7b81de1ffdad97459ab5f95fc3e64644fb5d94e18860de4d40cb0c8540e9d3b8

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 23:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7b81de1ffdad97459ab5f95fc3e64644fb5d94e18860de4d40cb0c8540e9d3b8.exe
Size

208KB
MD5

2cf789a2b0c8e0d79b12706318ee3ae0
SHA1

0fde3f75e0a619dc24dfb52cf66912f0b3300813
SHA256

7b81de1ffdad97459ab5f95fc3e64644fb5d94e18860de4d40cb0c8540e9d3b8
SHA512

68b71c7706606f012da850cafb77dbceae0142b827cebcfd35e7b34df83b50a4dac419828cdcccd07a83d21b8a212a71c3165afcac928da7959b99a0a779d97c
SSDEEP

3072:XOoJcGiZaj6+JB8M6m9jqLsFmsdYXmLlcJVIZen+Vcv2JBwwRBkBnReP2+x7zqgU:XO6cGiZaj6MB8MhjwszeXmr8SeNpgg

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pamiaboj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fikbocki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klahfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eidbij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fechomko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lflbkcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afgacokc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mepfiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbanbmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjellmbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohpkmn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknifq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feoodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emdajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oodcdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfmcfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liqihglg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnldla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfqlfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfgcakon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efjimhnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehngkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hidgai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7b81de1ffdad97459ab5f95fc3e64644fb5d94e18860de4d40cb0c8540e9d3b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbnkonbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgqfdnah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjnqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmeede32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnnkgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljhefhha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbjoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fimhjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phedhmhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omnjojpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dikihe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbjoeojc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnnkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ooqqdi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmkgkapm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Komhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibfnqmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oemefcap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkbocbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idfaefkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kqfngd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hplicjok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jngbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jniood32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aamknj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jofalmmp.exe

Executes dropped EXE 64 IoCs

pid	Process
4464	Dannij32.exe
3124	Dfmcfp32.exe
848	Dfoplpla.exe
1600	Dfamapjo.exe
4652	Ejpfhnpe.exe
1480	Eplnpeol.exe
5108	Eidbij32.exe
1352	Embkoi32.exe
4004	Jgadgf32.exe
4136	Kqpoakco.exe
4756	Knflpoqf.exe
5088	Kkmioc32.exe
1536	Liqihglg.exe
212	Lgffic32.exe
3748	Ljgpkonp.exe
4076	Ljilqnlm.exe
4644	Ljkifn32.exe
4508	Mniallpq.exe
2784	Mnlnbl32.exe
2036	Mnnkgl32.exe
2316	Mjellmbp.exe
4980	Nobdbkhf.exe
1440	Njiegl32.exe
1704	Nbcjnilj.exe
3008	Nknobkje.exe
5072	Niakfbpa.exe
4808	Objpoh32.exe
3932	Ooqqdi32.exe
384	Ohiemobf.exe
1132	Oemefcap.exe
3224	Obafpg32.exe
4524	Ohnohn32.exe
2856	Ohpkmn32.exe
4140	Pedlgbkh.exe
2504	Pakllc32.exe
4536	Phedhmhi.exe
2804	Pamiaboj.exe
4792	Papfgbmg.exe
1552	Pocfpf32.exe
2232	Afgacokc.exe
1788	Aanbhp32.exe
2180	Akffafgg.exe
2456	Ajggomog.exe
1212	Abbkcpma.exe
216	Boflmdkk.exe
4328	Bhoqeibl.exe
3896	Bjnmpl32.exe
2464	Bbiado32.exe
3860	Bkafmd32.exe
2320	Bjbfklei.exe
3984	Bbnkonbd.exe
3652	Ckilmcgb.exe
3436	Ckkiccep.exe
2844	Ccdnjp32.exe
1192	Ciafbg32.exe
4952	Djqblj32.exe
928	Dkbocbog.exe
1772	Dfgcakon.exe
724	Dkdliame.exe
3048	Dikihe32.exe
1120	Dfoiaj32.exe
3308	Dpgnjo32.exe
3484	Emkndc32.exe
452	Efepbi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iebngial.exe	Ipeeobbe.exe
File created	C:\Windows\SysWOW64\Qkicbhla.dll	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Knflpoqf.exe	Kqpoakco.exe
File created	C:\Windows\SysWOW64\Mebcop32.exe	Mepfiq32.exe
File created	C:\Windows\SysWOW64\Qmepam32.exe	Pldcjeia.exe
File opened for modification	C:\Windows\SysWOW64\Dokgdkeh.exe	Cdecgbfa.exe
File created	C:\Windows\SysWOW64\Obafpg32.exe	Oemefcap.exe
File created	C:\Windows\SysWOW64\Belqaa32.dll	Fmkgkapm.exe
File opened for modification	C:\Windows\SysWOW64\Nmipdk32.exe	Npepkf32.exe
File created	C:\Windows\SysWOW64\Panhbfep.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Eciplm32.exe	Efepbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ddgplado.exe	Dokgdkeh.exe
File created	C:\Windows\SysWOW64\Bhoqeibl.exe	Boflmdkk.exe
File created	C:\Windows\SysWOW64\Plbfdekd.exe	Pehngkcg.exe
File created	C:\Windows\SysWOW64\Qfgllk32.dll	Hpchib32.exe
File opened for modification	C:\Windows\SysWOW64\Akpoaj32.exe	Aknbkjfh.exe
File opened for modification	C:\Windows\SysWOW64\Hlpfhe32.exe	Hbhboolf.exe
File opened for modification	C:\Windows\SysWOW64\Dfamapjo.exe	Dfoplpla.exe
File created	C:\Windows\SysWOW64\Beaalgij.dll	Eplnpeol.exe
File created	C:\Windows\SysWOW64\Jdfjld32.exe	Jgbjbp32.exe
File opened for modification	C:\Windows\SysWOW64\Ffceip32.exe	Flmqlg32.exe
File created	C:\Windows\SysWOW64\Okilfdgl.dll	Dannij32.exe
File created	C:\Windows\SysWOW64\Eegiklal.dll	Mebcop32.exe
File created	C:\Windows\SysWOW64\Dafmjm32.dll	Iebngial.exe
File opened for modification	C:\Windows\SysWOW64\Mqkiok32.exe	Mfeeabda.exe
File opened for modification	C:\Windows\SysWOW64\Plbfdekd.exe	Pehngkcg.exe
File created	C:\Windows\SysWOW64\Pldcjeia.exe	Paoollik.exe
File created	C:\Windows\SysWOW64\Jiglnf32.exe	Ickglm32.exe
File opened for modification	C:\Windows\SysWOW64\Dfmcfp32.exe	Dannij32.exe
File opened for modification	C:\Windows\SysWOW64\Cbbnpg32.exe	Cleegp32.exe
File created	C:\Windows\SysWOW64\Cjijid32.dll	Njhgbp32.exe
File opened for modification	C:\Windows\SysWOW64\Ipeeobbe.exe	Iepaaico.exe
File opened for modification	C:\Windows\SysWOW64\Ljgpkonp.exe	Lgffic32.exe
File opened for modification	C:\Windows\SysWOW64\Kcndbp32.exe	Kkconn32.exe
File created	C:\Windows\SysWOW64\Cjibekmc.dll	Nlcalieg.exe
File created	C:\Windows\SysWOW64\Jfniqp32.dll	Oodcdb32.exe
File created	C:\Windows\SysWOW64\Hdehni32.exe	Gbfldf32.exe
File opened for modification	C:\Windows\SysWOW64\Eppjfgcp.exe	Dbpjaeoc.exe
File created	C:\Windows\SysWOW64\Ipgijcij.dll	Kfpcoefj.exe
File created	C:\Windows\SysWOW64\Omjbpn32.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Apedgj32.dll	Boflmdkk.exe
File opened for modification	C:\Windows\SysWOW64\Efjimhnh.exe	Eifhdd32.exe
File created	C:\Windows\SysWOW64\Bhnikc32.exe	Badanigc.exe
File opened for modification	C:\Windows\SysWOW64\Bedgjgkg.exe	Bojomm32.exe
File opened for modification	C:\Windows\SysWOW64\Cdmfllhn.exe	Ckebcg32.exe
File opened for modification	C:\Windows\SysWOW64\Emdajb32.exe	Efjimhnh.exe
File created	C:\Windows\SysWOW64\Qjalckog.dll	Qlgpod32.exe
File created	C:\Windows\SysWOW64\Jofalmmp.exe	Jmeede32.exe
File created	C:\Windows\SysWOW64\Mfeeabda.exe	Mokmdh32.exe
File created	C:\Windows\SysWOW64\Qemhbj32.exe	Qmepam32.exe
File created	C:\Windows\SysWOW64\Aanbhp32.exe	Afgacokc.exe
File created	C:\Windows\SysWOW64\Nmnpml32.dll	Emkndc32.exe
File created	C:\Windows\SysWOW64\Idfaefkd.exe	Hplicjok.exe
File created	C:\Windows\SysWOW64\Ilafiihp.exe	Idfaefkd.exe
File created	C:\Windows\SysWOW64\Eifhdd32.exe	Eciplm32.exe
File created	C:\Windows\SysWOW64\Dikihe32.exe	Dkdliame.exe
File created	C:\Windows\SysWOW64\Nbkdke32.dll	Kkconn32.exe
File created	C:\Windows\SysWOW64\Mmbanbmg.exe	Mmpdhboj.exe
File opened for modification	C:\Windows\SysWOW64\Phdnngdn.exe	Pmoiqneg.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Ckilmcgb.exe	Bbnkonbd.exe
File opened for modification	C:\Windows\SysWOW64\Addaif32.exe	Aogiap32.exe
File created	C:\Windows\SysWOW64\Kmdpiacg.dll	Bddjpd32.exe
File created	C:\Windows\SysWOW64\Ljilqnlm.exe	Ljgpkonp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9176	9084	WerFault.exe	379

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bddjpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbfldf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilafiihp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bemqih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omnjojpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eidbij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfklem32.dll"	Aamknj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niakfbpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkbcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liqihglg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ememkjeq.dll"	Jdfjld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfglbe32.dll"	Lkalplel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbjoeojc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpibgp32.dll"	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmggfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hoaojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glgcbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpnmbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odoogi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chglab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbpjaeoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpabibmg.dll"	Hidgai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkofn32.dll"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkdliame.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkmkkjko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkdliame.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oogpjbbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fimhjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oodcdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbbnpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjafgpmo.dll"	Fmcjpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjibekmc.dll"	Nlcalieg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pldcjeia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddgplado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipjoja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmikeaap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adikdfna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmkqgckn.dll"	Lfbped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mchppmij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlkfjqib.dll"	Ncabfkqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efepbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmheim32.dll"	Emdajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmkgkapm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llmhaold.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljhefhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plbfdekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockkandf.dll"	Qemhbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhnikc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciafbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjdaodja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npbceggm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqhbe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4464	3404	7b81de1ffdad97459ab5f95fc3e64644fb5d94e18860de4d40cb0c8540e9d3b8.exe	91
PID 3404 wrote to memory of 4464	3404	7b81de1ffdad97459ab5f95fc3e64644fb5d94e18860de4d40cb0c8540e9d3b8.exe	91
PID 3404 wrote to memory of 4464	3404	7b81de1ffdad97459ab5f95fc3e64644fb5d94e18860de4d40cb0c8540e9d3b8.exe	91
PID 4464 wrote to memory of 3124	4464	Dannij32.exe	92
PID 4464 wrote to memory of 3124	4464	Dannij32.exe	92
PID 4464 wrote to memory of 3124	4464	Dannij32.exe	92
PID 3124 wrote to memory of 848	3124	Dfmcfp32.exe	93
PID 3124 wrote to memory of 848	3124	Dfmcfp32.exe	93
PID 3124 wrote to memory of 848	3124	Dfmcfp32.exe	93
PID 848 wrote to memory of 1600	848	Dfoplpla.exe	94
PID 848 wrote to memory of 1600	848	Dfoplpla.exe	94
PID 848 wrote to memory of 1600	848	Dfoplpla.exe	94
PID 1600 wrote to memory of 4652	1600	Dfamapjo.exe	95
PID 1600 wrote to memory of 4652	1600	Dfamapjo.exe	95
PID 1600 wrote to memory of 4652	1600	Dfamapjo.exe	95
PID 4652 wrote to memory of 1480	4652	Ejpfhnpe.exe	96
PID 4652 wrote to memory of 1480	4652	Ejpfhnpe.exe	96
PID 4652 wrote to memory of 1480	4652	Ejpfhnpe.exe	96
PID 1480 wrote to memory of 5108	1480	Eplnpeol.exe	97
PID 1480 wrote to memory of 5108	1480	Eplnpeol.exe	97
PID 1480 wrote to memory of 5108	1480	Eplnpeol.exe	97
PID 5108 wrote to memory of 1352	5108	Eidbij32.exe	98
PID 5108 wrote to memory of 1352	5108	Eidbij32.exe	98
PID 5108 wrote to memory of 1352	5108	Eidbij32.exe	98
PID 1352 wrote to memory of 4004	1352	Embkoi32.exe	99
PID 1352 wrote to memory of 4004	1352	Embkoi32.exe	99
PID 1352 wrote to memory of 4004	1352	Embkoi32.exe	99
PID 4004 wrote to memory of 4136	4004	Jgadgf32.exe	100
PID 4004 wrote to memory of 4136	4004	Jgadgf32.exe	100
PID 4004 wrote to memory of 4136	4004	Jgadgf32.exe	100
PID 4136 wrote to memory of 4756	4136	Kqpoakco.exe	101
PID 4136 wrote to memory of 4756	4136	Kqpoakco.exe	101
PID 4136 wrote to memory of 4756	4136	Kqpoakco.exe	101
PID 4756 wrote to memory of 5088	4756	Knflpoqf.exe	102
PID 4756 wrote to memory of 5088	4756	Knflpoqf.exe	102
PID 4756 wrote to memory of 5088	4756	Knflpoqf.exe	102
PID 5088 wrote to memory of 1536	5088	Kkmioc32.exe	103
PID 5088 wrote to memory of 1536	5088	Kkmioc32.exe	103
PID 5088 wrote to memory of 1536	5088	Kkmioc32.exe	103
PID 1536 wrote to memory of 212	1536	Liqihglg.exe	104
PID 1536 wrote to memory of 212	1536	Liqihglg.exe	104
PID 1536 wrote to memory of 212	1536	Liqihglg.exe	104
PID 212 wrote to memory of 3748	212	Lgffic32.exe	105
PID 212 wrote to memory of 3748	212	Lgffic32.exe	105
PID 212 wrote to memory of 3748	212	Lgffic32.exe	105
PID 3748 wrote to memory of 4076	3748	Ljgpkonp.exe	106
PID 3748 wrote to memory of 4076	3748	Ljgpkonp.exe	106
PID 3748 wrote to memory of 4076	3748	Ljgpkonp.exe	106
PID 4076 wrote to memory of 4644	4076	Ljilqnlm.exe	107
PID 4076 wrote to memory of 4644	4076	Ljilqnlm.exe	107
PID 4076 wrote to memory of 4644	4076	Ljilqnlm.exe	107
PID 4644 wrote to memory of 4508	4644	Ljkifn32.exe	108
PID 4644 wrote to memory of 4508	4644	Ljkifn32.exe	108
PID 4644 wrote to memory of 4508	4644	Ljkifn32.exe	108
PID 4508 wrote to memory of 2784	4508	Mniallpq.exe	109
PID 4508 wrote to memory of 2784	4508	Mniallpq.exe	109
PID 4508 wrote to memory of 2784	4508	Mniallpq.exe	109
PID 2784 wrote to memory of 2036	2784	Mnlnbl32.exe	110
PID 2784 wrote to memory of 2036	2784	Mnlnbl32.exe	110
PID 2784 wrote to memory of 2036	2784	Mnlnbl32.exe	110
PID 2036 wrote to memory of 2316	2036	Mnnkgl32.exe	111
PID 2036 wrote to memory of 2316	2036	Mnnkgl32.exe	111
PID 2036 wrote to memory of 2316	2036	Mnnkgl32.exe	111
PID 2316 wrote to memory of 4980	2316	Mjellmbp.exe	112

C:\Users\Admin\AppData\Local\Temp\7b81de1ffdad97459ab5f95fc3e64644fb5d94e18860de4d40cb0c8540e9d3b8.exe
"C:\Users\Admin\AppData\Local\Temp\7b81de1ffdad97459ab5f95fc3e64644fb5d94e18860de4d40cb0c8540e9d3b8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\SysWOW64\Dannij32.exe
  C:\Windows\system32\Dannij32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\SysWOW64\Dfmcfp32.exe
    C:\Windows\system32\Dfmcfp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\SysWOW64\Dfoplpla.exe
      C:\Windows\system32\Dfoplpla.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Windows\SysWOW64\Dfamapjo.exe
        
        C:\Windows\system32\Dfamapjo.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Windows\SysWOW64\Ejpfhnpe.exe
        
        C:\Windows\system32\Ejpfhnpe.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Eplnpeol.exe
        
        C:\Windows\system32\Eplnpeol.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Eidbij32.exe
        
        C:\Windows\system32\Eidbij32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Embkoi32.exe
        
        C:\Windows\system32\Embkoi32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Jgadgf32.exe
        
        C:\Windows\system32\Jgadgf32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Kqpoakco.exe
        
        C:\Windows\system32\Kqpoakco.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Knflpoqf.exe
        
        C:\Windows\system32\Knflpoqf.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Kkmioc32.exe
        
        C:\Windows\system32\Kkmioc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Liqihglg.exe
        
        C:\Windows\system32\Liqihglg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Lgffic32.exe
        
        C:\Windows\system32\Lgffic32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Ljgpkonp.exe
        
        C:\Windows\system32\Ljgpkonp.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Ljilqnlm.exe
        
        C:\Windows\system32\Ljilqnlm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Ljkifn32.exe
        
        C:\Windows\system32\Ljkifn32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Mniallpq.exe
        
        C:\Windows\system32\Mniallpq.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Mnlnbl32.exe
        
        C:\Windows\system32\Mnlnbl32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Mnnkgl32.exe
        
        C:\Windows\system32\Mnnkgl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Mjellmbp.exe
        
        C:\Windows\system32\Mjellmbp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Nobdbkhf.exe
        
        C:\Windows\system32\Nobdbkhf.exe
        23⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Njiegl32.exe
        
        C:\Windows\system32\Njiegl32.exe
        24⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Nbcjnilj.exe
        
        C:\Windows\system32\Nbcjnilj.exe
        25⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\Nknobkje.exe
        
        C:\Windows\system32\Nknobkje.exe
        26⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Niakfbpa.exe
        
        C:\Windows\system32\Niakfbpa.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Objpoh32.exe
        
        C:\Windows\system32\Objpoh32.exe
        28⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\Ooqqdi32.exe
        
        C:\Windows\system32\Ooqqdi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Ohiemobf.exe
        
        C:\Windows\system32\Ohiemobf.exe
        30⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\Oemefcap.exe
        
        C:\Windows\system32\Oemefcap.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Obafpg32.exe
        
        C:\Windows\system32\Obafpg32.exe
        32⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Ohnohn32.exe
        
        C:\Windows\system32\Ohnohn32.exe
        33⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Ohpkmn32.exe
        
        C:\Windows\system32\Ohpkmn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Pedlgbkh.exe
        
        C:\Windows\system32\Pedlgbkh.exe
        35⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Pakllc32.exe
        
        C:\Windows\system32\Pakllc32.exe
        36⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\Phedhmhi.exe
        
        C:\Windows\system32\Phedhmhi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Pamiaboj.exe
        
        C:\Windows\system32\Pamiaboj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Papfgbmg.exe
        
        C:\Windows\system32\Papfgbmg.exe
        39⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\Pocfpf32.exe
        
        C:\Windows\system32\Pocfpf32.exe
        40⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\Afgacokc.exe
        
        C:\Windows\system32\Afgacokc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Aanbhp32.exe
        
        C:\Windows\system32\Aanbhp32.exe
        42⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\Akffafgg.exe
        
        C:\Windows\system32\Akffafgg.exe
        43⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\Ajggomog.exe
        
        C:\Windows\system32\Ajggomog.exe
        44⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Abbkcpma.exe
        
        C:\Windows\system32\Abbkcpma.exe
        45⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Boflmdkk.exe
        
        C:\Windows\system32\Boflmdkk.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Bhoqeibl.exe
        
        C:\Windows\system32\Bhoqeibl.exe
        47⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Bjnmpl32.exe
        
        C:\Windows\system32\Bjnmpl32.exe
        48⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\Bbiado32.exe
        
        C:\Windows\system32\Bbiado32.exe
        49⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Bkafmd32.exe
        
        C:\Windows\system32\Bkafmd32.exe
        50⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Bjbfklei.exe
        
        C:\Windows\system32\Bjbfklei.exe
        51⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Bbnkonbd.exe
        
        C:\Windows\system32\Bbnkonbd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Ckilmcgb.exe
        
        C:\Windows\system32\Ckilmcgb.exe
        53⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Ckkiccep.exe
        
        C:\Windows\system32\Ckkiccep.exe
        54⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Ccdnjp32.exe
        
        C:\Windows\system32\Ccdnjp32.exe
        55⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Ciafbg32.exe
        
        C:\Windows\system32\Ciafbg32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Djqblj32.exe
        
        C:\Windows\system32\Djqblj32.exe
        57⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Dkbocbog.exe
        
        C:\Windows\system32\Dkbocbog.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Dfgcakon.exe
        
        C:\Windows\system32\Dfgcakon.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Dkdliame.exe
        
        C:\Windows\system32\Dkdliame.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Dikihe32.exe
        
        C:\Windows\system32\Dikihe32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Dfoiaj32.exe
        
        C:\Windows\system32\Dfoiaj32.exe
        62⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\Dpgnjo32.exe
        
        C:\Windows\system32\Dpgnjo32.exe
        63⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Emkndc32.exe
        
        C:\Windows\system32\Emkndc32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Efepbi32.exe
        
        C:\Windows\system32\Efepbi32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Eciplm32.exe
        
        C:\Windows\system32\Eciplm32.exe
        66⤵
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Eifhdd32.exe
        
        C:\Windows\system32\Eifhdd32.exe
        67⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Efjimhnh.exe
        
        C:\Windows\system32\Efjimhnh.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Emdajb32.exe
        
        C:\Windows\system32\Emdajb32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Fikbocki.exe
        
        C:\Windows\system32\Fikbocki.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1656
        
        C:\Windows\SysWOW64\Fmikeaap.exe
        
        C:\Windows\system32\Fmikeaap.exe
        71⤵
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Fbfcmhpg.exe
        
        C:\Windows\system32\Fbfcmhpg.exe
        72⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\Fmkgkapm.exe
        
        C:\Windows\system32\Fmkgkapm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Ffclcgfn.exe
        
        C:\Windows\system32\Ffclcgfn.exe
        74⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Fbjmhh32.exe
        
        C:\Windows\system32\Fbjmhh32.exe
        75⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Gpnmbl32.exe
        
        C:\Windows\system32\Gpnmbl32.exe
        76⤵
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Gjdaodja.exe
        
        C:\Windows\system32\Gjdaodja.exe
        77⤵
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Glgjlm32.exe
        
        C:\Windows\system32\Glgjlm32.exe
        78⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Gmggfp32.exe
        
        C:\Windows\system32\Gmggfp32.exe
        79⤵
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Gfokoelp.exe
        
        C:\Windows\system32\Gfokoelp.exe
        80⤵
        
        PID:360
        
        C:\Windows\SysWOW64\Glldgljg.exe
        
        C:\Windows\system32\Glldgljg.exe
        81⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Gbfldf32.exe
        
        C:\Windows\system32\Gbfldf32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Hdehni32.exe
        
        C:\Windows\system32\Hdehni32.exe
        83⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\Hkpqkcpd.exe
        
        C:\Windows\system32\Hkpqkcpd.exe
        84⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Hplicjok.exe
        
        C:\Windows\system32\Hplicjok.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\Idfaefkd.exe
        
        C:\Windows\system32\Idfaefkd.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\Ilafiihp.exe
        
        C:\Windows\system32\Ilafiihp.exe
        87⤵
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Jgbjbp32.exe
        
        C:\Windows\system32\Jgbjbp32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Jdfjld32.exe
        
        C:\Windows\system32\Jdfjld32.exe
        89⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Kqmkae32.exe
        
        C:\Windows\system32\Kqmkae32.exe
        90⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Kkconn32.exe
        
        C:\Windows\system32\Kkconn32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Kcndbp32.exe
        
        C:\Windows\system32\Kcndbp32.exe
        92⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Kqbdldnq.exe
        
        C:\Windows\system32\Kqbdldnq.exe
        93⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Kjjiej32.exe
        
        C:\Windows\system32\Kjjiej32.exe
        94⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        95⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Kqfngd32.exe
        
        C:\Windows\system32\Kqfngd32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Lnjnqh32.exe
        
        C:\Windows\system32\Lnjnqh32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Ljaoeini.exe
        
        C:\Windows\system32\Ljaoeini.exe
        99⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Lkalplel.exe
        
        C:\Windows\system32\Lkalplel.exe
        100⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Lggldm32.exe
        
        C:\Windows\system32\Lggldm32.exe
        101⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Lmdemd32.exe
        
        C:\Windows\system32\Lmdemd32.exe
        102⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Ljhefhha.exe
        
        C:\Windows\system32\Ljhefhha.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Mcqjon32.exe
        
        C:\Windows\system32\Mcqjon32.exe
        104⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Mepfiq32.exe
        
        C:\Windows\system32\Mepfiq32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Mebcop32.exe
        
        C:\Windows\system32\Mebcop32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Mkmkkjko.exe
        
        C:\Windows\system32\Mkmkkjko.exe
        107⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Mchppmij.exe
        
        C:\Windows\system32\Mchppmij.exe
        108⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Mmpdhboj.exe
        
        C:\Windows\system32\Mmpdhboj.exe
        109⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Nlcalieg.exe
        
        C:\Windows\system32\Nlcalieg.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        112⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Ngjbaj32.exe
        
        C:\Windows\system32\Ngjbaj32.exe
        113⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        114⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Ncabfkqo.exe
        
        C:\Windows\system32\Ncabfkqo.exe
        115⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Nagpeo32.exe
        
        C:\Windows\system32\Nagpeo32.exe
        116⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Odoogi32.exe
        
        C:\Windows\system32\Odoogi32.exe
        117⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Oodcdb32.exe
        
        C:\Windows\system32\Oodcdb32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        119⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Oogpjbbb.exe
        
        C:\Windows\system32\Oogpjbbb.exe
        120⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Pmlmkn32.exe
        
        C:\Windows\system32\Pmlmkn32.exe
        121⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Phaahggp.exe
        
        C:\Windows\system32\Phaahggp.exe
        122⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        123⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Phdnngdn.exe
        
        C:\Windows\system32\Phdnngdn.exe
        124⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Ponfka32.exe
        
        C:\Windows\system32\Ponfka32.exe
        125⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Pehngkcg.exe
        
        C:\Windows\system32\Pehngkcg.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Plbfdekd.exe
        
        C:\Windows\system32\Plbfdekd.exe
        127⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Paoollik.exe
        
        C:\Windows\system32\Paoollik.exe
        128⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Pldcjeia.exe
        
        C:\Windows\system32\Pldcjeia.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Qmepam32.exe
        
        C:\Windows\system32\Qmepam32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Qemhbj32.exe
        
        C:\Windows\system32\Qemhbj32.exe
        131⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Qhmqdemc.exe
        
        C:\Windows\system32\Qhmqdemc.exe
        133⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Aogiap32.exe
        
        C:\Windows\system32\Aogiap32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Addaif32.exe
        
        C:\Windows\system32\Addaif32.exe
        135⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Aknifq32.exe
        
        C:\Windows\system32\Aknifq32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Aahbbkaq.exe
        
        C:\Windows\system32\Aahbbkaq.exe
        137⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Ahbjoe32.exe
        
        C:\Windows\system32\Ahbjoe32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Anobgl32.exe
        
        C:\Windows\system32\Anobgl32.exe
        139⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Adikdfna.exe
        
        C:\Windows\system32\Adikdfna.exe
        140⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Aamknj32.exe
        
        C:\Windows\system32\Aamknj32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Albpkc32.exe
        
        C:\Windows\system32\Albpkc32.exe
        142⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Anclbkbp.exe
        
        C:\Windows\system32\Anclbkbp.exe
        143⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Alelqb32.exe
        
        C:\Windows\system32\Alelqb32.exe
        144⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        145⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Bkjiao32.exe
        
        C:\Windows\system32\Bkjiao32.exe
        146⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Badanigc.exe
        
        C:\Windows\system32\Badanigc.exe
        147⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        148⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        149⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\Bedgjgkg.exe
        
        C:\Windows\system32\Bedgjgkg.exe
        152⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Bakgoh32.exe
        
        C:\Windows\system32\Bakgoh32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6288
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        154⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        155⤵
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        156⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        158⤵
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        159⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        160⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        161⤵
        Drops file in System32 directory
        
        PID:6664
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        162⤵
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        163⤵
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        164⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        165⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        166⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        168⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        169⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        170⤵
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        171⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7132
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        173⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        174⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        176⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        179⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6652
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        181⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        182⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        183⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        184⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        185⤵
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        186⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        187⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        188⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        189⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        190⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        191⤵
        Drops file in System32 directory
        
        PID:6492
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        192⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        195⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        196⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        197⤵
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        198⤵
        Drops file in System32 directory
        
        PID:6320
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        199⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        200⤵
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6832
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        202⤵
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        203⤵
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        204⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        205⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6960
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6760
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        209⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6912
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        211⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7184
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7232
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        214⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        215⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        216⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        217⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        218⤵
        Drops file in System32 directory
        
        PID:7432
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        219⤵
        Modifies registry class
        
        PID:7472
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        220⤵
        Modifies registry class
        
        PID:7516
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7560
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7604
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7636
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        224⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7724
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        226⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        227⤵
        Drops file in System32 directory
        
        PID:7812
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7856
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        229⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        230⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        231⤵
        Modifies registry class
        
        PID:7980
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        232⤵
        Modifies registry class
        
        PID:8020
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        233⤵
        Drops file in System32 directory
        
        PID:8056
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        234⤵
        Drops file in System32 directory
        
        PID:8104
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        235⤵
        Modifies registry class
        
        PID:8152
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        236⤵
        Modifies registry class
        
        PID:7172
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        237⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        238⤵
        Modifies registry class
        
        PID:7284
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7360
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        240⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        241⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        242⤵
        Modifies registry class
        
        PID:7572
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        243⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        244⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        245⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        246⤵
        Modifies registry class
        
        PID:7852
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7972
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        248⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        249⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8172
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        251⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        252⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        253⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        254⤵
        Drops file in System32 directory
        
        PID:7668
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        255⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        256⤵
        Modifies registry class
        
        PID:7924
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        257⤵
        Modifies registry class
        
        PID:8088
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        258⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7388
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        260⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        261⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8144
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        263⤵
        Drops file in System32 directory
        
        PID:7776
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        264⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        265⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        266⤵
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        267⤵
        Modifies registry class
        
        PID:7876
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        268⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8248
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8292
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        271⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        272⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8436
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        274⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        275⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8568
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8612
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        278⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        279⤵
        Drops file in System32 directory
        
        PID:8696
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8736
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        281⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        282⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8820
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        283⤵
        Modifies registry class
        
        PID:8868
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        284⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        285⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        286⤵
        Drops file in System32 directory
        
        PID:8996
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        287⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        288⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9084 -s 412
        289⤵
        Program crash
        
        PID:9176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 9084 -ip 9084
1⤵
PID:9152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:9068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Chnbbqpn.exe

Filesize
208KB

MD5
e483b1b50de301d46576adb84f23f456

SHA1
8f9ca3fd7ac120e70164a3c9e65d6d18a964e3ce

SHA256
3a13242a21eb5537e58fdc709784c84d3b56f1d3093fa4e068ff3b2649812d3c

SHA512
d6505d166afaa162859f169e11cc2458c5911119f8ddad1b0b365845f8d57b5771ba5655528f803faa37272f4aedbf94bc2b17d6e99f26772ed5e255efb01a00

Download Submit
C:\Windows\SysWOW64\Ckilmcgb.exe

Filesize
208KB

MD5
0376578019b33cee39e1228da2209d5d

SHA1
cca025e99e2c86500c4358b28c8e5ccb823a5398

SHA256
8e9d757d28dca3459b62627ec6015ac154c3607dd789d94d55d86e606c8e561d

SHA512
68408b237c7dc4db9ef6621a2d300d75e87cc10cddca6f5d09e2e07629e710c1e79e1f4a05da57a0ca5a2c380f50c41d369c0e5b2870ba29f217fb75b005dade

Download Submit
C:\Windows\SysWOW64\Dannij32.exe

Filesize
208KB

MD5
ba3f5505a0ee36c5c8c4883782c941d6

SHA1
802cbefae4680c7fd73ece2e5230685ce9d8f2bc

SHA256
c791dd8bb93a78d1500bac570dd32869d28cda48de41ce60bf136fcfa2914dfe

SHA512
054f8cdcc18396c89b24bf4862b67f6bc3b7d3b4a5c0d7410d608671ac7051fc391a15fd9eb84c989ffb170bd7a602d007c444c789d6d08a99b45d2c62d99ee1

Download Submit
C:\Windows\SysWOW64\Dfamapjo.exe

Filesize
208KB

MD5
a2823a59a60a7ba8f704ff620a9a330a

SHA1
4448267ee4060b345ddc127261a1716c73f16f6f

SHA256
f18c42437d3b88c51d67b2c84d82c76eb37935f3ba56b4f0e6acf1fe066fddcc

SHA512
095f55eecc8f1e9f2183b22a49a04fd72b7ec3b01dd868f547372c80e9cb1fd9398c1b9b2071e4e3cebf6c48d2f95c59a3da8558ad64e62401ff4731933f6632

Download Submit
C:\Windows\SysWOW64\Dfmcfp32.exe

Filesize
208KB

MD5
7eb9a74dd46fa068660bf07cd7af907f

SHA1
fe4ef9f23d1944984e65a168b66e97beee87f53d

SHA256
5798919caf2a8fc1fa5ebf66e6da1434c10522a23eba365303b1c9ba85e11ebc

SHA512
458a5408ea4ecf817c663949a1474ebd24ab0d75d42bbb21156b621a93d4419b1e7a7d1e575ad033a37843d4b89c604a50d3b2777c9d81f1982a9022be023059

Download Submit
C:\Windows\SysWOW64\Dfoplpla.exe

Filesize
208KB

MD5
a0b682116475c44b7dedd83a54b2fbdb

SHA1
dacead514db20c516eb0af9de08d4385e7929b0d

SHA256
383ed338d238503ca5356e11c0168f6f77d3210847d32634e073a68123beffca

SHA512
35cd18a34506043b1993b5628c1de56cf57c53787bb8b05384d8eacd593bc73fa8dfdbd848885889ccab4d1ef182f9925d3d56e71760aaf007335f568849f2af

Download Submit
C:\Windows\SysWOW64\Eidbij32.exe

Filesize
208KB

MD5
4fe015b0ff38e9d225f090c3086bc29e

SHA1
7b7b447cebf5022be8d1309d8937ce745a4e7fab

SHA256
df25bb063bbf657a91ad29340169ea6632a7df5c521905131d17df7ceaaa4b59

SHA512
a1d1e7d9e0c5347eaa5b66c40996ab1712428f7692cd62ddce44611acd9342087ae75296109d02863216d26d1bb7ea9b547d613c89675fc5b0d10d8bd97141d9

Download Submit
C:\Windows\SysWOW64\Ejpfhnpe.exe

Filesize
208KB

MD5
40a04ee6b6f137fc76d60914f1a348e6

SHA1
58e1649f86bbae091defc2314798c9a3e75369cf

SHA256
6b0c5fae0c8472776baa14a85ec845e576c00ace875b42ac96525e2e68b22351

SHA512
0c989b051f3c8e6284b55ea1e855e4ca4d39a36049a63d76549f3374c498afaa226bbb313bdeba2582c945c478489879383a7ff9b239b149425fcdb3a2fcd679

Download Submit
C:\Windows\SysWOW64\Embkoi32.exe

Filesize
208KB

MD5
a722648d99629e8ddd274649d6168d04

SHA1
36df9d361154deb2e11502eb626be32e1b35b432

SHA256
0ca157c0ea2c70c33f819954580ddbaada64fc05a38b3982955b772d0eade775

SHA512
5431a9515e095bfce5a1a98a779b7b7d30714262d347bbc2a5d2ed4cc0b3132a88c5832d98290a8495df7b337834d59f9123769d74385997ddf7836ec3596d71

Download Submit
C:\Windows\SysWOW64\Eplnpeol.exe

Filesize
208KB

MD5
3c8fd101cb7ad2b150b5bce7713fcf64

SHA1
0283eaa16a26d830fd6fb5392b72a301ca615dab

SHA256
12ea1026a76a4a9635f8602440a74e44b3ff66569bb622d4777dad0338128e4d

SHA512
111af845fa6f649616d0d78dd165afbf6338412632711ba137fc244ba8360f6ec12017e7857a4ae34712ea3624baf1a8ca11c1f51a15bb123cb2ed3402d5b493

Download Submit
C:\Windows\SysWOW64\Fikbocki.exe

Filesize
208KB

MD5
2ba86451939c9c5faf8bf379cff42ad6

SHA1
51fcbddcfb4b95b0cefe84db7bbadb89c5e5cbf6

SHA256
63921495702d066121250753f60b88e9231c680e558e791392a15aa1b56c616c

SHA512
0d5edd744876502a81d44503f24c11f20bc410a9fa700405bac437db3d42283e88d1907c839c98ba7501d5c8d18da013091b1f192348e691d0cbdd6591d15853

Download Submit
C:\Windows\SysWOW64\Jgadgf32.exe

Filesize
64KB

MD5
409b964b2f3ab8d4a52396c6d0d435d7

SHA1
76a72a305637aa40e46e677ba706487481885023

SHA256
2f8cecca6460ed60617d145b11a54e1accdb6aa7955545c3c679d0c70476ab2c

SHA512
9f8a1ada74953e652b51bd8aea553319f5a4e338cc8f2d7724ebf8729fa257cb81962374b06588f0a352c57bf264958935eb9202e65b1c24e70c5ee3b1a2b08f

Download Submit
C:\Windows\SysWOW64\Jgadgf32.exe

Filesize
208KB

MD5
9f3089214e288cd4c660769c2a8af8d4

SHA1
e6d8ced4b4389f2bc05c8df0d82a428cf8960f67

SHA256
ff2847f9484cb50ea801c15f572e414dac648a043dddd79b990ffd4bb14cd51d

SHA512
b9bee273327d46a7010c8224b3f8f842d878b189dba91ad03c680a45920f0ae157f03d22ad0ba0490132fc14ef312d6b9d3f5624ee3f753b5880eddbf804b526

Download Submit
C:\Windows\SysWOW64\Kjjbjd32.exe

Filesize
208KB

MD5
a81deff2ef93e0780bcd984028157a3f

SHA1
3a614f2d0b8fc1c1b7889bbf7a53d080710e89a4

SHA256
f6b5a6b3dd687f5bed1d1c1171cf008472402812b7a0be91f4dcb7aef8fae142

SHA512
e35ed7964da4a4a601c291ecf61c5b9f2b8032721ebe6e327b6a0222ecbb2d574e485e7cadf56ff792109630c6b9fc93dc06dbe2e3694dd1e6e4de7b36bd49f8

Download Submit
C:\Windows\SysWOW64\Kkmioc32.exe

Filesize
208KB

MD5
7a4ec760fbe598737bf27d50f8442041

SHA1
20ba05afa0ba0cae12113acc78a1325bd1e40025

SHA256
c2f6246ec0ceb733a7ffb576b54464b615d80d49b2fc8ed22f61deedbeef8bd2

SHA512
2b765519885ea11a2315e7ab01947b5e0e8c66b6252f75a073ba0e7158def54c2ac261de9ddf4c062a6ed8004d6720861b9a5c247f99e3f8fe88c0815e64da06

Download Submit
C:\Windows\SysWOW64\Knflpoqf.exe

Filesize
208KB

MD5
d55f5ef0faa33cb1301c58bf01eb136e

SHA1
59afe0ad9996de5d58e3cc5ad9eb29861cd1c374

SHA256
0d5bf951267818e7e38a93934bb9ca8985485722faaf9107389412c778de8293

SHA512
3fba3911456d3db276b163883045288d07df4e3ec56d36b74653a2dc06bf142dc459fd2e3db34881601981dde18fb13969310db1fd5e5e822867e85d170af0a4

Download Submit
C:\Windows\SysWOW64\Kqpoakco.exe

Filesize
208KB

MD5
86527fc83236ce7f0a8eccafc1c14412

SHA1
2ed7736109a9788a4435e09cb3e74c833f912c82

SHA256
331b57fdfb6ea4dd983cf5ef6cccd7c3c1058312c2a9bb3e040f972ecd37a061

SHA512
353dee38ae42ecd88aec29e3772dd2477f54cf1ae9f7f6ba5c0cca7e50a482db5321a93d3eaa09292e5972e22b21dc53025f8d90d0e49cab61578309430d3dee

Download Submit
C:\Windows\SysWOW64\Lgffic32.exe

Filesize
208KB

MD5
db3782272f82fbcaf844d8056853c88a

SHA1
bb6ae42296b198587ac3c545975994682df74e2c

SHA256
c7307cbbb26115e0c576ddc47e6783b96cfb987ca761f6b6e762d68eb3e60b85

SHA512
ad59a875525289059587ec21a34d35baa3cb7fef6bf3d6514d7bdb9e7eff0de67459fe1989174df09e795385e00b3b13b278b28ce81197e34b43b0218017faa7

Download Submit
C:\Windows\SysWOW64\Liqihglg.exe

Filesize
208KB

MD5
2de7ec7b818706496ea9ac57058160cc

SHA1
ea914c079c002162fdde1de91783c9be5296e4c5

SHA256
fd78a292491a476134e9bdab5ed850ced32ba9d6d1c86dc9200745361d81d993

SHA512
bb8482a00ba2bae8c0ff16c6235e3c9faa773aaddefd56b942fa3442a5ca05823772a705230c95d741ac9d22943a312cfc3cf2ec120dfb7309533e621800489a

Download Submit
C:\Windows\SysWOW64\Ljgpkonp.exe

Filesize
208KB

MD5
7c9a2fc619e3056fe4e9175c53b21d3a

SHA1
0f7c7058b5d23eec5f6913cfdc26f4ebfaf9c4a7

SHA256
8df06dc76056f04ce2a4572357d755c41248c30a7db4b6ea5a62f33ffb8968a3

SHA512
b7b915ef8247f9e4d24aad949b321c9e2eed036f55e367a85ae8f0a2232c79e44cc278e5695164c9c79c12377375354afe1a990e5b26029984e7f138f38a8bb2

Download Submit
C:\Windows\SysWOW64\Ljilqnlm.exe

Filesize
208KB

MD5
64ab81626941213ca9f63317ce401eb5

SHA1
5a5a7da47d772c7c63283b91c3cc1b16a364a3e9

SHA256
483c5b652e2b2e353e232a5269d04884d8d577f6994bcd042c6197490ec39874

SHA512
63876bc9151e3ba9cfdc3c019482ba5051ec96d8d6698e632619a6027b603d42ddfb789b403d93e9b4a8e0e39bb8d3363d078cd714d657bc584bfd37ce5b6a07

Download Submit
C:\Windows\SysWOW64\Ljkifn32.exe

Filesize
208KB

MD5
651e3ae647f48f8271b31950cbe18144

SHA1
d1520bee405f74e56fca1e06abbd57cfa1fc3eb4

SHA256
0e3e0c78be80e63c18abaa0fa8110d0100f524b6ad361e319a156fba84c547a8

SHA512
10c419aa718033b2ae16e3db4fb85260a9261d528792b02256fd4d6699f973a1e48a64528ecd2f9830275d026b52f08224bf68d422e4691c4f8d9152abf9aec0

Download Submit
C:\Windows\SysWOW64\Mjellmbp.exe

Filesize
208KB

MD5
fdc7447fe17bdb947e265a1e529ad1d3

SHA1
74ce7e482d95d84b46418a4d34fe4b1f8c7790e6

SHA256
fdea0356e114e4481b4ee1d7b8cdbb8d4845960a1b45b538ba9e496e361263ed

SHA512
61b38ed0aaf5f82cab6ef431b34aabf4664faf53d838acc0d51c6e6fc9d3e0b06349482698b21d97f5ae9e3b0b622baac9f861d09ab6b8fca6cd87fa49eb6d9a

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
208KB

MD5
e74522327a32cf904f6dc5c899c8f9c9

SHA1
49fbc1329faacae61b7487c9d706e1dfd85bad1a

SHA256
d019fa9ce257612e37314fd8fc8f87b80f1e08c8351ad6de2682be0e8ec3dd95

SHA512
a71a470500eb1c82118813bce1c6ad590b665b3ae42867afa35ec4954121c1564a4310a4723166486e4817285660ed926a29681924e5d7c85a2fdfbce50d6a7d

Download Submit
C:\Windows\SysWOW64\Mniallpq.exe

Filesize
208KB

MD5
cf7f1b9df6e8b1446b5f8c13f5e5f6e6

SHA1
6c297373903aded0a161b9223fb9e15795c5c38b

SHA256
39b12cf53c90f26be7e3ae0383074f5ee0c6b8dbb320e90e94e4c0aa4e7b60ab

SHA512
2a17af4f172ccfaadd96cc2b3cd21d7ba3a34728942a4fadbf9aba4c84d2141c75e1ce5fe54c04060ac49b1f5ed25cf774bb3d3653210550682afe5d46ef8a65

Download Submit
C:\Windows\SysWOW64\Mnlnbl32.exe

Filesize
208KB

MD5
7e7112beeecdc68d814db732b91a56f5

SHA1
3ec7726b288af09f19c8b630eb5d60b38467acbb

SHA256
00bed5df169cacdd76db0ffe867cae6baac1025e6684d3a82a807f53d8944ff5

SHA512
2f0fc8d28ebd10760b6863b4421f8c482b7c2eea92273e63954615fb58f7aa83405b8193557161dfd76be196b4246da1ae8578ed9f11e01bb187b25d812c0093

Download Submit
C:\Windows\SysWOW64\Mnnkgl32.exe

Filesize
208KB

MD5
7def5ad5b014015080a24c9e1ac11d75

SHA1
a6c1f36da5833028581e606b0de97f31bd05abc6

SHA256
c211e93f754c424064c818aea75bbc41ab8758a5058089b9d611d7b626ec9ffa

SHA512
e594c70ce12c72dbee82bcf1868570c1f48899dc8f3f1ca0c6e343b346eb2adb7715ce76caf9af7088aa4e2f05644c73b5ed0b493132c97cc26e7fff5422a65f

Download Submit
C:\Windows\SysWOW64\Nbcjnilj.exe

Filesize
208KB

MD5
e1132f6b03dc9e03a29057aca30896fb

SHA1
44e4311693ad0b42b31898bf343afaeee61f3cff

SHA256
917794a676821f89157103fbc3d6a2fe861416a224d6b2a27c31fdd86f39a316

SHA512
2a154560e64c4456cb621bb472eabfefba4e578a758cf2f468810d492927e3d6540cd5ee04f19d6798dc229c05863b26e9aaf1ab6377524f4517f0e24a6e6ef6

Download Submit
C:\Windows\SysWOW64\Niakfbpa.exe

Filesize
208KB

MD5
07dc0ef909a97019abdbd38b853c38c5

SHA1
5675f97a0ca493687abd8695174fbaf37d942b2c

SHA256
9a882478223c3ab97eb9c8d91e236b3bea930c83db85282c51565258a98e10f1

SHA512
49284a73382453b847e394b363f9c5095242d6795dc03ce2d12eaefc103522578b5599726e8faaa0dade6015c50023d1da39b73dcbed994d11210203facd7238

Download Submit
C:\Windows\SysWOW64\Njiegl32.exe

Filesize
208KB

MD5
3cf9b901057f05c586f9c5b18ab102c2

SHA1
a4e96c8eb8f246bd25892ad1a5c4bd4b0b577702

SHA256
bae3aea34c8808a7793cc9b7aaa7439269a5a6c408145cdef07c274bee836e00

SHA512
f70ee9aef207dbcf4c532dad2d803acf0d906c2d16ee8ba0cc2a1e362fc77ec3acb1186515ecfc49e3a55d6465020c30e5380493b9db7c3caf97780afb0f573d

Download Submit
C:\Windows\SysWOW64\Nknobkje.exe

Filesize
208KB

MD5
4b154d3630b375e76ef7d58ca20a33fc

SHA1
11cac67934fd869a161f69fa850d5b07543bff38

SHA256
fabf1041f78b88cdb771cd4e72f84a7fe6bcc6779bbc6f7c2fde8a0847cc5e2a

SHA512
ce916080f09a660b9ac001085fa2e87479b78b45582b29c1da37b9bc9f249e121707cb96d84321bd16a587bf0c13e8dac7f68e19c3d370e2b58e19a6e572cce6

Download Submit
C:\Windows\SysWOW64\Nobdbkhf.exe

Filesize
208KB

MD5
6fc6502a98cc887c7bee7bfc2dc32ffa

SHA1
c057a224adb70b2952c24bcaf31fda9cb11d6eec

SHA256
25d31ce396385c9d3aba5a6e1fa5e172a3001c8a8768e70a29f2b35901ea5620

SHA512
ccaa1dab1e55c81158e0cf099c9cd795f78517a2e9f852af988adb137de0bd61c8f90343d3f52cbfbe18c479b7bfb9e29d8ecd94bfae234b7398ba073197d1ac

Download Submit
C:\Windows\SysWOW64\Obafpg32.exe

Filesize
208KB

MD5
3dcde1bf0173b00ce0ed9c7fb1b30fad

SHA1
a0df807e0159de6589dbbd4da544edb83304ac78

SHA256
f7d31a8718a704943fd492fa258a9ef9ae4695fa1f46ac069dba917dfb89d6c6

SHA512
dcfe46edd0bc992d79a72ff5c089ce1b17ab03c9ad30200605bb546659954e6b6006cb291045d71c2973aba0213a450e2f2173e9453ef89c94a515a80244a944

Download Submit
C:\Windows\SysWOW64\Objpoh32.exe

Filesize
208KB

MD5
61b8670ea05d2d5a95ffa11b8ee9aac8

SHA1
f2c91dd138442dfc2899cbcb1a624a955972bc83

SHA256
d62cc67898fdebedc6e83ed14bca3ba968d60ca5ab2a2760bd119932172b22fb

SHA512
7f7e2a4f0d152221ae1424993cb70036a9ca028af54ea9fbdd121e857a3aa3e363c519b3e1a3658fd1af670781f5546b05ce594f26b9882d25fa7c1a72594f79

Download Submit
C:\Windows\SysWOW64\Oemefcap.exe

Filesize
208KB

MD5
55fee15a7d54e7bf1859aa0c7029622e

SHA1
617afe67b55e8fd1fcdcfdd406a6e2b5b253afca

SHA256
13868c0eb5e888795e8ff3c751c2928f99c21a0cd41e1433444cf33f767db1af

SHA512
a62ff55261b4b0db6fc820db4d69f6c647fe6aa95ffca5bf4b7a38ae35eb760f968b8b3e5665242e64273a5f0643238292b496081e4cc963c6dfd3f558633ee5

Download Submit
C:\Windows\SysWOW64\Ohiemobf.exe

Filesize
208KB

MD5
e246848c4f52ed39d66eec6a396c4ebf

SHA1
0e99061e9f71640cd7ee3f707d757e50f0390afe

SHA256
b75a22489617d4004fbc8a6f82b61792698e48451257b19e560f917e14a82dec

SHA512
5f7026f202169e5cc2f2873b0c52f8c69097316b94955d08c7de86665c5af55b917486d05815a165224187dd25b7772f05f76c49e5ce1783f1ab8a716f8a1a21

Download Submit
C:\Windows\SysWOW64\Ohnohn32.exe

Filesize
208KB

MD5
fdb0a59f6f8d7f6c3a0c0808d7f10170

SHA1
5f4f93dd8e1ed39b9c5dbae03f57e9a610c0f4e8

SHA256
092a03a88883609e96d52c5fd9c4d16d2dd8a4d29b2734460f7e3ec438a3aa81

SHA512
13fe193e3afb4016e647cae80a1ad609e30e25240c24f2e9b09544c2d32bc079c3b0ebdf0b2e1864dcdec7b209514aae0538c36c296e877a1bf2365550a156c8

Download Submit
C:\Windows\SysWOW64\Ohpkmn32.exe

Filesize
208KB

MD5
6cdf576a61b419e0dba9b4e05a9e0f66

SHA1
99b8388d594ba7a0a65478b2292108c33b8ca186

SHA256
7ac2ed8061b4e4cef99ec12b21d59ab6067bcaaf35325125190c90952645acff

SHA512
81b6ba3a139131bccc7f18abbef060f2987b8142b4a8398d867345b9d57894b9765253efb4209decdd5bb446ed2c17e8ff1cb1465b344970b1bd9d21ee3486fa

Download Submit
C:\Windows\SysWOW64\Ooqqdi32.exe

Filesize
208KB

MD5
e89dfb3f2aed65382990b9312cfc2c34

SHA1
4ecf4d035308306c65070ba0992b4752c1022b61

SHA256
17147065bf3fbd296acd058fa0abea9f626b9df5acea07f53432afb9b63a339e

SHA512
97847b27c3ea8e5d099c5982d28bfcf88a4d61e9a85505cbc8904df6d6bb24ea73649d431acfdf4da8868aea961d07fcbb1101d17d45618ffe9232b130210035

Download Submit
C:\Windows\SysWOW64\Papfgbmg.exe

Filesize
208KB

MD5
acd1ec2fb758f6608ba19072116da392

SHA1
bfce3f88498c3ce8b0341a3f1c09306272636305

SHA256
973a2679acf2d52a8539715b8aa830e88f3cf54d9844d87db0186303e81257b1

SHA512
d5509a3adac942f773b34e3abefc47164c031a5afa3658c6f2b13a3d6dbdfea6be6817f395de3a62c557558a9254935b2127557dec4f222381fc01d7788048cd

Download Submit
memory/212-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/216-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/384-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/724-420-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/848-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/928-408-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1120-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1192-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1440-186-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1480-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1536-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1552-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1600-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1704-194-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1772-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1788-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-164-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2316-170-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2320-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2456-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2504-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2784-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2804-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3008-202-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3048-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3124-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3224-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3436-384-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3652-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3748-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3860-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3896-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3932-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3984-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4004-74-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4076-130-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4136-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4140-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4328-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4508-146-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4524-258-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-282-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4644-138-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4652-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4792-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4808-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4952-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4980-178-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5072-210-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5088-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5108-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads