709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe
Size

483KB
MD5

152040190ccef1d0bb0074f6714a6965
SHA1

a3f1ea8ef73fd2680b06fae4670d0efaf3fdfc65
SHA256

709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf
SHA512

7f0dbf0333d0e984d0137056ae488a063dbbaa324994fe5de4c29d863d4f5c46da25a56dc99e4b416cae9076b642986d08ce22539cbe9c2e0abf502c02b0d8c3
SSDEEP

6144:5JzR/zZVVZU5CRVrtv35CPXbo92ynn8sbeWDJk4sNnVCj:vzRlVVzRFbet4OnV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ammnhilb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cidgdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keceoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llngbabj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blknpdho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbbkocid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpgbgpbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjaphgpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cplckbmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fflohaij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghghb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbncbpqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjffpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Infhebbh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jadgnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkknmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hahokfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejqldci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hccggl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijmhkchl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefphb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddiegbm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjodla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcnleb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe

Executes dropped EXE 64 IoCs

pid	Process
3780	Emanjldl.exe
5068	Fflohaij.exe
4960	Flkdfh32.exe
4772	Fmkqpkla.exe
1188	Gpnfge32.exe
1960	Gmafajfi.exe
4460	Gpelhd32.exe
3540	Gbeejp32.exe
2176	Hbjoeojc.exe
2304	Hpqldc32.exe
2252	Ibfnqmpf.exe
3860	Imnocf32.exe
3900	Lckiihok.exe
4056	Mjjkaabc.exe
3100	Mjodla32.exe
1352	Mqkiok32.exe
4232	Mjcngpjh.exe
2444	Nfjola32.exe
2644	Nfohgqlg.exe
4744	Ngndaccj.exe
2824	Npiiffqe.exe
1624	Omnjojpo.exe
1828	Ompfej32.exe
756	Ofhknodl.exe
1548	Oghghb32.exe
2308	Oaplqh32.exe
1776	Ojhpimhp.exe
1504	Ohlqcagj.exe
4448	Ppgegd32.exe
2172	Pmlfqh32.exe
856	Pdenmbkk.exe
2160	Pnkbkk32.exe
2284	Phcgcqab.exe
2976	Palklf32.exe
220	Phfcipoo.exe
1456	Ahmjjoig.exe
2096	Aaenbd32.exe
2168	Aknbkjfh.exe
2232	Aagkhd32.exe
1648	Ahaceo32.exe
1160	Aajhndkb.exe
1180	Amqhbe32.exe
4944	Amcehdod.exe
2716	Bpdnjple.exe
1772	Bdagpnbk.exe
2656	Bddcenpi.exe
4332	Bahdob32.exe
4464	Bgelgi32.exe
4724	Ckbemgcp.exe
4892	Coqncejg.exe
2108	Cocjiehd.exe
3656	Coegoe32.exe
2916	Dafppp32.exe
228	Dakikoom.exe
4392	Dkcndeen.exe
3452	Dndgfpbo.exe
2100	Enfckp32.exe
2240	Ekjded32.exe
2504	Edbiniff.exe
2044	Eqiibjlj.exe
2964	Ebifmm32.exe
1988	Enpfan32.exe
5076	Fooclapd.exe
932	Figgdg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mdkgabfn.dll	709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe
File created	C:\Windows\SysWOW64\Gpelhd32.exe	Gmafajfi.exe
File created	C:\Windows\SysWOW64\Bdocph32.exe	Bboffejp.exe
File created	C:\Windows\SysWOW64\Bllolf32.dll	Ohncdobq.exe
File created	C:\Windows\SysWOW64\Nhegig32.exe	Mhckcgpj.exe
File opened for modification	C:\Windows\SysWOW64\Jhhodg32.exe	Jnpjlajn.exe
File created	C:\Windows\SysWOW64\Mbdpdane.dll	Llpchaqg.exe
File created	C:\Windows\SysWOW64\Jogqlpde.exe	Jdalog32.exe
File created	C:\Windows\SysWOW64\Iocbnhog.dll	Mjodla32.exe
File opened for modification	C:\Windows\SysWOW64\Qamago32.exe	Ppnenlka.exe
File created	C:\Windows\SysWOW64\Ahaceo32.exe	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Infhebbh.exe	Iabglnco.exe
File created	C:\Windows\SysWOW64\Debaqh32.dll	Omcbkl32.exe
File opened for modification	C:\Windows\SysWOW64\Ohlqcagj.exe	Ojhpimhp.exe
File created	C:\Windows\SysWOW64\Amqhbe32.exe	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Lhlgjo32.dll	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Afappe32.exe	Amikgpcc.exe
File created	C:\Windows\SysWOW64\Fobkem32.dll	Apimodmh.exe
File created	C:\Windows\SysWOW64\Bgmioggn.dll	Emanjldl.exe
File created	C:\Windows\SysWOW64\Cgilho32.dll	Ecbeip32.exe
File created	C:\Windows\SysWOW64\Jnedgq32.exe	Jbncbpqd.exe
File created	C:\Windows\SysWOW64\Idbgcb32.dll	Dpgbgpbe.exe
File opened for modification	C:\Windows\SysWOW64\Mljmhflh.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Pjlcjf32.exe	Oqoefand.exe
File opened for modification	C:\Windows\SysWOW64\Dcibca32.exe	Daeifj32.exe
File created	C:\Windows\SysWOW64\Fdmaoahm.exe	Fjhmbihg.exe
File created	C:\Windows\SysWOW64\Jnpjlajn.exe	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Adnbpqkj.dll	Bpdnjple.exe
File created	C:\Windows\SysWOW64\Papambbb.dll	Enfckp32.exe
File created	C:\Windows\SysWOW64\Nnkoiaif.dll	Njljch32.exe
File opened for modification	C:\Windows\SysWOW64\Afhfaddk.exe	Ampaho32.exe
File created	C:\Windows\SysWOW64\Klbgfc32.exe	Kalcik32.exe
File created	C:\Windows\SysWOW64\Pofhbgmn.exe	Pbbgicnd.exe
File created	C:\Windows\SysWOW64\Lfdqcn32.dll	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Mapppn32.exe	Llcghg32.exe
File created	C:\Windows\SysWOW64\Hlcfmhdo.dll	Hegmlnbp.exe
File created	C:\Windows\SysWOW64\Pnkbkk32.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Bddcenpi.exe	Bdagpnbk.exe
File opened for modification	C:\Windows\SysWOW64\Jhplpl32.exe	Jadgnb32.exe
File opened for modification	C:\Windows\SysWOW64\Mbdiknlb.exe	Mcoljagj.exe
File created	C:\Windows\SysWOW64\Ghcfpl32.dll	Mhckcgpj.exe
File created	C:\Windows\SysWOW64\Apimodmh.exe	Apgqie32.exe
File created	C:\Windows\SysWOW64\Mjdmlonn.dll	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Mjcngpjh.exe	Mqkiok32.exe
File created	C:\Windows\SysWOW64\Enpfan32.exe	Ebifmm32.exe
File created	C:\Windows\SysWOW64\Iahgad32.exe	Hldiinke.exe
File opened for modification	C:\Windows\SysWOW64\Djgdkk32.exe	Djegekil.exe
File created	C:\Windows\SysWOW64\Eclbio32.dll	Ekqckmfb.exe
File opened for modification	C:\Windows\SysWOW64\Fdmaoahm.exe	Fjhmbihg.exe
File created	C:\Windows\SysWOW64\Omnjojpo.exe	Npiiffqe.exe
File created	C:\Windows\SysWOW64\Gpdkpe32.dll	Lehhqg32.exe
File created	C:\Windows\SysWOW64\Mlemcq32.exe	Mkepineo.exe
File created	C:\Windows\SysWOW64\Qikbaaml.exe	Qjffpe32.exe
File created	C:\Windows\SysWOW64\Hkcbnh32.exe	Hannao32.exe
File opened for modification	C:\Windows\SysWOW64\Pdenmbkk.exe	Pmlfqh32.exe
File opened for modification	C:\Windows\SysWOW64\Ijmhkchl.exe	Infhebbh.exe
File created	C:\Windows\SysWOW64\Anbgamkp.dll	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Pecpknke.exe	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Ccegac32.dll	Ghojbq32.exe
File created	C:\Windows\SysWOW64\Ibjqaf32.exe	Iefphb32.exe
File created	C:\Windows\SysWOW64\Mbdiknlb.exe	Mcoljagj.exe
File created	C:\Windows\SysWOW64\Jdalog32.exe	Jnedgq32.exe
File created	C:\Windows\SysWOW64\Dkheoa32.dll	Memalfcb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8856	8740	WerFault.exe	367

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amikgpcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipekmlhg.dll"	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaeocdd.dll"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiagoigj.dll"	Cidgdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jadgnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbcignbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdlhgpag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nofoki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofbdncaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkqjp32.dll"	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkgabfn.dll"	709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhpfk32.dll"	Djgdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkefmjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iefphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll"	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll"	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll"	Nfnamjhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piifjomf.dll"	Blknpdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qikbaaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paajfjdm.dll"	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdkapdh.dll"	Mkepineo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Peempn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lckiihok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifomef32.dll"	Ompfej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obkahddl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fflohaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejqldci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcfmhdo.dll"	Hegmlnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blnjecfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkcbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhplpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnijfj32.dll"	Ebifmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkphhg32.dll"	Glfmgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpchk32.dll"	Jadgnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miiepfpf.dll"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Palklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbbkocid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofhknodl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 3780	864	709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe	89
PID 864 wrote to memory of 3780	864	709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe	89
PID 864 wrote to memory of 3780	864	709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe	89
PID 3780 wrote to memory of 5068	3780	Emanjldl.exe	90
PID 3780 wrote to memory of 5068	3780	Emanjldl.exe	90
PID 3780 wrote to memory of 5068	3780	Emanjldl.exe	90
PID 5068 wrote to memory of 4960	5068	Fflohaij.exe	91
PID 5068 wrote to memory of 4960	5068	Fflohaij.exe	91
PID 5068 wrote to memory of 4960	5068	Fflohaij.exe	91
PID 4960 wrote to memory of 4772	4960	Flkdfh32.exe	92
PID 4960 wrote to memory of 4772	4960	Flkdfh32.exe	92
PID 4960 wrote to memory of 4772	4960	Flkdfh32.exe	92
PID 4772 wrote to memory of 1188	4772	Fmkqpkla.exe	93
PID 4772 wrote to memory of 1188	4772	Fmkqpkla.exe	93
PID 4772 wrote to memory of 1188	4772	Fmkqpkla.exe	93
PID 1188 wrote to memory of 1960	1188	Gpnfge32.exe	94
PID 1188 wrote to memory of 1960	1188	Gpnfge32.exe	94
PID 1188 wrote to memory of 1960	1188	Gpnfge32.exe	94
PID 1960 wrote to memory of 4460	1960	Gmafajfi.exe	95
PID 1960 wrote to memory of 4460	1960	Gmafajfi.exe	95
PID 1960 wrote to memory of 4460	1960	Gmafajfi.exe	95
PID 4460 wrote to memory of 3540	4460	Gpelhd32.exe	96
PID 4460 wrote to memory of 3540	4460	Gpelhd32.exe	96
PID 4460 wrote to memory of 3540	4460	Gpelhd32.exe	96
PID 3540 wrote to memory of 2176	3540	Gbeejp32.exe	97
PID 3540 wrote to memory of 2176	3540	Gbeejp32.exe	97
PID 3540 wrote to memory of 2176	3540	Gbeejp32.exe	97
PID 2176 wrote to memory of 2304	2176	Hbjoeojc.exe	98
PID 2176 wrote to memory of 2304	2176	Hbjoeojc.exe	98
PID 2176 wrote to memory of 2304	2176	Hbjoeojc.exe	98
PID 2304 wrote to memory of 2252	2304	Hpqldc32.exe	99
PID 2304 wrote to memory of 2252	2304	Hpqldc32.exe	99
PID 2304 wrote to memory of 2252	2304	Hpqldc32.exe	99
PID 2252 wrote to memory of 3860	2252	Ibfnqmpf.exe	100
PID 2252 wrote to memory of 3860	2252	Ibfnqmpf.exe	100
PID 2252 wrote to memory of 3860	2252	Ibfnqmpf.exe	100
PID 3860 wrote to memory of 3900	3860	Imnocf32.exe	101
PID 3860 wrote to memory of 3900	3860	Imnocf32.exe	101
PID 3860 wrote to memory of 3900	3860	Imnocf32.exe	101
PID 3900 wrote to memory of 4056	3900	Lckiihok.exe	102
PID 3900 wrote to memory of 4056	3900	Lckiihok.exe	102
PID 3900 wrote to memory of 4056	3900	Lckiihok.exe	102
PID 4056 wrote to memory of 3100	4056	Mjjkaabc.exe	103
PID 4056 wrote to memory of 3100	4056	Mjjkaabc.exe	103
PID 4056 wrote to memory of 3100	4056	Mjjkaabc.exe	103
PID 3100 wrote to memory of 1352	3100	Mjodla32.exe	104
PID 3100 wrote to memory of 1352	3100	Mjodla32.exe	104
PID 3100 wrote to memory of 1352	3100	Mjodla32.exe	104
PID 1352 wrote to memory of 4232	1352	Mqkiok32.exe	105
PID 1352 wrote to memory of 4232	1352	Mqkiok32.exe	105
PID 1352 wrote to memory of 4232	1352	Mqkiok32.exe	105
PID 4232 wrote to memory of 2444	4232	Mjcngpjh.exe	106
PID 4232 wrote to memory of 2444	4232	Mjcngpjh.exe	106
PID 4232 wrote to memory of 2444	4232	Mjcngpjh.exe	106
PID 2444 wrote to memory of 2644	2444	Nfjola32.exe	107
PID 2444 wrote to memory of 2644	2444	Nfjola32.exe	107
PID 2444 wrote to memory of 2644	2444	Nfjola32.exe	107
PID 2644 wrote to memory of 4744	2644	Nfohgqlg.exe	108
PID 2644 wrote to memory of 4744	2644	Nfohgqlg.exe	108
PID 2644 wrote to memory of 4744	2644	Nfohgqlg.exe	108
PID 4744 wrote to memory of 2824	4744	Ngndaccj.exe	109
PID 4744 wrote to memory of 2824	4744	Ngndaccj.exe	109
PID 4744 wrote to memory of 2824	4744	Ngndaccj.exe	109
PID 2824 wrote to memory of 1624	2824	Npiiffqe.exe	110

C:\Users\Admin\AppData\Local\Temp\709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe
"C:\Users\Admin\AppData\Local\Temp\709b1676668000eeb8f96fa8e826ea777e2bc6b57dfcd363efc7b5b2609771cf.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\Emanjldl.exe
  C:\Windows\system32\Emanjldl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\Fflohaij.exe
    C:\Windows\system32\Fflohaij.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\SysWOW64\Flkdfh32.exe
      C:\Windows\system32\Flkdfh32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4772
      - C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        23⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        27⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        29⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:856
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        36⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        37⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        38⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        39⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        41⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        43⤵
        Executes dropped EXE
        
        PID:1180
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        44⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        47⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        48⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        51⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        52⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        53⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        54⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        55⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        56⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        57⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Enfckp32.exe
        
        C:\Windows\system32\Enfckp32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        59⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        60⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        61⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        63⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        64⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        65⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\Fijdjfdb.exe
        
        C:\Windows\system32\Fijdjfdb.exe
        66⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        67⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        68⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        69⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        70⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        71⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        72⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        73⤵
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        74⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        75⤵
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4660
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        77⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        78⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3180
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        80⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        83⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        85⤵
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        86⤵
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        87⤵
        
        PID:724
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        88⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        90⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        92⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        93⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        95⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        96⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        97⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        99⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        101⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        102⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        103⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        104⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        105⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        108⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        109⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        110⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        111⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        114⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        116⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        117⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        118⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        120⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        121⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        122⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        123⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        124⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        126⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        129⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        130⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        131⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        134⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        136⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        138⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        139⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        141⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        142⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        143⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        145⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        147⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        148⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        149⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        150⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        151⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6184
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        153⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        154⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        155⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        156⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        158⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        159⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        160⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        162⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        163⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        165⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        166⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        168⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6964
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        170⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        171⤵
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Gqpapacd.exe
        
        C:\Windows\system32\Gqpapacd.exe
        172⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Gkefmjcj.exe
        
        C:\Windows\system32\Gkefmjcj.exe
        173⤵
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Gqbneq32.exe
        
        C:\Windows\system32\Gqbneq32.exe
        174⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6316
        
        C:\Windows\SysWOW64\Hnhkdd32.exe
        
        C:\Windows\system32\Hnhkdd32.exe
        177⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        178⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Heepfn32.exe
        
        C:\Windows\system32\Heepfn32.exe
        179⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Hegmlnbp.exe
        
        C:\Windows\system32\Hegmlnbp.exe
        180⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        182⤵
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        183⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        184⤵
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7056
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        187⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        188⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        189⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        191⤵
        Drops file in System32 directory
        
        PID:6436
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        192⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6644
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        195⤵
        Drops file in System32 directory
        
        PID:6948
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7016
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7136
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6240
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6476
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6612
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6920
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        202⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        203⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6724
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        205⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        207⤵
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        208⤵
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        209⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7172
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7224
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        212⤵
        Drops file in System32 directory
        
        PID:7276
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        213⤵
        Drops file in System32 directory
        
        PID:7316
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        214⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        215⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Memalfcb.exe
        
        C:\Windows\system32\Memalfcb.exe
        216⤵
        Drops file in System32 directory
        
        PID:7464
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7516
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        218⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        219⤵
        Modifies registry class
        
        PID:7620
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        220⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        221⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        222⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        223⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        224⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        225⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        226⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        227⤵
        Modifies registry class
        
        PID:8004
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        228⤵
        Drops file in System32 directory
        
        PID:8064
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        229⤵
        Modifies registry class
        
        PID:8128
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        230⤵
        Modifies registry class
        
        PID:8180
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7272
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        232⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        233⤵
        Modifies registry class
        
        PID:7424
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        234⤵
        Drops file in System32 directory
        
        PID:7496
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        235⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        236⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7636
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        237⤵
        Drops file in System32 directory
        
        PID:7712
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        238⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        239⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7968
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        241⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        242⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        243⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        244⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        245⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7596
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        247⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7856
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        249⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        250⤵
        Drops file in System32 directory
        
        PID:8112
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7264
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        252⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7720
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        254⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        255⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        256⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Bcnleb32.exe
        
        C:\Windows\system32\Bcnleb32.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7612
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7216
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        260⤵
        Modifies registry class
        
        PID:7332
        
        C:\Windows\SysWOW64\Blnjecfl.exe
        
        C:\Windows\system32\Blnjecfl.exe
        261⤵
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        262⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8220
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8272
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        265⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        266⤵
        Modifies registry class
        
        PID:8380
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8420
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        268⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        269⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8568
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        271⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        272⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        273⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8700
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        274⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8740 -s 400
        275⤵
        Program crash
        
        PID:8856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8740 -ip 8740
1⤵
PID:8816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:7988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apgqie32.exe

Filesize
483KB

MD5
81b2f5199b0228dc0af2d34c72df4c6a

SHA1
0c3ca1b6769da9b1a6a3991f957802b4efcfd4a1

SHA256
ccd4a126d7363ad7a2b6554c4a208557a5ae817f29843c00259f4d6c2bd3115c

SHA512
152c8f8a352c0630dcc0e87a2c533e636529377105e7e745550b73d64313326cd7d5d895ec4042509d5916ff13d6201e7bb6b7502bc84c8ba64f770bd3d41860

Download Submit
C:\Windows\SysWOW64\Bboffejp.exe

Filesize
483KB

MD5
f11873fd26b6d27a519bfa7854ba6505

SHA1
b5c494fadc40211c40d65628ca4a01c9904d1452

SHA256
5659b30c3215c2385aa41f668212a78279e56cde43c57665d4f7d46a79b289af

SHA512
98fb5e40dadc4b526ef02e7318a3d1870c6e408a274c99b07a87f6cfb07dbf667a9d06de9beac486890918a84cd3c78085b5e4cec7c68e67c910734a5fce3302

Download Submit
C:\Windows\SysWOW64\Cdjlap32.exe

Filesize
483KB

MD5
cef8800befbb96589a4faeaa53ef5b6d

SHA1
bc782b2927a64393cf058b679b28caddc588f767

SHA256
3bfae611c8ef152be371de230a8f3e4b8f98ee5f5fecd0ff1d9d307df62f5136

SHA512
d8c2fb1f6aafaa8c40ed1dd8d904c39cbd27741bad234d881d41b1624021aa7f8ddb9dc2259138fa3c602f1010ba042eaa4a106066f6edda1530e3c5072c5b30

Download Submit
C:\Windows\SysWOW64\Cdlhgpag.exe

Filesize
128KB

MD5
4c0e38fd2fe0b3b3c7258391fbb0cd2f

SHA1
efd2f3ac6df1f6796c7ff3b41486a4631d3fea52

SHA256
bf1328eb7837cf66b9cb53401c58129fbeea4f91d09186ae6811eefe70322c8d

SHA512
62331a8141b79ed1f09a98dd3943eb138436787770852dd0750fe6476b075e1e563c621f1b43506d945dd9aa92d8344738b2ea1281b86191d0b6d87c4cc9d3c7

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
483KB

MD5
8f981f3436dc0ca33c36808c3a9b13c3

SHA1
40a02b5df724382fc6e4bcac2b15a983ae77eb7d

SHA256
f8c5f763fa1f1fea27eb22e256204e611ed5a943fdd5d0c34f14c56b4e5ec35b

SHA512
8c182e4607a05c1ac080f74c51bda6e77bb6c89679eac0ea4f384380efd0fdda5677efd27a0778fdfa7f90e8d3de9a0aded05c6e620080db2b4c596bcef55232

Download Submit
C:\Windows\SysWOW64\Dafppp32.exe

Filesize
483KB

MD5
0f225fc96b23189d791dc4f853115a8d

SHA1
4013b501ef79f732ba4372208a790464e50c2414

SHA256
0ac8d79899319eb53617828f6d2ec041ed3d88bc65ba75fd9c3e0c5a63c93fce

SHA512
6579a5888418bcb7e66c60095bd6e93b182608b73c57bad5766c5ab1345ddd702117a7da331d17581e97b7a18508952ed17b7cb5524d89eac5fefe61c334ec74

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
483KB

MD5
0006f388fc18db47c94f54f75a9d3cdb

SHA1
da508f7f32b7c13a7b3ab236862ae57db2db1f73

SHA256
d237d228e0a3c2995d2c356e4e5817b1b39def91b3daa15250116cc1ed2a1290

SHA512
b1aabaf114dd5f815e48d3a7285100a4a94df3acd82fafce3ad3df9bab53c21b9794919b67ea2d9d97e1530b92a469e6fd912583a4dc7d410a2cfcaa7f8c3820

Download Submit
C:\Windows\SysWOW64\Emanjldl.exe

Filesize
483KB

MD5
d35953c032271ea1e96c9f4ab27a1268

SHA1
7e41a31980c0a544b689b7891bb97f859b7cbc43

SHA256
6dbc661fdb148dfc1cc18f86d397297bc82b9bd0dd9e4480c396b8068aaef14a

SHA512
a7257eae3135228346391e6a1ada3779052831f2ae867c44aa387489f352d824a7391060d76940832035f9058df0d4caf08416a88629feb8591b9ae58dfd7e1c

Download Submit
C:\Windows\SysWOW64\Fflohaij.exe

Filesize
483KB

MD5
6ee9ffa6bf71a6a7d4ca74fe4ec87007

SHA1
fe208b1b3224f9ce99443cf0cf87c45816a842d5

SHA256
35b5f74a0ac593c376e861c68341d5aac757d3b4cdc72e543a632e97cfa9c003

SHA512
8577930a834d3b664018f6e69bcc85d8ac7819a3f7a19e01da70e964e407faf315d10845730014befe4be19edcede29900649b28f7c3ec9cc6f73329f33a35ed

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
483KB

MD5
d6c54cc8563e1b75c4be597eff036cc5

SHA1
d3d4ed81830c79c1c5af238e3a62dcd2ffce2ee1

SHA256
4a7f3b007efc66c164dbbb8bbcd7cd4e41e10ed98dc6d7a79ddc0a3d9edc70b7

SHA512
3c334eff258a4cc36f671b202b4df9dc23ffab7725010180c7c519ef95b31e0d2b82a55818024af9768fdf0ba84342fc9e80a08fc95ed6d28fc7742cf0ec56d1

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe

Filesize
483KB

MD5
d34a36aea77aab6acdd88d2d15b97667

SHA1
edaeae58747fd85b35c2048ca7b692d194041156

SHA256
4aae66f1b23f8391e8bd1b20bba2000df083e6b395087856cc0e60ec372344b6

SHA512
df38c609c4611684098514465bc27581c3f24dcc7b478f8cb47a99052b7c431e07f5f474914d5d3c346d3602375c5c3a115655b51648fdb1e90e44887ba81902

Download Submit
C:\Windows\SysWOW64\Fnhbmgmk.exe

Filesize
483KB

MD5
2a4db346ca1c87928608196b0c6f8da3

SHA1
f31fafe7b1913f1b39f065d46f97e299f2f6191f

SHA256
c205094d58dd2b855d4f993e58a7822bd0f5a942a08dcc2046fc46f6f4497239

SHA512
367ece83b99de40e3d9e8b90beb19ef038cf6b73392173667d4460fab5b6368a6d6e6d7dccd7d5a9afc0c3a3128d20e27505848b0c824713c8841d5a0241487b

Download Submit
C:\Windows\SysWOW64\Fniihmpf.exe

Filesize
483KB

MD5
715d9a4be39fe2b8032759724fa4cf93

SHA1
eef416bb746fd973a29baebf79ed20bfc84e0176

SHA256
0828e7861495b7ddd0d4606199e6b39fae7246c926880b94129f984f119867a6

SHA512
8ab059b295c8329a62dfd1a06d360c78af43df1eeedb4d019352874d9f9738cb90edeae91788c98b08bc1ed5582805ee97c76dfeeaee624784f28784419c6996

Download Submit
C:\Windows\SysWOW64\Ganldgib.exe

Filesize
483KB

MD5
c52b5e13241dee10a1bf9c35f499b69e

SHA1
3cf28b8a408ce313dc430709e6640256d4b15410

SHA256
e272bffcc462966093dad8e5f80521e23cf7132ee8546891b2d8f397ceadd33f

SHA512
8fa2779ffac3dc69a0c06437a326e92b65374302c51f987d0d803bb60e782e9d9310b23e5724e356425f9ec391983c713e06de2796bfac4eb002e80e49574169

Download Submit
C:\Windows\SysWOW64\Gbeejp32.exe

Filesize
483KB

MD5
3ec5ce54d537855f3da04e412f6af093

SHA1
95caa1f36b9d90fa89fb6cd35c9bd64407e75af2

SHA256
e2e134eb4131d599be24ba4db528f47dd98fc5b15d074929029901903c96a0d4

SHA512
4478fd2099bcc63b1b7b2864278bf4be833efb47523a931f1607c31389068844e5917a7ad29ed7b8d4c4ceaebb49e35d66c98c17e8d78a2e98ef2bd461927f79

Download Submit
C:\Windows\SysWOW64\Gmafajfi.exe

Filesize
483KB

MD5
59bffb166e9af5846ff8de5e5acbb8f3

SHA1
a2ba8080f2ced459558d1d052b9f1b5605f59a73

SHA256
39414339f2aebbdeae67362a87f7a57f8228e2e0c610c0c722a09d8b8f1bb8e6

SHA512
a048f50bcf9b154a9d37d43081f5e38c65e1694da18b032e57f29315bb250ac85ac5e3f101913ae01cb48332680b5082c5743e3e98c7890338cd333b03f26e75

Download Submit
C:\Windows\SysWOW64\Gpelhd32.exe

Filesize
483KB

MD5
23c4dcbfb1fb68361b6d81ea1f61fe76

SHA1
1becfb3a1fcadca23d6761aff65fe47771d9834f

SHA256
f504ea09c46e298b3f86de93874f14a1fa25b08df2898df60295b45543bc76fe

SHA512
f8938060182fcbcb8d0036cbfee513cc0c40ab740075950c463f5aabe76f304c8374e8a9860a9dcbae3cd619aa173d77ec1ab168153f44fd53a9f2373e700522

Download Submit
C:\Windows\SysWOW64\Gpnfge32.exe

Filesize
483KB

MD5
30a5e1ec06bbc6457f6ec948de1d8c42

SHA1
43803157bf0d08bf6635b52390c9ca35f13568a6

SHA256
da3a5502945251a3d32b4d6f83e8cab5d81d4b1b45dd845460f47baff79a7271

SHA512
3cf5117cc32c8945a65edb08260015400536f302532eb8b0a2b7163bca8db6353e8a0a007faf72d81cacff167311d79edd6dfee3a955f74c03aa79864b246675

Download Submit
C:\Windows\SysWOW64\Hbjoeojc.exe

Filesize
483KB

MD5
653541c7c88de2e612f67c5f6778ce44

SHA1
824c52c4e295d445e9180262116c094330ecd7bc

SHA256
9748a005975f42ae511fad8e9436bca2f56a3e04e7f9c8b09d06713f0f248b6e

SHA512
bb279d656660f7565e64e698505187945a2a7817b95d658a910d2c620c6ba2fe5c2661e1fbc230d62dedfafefd1f4f131fe515de926c1328f3e61c5d36cdfa4a

Download Submit
C:\Windows\SysWOW64\Hpqldc32.exe

Filesize
483KB

MD5
97efd79644e1d1f3001a90f1da666248

SHA1
55161ddcce2303710f09dddc9f7af41b425ceab5

SHA256
0fa5043ed9a51b596856ce87afb82f5650f963c0cbc81fb9f8356931c6ed1662

SHA512
ad86198b91a6c6a4eab5008fce09b68bce1e6b31b1dffb442d4cae1fad7f968f3f77ed6bebb740f4da56db7463e95535c6ea4ccb4b2f8e301f8b506d38acfbb4

Download Submit
C:\Windows\SysWOW64\Ibfnqmpf.exe

Filesize
483KB

MD5
1dc1ca84a54bc422b70235bcf1482919

SHA1
681d035c1e23f001b90212407c0719cf93ccd31d

SHA256
50204d31b870258a3b272aed8667a85289bc5815ed44890f573b902b44961368

SHA512
5b778a62190ac1fa0046d1a8d96cb698b010388ff6298e4f245a4257212c4bfceb1aedd97f2ad21fa60878ac4527ae0194d562e6f56dfa08d43c8a40189921c7

Download Submit
C:\Windows\SysWOW64\Imnocf32.exe

Filesize
483KB

MD5
827cfe86e21f54fbe09cf207ce0bbded

SHA1
8a6086a8a1ae95d9ac86589ae6433e29b10d6fd6

SHA256
cd683f7c20da91906bbfd0055dfe7e9145689181e94f23bb452d6f6ce73fc1cc

SHA512
19557a2c35d204458e8f1ff637fe4b6162faaab9491e17133410349bc3010d11fd93da7a809d0783bf9259d0c02ce44e2c511f3cd903a09f09efafc065780d22

Download Submit
C:\Windows\SysWOW64\Jadgnb32.exe

Filesize
483KB

MD5
5fe784f6c37a2652995e64be9b258e50

SHA1
f80efb29b6743cd16e015ce1123697d45e4ff264

SHA256
2dcee48a66407bf16f5689196abb5aa553377b8cb6a0ce0b1094938181e09e05

SHA512
60920549b6b9f4fe45f49315a2af660892553f4c4e5d64834a43d17e918f64ec30008f9e4cb1553d60c60541e30fab10214d8254e0e07d7b8dfe7a153bcd678f

Download Submit
C:\Windows\SysWOW64\Jddiegbm.exe

Filesize
483KB

MD5
56c4769f96117f08efab0613b23cc7a8

SHA1
9b0945e9c4b1629c0b042abf12f59127d0cd1298

SHA256
a5f0e6309b1e1f61f0821c8774fcc61518d8e6c838cd4948658176518d82b498

SHA512
814dab9d3b33d214928ec0fb4ed8c5bedd896dbee450ae726b6c9e43d8b8adb18efddd8261d3e94e03da73e47d2305c30e3efe1aba5f171f69155125a4239c67

Download Submit
C:\Windows\SysWOW64\Khlklj32.exe

Filesize
64KB

MD5
e7ccd5d9d53029f3122a50004bfc46c3

SHA1
f044c260b01505bf5d55ee73838fa05e2c034229

SHA256
bb7f503ad1c3333419d95d461513e29b15a2e920176f09c3960944b63297350c

SHA512
47724c54a7fd955d1abff7723566befdd01e0601eba23606a38098a7dc7b7a5f090c0bc690aec444cabdefb64ebd89cc04c4d8d877f51b2a0205f946c75dce12

Download Submit
C:\Windows\SysWOW64\Kkgdhp32.exe

Filesize
483KB

MD5
ba30c95de2ee054f86baf52f9c04b6ba

SHA1
05929998720369b1bf6faa22f033ffd63e7f4b23

SHA256
5e5497c64ed1d04933e756a674691a2c52353ce386b1d0a9f4d613ff8b839f62

SHA512
8f522b69f74f639f5197248b14dd500df23a07a2890b94dd5adb8581535fa8d1689ce9f4dabf179f487c7abc6bf629737976b80468a4b549c4fce1813310fda8

Download Submit
C:\Windows\SysWOW64\Lckiihok.exe

Filesize
483KB

MD5
8b6ddb9782a460713db8150e1fbea832

SHA1
ce7c22c95f80eadefcc4a018d540d11397e04ead

SHA256
be0f2f9a44a60ee125ce9e192145f9ff268a5a26a201d0d07996d7add96469a1

SHA512
f23b7ebcbe0f1f374aa210b29725a6b8af2dc31d92fc487cdd8e7460b7ddd401415f78e89738717f20092932c7c7fbd4121e89e13a751aaa0e2f8316c99843bc

Download Submit
C:\Windows\SysWOW64\Lhnhajba.exe

Filesize
483KB

MD5
f32bb0db4f2e45d644612f675f1f3b68

SHA1
f525c29baf420bbc69276df831bb8bf2b840f6ed

SHA256
723ab5b5381fdd456b1bbb70f794387c7ea27fc77fce3ff8dfd02a415dfecb71

SHA512
b2077c7fb55126751ae1f9b0673b732558a26ab98ecd9ca7bef4ad8d3799b1a28545341794b092e4dcb8ce3d8b4828537d9016f29e1d9a68829bfc9667ec5a05

Download Submit
C:\Windows\SysWOW64\Lojmcdgl.exe

Filesize
483KB

MD5
46398bb505b14108762517768e406115

SHA1
3dcb5376fa3ea9f0bd62009289bbf2335fb5dc87

SHA256
d94bd76e263a805b056dec560ff75a7a10c9225b084d2f803f626a99113d6add

SHA512
03459245c86a3849af847804bd52bd711cc1e35260bdfdeee1b33024758fabf4c93f4f2791f650f3bcb18cbb833a0c31756913a9abdfa63b912ba217fbafe845

Download Submit
C:\Windows\SysWOW64\Mcoljagj.exe

Filesize
483KB

MD5
c1c0dcf627373a715628f5cf3bc606e8

SHA1
42764ce3ac7ba7736bdadedababa20dde5bc9e0f

SHA256
934fd07b5c8e26d7d8ce5acd0c3c6e3a6746831ab2bc3011e501bc522d7d7914

SHA512
25bbebade32d7a9d4c876d1012d551b216482465f6ee14bdba5a66034414d119ecccd077392d10390d1282461f21ad7c8e8468ab532b032a933eb65d5d88dfc2

Download Submit
C:\Windows\SysWOW64\Mjcngpjh.exe

Filesize
483KB

MD5
833283835956f629516023b29d0eabdf

SHA1
30c2ab1fb4ca47656c790c8e8d4797a349037ae3

SHA256
bcb46e0231f3da545b962c4e46fd3f9f7116103bba938c10b158be73ff9b1782

SHA512
c84d940a7024ca4f7cf5bf6ea96d7153a76a448d5d17bd156d9720b99af6b2d1ab851e8d1d13fa21cd5a99c6a90f9cef72f448ef205604d96234eebc22d2976d

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
483KB

MD5
0c11e8d4c9814c8aa0407163e076b789

SHA1
450307121c4c37681b6da702744ceb9e1b79383d

SHA256
e22599bd9fb5584c850199f1577619ea11d21d180e1679597a39521577b9c666

SHA512
08e5e28aaa09824f75974821699ea0a7614003a7cb3c03ff4b4dc53fe533edafbd56dd7f8ba3dbc3c68a57a66cd9c6d185bc51d770dd48a594e080e52ba51e1f

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
483KB

MD5
396ea04ae223439c9a27ddf701214f56

SHA1
de2e5db4cb60100cf54b71a800bba8bfaffd0ff3

SHA256
0d41374dcb770f183498f9bfc34187b06960ac7cf22d83189886c46a02aee24b

SHA512
5909d5206d9b6ccf2c4237b79553f198623e2c1aabbd7959bd8af50fd2b1b353f53af98520e2c91715e1ee17be24554c22796a52cd2d4297ab055a1ed9b8a1f8

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
483KB

MD5
0cb2ed18e7408576990285268d57bdf8

SHA1
aadc9d8e49bcb4dc78aa2ae3f51cb941207e3993

SHA256
896183bbcfd2242f6967c87a5a3f7add50b640cdc5a578cb24226d4a4ca59896

SHA512
f916a4e43c213f0c094a33870736a136d28ed47761e9e3e3b2e24ba7c51d82d1ea60e978c4ce22e5d468c18e9a458382911b5996957dd89df90c5cc44fef26ac

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe

Filesize
483KB

MD5
c6d8f2006aa25e76879e46c0fd1b0b63

SHA1
5f85bb0b4f41e6796d0be9dddaba2627a0a6a5bc

SHA256
7f8a30a1cbd51ee9dd62114618bb1edb951402629ff62e21b3924950a318e93b

SHA512
24c5700735656b5fdcc9e85eb1b43bed0a40ae67370403353066b96eda6a5cb7c46df7be086d77a3bd8ecc19a857a1c506bc8bbe47568136f0964bcf79d1f974

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
483KB

MD5
1e04a8babdc8652862f76e14371f203d

SHA1
bb5b9133e7eb37f96730fd9a6f617c4f9ffe2eb9

SHA256
84d22038bcd51d26c64808ce604e9e535e512783b3db096337497b8733f00a5a

SHA512
02dfe5f008ce45cd9cadd70541f9638ea0aac18378bbe098a32dbe5327f47a8774dc8a738507945e2c33250b5276d435b6e4340cbb13c82d6b7b0104583b6a2d

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
483KB

MD5
ebc30d1ad275206a732399743d852467

SHA1
55ef8ac8c67474f614e7dcf62c7acc6e63834bfe

SHA256
3d0a4a9bf5b3322eb6b3d05e6fb40b0cdc054411a13141d681ac4ff09b1610cc

SHA512
78e3af3c44b04cb773acf648c782a7cfb064e71582d9dcb50b46b433803fa6cb5e844604a9897d12f5bfffd1c8245d293aab92110acfee50ff0838e9c99f8f98

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
483KB

MD5
d639fa9674aba277fe68607243a0b759

SHA1
17e31d9a57241dceb9ecf3d549155ba3e9353821

SHA256
39e7cea717a18ec1e7f92a216557d77326e6753b456c9af4dfbaa1438ec3019a

SHA512
b998cfd55c093ebab181515e50fe9a1f7c1daaaa9f710fb6915b4a8bca78c79ac3868d7eda534909e8bba5b24a13c30088ce08ed6b118fd0245ff3a0a9ad06e7

Download Submit
C:\Windows\SysWOW64\Nkapelka.exe

Filesize
483KB

MD5
cf32d22a7c13f49ffb644ee53f8c39b1

SHA1
205a01e0fb8b6d2e428b4be651643c22568ddbd9

SHA256
9f2dbe62e25f0670db9fe0d7d2f3b5b8a3a825de2f6c68b9b8020652f75cb84d

SHA512
1798758131fdb26f881e522798fd6d095844d07ae181703567d0454b3e7322929bf626035b4326c5b8cdeb6194b9c0fe78a0330e6e3245b14586a2489c50fc8c

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
483KB

MD5
dd7c182da6a2327007c05f5db3a75ed0

SHA1
0177bbd4c32ad22d098e937c5afb735cffaa194f

SHA256
5adb1ca29c962727acd39e94fd4bc02a337bd7c495c1941f52f2ee28ddc8d750

SHA512
165f569ef98a61860bf837d596f6c87a3c9abbd46c3071bdaa21689ce3b7396f6b5c41f932a2f74e1d3e2bfdec7e2ebb86f48513e32a0bf90b3a10ef4c810339

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
483KB

MD5
877adaa670b41ce2ba22714ab8c9a2a0

SHA1
be9a8019f53c14a4fe95d4fbcefd1f45d71cf49a

SHA256
c60f931e46b7afd7b5dc350fc6bbd7b3037cfd4cf70d1b9421487ce1299cd544

SHA512
ee2a10af68533e13b442b53e1de8ad7caeaecc58d90578e385e09981dd23063dace46dbc9d27b69d26e4e6b0489f2d1227c05805e190e6d51a781021b3d5da61

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
483KB

MD5
58a0119a135c55a21b056e9f15fbe2a4

SHA1
2b346260b3daf99a88353b381a3e7235d046f0d1

SHA256
65dc946a63e8dcf79b71567389d92cf3eed344d3f9908297cb0d08dcd0a3977c

SHA512
ca3b5614179eaa63701034c6981aa543e63bcf10d23a757e3abda1b8e7ea766f7ff8f24d918e4a5757afdd1a9b1939074965065da81463f608066ed30b492531

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
483KB

MD5
11ea7e3c1b44fb0f227c4798b4e359de

SHA1
fd65a4d4678e48901d5f88d43f0b0216d77ce9e0

SHA256
ac7e6ac6f3872946d290152926b17ce6474dde400374ba74dd4665b6337a17dc

SHA512
ee75bd8735a3f37d58eaa5b8ac91bf1affc1b76cb79913bb648e2ed464de0577bbbe4527ecd58c9e31019088ca793c88c300ffc7e63cf1969b88d9d22d1311f6

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
483KB

MD5
73be6dcfc7aa55a3b77a721b8a35a462

SHA1
dc050af8edf3117247707cc10e36526955fab9c3

SHA256
87103a84da1e960d531fc7830256df4d0791747a9a5568b62989ccc9f44c00a6

SHA512
f79e252489969f7d0593d8144ab41feb2ba7d93d0f258939d804bfe5c04080a9742fb480d55f086530663dd4002451d97af628666c732e932d82181d493e3c4f

Download Submit
C:\Windows\SysWOW64\Ojhpimhp.exe

Filesize
483KB

MD5
6938b803504166b55dff53c9f3b2a4d5

SHA1
a15973acd75b2ed3d7be599dc9b440f85956cd02

SHA256
3655bce5fd133b6df1c4b1bff35dfd89d16e2df801268f70f3405460d95b81f2

SHA512
ae6d49430727455d595ce433dd8e0abe7100433eefd16a8efde8c13fda442252747ed0e573f9935a8ce1f21d2ba81958029765001c0eb690c39a0c10ea316388

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
483KB

MD5
8cd0f96b6d7b88617b96bbb30a32c375

SHA1
9d7c2e4acd2939d0b1ac282855c9dea71af66992

SHA256
2df62ecf2a09c4e02063b4b918aef2d505670c73a1cd1a5a480357423ce641d3

SHA512
716bc6a8de898bd5daa204dc5917ea3c39ba947224c101ab309acca3ad5ef3ad6ff47a4e1f2ad695f33a29687323fc3a6748a9f4a7bbdf9a28640fbc2589eb04

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
483KB

MD5
7b70f3763c7310856185f1bf17463645

SHA1
7dd5ed10ea51c950679c24c3f7fcc940951bd278

SHA256
5cc7ec30b460a6f4227857debaee233937b21aee8ed316e3a3acc8778c03fcb6

SHA512
1b0f9057a6718875b5ad568e8b830c5c29f0b4b27f94a45b29978efe0c249ae37fa87341b8e0f42ce7491adb3d4c2b1e9a71948cd7f24d8c1c073568f38e13c6

Download Submit
C:\Windows\SysWOW64\Oqoefand.exe

Filesize
483KB

MD5
b77be985a47deb6d34a535d175f09620

SHA1
cb4c272521490d91a7d5ab81b24ac4af97149aec

SHA256
53519589b5ce8647a061e2783b63aadd54090aab989f04900d84b6f5558b719b

SHA512
738076b207895386a382cbf0739be5e9b7b564e61103e99e167416a84f29d0aeed0e9fa3f9dcaddca756f2ed99b86ff697dc1d88123fbd5f257c6c131ee11de7

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
483KB

MD5
e6e470b0f16fc002f65a8b67f4d6da1f

SHA1
bd9e4c71db0d17fbb7880258a9509575e62176f8

SHA256
99258875e60b1717282ef62d3a0b27c8cf66ec4fd30763429868b42584639c1e

SHA512
a040492af3f103295ba4c5ee7eba8290a110b8078429a0b3cedd501ac7e7301148efa5be662839cf790e24284b590ff1b828e2dc4d7917ff7efbd44a6e6efd51

Download Submit
C:\Windows\SysWOW64\Piapkbeg.exe

Filesize
256KB

MD5
7bef90fde1dc90f8a5b5c29e23d1d2af

SHA1
398f4e7cdd66e4fa677bf2a2a13f13a8d45fad15

SHA256
a0d4a9485396c2149850497c1988e9822bb6c6655cbca7400ad5ca9fc221e068

SHA512
48df2552c889020ee0b925c7653ce978e3a2d6de46358782f23187fa22f764f56f40565e627a476759effe319d2f130d0a8e4bddaa782d0169fc6676ede97542

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
483KB

MD5
66f68475bb03e184f5145f41ad32ed8b

SHA1
94f681f5228f326807d249496d28f7365e274422

SHA256
a19da8946301d110237388b94d0187d16adfda179812c7a3180f570f901f27a4

SHA512
9812635693e563c3c4a67e090d64f63b027fbfa70a1de990865619e0f4761967cfe3566b78bcb02ed2077a93f6d2301095a494649b4e81413398398df88f1537

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
483KB

MD5
2121560b45412ce9a0338228866bcc6a

SHA1
5e7a23acd50d25e504735623b18e053c545612f9

SHA256
300b353595c7c30fd67f304d1abb26fc29c97a26ddd2dee4706e7dcab25ffe8a

SHA512
218e404698874fb6293afb3c685dd5d714c3d135ce2a937a81f108f199151f08f347bd2cfaa49ede39d2d7072ec5aa868364d5aa095a8f1a59b773eaedeeb622

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
483KB

MD5
a020a5f4ed3bed8565304076a93bdbff

SHA1
34020c7b4d6fa21175b5cad753978611da492194

SHA256
8749df3fb7ef942832d56246861e4923ffccefc4dabb9792d6dee17277e8ff44

SHA512
b798e120d706ceb576d660f6305cb7cc09cdfcd1d19b556df818d1134fb12efa9d868c79c586cfe26fb11ae29ad91604a780141b714a3e7ec5ab1397e950d85d

Download Submit
C:\Windows\SysWOW64\Qjffpe32.exe

Filesize
483KB

MD5
1dd0d1f6ea64508df3b2efdffca0c0b7

SHA1
410a532fb00e5f3d8812a29e2e484037a957a982

SHA256
faf1e735871f51f58ec0d83fd8a6c8031ce35960dde5749a27e5c1993e8fdc79

SHA512
23d465193fc343d1bd0171bb879a6cdd32aabbc0e56c4e8b7747458bdeb81f70ff4db305009ee1cd1249c693f2fce772e3ec10ddb7e18aa2fde59801bce16659

Download Submit
memory/220-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-779-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-712-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-781-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-766-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-789-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-772-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-788-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-732-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-739-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-754-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-699-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-648-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-679-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-686-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-725-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-750-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads