Bbhqjchp.exe
1908	Befmfngc.exe
3904	Bhdibj32.exe
2756	Bpladg32.exe
4140	Bbjmpb32.exe
3860	Bidemmnj.exe
400	Bpnnig32.exe
1424	Bbljeb32.exe
4304	Bekfan32.exe
1852	Bhibni32.exe
1368	Blennh32.exe
1708	Bbofkbbh.exe
3696	Baaggo32.exe
3524	Bhlocipo.exe
1416	Blgkdg32.exe
2488	Bbacqape.exe
3596	Bikkml32.exe
4776	Cpedjf32.exe
1636	Cafpanem.exe
1760	Cimhckeo.exe
5084	Ccfmla32.exe
688	Cipehkcl.exe
4452	Chbedh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pngbhg32.exe	Plifll32.exe
File created	C:\Windows\SysWOW64\Cefemliq.exe	Cakjmm32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Daifnk32.exe	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Aikbfnfd.exe	Aackeqeb.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Dfdbojmq.exe	Daifnk32.exe
File created	C:\Windows\SysWOW64\Gfcgge32.exe	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Aafgkpcp.exe	Aogkoedl.exe
File opened for modification	C:\Windows\SysWOW64\Ffekegon.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Onkhkpho.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Qdqjmdmd.dll	Abedecjb.exe
File created	C:\Windows\SysWOW64\Bbofkbbh.exe	Blennh32.exe
File opened for modification	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Coagla32.exe	Clckpf32.exe
File created	C:\Windows\SysWOW64\Jqqjmnii.dll	Ebploj32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Miainbfm.dll	Aikbfnfd.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Ffekegon.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Commqb32.exe	Cpjmee32.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Eoodnhmi.dll	Epopgbia.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Qnnhhflf.exe	Qhdpll32.exe
File created	C:\Windows\SysWOW64\Jgegko32.dll	Diihojkb.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Ebploj32.exe	Ecmlcmhe.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Bbofkbbh.exe	Blennh32.exe
File opened for modification	C:\Windows\SysWOW64\Blgkdg32.exe	Bhlocipo.exe
File created	C:\Windows\SysWOW64\Bgadhj32.dll	Cpedjf32.exe
File created	C:\Windows\SysWOW64\Ppgjkamf.dll	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Icljbg32.exe
File created	C:\Windows\SysWOW64\Dhqaefng.exe	Debeijoc.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Pdgdjjem.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Capchmmb.exe	Coagla32.exe
File created	C:\Windows\SysWOW64\Dcalgo32.exe	Dpcpkc32.exe
File created	C:\Windows\SysWOW64\Kpmkpqcp.dll	Daifnk32.exe
File created	C:\Windows\SysWOW64\Djpnohej.exe	Dfdbojmq.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Dohmlp32.exe	Djlddi32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Fjnjqfij.exe	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Ppphak32.exe	9fea99dea870e1f7f1becbd2006f9f088dab4a6dc7df28898978d22d10d809f3.exe
File created	C:\Windows\SysWOW64\Ahiigkqd.exe	Aejmkpaq.exe
File created	C:\Windows\SysWOW64\Dpacfd32.exe	Dhjkdg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9152	9000	WerFault.exe	380

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigcma32.dll"	Plifll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Algbmjgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppphak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamgnn32.dll"	Bikkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cakjmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpnnig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdigaehe.dll"	Pbndmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpladg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkdqfii.dll"	Dcopbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhngp32.dll"	Dohmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifoip32.dll"	Cafpanem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqciba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kogbodfe.dll"	Aemjpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafdhf32.dll"	Qhdpll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgbbq32.dll"	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icnmgkke.dll"	Capchmmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aliobieh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiclfo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 5112	2924	9fea99dea870e1f7f1becbd2006f9f088dab4a6dc7df28898978d22d10d809f3.exe	84
PID 2924 wrote to memory of 5112	2924	9fea99dea870e1f7f1becbd2006f9f088dab4a6dc7df28898978d22d10d809f3.exe	84
PID 2924 wrote to memory of 5112	2924	9fea99dea870e1f7f1becbd2006f9f088dab4a6dc7df28898978d22d10d809f3.exe	84
PID 5112 wrote to memory of 2428	5112	Ppphak32.exe	85
PID 5112 wrote to memory of 2428	5112	Ppphak32.exe	85
PID 5112 wrote to memory of 2428	5112	Ppphak32.exe	85
PID 2428 wrote to memory of 4264	2428	Pbndmf32.exe	86
PID 2428 wrote to memory of 4264	2428	Pbndmf32.exe	86
PID 2428 wrote to memory of 4264	2428	Pbndmf32.exe	86
PID 4264 wrote to memory of 5080	4264	Pelaib32.exe	87
PID 4264 wrote to memory of 5080	4264	Pelaib32.exe	87
PID 4264 wrote to memory of 5080	4264	Pelaib32.exe	87
PID 5080 wrote to memory of 1576	5080	Phkmem32.exe	88
PID 5080 wrote to memory of 1576	5080	Phkmem32.exe	88
PID 5080 wrote to memory of 1576	5080	Phkmem32.exe	88
PID 1576 wrote to memory of 4824	1576	Plfiflen.exe	89
PID 1576 wrote to memory of 4824	1576	Plfiflen.exe	89
PID 1576 wrote to memory of 4824	1576	Plfiflen.exe	89
PID 4824 wrote to memory of 4532	4824	Pneebg32.exe	90
PID 4824 wrote to memory of 4532	4824	Pneebg32.exe	90
PID 4824 wrote to memory of 4532	4824	Pneebg32.exe	90
PID 4532 wrote to memory of 1440	4532	Pacaoc32.exe	91
PID 4532 wrote to memory of 1440	4532	Pacaoc32.exe	91
PID 4532 wrote to memory of 1440	4532	Pacaoc32.exe	91
PID 1440 wrote to memory of 4456	1440	Pijjpp32.exe	92
PID 1440 wrote to memory of 4456	1440	Pijjpp32.exe	92
PID 1440 wrote to memory of 4456	1440	Pijjpp32.exe	92
PID 4456 wrote to memory of 4804	4456	Plifll32.exe	93
PID 4456 wrote to memory of 4804	4456	Plifll32.exe	93
PID 4456 wrote to memory of 4804	4456	Plifll32.exe	93
PID 4804 wrote to memory of 332	4804	Pngbhg32.exe	94
PID 4804 wrote to memory of 332	4804	Pngbhg32.exe	94
PID 4804 wrote to memory of 332	4804	Pngbhg32.exe	94
PID 332 wrote to memory of 2580	332	Paendb32.exe	95
PID 332 wrote to memory of 2580	332	Paendb32.exe	95
PID 332 wrote to memory of 2580	332	Paendb32.exe	95
PID 2580 wrote to memory of 2276	2580	Pimfep32.exe	96
PID 2580 wrote to memory of 2276	2580	Pimfep32.exe	96
PID 2580 wrote to memory of 2276	2580	Pimfep32.exe	96
PID 2276 wrote to memory of 704	2276	Plkbak32.exe	97
PID 2276 wrote to memory of 704	2276	Plkbak32.exe	97
PID 2276 wrote to memory of 704	2276	Plkbak32.exe	97
PID 704 wrote to memory of 3856	704	Pniomgpl.exe	98
PID 704 wrote to memory of 3856	704	Pniomgpl.exe	98
PID 704 wrote to memory of 3856	704	Pniomgpl.exe	98
PID 3856 wrote to memory of 1856	3856	Pahkjbop.exe	99
PID 3856 wrote to memory of 1856	3856	Pahkjbop.exe	99
PID 3856 wrote to memory of 1856	3856	Pahkjbop.exe	99
PID 1856 wrote to memory of 756	1856	Phbcfl32.exe	100
PID 1856 wrote to memory of 756	1856	Phbcfl32.exe	100
PID 1856 wrote to memory of 756	1856	Phbcfl32.exe	100
PID 756 wrote to memory of 1108	756	Plmogkoe.exe	101
PID 756 wrote to memory of 1108	756	Plmogkoe.exe	101
PID 756 wrote to memory of 1108	756	Plmogkoe.exe	101
PID 1108 wrote to memory of 3928	1108	Qbggce32.exe	103
PID 1108 wrote to memory of 3928	1108	Qbggce32.exe	103
PID 1108 wrote to memory of 3928	1108	Qbggce32.exe	103
PID 3928 wrote to memory of 5008	3928	Qefdpq32.exe	104
PID 3928 wrote to memory of 5008	3928	Qefdpq32.exe	104
PID 3928 wrote to memory of 5008	3928	Qefdpq32.exe	104
PID 5008 wrote to memory of 1128	5008	Qhdpll32.exe	105
PID 5008 wrote to memory of 1128	5008	Qhdpll32.exe	105
PID 5008 wrote to memory of 1128	5008	Qhdpll32.exe	105
PID 1128 wrote to memory of 1732	1128	Qnnhhflf.exe	106

C:\Users\Admin\AppData\Local\Temp\9fea99dea870e1f7f1becbd2006f9f088dab4a6dc7df28898978d22d10d809f3.exe
"C:\Users\Admin\AppData\Local\Temp\9fea99dea870e1f7f1becbd2006f9f088dab4a6dc7df28898978d22d10d809f3.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\Ppphak32.exe
  C:\Windows\system32\Ppphak32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\Pbndmf32.exe
    C:\Windows\system32\Pbndmf32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\Pelaib32.exe
      C:\Windows\system32\Pelaib32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Windows\SysWOW64\Phkmem32.exe
        
        C:\Windows\system32\Phkmem32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\SysWOW64\Plfiflen.exe
        
        C:\Windows\system32\Plfiflen.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Pneebg32.exe
        
        C:\Windows\system32\Pneebg32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Pacaoc32.exe
        
        C:\Windows\system32\Pacaoc32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Pijjpp32.exe
        
        C:\Windows\system32\Pijjpp32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Plifll32.exe
        
        C:\Windows\system32\Plifll32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Pngbhg32.exe
        
        C:\Windows\system32\Pngbhg32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Paendb32.exe
        
        C:\Windows\system32\Paendb32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Pimfep32.exe
        
        C:\Windows\system32\Pimfep32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Plkbak32.exe
        
        C:\Windows\system32\Plkbak32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Pniomgpl.exe
        
        C:\Windows\system32\Pniomgpl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Pahkjbop.exe
        
        C:\Windows\system32\Pahkjbop.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Phbcfl32.exe
        
        C:\Windows\system32\Phbcfl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Plmogkoe.exe
        
        C:\Windows\system32\Plmogkoe.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Qbggce32.exe
        
        C:\Windows\system32\Qbggce32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Qefdpq32.exe
        
        C:\Windows\system32\Qefdpq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Qhdpll32.exe
        
        C:\Windows\system32\Qhdpll32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Qnnhhflf.exe
        
        C:\Windows\system32\Qnnhhflf.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Qehqepcc.exe
        
        C:\Windows\system32\Qehqepcc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\SysWOW64\Qiclfo32.exe
        
        C:\Windows\system32\Qiclfo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Albibj32.exe
        
        C:\Windows\system32\Albibj32.exe
        25⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\Ablaodbm.exe
        
        C:\Windows\system32\Ablaodbm.exe
        26⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Aejmkpaq.exe
        
        C:\Windows\system32\Aejmkpaq.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Ahiigkqd.exe
        
        C:\Windows\system32\Ahiigkqd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\Aldegj32.exe
        
        C:\Windows\system32\Aldegj32.exe
        29⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Aemjpp32.exe
        
        C:\Windows\system32\Aemjpp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Algbmjgk.exe
        
        C:\Windows\system32\Algbmjgk.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Aoeniefo.exe
        
        C:\Windows\system32\Aoeniefo.exe
        32⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\Aackeqeb.exe
        
        C:\Windows\system32\Aackeqeb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Aikbfnfd.exe
        
        C:\Windows\system32\Aikbfnfd.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Aliobieh.exe
        
        C:\Windows\system32\Aliobieh.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Aogkoedl.exe
        
        C:\Windows\system32\Aogkoedl.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Aafgkpcp.exe
        
        C:\Windows\system32\Aafgkpcp.exe
        37⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Aimoln32.exe
        
        C:\Windows\system32\Aimoln32.exe
        38⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Alkkhi32.exe
        
        C:\Windows\system32\Alkkhi32.exe
        39⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Aojhdd32.exe
        
        C:\Windows\system32\Aojhdd32.exe
        40⤵
        Executes dropped EXE
        
        PID:1180
        
        C:\Windows\SysWOW64\Abedecjb.exe
        
        C:\Windows\system32\Abedecjb.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Aiolam32.exe
        
        C:\Windows\system32\Aiolam32.exe
        42⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Bbhqjchp.exe
        
        C:\Windows\system32\Bbhqjchp.exe
        43⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Befmfngc.exe
        
        C:\Windows\system32\Befmfngc.exe
        44⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\SysWOW64\Bhdibj32.exe
        
        C:\Windows\system32\Bhdibj32.exe
        45⤵
        Executes dropped EXE
        
        PID:3904
        
        C:\Windows\SysWOW64\Bpladg32.exe
        
        C:\Windows\system32\Bpladg32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Bbjmpb32.exe
        
        C:\Windows\system32\Bbjmpb32.exe
        47⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Bidemmnj.exe
        
        C:\Windows\system32\Bidemmnj.exe
        48⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Bpnnig32.exe
        
        C:\Windows\system32\Bpnnig32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Bbljeb32.exe
        
        C:\Windows\system32\Bbljeb32.exe
        50⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\Bekfan32.exe
        
        C:\Windows\system32\Bekfan32.exe
        51⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Blennh32.exe
        
        C:\Windows\system32\Blennh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        54⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\Baaggo32.exe
        
        C:\Windows\system32\Baaggo32.exe
        55⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Bhlocipo.exe
        
        C:\Windows\system32\Bhlocipo.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Blgkdg32.exe
        
        C:\Windows\system32\Blgkdg32.exe
        57⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        58⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Cafpanem.exe
        
        C:\Windows\system32\Cafpanem.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        62⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        64⤵
        Executes dropped EXE
        
        PID:688
        
        C:\Windows\SysWOW64\Chbedh32.exe
        
        C:\Windows\system32\Chbedh32.exe
        65⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        66⤵
        Drops file in System32 directory
        
        PID:956
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        67⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2748
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        70⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        71⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        72⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        73⤵
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        74⤵
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        75⤵
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        77⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        78⤵
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4668
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4940
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        83⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        84⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        87⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        88⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        89⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        90⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        91⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        96⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        98⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        99⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        101⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        102⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        103⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        104⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        106⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        107⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        108⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        110⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        112⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        113⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        114⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        115⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        116⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        117⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        119⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        120⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        121⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        124⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        126⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        127⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        128⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        129⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        130⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        131⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        133⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        135⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        136⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        137⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        139⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        140⤵
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        141⤵
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        142⤵
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        143⤵
        Drops file in System32 directory
        
        PID:6604
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        144⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        145⤵
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        146⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6776
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6824
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        149⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        150⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        151⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        152⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        153⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        154⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        156⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        157⤵
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        159⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        160⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        161⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        162⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6600
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        165⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        166⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        167⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        168⤵
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7060
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        170⤵
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        171⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        172⤵
        Drops file in System32 directory
        
        PID:6212
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        173⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        174⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6636
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6820
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        178⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        179⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6208
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        181⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        182⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        183⤵
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        184⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        185⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        186⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        187⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        188⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        189⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        191⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        192⤵
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        193⤵
        Drops file in System32 directory
        
        PID:7212
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        194⤵
        Modifies registry class
        
        PID:7260
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        195⤵
        Modifies registry class
        
        PID:7304
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        196⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        197⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        198⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        199⤵
        Drops file in System32 directory
        
        PID:7472
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7508
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        201⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        202⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7636
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        204⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        205⤵
        Modifies registry class
        
        PID:7716
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7780
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        207⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        208⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7936
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        210⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        211⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8060
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        213⤵
        Modifies registry class
        
        PID:8100
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        214⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8184
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        216⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        217⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        218⤵
        Modifies registry class
        
        PID:7328
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        219⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        220⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        221⤵
        Modifies registry class
        
        PID:7544
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        222⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        223⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        224⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        225⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        226⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        227⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8080
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        229⤵
        Drops file in System32 directory
        
        PID:8172
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        230⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        231⤵
        Modifies registry class
        
        PID:7288
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7412
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        233⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7632
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        235⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7900
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        237⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        238⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        239⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        240⤵
        Drops file in System32 directory
        
        PID:7388
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        241⤵
        Modifies registry class
        
        PID:7520
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        242⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        243⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        244⤵
        Modifies registry class
        
        PID:8124
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7296
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7452
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8000
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7280
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        249⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        250⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        251⤵
        Modifies registry class
        
        PID:8056
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        252⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        253⤵
        Modifies registry class
        
        PID:8232
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        254⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        255⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        256⤵
        Modifies registry class
        
        PID:8352
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        257⤵
        Modifies registry class
        
        PID:8396
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        258⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        259⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8476
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        260⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        261⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        262⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        263⤵
        Modifies registry class
        
        PID:8624
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8664
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        265⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        266⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        267⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        268⤵
        Drops file in System32 directory
        
        PID:8828
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        269⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8908
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        271⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8948
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8992
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9040
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        274⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        275⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        276⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        277⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        278⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        279⤵
        Drops file in System32 directory
        
        PID:8296
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        280⤵
        Modifies registry class
        
        PID:8328
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        281⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        282⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8512
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        283⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        284⤵
        Drops file in System32 directory
        
        PID:8652
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        285⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        286⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        287⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8852
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        288⤵
        Modifies registry class
        
        PID:8924
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        289⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9000 -s 400
        290⤵
        Program crash
        
        PID:9152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 9000 -ip 9000
1⤵
PID:9116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aackeqeb.exe

Filesize
50KB

MD5
fb9bccbf5e324e8b8407f6cb389b0934

SHA1
2adcb6db66a0b308055fcd87b88e0c9954d93650

SHA256
d8fc0f28fb817cbd250616d5bec72de04affcfa5139808b0f086dba3f687bdf3

SHA512
4c48e0ba60497bf341e091cf3ce482f21abc524711a52779052cc6627334489c91562545cafd878876c2e72ecb929522996e8634fe2d28466872e8c2f39ed5e6

Download Submit
C:\Windows\SysWOW64\Ablaodbm.exe

Filesize
50KB

MD5
f28cc49ba80b413f2997a13455bdd42b

SHA1
ced629b02e9f4fb10fb4da9edc9be6eb4b7b5144

SHA256
a172ff6cab1834aa0f7356f30d2b315658d20854210e219af695a5822a66a3ea

SHA512
ab997ecdd2e6e8cae71dbda4689ac6eb4830733ddd71a91a9a36857aa396fdabdd25c2583ddbd004c939c82f7940818f0a3600354e78c5b9094352968c726263

Download Submit
C:\Windows\SysWOW64\Aejmkpaq.exe

Filesize
50KB

MD5
48f1b9a254b8830ab13f9331c612290b

SHA1
1c8f664bf4bf6ec5d10c1551a455e296ad8a36fb

SHA256
4d41e384c92b25a80f50dae4fc60f421fd717c7ba81cfadbdebdbc74c82495e8

SHA512
1851b912287951c85fe11c69cdd4e3681c320905fea6fba044ecc191d84e544ea561a2d706cc141c4e806daa6e48b52be65b47a4ee79babf80f07db5e60057a7

Download Submit
C:\Windows\SysWOW64\Aemjpp32.exe

Filesize
50KB

MD5
dacaa31f7a20485ce83783989b707d0d

SHA1
82fc670d8ce64254c0bd25f70fedd6aadf7e990d

SHA256
d2846fa857521c7ad861d56f61315e0a1e35baa867237be5c4599f1ddf5f0f0f

SHA512
15f65cb464d2b927e324638eef0b695b58aaf101450a406b98368e3fd2ca7fd70303fe28ba1c5549100bbd026950426da57ee764144bbfc70c566b97d049e889

Download Submit
C:\Windows\SysWOW64\Ahiigkqd.exe

Filesize
50KB

MD5
f49f87c9d9db1b23cfb21d5eac9cdeee

SHA1
68cd01a2f429f4989e8a006f702d68e1ffee7a2d

SHA256
edcb017439c64b907280e67bbf240749689dc34970c0c803475463e4bc9eac3c

SHA512
2424f4246a2e859d1d32e3c8264f9c57462daf96393cd63893996a069274942147e0401a2cb0b7780b5d23f809de200ad1eef8e1908b1e3e03b208077ffe8c05

Download Submit
C:\Windows\SysWOW64\Albibj32.exe

Filesize
50KB

MD5
13af717a78d375d31113cdb329501d1b

SHA1
eaf28aab2eddc68a1e80e570160ab3aed96b09d6

SHA256
3db9361f8619d40bfeb1692b5466591782a3eba519f1e625115196dbd649d814

SHA512
cbdd7c892e4dac8db76715101813a8ca1cbf585164906c10828a94c819246b4146738583eb4ec17bfecefc10ce556a5e86a528178b1fdc016f969433b0047033

Download Submit
C:\Windows\SysWOW64\Aldegj32.exe

Filesize
50KB

MD5
4b248bf63c9595cb12bc3cd09f2795d3

SHA1
1462f6b9e496bde1a22dddba2f7b2b10a5553b10

SHA256
713a95f0412e38bc7d981fd556a73566ba0d75e4d43f5d3c1c032370f08c09f6

SHA512
4edcf33a0e6042cc5758168994895573141d97022d1837a43a3d9edf16e40a607b91c088808865e471ce31a0095f9faef4c83ba8a41068e17b5fd8cacec7ba29

Download Submit
C:\Windows\SysWOW64\Algbmjgk.exe

Filesize
50KB

MD5
db1f5c77b30bc31fa29c377684b7da7e

SHA1
972ba3b337c64e8d45dc0cc559435f105ede862f

SHA256
e7c801720334fb58363706d2ef70d751e5f68bc3bed65755f9607b4921f8bbf5

SHA512
54a747aaeeed55104e16744d051e558517710c80cf7996a38257515185f4166959ce6388ccc67dca729d252097508f2d8bf8e8b88acf8cb5f0d0da36036d1aae

Download Submit
C:\Windows\SysWOW64\Aoeniefo.exe

Filesize
50KB

MD5
7cdbb2bc42e643af4f18d068a8170366

SHA1
f479da4220c5d0d692d51015bea0fa9dd78ade3d

SHA256
af9d987e80514af9acb8b40a7d47adc48843bddf237a6db8180ee31c3560c03d

SHA512
4cadade481c813fe99434e31bc07dc85013fdde3f92a185438f520e3947e19abb6443f898d045b6471be6e9cefca15b1a7d3894627b3e8354cb89151bc4d5542

Download Submit
C:\Windows\SysWOW64\Bpladg32.exe

Filesize
50KB

MD5
315c8c46bb6c5f595a7afdb6c6fa651f

SHA1
8aad5fc5c47b0a272afa00b980e7bc684d325dd8

SHA256
7230a6e215aaba6fc78b97a2b0f67bf765111ea79642c4aaea0564c1bece4083

SHA512
af7b4fabbfbc18fa716c4122577b1f3be56d2c42ebea2110e31e0e9b686f5e24c5b7ed001c09cc2de1220b721d6759346d4750d55f92856ad4184f402a53ab15

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe

Filesize
50KB

MD5
1b29a2ab7b65f6c0fd19797e3889a7f0

SHA1
220f819c3d90493dad52d1895d51a25723942251

SHA256
3abaa717e86091757a97b6df0ff5169a5e456c452746ef98d861eda5deaf810c

SHA512
4768ecdb4b8abcf01e1ac19091a4d098eda89231ba2524cab3caf69d4ce589230d201314622340fc7ceb0268ecfe62773f413e5f1c149bf383f8cbc5c1b042e6

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
50KB

MD5
8824fdfce3641ec8b99abbd0c51f5523

SHA1
0af6a07359693ec0a589249558326a5b232b5647

SHA256
d2bfe3e21b50ad5fdf42f6af688fbb0da89b26df8aa17d718cf9afa76f398918

SHA512
f0e934609e48551e702d040526958c453e7b5ae42c68e059421896adc20bf08d7c79f3b1f823d7084f41f5772ce7c9f3d4f3ac162a948e55dd3dc72cb40a1a13

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
50KB

MD5
19623a14177c4e7d265c2e0a5f50e10d

SHA1
dbc921e5a0e6afcfdd77fb0ccd2edc55ef039510

SHA256
cb257aff633949aa0381f98fe8ab5a989e3c0c231619a56d831e86b3d9a5c9ae

SHA512
85c645401498deaf248456092637c39acb727080211e675f4debd8f105dd11347623b30d768b127e9ddd58a759583e05c56a5f32f78686d7582d7386ecf48c7e

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
50KB

MD5
ab9f6296ac0e1a86c202c67c7ffb237f

SHA1
b766bd136bcb2eca2cc8cad7024c58c6c0aba4a0

SHA256
88cdd4ecbb7d4c0bb2d56484c5dab52ae196c95c6ccc2bb72f17adfcda8fc0ad

SHA512
33815bd4133ab8563228be4d09d6242d123e4d4a403c3dee914670f9cbc3c9374a44258678b11e72003d912dd957b09f4d7c0d2c2fd318286edf97e3c1cf8d78

Download Submit
C:\Windows\SysWOW64\Pacaoc32.exe

Filesize
50KB

MD5
bc9aa0c2dbbc39f43ad9badc1420eb52

SHA1
db66b944a08f12776f9da42f377bab22ee7c1e3c

SHA256
1890476364ffba95adc6fe92a0a560bbb6ee7af411ff654f292ad534915286d1

SHA512
85910ea25fec1c4fa400cf3e4aebaec0200dcacdaa017002869db5e7d6c251c8d050d6c29d042b33efbe463fa387ca33c152401bdd4dcc8c017ef609b62a31e7

Download Submit
C:\Windows\SysWOW64\Paendb32.exe

Filesize
50KB

MD5
1fa7483065852fba30167e025a4f5c6d

SHA1
d5370fe6cd95ba36e351db76eac31554f6d3a6cb

SHA256
f4c89c20e62b272a9f15f43d42c7d46488027e5f0509da605f5b0672a87066b4

SHA512
9ee95c42f279d0d1862089f9f9373a943b6dc5ad040be14f7a9ae89088fe68214999ef8929056072e8147b8310194aec2afc602dccb0211c88f7c7b39f027bd0

Download Submit
C:\Windows\SysWOW64\Pahkjbop.exe

Filesize
50KB

MD5
633425843c3cecc906df172b4ca5ce00

SHA1
e5e1ae8f0bf3714517a45a9f5a8501aac5b2c4da

SHA256
a2c56337bcd046d48ec1de02b7ef7acd49eb5d0230db2239962c98d42ac6adba

SHA512
17a87abf35b4b30ebd8ffc3aad5a4a0357dc2cdf2ef5f0da58f6c30ae59d74f9ee9d75d3509d29720e1422eff902c28f46da0122fba6a2fe81d448cf6631b3d2

Download Submit
C:\Windows\SysWOW64\Pbndmf32.exe

Filesize
50KB

MD5
4ab0f7873df72c9a88557bcca7c3a2be

SHA1
b6958d76c545680ac27a8cb6018ea2c3b6e1313e

SHA256
a6103992029999a5347f0925d5625a297dea8185867b6629feb9b8d29f57359f

SHA512
a536415a7459ac504e9649500df29e5e1081c512239687b539bf355d111bca8f477f98f449488e6a4548f7fe7517da3a8ec47f34a10bc36ddde6c0b08719423f

Download Submit
C:\Windows\SysWOW64\Pelaib32.exe

Filesize
50KB

MD5
62a38801e59de52a3c4cf69f7496c334

SHA1
672c74e0c105fb3aad5034e57cea7296d7988bbb

SHA256
33b514ce0f54fa60cbfcdc5139c39829fb4e571b7de9a2f203eb9b0563d6e241

SHA512
9e7257762add8cb7ea43c8465aea6fc2600a4678e1c6a292390b791e09389fbefd925860a725d085ac57ba9abf080dcc64662845f940fbe4d0e7cd3c0c12c823

Download Submit
C:\Windows\SysWOW64\Phbcfl32.exe

Filesize
50KB

MD5
c10f1920e7516b6ce5b8eb0957196a4d

SHA1
bb3f51ab09a573e253a73812e23a78f740b4890f

SHA256
ebcf387cf08eb25d798a6ed74c81c5efd99cf033a8ab3f02cdcae80e8d778733

SHA512
2562f0680cc4d59b299c89643fff4285ab2ce01a8a433d7b0f8b574927d2f9c208780b9dd3531f828a6d9bb791c860cba00a0f00ee30bc580cbf1c5e1738370e

Download Submit
C:\Windows\SysWOW64\Phkmem32.exe

Filesize
50KB

MD5
97d816b193b2d0a26bdb58d8e1eac25f

SHA1
d22ab55351547055ec3539e489b355e6331efa8a

SHA256
3e93ee3fbcea998fae28e9287f46a815be5cf83f234e15cae395033e125d34b5

SHA512
dcf4b25b3372e8729a1b9de763b82d8082327fec1509d50688acd21b450f9d5764eac0abd32bff00d05c3133a2000f59e0f4c6a1fa19e9584766c568ebfe192b

Download Submit
C:\Windows\SysWOW64\Pijjpp32.exe

Filesize
50KB

MD5
39d435533ac4f186a3db6f9e47d27a0a

SHA1
7ce4c5e7274d3fee5a3dbbeb3da2cec312567ba0

SHA256
81c5bcf2db91075663c4be80e3ff5e6654e3a2ddda3a9781ca855b9ae7151a98

SHA512
b516f12c40dad9cdb3d32815692a0286ac3beb6b2b3a2de52211353085aa65bbc219066d161570ec4bf3fa4b1f3d4bc3ce5805ed24bf8f73477bf79d4163fae6

Download Submit
C:\Windows\SysWOW64\Pimfep32.exe

Filesize
50KB

MD5
7522eed796bf3c8ad6b529e72248987f

SHA1
18a4aea12527dfeb15a970276d580c87675483ea

SHA256
9a9401604b7308cb6c11e714474eaedab99d2f93977b09dc1a08ee1c14ce2571

SHA512
12e9fa9c2858d6bf4bbf3cc92627a307b3b89f2fc6fe4507fd8fa3bde66d03f86fec5552fa739662128676ca6ebe60093216544d6009e641b243d6d84d9511a2

Download Submit
C:\Windows\SysWOW64\Plfiflen.exe

Filesize
50KB

MD5
bab0c4e84b7a6b6edd0a48784b55b9dd

SHA1
a3c9e3d858933b81756ab29e5290f4dd9780242e

SHA256
f8363d3655ebb86e23400f2672c86b9bdcd82a27762b5aae0ea647f70338d642

SHA512
603f9d6a7d7c7043f48d50448f9f256120940474ee892796ea3e8be6930a9e9fe14f064c76821e46e04c7b59b2356165b3fa9beccfa1b68f9a98c8c7d7cb049a

Download Submit
C:\Windows\SysWOW64\Plifll32.exe

Filesize
50KB

MD5
8aee533b99436007ea9e45299e3c4d9c

SHA1
0121bd44002662226bfecb2a2b44b40aeebcd898

SHA256
9b3d554558ee996e7ccedbeb678e9b16e504e60ffe8e779b1c685f668279c129

SHA512
db43ab3b99db18c1fec549f2eec58ec5c3826ec32d7a668e170c1785f46c602346a9e299b0ad399af832c169409cd4df1dcea931f9d2d66a60396ad4b1482ecb

Download Submit
C:\Windows\SysWOW64\Plkbak32.exe

Filesize
50KB

MD5
114b1c19f26f1bf0d653800bad4dda65

SHA1
4f2967bda8e020beda1f2ccd3cdd87848a280db8

SHA256
0456b1c94eb391a65c06395ca2d99fd36982698c12d69a9de06b996f8c7eca20

SHA512
09e21e6bf49ac79346c4751b60641cac9fb8516a1c20a7f2d13b8a6bd95b4790426464fc2533bfd0c3976eb609551868263d007c0a9fea508a169d73206478b0

Download Submit
C:\Windows\SysWOW64\Plmogkoe.exe

Filesize
50KB

MD5
854531a8ed0ddfd68f6125c766b74d17

SHA1
4f5fb7e746b95df8772d12b1f21dd91ad9f4ab6e

SHA256
6ad7ed43c01088162214736da7928398da04d011455a23c16b9bd6c9f56b3161

SHA512
eeb3d0c3e525b7756288ed4c1f908e755c10142f2d653ed643176b1cf0054157e1e6fde81305ac98ab4829410ffec17d50b7920e369f882123d794ffbb57a035

Download Submit
C:\Windows\SysWOW64\Pneebg32.exe

Filesize
50KB

MD5
dd1a4f7a3f4ce1c141dbcd6488a59a12

SHA1
e348063f9535c8bdd6c33745b1d6d8b1897daf66

SHA256
c144aa876c2cbc8a11440a733e584663dcac86be8bf707c5b0890ace85ea5c2d

SHA512
935065f00465cefd4f9428552758562443b68af943a27a48868be1eb0d450202779ce3550a81282d5acf739d01f0750cf61e700bff655a9b02b674bfc416217a

Download Submit
C:\Windows\SysWOW64\Pngbhg32.exe

Filesize
50KB

MD5
e998f645dbeb81837d465f4c0feff200

SHA1
a5e02cefa55e4c4abd83b00f6155443c94f77622

SHA256
4ab4c0883c65d81048615dcb15174d0d66417864bd752afaa177dec61e867e22

SHA512
e985881c9ce3701d9c7446110ec90f57151114d94e5e481948268ddd4563de590513f31c6cfc7c6abcceeac2ac4ce2164028182f10633e47e0f6e6c730699ad9

Download Submit
C:\Windows\SysWOW64\Pniomgpl.exe

Filesize
50KB

MD5
a6b66b5a76056f3a8484061f1c596798

SHA1
fed9c523faf6f6bcc0f175c6128bb382ceeba712

SHA256
8c85cbf8f8d8ba7077e5ca8258871ec422b5adfc4a1be8acc7ccf8451b14614d

SHA512
c4fb1ff11525a39fb8a047a90a9b253e39aefc620b2a26c766307e7e51cf0f1123ae9e8595954a54d41ee180d4edb8129df03364e82c3b38ae6d0d0ba8f2586d

Download Submit
C:\Windows\SysWOW64\Ppphak32.exe

Filesize
50KB

MD5
ab6b2f3d66f496d6b8360d31719fd977

SHA1
e2bf2919a73e6d209dc728f9d8aba7311e725ab8

SHA256
2733624bc77219974fcfec9b7338ee3f11d5f9f15807d7a7d87a5244002a152f

SHA512
228085b3e7f7851ed041a1b119f70b74560bae90b96103acbeba84d8872719cfa447ab78f81d600b34f4f1aea85ba252b785c2208e6415993799a22e30e4554a

Download Submit
C:\Windows\SysWOW64\Qbggce32.exe

Filesize
50KB

MD5
e1bc89d404c7a3e4f7ef42e08b9ad3f2

SHA1
42e14c560f76156576399c581a1c6dfda81db10e

SHA256
69c9f119eb17ad06b2724c848a9e3acf0a7900b95d8d8b1977401cddabf7dfdb

SHA512
5553b5e2ed4fc5f7b2848b90f482b91a1a148e39a99265c726c3bc9c3f805f46e660de117d5c5bd309f156ffdcf99d592a081a8cb2532bd047a18b15e3e9bd8b

Download Submit
C:\Windows\SysWOW64\Qefdpq32.exe

Filesize
50KB

MD5
be09aafc5a17a1b9d057bc4c7075c66a

SHA1
07abfc24beb38c9f29e85d90c75d217ffde5a801

SHA256
e15c7890671f75b1647a2e1a82c3a50b407417671b30987e0a639c3655c37ebc

SHA512
216ac6183ba11614df6412b848e0c9e5818a9c49e2d8808ad6346d1539dd00c865e4663c006320e0eacd790a0dc5bc07d5cad0b735fd75a3550437ea8f224b1b

Download Submit
C:\Windows\SysWOW64\Qehqepcc.exe

Filesize
50KB

MD5
5fd69b9a569e2bc3f7b97e6d003d6286

SHA1
23cbdcdeaca3a74854e24596762fbf19b35c1682

SHA256
fe03eec06dd99e55e88e33c5e1f2e469f19d6fb48877fbbe4c2a5f36aafcaab7

SHA512
c168f7c824609408ba5bb0c7932b31fbb6b226a2cbbbc6ff5b1cfce27ac40964dee7be2067497c3d878bb2741c5660fbc6d78b77a8bbed773882370c0cede76d

Download Submit
C:\Windows\SysWOW64\Qhdpll32.exe

Filesize
50KB

MD5
865fd723c22f5029bcd5834e73c64f30

SHA1
e6902330ea100d2167c9feee21fc1adc69bc9d9c

SHA256
7dd6f6daab2d482a55fba73a11183fd701969c9ae86e0718947fe5d6c7141b03

SHA512
c46f2f31fa3ea494366182561e85f28b57185af5d0bed5be256d59175f98afff7c400dc95cd3d43cdbd521a495e281fa6f1fe43918c51ca51df306e094b25d7a

Download Submit
C:\Windows\SysWOW64\Qiclfo32.exe

Filesize
50KB

MD5
04a20e567498a5eb96e4daf6ad54b3af

SHA1
f082d368741185fdc869dae1c204153b23cd1f26

SHA256
c458a2868759fdbe67dcf9e4fb8cf30844d464695fbc4df83bc61d0f056408d6

SHA512
c004934ebee78908c642ffd2c4c37fbde703903ce24b6880b8fc7801f18d59a1b0212ca8b9e7911f36d504096ab26b366738bb215f69748d643826c401e33443

Download Submit
C:\Windows\SysWOW64\Qnnhhflf.exe

Filesize
50KB

MD5
4dce7b0879f7b9a47b088e25491070a6

SHA1
b228d51e0d9ceca2ca1313d9f04e260f5f9e3c66

SHA256
e2cc049c29ac1232d74da5ce95fb69802a63d248a67deaa6430f490fa587e101

SHA512
d58d213a4c17d6ecc4261cb1e5e0c568a9fa4950d3d06a095fd6b3fd7ad6de196212a91f33a250c05b87292e019fc2c9ac261e94c214e63988b165b3e6421549

Download Submit
memory/332-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/396-296-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/400-352-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/688-447-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/704-112-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/756-135-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/848-252-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1108-148-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1128-172-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1180-298-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1368-376-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1416-404-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1424-360-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1440-64-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1480-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1576-39-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1620-236-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1636-428-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1664-268-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1708-386-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1732-176-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1760-430-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1768-188-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1852-370-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1856-128-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1908-322-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1936-228-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2276-104-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2404-314-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2428-16-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2484-316-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2488-406-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2528-256-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2580-96-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2756-334-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2924-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3020-280-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3316-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3524-398-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3596-412-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3696-392-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3856-119-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3860-346-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3904-328-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3928-152-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4056-286-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4140-340-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4252-262-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4264-28-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4292-221-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4304-368-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4344-244-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4456-72-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4532-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4632-304-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4776-418-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4804-84-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4824-48-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4876-274-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5008-160-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5052-212-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5080-32-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5084-436-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5112-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/6852-1938-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/7288-1937-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/7296-1923-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/7388-1928-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/7616-1946-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/7764-1919-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/7768-1944-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/7900-1932-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/7916-1925-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/7924-1942-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8024-1931-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8040-1918-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8056-1917-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8132-1916-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8272-1914-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8296-1893-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8328-1892-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8352-1912-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8396-1911-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8420-1891-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8440-1910-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8544-1907-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8568-1889-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8588-1906-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8664-1904-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8852-1885-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8924-1884-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/9000-1883-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/9080-1898-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/9204-1895-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads