05dd29a1e250065420b8f8fb4a70d03888899a44363bd40b3aac18f3af5e99b5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05dd29a1e250065420b8f8fb4a70d03888899a44363bd40b3aac18f3af5e99b5.exe
Size

390KB
MD5

16245e49bced9fab47e0cf74466e754f
SHA1

92ba74be5ac82fe1f207465d34752eb8919aaf04
SHA256

05dd29a1e250065420b8f8fb4a70d03888899a44363bd40b3aac18f3af5e99b5
SHA512

8f8ce481ddad70d903315085420c206d970e3b8f8439cd1f29e8d18de9b770b05b980a7fdd7456dd90842f2dd8603c05726d0c166bcda68f71ef3367585a9135
SSDEEP

6144:m3DZfXJWv/4p6CbArLAZ26RQSFSTHAjhV:gDZxW+g426RQS2IhV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chbnia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eocenh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfembo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgqln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eekaebcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdhfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icifbang.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddbbeade.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hecmijim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcagkdba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmhale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fchddejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfngap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hofdacke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfoiokfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elppfmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdgdgnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alfkbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qloebdig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blpnib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe

Executes dropped EXE 64 IoCs

pid	Process
1312	Pgmcqggf.exe
4804	Paegjl32.exe
4900	Pjmlbbdg.exe
2116	Qnkdhpjn.exe
1904	Qloebdig.exe
4140	Acjjfggb.exe
8	Ajdbcano.exe
4696	Aanjpk32.exe
2652	Aldomc32.exe
2380	Aelcfilb.exe
1136	Alfkbc32.exe
1172	Abpcon32.exe
4032	Aeopki32.exe
2460	Alhhhcal.exe
2008	Aaepqjpd.exe
3964	Bdhfhe32.exe
512	Blpnib32.exe
4392	Bjbndobo.exe
3236	Behbag32.exe
1032	Bldgdago.exe
776	Bhkhibmc.exe
3720	Boepel32.exe
3188	Chpada32.exe
3568	Cknnpm32.exe
536	Chbnia32.exe
1344	Clpgpp32.exe
2740	Cehkhecb.exe
3496	Dekhneap.exe
1808	Dldpkoil.exe
3164	Dboigi32.exe
2696	Ddbbeade.exe
4560	Dlijfneg.exe
1556	Dddojq32.exe
1488	Dkoggkjo.exe
3056	Dceohhja.exe
4304	Dhbgqohi.exe
3668	Echknh32.exe
3644	Edihepnm.exe
228	Elppfmoo.exe
2424	Ecjhcg32.exe
1348	Eeidoc32.exe
2404	Ehgqln32.exe
2316	Eoaihhlp.exe
1048	Eekaebcm.exe
2228	Ehimanbq.exe
4880	Ekhjmiad.exe
4400	Eocenh32.exe
3036	Eabbjc32.exe
3676	Edpnfo32.exe
4296	Elgfgl32.exe
3096	Ecandfpd.exe
1168	Fohoigfh.exe
2032	Fafkecel.exe
4468	Fllpbldb.exe
2388	Faihkbci.exe
4248	Fdgdgnbm.exe
3760	Flnlhk32.exe
3260	Fchddejl.exe
1128	Ffgqqaip.exe
1892	Flqimk32.exe
968	Fckajehi.exe
4416	Fdlnbm32.exe
1520	Flceckoj.exe
2120	Foabofnn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dboigi32.exe	Dldpkoil.exe
File created	C:\Windows\SysWOW64\Kmijbcpl.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Eocenh32.exe	Ekhjmiad.exe
File created	C:\Windows\SysWOW64\Gcddpdpo.exe	Gmjlcj32.exe
File created	C:\Windows\SysWOW64\Jcefno32.exe	Jlnnmb32.exe
File created	C:\Windows\SysWOW64\Lmdina32.exe	Lboeaifi.exe
File opened for modification	C:\Windows\SysWOW64\Mmnldp32.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Cknnpm32.exe	Chpada32.exe
File created	C:\Windows\SysWOW64\Icifbang.exe	Ikbnacmd.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Gofkje32.exe	Glhonj32.exe
File created	C:\Windows\SysWOW64\Dekhneap.exe	Cehkhecb.exe
File created	C:\Windows\SysWOW64\Kipkhdeq.exe	Kbfbkj32.exe
File opened for modification	C:\Windows\SysWOW64\Likjcbkc.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Edihepnm.exe	Echknh32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Icplcpgo.exe	Ipdqba32.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Klgqcqkl.exe
File opened for modification	C:\Windows\SysWOW64\Kfoafi32.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Eeijge32.dll	Alhhhcal.exe
File created	C:\Windows\SysWOW64\Bldgdago.exe	Behbag32.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Pghdbegp.dll	Alfkbc32.exe
File opened for modification	C:\Windows\SysWOW64\Gcagkdba.exe	Gofkje32.exe
File created	C:\Windows\SysWOW64\Npibja32.dll	Ipdqba32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Qdldlm32.dll	Pgmcqggf.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Behbag32.exe	Bjbndobo.exe
File created	C:\Windows\SysWOW64\Kpjcdn32.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Blpnib32.exe	Bdhfhe32.exe
File created	C:\Windows\SysWOW64\Hijooifk.exe	Hbpgbo32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Fchddejl.exe	Flnlhk32.exe
File opened for modification	C:\Windows\SysWOW64\Mpoefk32.exe	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Kdnidn32.exe	Klgqcqkl.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Fdgdgnbm.exe	Faihkbci.exe
File opened for modification	C:\Windows\SysWOW64\Lbmhlihl.exe	Llcpoo32.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Ecandfpd.exe	Elgfgl32.exe
File created	C:\Windows\SysWOW64\Gnchkk32.dll	Ibnccmbo.exe
File created	C:\Windows\SysWOW64\Fllpbldb.exe	Fafkecel.exe
File opened for modification	C:\Windows\SysWOW64\Fbpnkama.exe	Foabofnn.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Hmjdjgjo.exe	Hecmijim.exe
File created	C:\Windows\SysWOW64\Afomjffg.dll	Imfdff32.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Edpnfo32.exe	Eabbjc32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9892	9836	WerFault.exe	423

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcoimpn.dll"	Gcagkdba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdcdbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hofdacke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmlocln.dll"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggacefk.dll"	Ffgqqaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iledokkp.dll"	Imakkfdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hofdacke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laffdj32.dll"	Himldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihdea32.dll"	Edihepnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aainof32.dll"	Ekhjmiad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcojed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdejo32.dll"	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eabbjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhkicgk.dll"	Gdcdbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oalnaifk.dll"	Flceckoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngknngal.dll"	Gkhbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihbijhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbhll32.dll"	Hkikkeeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecjhcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgkhn32.dll"	Eeidoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoogcin.dll"	Hcpclbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eheqhpfp.dll"	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejpjp32.dll"	Foabofnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjjfggb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dekhneap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 1312	3712	05dd29a1e250065420b8f8fb4a70d03888899a44363bd40b3aac18f3af5e99b5.exe	85
PID 3712 wrote to memory of 1312	3712	05dd29a1e250065420b8f8fb4a70d03888899a44363bd40b3aac18f3af5e99b5.exe	85
PID 3712 wrote to memory of 1312	3712	05dd29a1e250065420b8f8fb4a70d03888899a44363bd40b3aac18f3af5e99b5.exe	85
PID 1312 wrote to memory of 4804	1312	Pgmcqggf.exe	86
PID 1312 wrote to memory of 4804	1312	Pgmcqggf.exe	86
PID 1312 wrote to memory of 4804	1312	Pgmcqggf.exe	86
PID 4804 wrote to memory of 4900	4804	Paegjl32.exe	87
PID 4804 wrote to memory of 4900	4804	Paegjl32.exe	87
PID 4804 wrote to memory of 4900	4804	Paegjl32.exe	87
PID 4900 wrote to memory of 2116	4900	Pjmlbbdg.exe	88
PID 4900 wrote to memory of 2116	4900	Pjmlbbdg.exe	88
PID 4900 wrote to memory of 2116	4900	Pjmlbbdg.exe	88
PID 2116 wrote to memory of 1904	2116	Qnkdhpjn.exe	89
PID 2116 wrote to memory of 1904	2116	Qnkdhpjn.exe	89
PID 2116 wrote to memory of 1904	2116	Qnkdhpjn.exe	89
PID 1904 wrote to memory of 4140	1904	Qloebdig.exe	90
PID 1904 wrote to memory of 4140	1904	Qloebdig.exe	90
PID 1904 wrote to memory of 4140	1904	Qloebdig.exe	90
PID 4140 wrote to memory of 8	4140	Acjjfggb.exe	91
PID 4140 wrote to memory of 8	4140	Acjjfggb.exe	91
PID 4140 wrote to memory of 8	4140	Acjjfggb.exe	91
PID 8 wrote to memory of 4696	8	Ajdbcano.exe	92
PID 8 wrote to memory of 4696	8	Ajdbcano.exe	92
PID 8 wrote to memory of 4696	8	Ajdbcano.exe	92
PID 4696 wrote to memory of 2652	4696	Aanjpk32.exe	93
PID 4696 wrote to memory of 2652	4696	Aanjpk32.exe	93
PID 4696 wrote to memory of 2652	4696	Aanjpk32.exe	93
PID 2652 wrote to memory of 2380	2652	Aldomc32.exe	95
PID 2652 wrote to memory of 2380	2652	Aldomc32.exe	95
PID 2652 wrote to memory of 2380	2652	Aldomc32.exe	95
PID 2380 wrote to memory of 1136	2380	Aelcfilb.exe	96
PID 2380 wrote to memory of 1136	2380	Aelcfilb.exe	96
PID 2380 wrote to memory of 1136	2380	Aelcfilb.exe	96
PID 1136 wrote to memory of 1172	1136	Alfkbc32.exe	97
PID 1136 wrote to memory of 1172	1136	Alfkbc32.exe	97
PID 1136 wrote to memory of 1172	1136	Alfkbc32.exe	97
PID 1172 wrote to memory of 4032	1172	Abpcon32.exe	98
PID 1172 wrote to memory of 4032	1172	Abpcon32.exe	98
PID 1172 wrote to memory of 4032	1172	Abpcon32.exe	98
PID 4032 wrote to memory of 2460	4032	Aeopki32.exe	99
PID 4032 wrote to memory of 2460	4032	Aeopki32.exe	99
PID 4032 wrote to memory of 2460	4032	Aeopki32.exe	99
PID 2460 wrote to memory of 2008	2460	Alhhhcal.exe	100
PID 2460 wrote to memory of 2008	2460	Alhhhcal.exe	100
PID 2460 wrote to memory of 2008	2460	Alhhhcal.exe	100
PID 2008 wrote to memory of 3964	2008	Aaepqjpd.exe	102
PID 2008 wrote to memory of 3964	2008	Aaepqjpd.exe	102
PID 2008 wrote to memory of 3964	2008	Aaepqjpd.exe	102
PID 3964 wrote to memory of 512	3964	Bdhfhe32.exe	103
PID 3964 wrote to memory of 512	3964	Bdhfhe32.exe	103
PID 3964 wrote to memory of 512	3964	Bdhfhe32.exe	103
PID 512 wrote to memory of 4392	512	Blpnib32.exe	105
PID 512 wrote to memory of 4392	512	Blpnib32.exe	105
PID 512 wrote to memory of 4392	512	Blpnib32.exe	105
PID 4392 wrote to memory of 3236	4392	Bjbndobo.exe	106
PID 4392 wrote to memory of 3236	4392	Bjbndobo.exe	106
PID 4392 wrote to memory of 3236	4392	Bjbndobo.exe	106
PID 3236 wrote to memory of 1032	3236	Behbag32.exe	107
PID 3236 wrote to memory of 1032	3236	Behbag32.exe	107
PID 3236 wrote to memory of 1032	3236	Behbag32.exe	107
PID 1032 wrote to memory of 776	1032	Bldgdago.exe	108
PID 1032 wrote to memory of 776	1032	Bldgdago.exe	108
PID 1032 wrote to memory of 776	1032	Bldgdago.exe	108
PID 776 wrote to memory of 3720	776	Bhkhibmc.exe	109

C:\Users\Admin\AppData\Local\Temp\05dd29a1e250065420b8f8fb4a70d03888899a44363bd40b3aac18f3af5e99b5.exe
"C:\Users\Admin\AppData\Local\Temp\05dd29a1e250065420b8f8fb4a70d03888899a44363bd40b3aac18f3af5e99b5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\SysWOW64\Pgmcqggf.exe
  C:\Windows\system32\Pgmcqggf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\Paegjl32.exe
    C:\Windows\system32\Paegjl32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\SysWOW64\Pjmlbbdg.exe
      C:\Windows\system32\Pjmlbbdg.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\SysWOW64\Qloebdig.exe
        
        C:\Windows\system32\Qloebdig.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Acjjfggb.exe
        
        C:\Windows\system32\Acjjfggb.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Ajdbcano.exe
        
        C:\Windows\system32\Ajdbcano.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Aanjpk32.exe
        
        C:\Windows\system32\Aanjpk32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Aldomc32.exe
        
        C:\Windows\system32\Aldomc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Aelcfilb.exe
        
        C:\Windows\system32\Aelcfilb.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Abpcon32.exe
        
        C:\Windows\system32\Abpcon32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Aeopki32.exe
        
        C:\Windows\system32\Aeopki32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Alhhhcal.exe
        
        C:\Windows\system32\Alhhhcal.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Aaepqjpd.exe
        
        C:\Windows\system32\Aaepqjpd.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Blpnib32.exe
        
        C:\Windows\system32\Blpnib32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Behbag32.exe
        
        C:\Windows\system32\Behbag32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Boepel32.exe
        
        C:\Windows\system32\Boepel32.exe
        23⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Chpada32.exe
        
        C:\Windows\system32\Chpada32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Cknnpm32.exe
        
        C:\Windows\system32\Cknnpm32.exe
        25⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        27⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        31⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        33⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        35⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        36⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        37⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        44⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        46⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        50⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        52⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        53⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        55⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        61⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        62⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        63⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        66⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        67⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        68⤵
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        69⤵
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4028
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        74⤵
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        76⤵
        
        PID:864
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        77⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        78⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        79⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        80⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        81⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        83⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        84⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        85⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        87⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        88⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        89⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        90⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        91⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        93⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        94⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        95⤵
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        96⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        100⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        101⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        102⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        103⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        105⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        106⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        109⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        110⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        111⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        112⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        114⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        115⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        116⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        117⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        118⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        120⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        122⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        125⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        127⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        128⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        130⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        131⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        132⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        134⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        136⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        137⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        138⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        139⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6180
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        141⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        142⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        143⤵
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        144⤵
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        145⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        147⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        148⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6612
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        152⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        153⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        154⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        155⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        156⤵
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        157⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6972
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7012
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        160⤵
        Modifies registry class
        
        PID:7052
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7088
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        162⤵
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        164⤵
        Drops file in System32 directory
        
        PID:6268
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        165⤵
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        166⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        167⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        168⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        169⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        170⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        171⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        172⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        173⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        174⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7008
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        176⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        177⤵
        Drops file in System32 directory
        
        PID:7128
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        178⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        179⤵
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        180⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        182⤵
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6808
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6920
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        185⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        186⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        187⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        188⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        189⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        190⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        191⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        192⤵
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        193⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        194⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        195⤵
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        196⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        197⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        198⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        199⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        200⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        201⤵
        Modifies registry class
        
        PID:7232
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        202⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        203⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        204⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        205⤵
        Drops file in System32 directory
        
        PID:7432
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        206⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        207⤵
        Modifies registry class
        
        PID:7532
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        208⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        209⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        210⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7740
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        212⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        213⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7820
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        214⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        215⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        216⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        217⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        218⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        219⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        220⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8124
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        221⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        222⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        223⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        224⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        225⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        226⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        227⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        228⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        229⤵
        Drops file in System32 directory
        
        PID:7808
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7876
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        231⤵
        Modifies registry class
        
        PID:7904
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7992
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8084
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        234⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7116
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7344
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        237⤵
        Modifies registry class
        
        PID:7540
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        238⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        239⤵
        Modifies registry class
        
        PID:7804
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7896
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        241⤵
        Drops file in System32 directory
        
        PID:8020
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        242⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        243⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        244⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        245⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        246⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8160
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        248⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        249⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7184
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7728
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        252⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8112
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        254⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        255⤵
        Modifies registry class
        
        PID:8240
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8284
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8332
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        258⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        259⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8464
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        261⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        262⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        263⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        264⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        265⤵
        Modifies registry class
        
        PID:8680
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8716
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        267⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        268⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        269⤵
        Drops file in System32 directory
        
        PID:8844
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8884
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        271⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8928
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        272⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        273⤵
        Drops file in System32 directory
        
        PID:9012
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        274⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9104
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        276⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        277⤵
        Drops file in System32 directory
        
        PID:9184
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        278⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        279⤵
        Modifies registry class
        
        PID:8248
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        280⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        281⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        282⤵
        Modifies registry class
        
        PID:8452
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        283⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8596
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        285⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        286⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        287⤵
        Drops file in System32 directory
        
        PID:8820
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        288⤵
        Drops file in System32 directory
        
        PID:8880
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        289⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9028
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        291⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        292⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9180
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        293⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        294⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        295⤵
        Modifies registry class
        
        PID:7888
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        296⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        297⤵
        Modifies registry class
        
        PID:8648
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        298⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        299⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        300⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        301⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        302⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        303⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        304⤵
        Drops file in System32 directory
        
        PID:8700
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        305⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        306⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9000
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        307⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        308⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        309⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        310⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        311⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        312⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        313⤵
        Drops file in System32 directory
        
        PID:8348
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        314⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9232
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        315⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9276
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        316⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        317⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        318⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        319⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        320⤵
        Drops file in System32 directory
        
        PID:9488
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        321⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        322⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        323⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        324⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9660
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        325⤵
        Drops file in System32 directory
        
        PID:9708
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        326⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        327⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        328⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9836 -s 400
        329⤵
        Program crash
        
        PID:9892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 9836 -ip 9836
1⤵
PID:9864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaepqjpd.exe

Filesize
390KB

MD5
72fbd2b99b72c25a37b43826a2255511

SHA1
e9ec2c3e9c4d628593ba4e5ea1ea1df54c261085

SHA256
cd665298cb4dee37fef8cc68e35dc3a1ee55471a917fd011389668247893eefe

SHA512
d4c46912cbd1aed05fc5050643db5ac84b737214968a27cd194e7d42a7f6813ccbc57764a9ca0c9c8ca8e8d7dfe1e6add9112f8e738eed77653cb2e9f5d80b96

Download Submit
C:\Windows\SysWOW64\Aanjpk32.exe

Filesize
390KB

MD5
37c739b599b8ab51c6634da731f47ed2

SHA1
817c3a2d4abf6898f32600c4ce3f064f7f4e0d9c

SHA256
ebefb0596e2990a3cc2259156f60f68cdee5033953125e39710d806c3b83449a

SHA512
deaf00396e36e1ebde9f3cf9a43fff13bdb243fe087f781deefc6ca76abc584a6de65761a4ea24d78de2511ed570a1832941a78a205050860a2df98aa23252f7

Download Submit
C:\Windows\SysWOW64\Abpcon32.exe

Filesize
390KB

MD5
d8683881d3228de62d344ce7b045f6c9

SHA1
b1402a1b547a477f3e35d4a9abd02e186c8212a9

SHA256
41a301d16093f58efed289f45342bb3cac277f8288321afa6c689487f4e24823

SHA512
46223f040889b94796ac5fd0a55a52378ed688da76ac2b3bb6182380a39fc2a0a3cfca30a1a13132224fb6b77fd20cff45ed9dfc83084f0b546ddc52794c2ffa

Download Submit
C:\Windows\SysWOW64\Acjjfggb.exe

Filesize
390KB

MD5
9736ba6753e97c239c32d0c3a2b75fe1

SHA1
4c135357b25e4bc7135180c1d95c1d29523e1da1

SHA256
13b7f1a7a0d6b824feff4402dafceff47bb1aa533750d502e555e6b7e123720f

SHA512
b521569392ebebe8fab05705b287c7924733f599d77729d8b4a72f0513e2ea88301a2c946df79803a95be869885eac8bb941b12e84751f33416b9515254c28a4

Download Submit
C:\Windows\SysWOW64\Aelcfilb.exe

Filesize
390KB

MD5
b6e7f72c58d5520900ffc4a4c066776e

SHA1
1e708c9c22aa1b4fdc495bc0d4ff373a62ddc0ee

SHA256
84258d9337ec0bdab4522e858487d1f7189603ff26ce84915b17bd692d16b240

SHA512
56dffc84c8a5521ddea5ad35c7bf71c7f056c7afae6d3040d567de747f36a96a844e0ed4801d9d0592c189f29139d2b93c9420076222dec0e9452c4b443781c4

Download Submit
C:\Windows\SysWOW64\Aeopki32.exe

Filesize
390KB

MD5
53b8c3e2b92614e0a7ad44d946cb72f8

SHA1
b593a9144f6cf8497edb3ffd3347f2a628ef6e68

SHA256
1b406a013347031fcaa1a5108f4d8dfc9df7a7e073452be12b82b7601cca4120

SHA512
3b27719291699cab99f56687bc8003b46ce4aabdb298b3ef9684d876e5856d3c7aab8a0d03abae20d5b57eeb92e8081997061f6c13105f14c1221d9888791c47

Download Submit
C:\Windows\SysWOW64\Ajdbcano.exe

Filesize
390KB

MD5
5faa2f802d1de818d0a4534f11a6dcca

SHA1
afefcc6dacc1647d431d95f668f6f8fc1222d4e6

SHA256
048760c284740ff5cf71bd01b01039b64dad66ebadd6306ae7a319c0dcb19aa7

SHA512
e28153ab108c83d3f18c446559b9ab4d72e7d6e483e79881f34811ee51cb67e2d0bfcf3f8a0ee2318417eaaac40433fab59ef19f9d950bdb7e619bea9470cc2c

Download Submit
C:\Windows\SysWOW64\Aldomc32.exe

Filesize
390KB

MD5
9c30e50109ceb1ff66c9692f4a621a59

SHA1
4c0b956d7fbc1f209dbceec401d2ca1a5c69090b

SHA256
540a9b804c8d7dc203dac3e11a4b476cbebb7e6deafcf570ea94bc41d479988d

SHA512
ca9925d7353da01ff886a25b9bcedca6561cd65976f2a7a59d95a2bf4277030c2cb296fb19f865528538bd1008c20c6de599f8a82eb469dfd2d680d8b979be6c

Download Submit
C:\Windows\SysWOW64\Alfkbc32.exe

Filesize
390KB

MD5
56d4220343a77d69794f2a64fda4c8f7

SHA1
e7117dbda3f4c7e94908835b10965bac447f32be

SHA256
87d77c04e7002b694ed694eb8b0b74a3e441a2efdddc73367a39ffe2e30eb762

SHA512
25c9a37f22575817a4238e09ff6b1085121f372b52b2f1fcbd350a2510df0d977de6ea5d5f939e51bc6e178954e1f5c5a2bd69dbabc8558ad8489d1241cb3e54

Download Submit
C:\Windows\SysWOW64\Alhhhcal.exe

Filesize
390KB

MD5
a7ee588e010e391c5e855999c334ecb1

SHA1
42649309d6910b2938e37688d913f3420a9e1e1d

SHA256
d8728713989a2057a402849293fb5f1d898f4c57e01291d537cb50839bb2f6dc

SHA512
2bdd7acf547f1a4224cf966df5e67b52d87129881e06da5d7b3e1c21394380c97ae49ed2103c58797db9c63825179901e0684eb700a971c6514e90bb91ac23f5

Download Submit
C:\Windows\SysWOW64\Bdhfhe32.exe

Filesize
390KB

MD5
6f90a90e5b051cdafac2331a7260f05e

SHA1
9d8a926e863093ba367a2d82f3649fb3330d488c

SHA256
b8e4c1f9bc446a5ee171fb630c1a8d517e8850f6151fdc34a4ff821a42c4a9e8

SHA512
59aeb61def32bda279a0448b0e28fc493ee0c23d97519ee4d596c33cdc2f213b9d74194ee49766cb1868c893232cb60846efd096fd3fb33ce84dab0cae54218e

Download Submit
C:\Windows\SysWOW64\Behbag32.exe

Filesize
390KB

MD5
953ac05fbb372aa9a08155ba3348f670

SHA1
1b0279ef9e7ca8a93f3cb83972db02bfd790be83

SHA256
498360653580f21c88f3f0c59e644c29895f57d2bfe748614d69fed0667420ef

SHA512
f3623c0447c3cc0be6e6decd01bf155da940c2d33fcea6e53ab05088d7aa6069da5bcb614f27589cf61a13f8d892bc7bbf778c0d06e78c56f5ac2ebf6ad41b4a

Download Submit
C:\Windows\SysWOW64\Bhkhibmc.exe

Filesize
390KB

MD5
67135949de1539cc28febb720aae2f09

SHA1
eb7497e3067e3d03869525807a24341e4a9179c8

SHA256
51c5d6403bc34ffc64d6a087626ba0d0e320343b259adf491133ad81ece6e4bb

SHA512
568f01bae6d786502503a9a66fa600cd22bbcd1f5d9920f44fc978dcc5de2db94426dcdc39d0ee325c855564a7790a86d329ecaef7d2ea3c2668953ad5082ebc

Download Submit
C:\Windows\SysWOW64\Bjbndobo.exe

Filesize
390KB

MD5
8130ca6265450e3ac9a571bfa964a49f

SHA1
31dc8e6d4203b9ebb26f1271e8ca1b1afb44d33d

SHA256
e1f817870fc2d3a32dc977fbedff14052e139274acad714bf3b98a82edb6d599

SHA512
6258dff9025997e235009ffce10c56d08c9c07f6ee95943b7a5ff0fbbafc45569a4df0579bcb63252aaf454a549b4d48d8572f9dcc4a7092b5f90925cab0f930

Download Submit
C:\Windows\SysWOW64\Bldgdago.exe

Filesize
390KB

MD5
67244e62d4b103d82adcd449110e288d

SHA1
530ec952d7a514530df7fb47856879597b01d70f

SHA256
aa174b7cf1579dd43e4a50107b60e4c98c2335bcf2e60920196a4da83d0b115c

SHA512
42203da05665a76a0393c300c1db3782a1cf0d872931979f82bf1710d7f8f97ae65b085e72bd738cf3b7e41f538ae15f30a2f2b8331d53340c2bf700ded1cd0f

Download Submit
C:\Windows\SysWOW64\Blpnib32.exe

Filesize
390KB

MD5
f79c1a261f395b884aaf992ad85aae02

SHA1
12757bf949731c63e1cdfa8fe99acf07d06f93de

SHA256
ec7939b20c7f0de9740a33f26ed6ba62aa91f614efb19a15ec09262ff511a7f1

SHA512
2e04681edb2500bcf0cd3fcbc4969d4134e7f87c2c8c51e745548c643d02530fed71646c1822912ab572db301fbeb62c5f8efba32ca2722c64b3b07d3f1c5595

Download Submit
C:\Windows\SysWOW64\Boepel32.exe

Filesize
390KB

MD5
9ec5051c757dc53cbde856dede0ee47b

SHA1
af0db82a4ebc08ac4e01f03e5038ccb93af936cf

SHA256
bc9aa3980a9efa25ba0eca4116557b4a3b3b7019e5483d25c5d1f6cbde987af0

SHA512
389fae8a6b426c6250213762d24a1a5a415254307544a9c6d0a67419b6bc2681321b6cf0cfc4cff39d3b6192737e968c723ca222673d8f919d03f48f980e2157

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
390KB

MD5
cec6a76aef787d4e0c9e01238a061cf1

SHA1
a6e316eeb657a6a30c1ef42b5a09074f8964b301

SHA256
52b1d369b022b9ae590dc2052ede1c3788d7e07e5d6b14ea76fb607b4930924f

SHA512
1e1fe3b6b0cb5854cd743fdb6a5af532889e3db88717b2662e604954eef4a25fe746f400f68ee04c9e1826779850871a00fc2507e96271e228d736f30dd4af4c

Download Submit
C:\Windows\SysWOW64\Cehkhecb.exe

Filesize
390KB

MD5
f98ed5dcea431730c1f61e45383ad720

SHA1
72582f07de3f22049dada1de6a05d3842d7f8b3e

SHA256
55265cfb29c52b0ca946617a55c66f53cd86950818008d05506f56fe2946279c

SHA512
4e864ce144748964fc1c632301b5c7dbf5a8a095bb2a5d9088d9e288c0e627159e1ad231b110addc5947fc42cf957d0f6f43b041d881f72a82087dda5933a3da

Download Submit
C:\Windows\SysWOW64\Chbnia32.exe

Filesize
390KB

MD5
c4859679cf023fb4f164e1379c524008

SHA1
5ba48fd13145fcc8e5b44f096b1e28727e983872

SHA256
6739102490108f1505ab3b7452fbc6b96ffcbbf8e892c54a812626fdde36006f

SHA512
ec99a083c68c8f918815d9936922f84d9d806d02838f29cd992983a415fbb6f8a3e6f00fe600fd750903e6b8f058cbabb539526311df48eee53bce3ac740a3c6

Download Submit
C:\Windows\SysWOW64\Chpada32.exe

Filesize
390KB

MD5
2a5360233feee1ea02dd1c72dbb9e87c

SHA1
cac8050eaa0f6df1e20484ec6235a466b94d3cad

SHA256
5b941ff02c829a34c118b7620d471cfa28ac225f7f02f9175216a558ca625f8c

SHA512
0fcba81beede68667b1d1447f51b1475ddbf80aa5ea8c948e9450b778a4b764c837131dec6b44a248ae78364aca324d1990b58b3458bcf53799ed572482d21e4

Download Submit
C:\Windows\SysWOW64\Cknnpm32.exe

Filesize
390KB

MD5
1b3afc82b8b270359d647be47431d6be

SHA1
e3af90932819f6d81d2b5378478b3daa4fb93c6b

SHA256
a1ff469203be32d91b0ea2a558fd80df4a890e17fbebd0592e5083af5285302a

SHA512
1d226185f1e160393f197b5df0c60d58cbabad7e33932bb7650df898c8e4458f54e4903188ef61080372c4c1f0aa90a9e56c84f53b8aad3c6abee47256c56c6e

Download Submit
C:\Windows\SysWOW64\Clpgpp32.exe

Filesize
390KB

MD5
d6be67d60c604ca092b9efc0174d43f1

SHA1
ef71a4969428cd9b59a035881d16954687b844f9

SHA256
8bf97dd3da540856e221d12479aedffeea625807b1495339a39f3d7c8a1ff2b8

SHA512
6773e945c7df8177b001a8e108302aa4db6a032d05889b4295d4ac672c113ec77072965b4f5f8e22b5b1ee5c01ee4972330c5286065c23504ec73eeb1ca92434

Download Submit
C:\Windows\SysWOW64\Dboigi32.exe

Filesize
390KB

MD5
7830a45711580c9d8f2013db6b066ce5

SHA1
cd668c972b6de085cf8f1a8a813188ab00db175c

SHA256
7b1a3b303603c177eff1a581ad7aae4d42492f4abebc66117ee5774c889fd84a

SHA512
6a934a3b962433cb5e06127444781d83d9c8e1783e607b794fb9ac4e8dde6be06dcd4e9058db03a99fb023d052a2f1ff220586e6be4bd17489eade1abdcd04dd

Download Submit
C:\Windows\SysWOW64\Dceohhja.exe

Filesize
390KB

MD5
22fd447ff4cde89f68dd140c4f2c23f8

SHA1
1b57d0c63af44faa40716b80be75352e823d60cb

SHA256
46da2f727086612e82adc6a274b3595924f6cb904cd338087b2c3cb655a1a808

SHA512
5f49a8335563155ff5ceba4ec9eaf3faedc1a9f3fdc5beab9363342f5581436679a7acbe2db59d96749c327401ec68f63a1d98843eb5418aaee744638261ec33

Download Submit
C:\Windows\SysWOW64\Ddbbeade.exe

Filesize
390KB

MD5
8ee58c34975e125386bdaf9bf7314db9

SHA1
2a6237456f8350266a275d0f2a58551adc450edf

SHA256
818ca0d21f563d79209abb2d1eba6dfedb434034029b7c6c4817b47148cf1671

SHA512
d4f8a23c048cf059692cb2409a958c4bda99ce708f9fc5d901093eae2e14d811d3cf4314d6226a3bd3bd4f9fd3c4f1aace05ecf2247ca50b9078bdb9aa5d83b6

Download Submit
C:\Windows\SysWOW64\Dekhneap.exe

Filesize
390KB

MD5
7b5e6a7dcdbe29cac51baf2f8d4f4bdc

SHA1
00a570d91abbee2a45b47a2c4daaf5efa82f6d90

SHA256
732fc8b718716828fc212f6fa70b63420229debfc45ec5e6675d34f759301627

SHA512
d45e666f42adbff3fdcb7d0abb58a987a170e45df66b16b2d1557013756e0130cec5129e10585271ea6b90842200b6f459c6eb7a63a6203359395070098b2350

Download Submit
C:\Windows\SysWOW64\Dldpkoil.exe

Filesize
390KB

MD5
b0475282f65b5eb535d127a7f5f99ef3

SHA1
07e8c5f63a85936ededf87644b736d3535feda86

SHA256
beff4aece33aa171af4439ea6d9394f315f56663d83895444afe3160a858b650

SHA512
dfc1a15f09282cc9e6ef8615accacaa1df6d37f4e00cca0ac2f211e2c8b0fd43ceaec45980db69bc2efbba936ff04aa11397a46f7273eff6212a333484cf96f9

Download Submit
C:\Windows\SysWOW64\Dlijfneg.exe

Filesize
390KB

MD5
281e87478e8d1bf75032dfad4673ebfd

SHA1
df8338f1c7537cd7b1cb207c6273710aabb19ba7

SHA256
7edd3a53ef777e98a23cd6d7f65a7cd19e96be78f535573127da9b0b9feb2883

SHA512
38c246616ca91816c7eaed68fc72045156682bf2858bcec061dcdd2809cc819cd567628d16c2d4f6ab4fff5a90649187f34e088ece3cc28977e9f6e647886b7d

Download Submit
C:\Windows\SysWOW64\Fllpbldb.exe

Filesize
390KB

MD5
76e4c4356bfaacef515ea468aca4e452

SHA1
8888181a0d99e3d59eb6bcda974933ac4be7bd0e

SHA256
606f4a6901306b359e630cc402dc722bd804bb747592334cbbf10d3066344703

SHA512
07ec5782832ce45ac9cef1a1231a32fe293e30e2e005499246ca252ba7fea4c1dec2a82aea8b6559db0640134cf14569313aa6eed2476ee8fc02f0e3796ec743

Download Submit
C:\Windows\SysWOW64\Gfembo32.exe

Filesize
390KB

MD5
f41484070862a15f1f8a85b3b53db938

SHA1
b20ec8e1f07daa419485ab894002cb6602c553b7

SHA256
2858228d4384f067cdf36eb77b4c7d2ac458df42b0ff349f8c8e47cfa08b938a

SHA512
b8fcc1d63a2a70185a572d679cd382a6ee8232977dc454762225180e133816dde2d47b5a7bb4ebc2b5cf8607382b33b09ca37c4ce8cfe5f4689201ff7ce349e0

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
390KB

MD5
6222670e1182365502ff5dba45d9b315

SHA1
76a594a322380280836bccdad1e520738baeaa64

SHA256
0a7702b54a0c3f925447e9cbe0161f65f4fe809f2e181f3e5b2600ff359bfb11

SHA512
87967f1a56a884bdd6703b4b10ab3aa22ee297016ee352fe1db2e2ea31906d7fc604319f047819e10683ee8277c45e76bc2c485e39ad6d38734c7264cf1f1e5e

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
390KB

MD5
8acfcf6a0f93827f51c7935fc629827f

SHA1
f763ecf2b0ec4b8c8c9aa9f20bcce7c9a97374ff

SHA256
ee0136b440e7bf0f2df8441ef7a258efc8e0976945fd613a0bdb8ec8c7e4294f

SHA512
e8400e79933e9d72c2f9039fd18e0ba3daf9f2091c82b101ecfd73c62ed0eee02b73b67f5f6532bc23dc35fdbd0617cc2db97fbd39de1f08482a0f8b0c19f9ea

Download Submit
C:\Windows\SysWOW64\Paegjl32.exe

Filesize
390KB

MD5
5a99435f9fcbe84a3f700c859d56a063

SHA1
f089b0bca8f0232abb94f0839f47d05bddc030a7

SHA256
d8aebeef8e51dae90c039556286c7d08e98f67860bc4358776fee7c59c1f6153

SHA512
5cc48f0392ae97d1b5c116f21ee958f706a436cdbf4811c98f98f03e590eeaf5fc38e4c250ae1ab90ec151fb04b7d1d4c0e8a1bc41021adafb08e64882cd3e7b

Download Submit
C:\Windows\SysWOW64\Pgmcqggf.exe

Filesize
390KB

MD5
51fa1575ab6991e710dea31d01620c1d

SHA1
0006e686e508883373dde4c7c933c486b784df08

SHA256
16953b2f272e2c44d11cea075daed657f800358338ae743d9d09da4e60b382b7

SHA512
d0288054343d37d5dc877115fdc0ecab8d38656afe950ef2bc53c73c76c0a2fdb998b8d871239aca74b16f18f273a2479dfcc56dbaef006a0e2e20d3b5288e55

Download Submit
C:\Windows\SysWOW64\Pjmlbbdg.exe

Filesize
390KB

MD5
fae39392a8d33ae72c76bebc9cb1b19e

SHA1
ac9ae8941350e482e70a912348eaaa5cf8fea9b7

SHA256
e3393a6f3558acf045d7bad4021bd2b58d661766962ea0cdbfbbcad778b61c1e

SHA512
145c8d6ba2b167e8aa89e6a508444893558339f35ad85f08b3d6d412b36fb1ce0a990d8715a97572029c57523257004170ea7e021116c2fc9d86a6c0dd85bf4b

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
390KB

MD5
610a1d413a23a755fdede7cd3cf81c10

SHA1
80e310130ed458c20f59ffa2e38d09b1b0b375e4

SHA256
b972c9b36f57b3bab07a6fd58ed42147bd825fd1321fa616bfa64461fc02c2d1

SHA512
a8071a53f1a19ded82cb92dc3a6163720224759e4d001249095e56e09e64b872debad9fe425931f5fcc591d38b2d51cdaa19dbf4f8d0448f615672792b7c09c0

Download Submit
C:\Windows\SysWOW64\Qloebdig.exe

Filesize
390KB

MD5
26ec372e796436aa1045fe2e37063b81

SHA1
3b0cdd7f5dac1cf2b4da24392caaace38e0ace2e

SHA256
9fe07f790e821f6423f4db620b801f254b4368f4b726a1cfb7c530c2ae80dc43

SHA512
09f25485001c883c976629fa72b1ca06996bb66f4bc4ac576ac5bd4e80b11d69818699bc1ab153b129ed63cbf380d8af7647d3933f804f6fa02e1033b0603416

Download Submit
C:\Windows\SysWOW64\Qnkdhpjn.exe

Filesize
390KB

MD5
b113ac0f4daf594e9b0be26ba00a3f73

SHA1
c74bcf1ffd6a8bd4bd9304ae468fb1eb23efa234

SHA256
6bfff6658d66398a8b7fe36148e71fa6de46132a1d58756abf8bb908da51f868

SHA512
2b2847253bb0fb001e30e0134bf252678f4877f40bf4bb3aecc9456473ece70507290b4d26c6e0981265cc6632b9afcf888849be54b512c0559ec6029ece27b2

Download Submit
memory/8-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7516-2203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8348-2197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8444-2207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8616-2199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8648-2213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8700-2206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8908-2205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9000-2204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9056-2210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9212-2209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9488-2190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9540-2189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9576-2188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9624-2187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9708-2185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9796-2183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads