034b3b38edfc80fcd387057e71b7523f649046fd2482a62f9c0ef5e7852750f0

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 10:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8b13eb783cf1f75a4befe67f981513cd.exe
Size

64KB
MD5

8b13eb783cf1f75a4befe67f981513cd
SHA1

73b81f7de3a9faee7b3cbf96b72cd9d6f6b2877a
SHA256

034b3b38edfc80fcd387057e71b7523f649046fd2482a62f9c0ef5e7852750f0
SHA512

6529a33236b73200e0f3dfea58678d0b7217381f421a897d72641623aa30bd539cc65df494022a90cc8ef004ba360e5d9b551c01a6dec065e4b6467a4226e337
SSDEEP

768:Q4AeJC8aP7avz3QehuJjcdnOxlFCU7Kt+A/1H5L6XJ1IwEGp9ThfzyYsHv:QHcaPMz5ij0OLA4XUwXfzwv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geqlhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnjdncio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeilne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkcdfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkofofbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Napameoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgokdomj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdqcglqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nglala32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egjebn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clhbhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmoclg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilbdcfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofjokc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnochl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnbnjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blgddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njceqili.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofhcdlgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onecof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacmggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjdfgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gablgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apeknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Indkpcdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odbpij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fefcgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pocpqcpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgijkgeh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hanlcjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Picchg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lckbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljncnhhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbefolao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqdgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gehice32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njceqili.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqaipgal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofhcdlgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgaiffii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqdlpmce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbiklmhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjjlog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lajfbmmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edfddl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkeakl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcdbmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lamjbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cadcfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlbdba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obdbqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkmlnimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdjhkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meobeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbkfcabb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngodlgka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhijjll.exe

Executes dropped EXE 64 IoCs

pid	Process
2324	Oifppdpd.exe
1416	Pfepdg32.exe
3872	Apeknk32.exe
3884	Aplaoj32.exe
1336	Bpqjjjjl.exe
464	Bmggingc.exe
4372	Baepolni.exe
3792	Cdhffg32.exe
1952	Cmedjl32.exe
3548	Dkkaiphj.exe
3076	Ddfbgelh.exe
3140	Dckoia32.exe
1820	Dncpkjoc.exe
2692	Ekljpm32.exe
1120	Eqkondfl.exe
1616	Fqphic32.exe
1380	Fnffhgon.exe
3796	Ggepalof.exe
116	Gglfbkin.exe
4436	Hkmlnimb.exe
3412	Hchqbkkm.exe
4196	Hbknebqi.exe
4404	Hnbnjc32.exe
5100	Indkpcdk.exe
4636	Inkaqb32.exe
1536	Jlanpfkj.exe
4336	Jejbhk32.exe
4828	Jhmhpfmi.exe
2360	Jlkafdco.exe
1948	Khabke32.exe
2208	Kdhbpf32.exe
1168	Kbjbnnfg.exe
3192	Mlemcq32.exe
4396	Medglemj.exe
3404	Nkcmjlio.exe
4600	Napameoi.exe
1348	Nfnjbdep.exe
1200	Oljoen32.exe
4260	Pdngpo32.exe
3716	Pcbdcf32.exe
1196	Pcijce32.exe
2620	Abpcja32.exe
4268	Acppddig.exe
336	Aioebj32.exe
4344	Bifkcioc.exe
3396	Blgddd32.exe
5056	Cpcila32.exe
2400	Dipgpf32.exe
3856	Dlcmgqdd.exe
3764	Eincadmf.exe
1628	Edfddl32.exe
5032	Fpmeimpn.exe
2248	Fgijkgeh.exe
572	Fcbgfhii.exe
212	Fpfholhc.exe
4612	Gjnlha32.exe
468	Gdhjpjjd.exe
392	Gdmcki32.exe
852	Hnhdjn32.exe
2204	Inhmqlmj.exe
1020	Jjdgal32.exe
4520	Jeilne32.exe
1996	Jjhalkjc.exe
4896	Kdjhkp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Inkaqb32.exe	Indkpcdk.exe
File opened for modification	C:\Windows\SysWOW64\Jjhalkjc.exe	Jeilne32.exe
File created	C:\Windows\SysWOW64\Djdpbope.dll	Dgaiffii.exe
File created	C:\Windows\SysWOW64\Kbejcm32.dll	Dphipidf.exe
File created	C:\Windows\SysWOW64\Dipgpf32.exe	Cpcila32.exe
File created	C:\Windows\SysWOW64\Pmhaae32.dll	Gehice32.exe
File created	C:\Windows\SysWOW64\Neimao32.dll	Oeekbhif.exe
File created	C:\Windows\SysWOW64\Cmedjl32.exe	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Pfmdgq32.exe	Pocpqcpm.exe
File opened for modification	C:\Windows\SysWOW64\Cediab32.exe	Cpgqik32.exe
File created	C:\Windows\SysWOW64\Hakhcd32.exe	Gfedfk32.exe
File opened for modification	C:\Windows\SysWOW64\Iidiidgj.exe	Iaiddajo.exe
File opened for modification	C:\Windows\SysWOW64\Lckbje32.exe	Lajfbmmi.exe
File created	C:\Windows\SysWOW64\Mboqnm32.exe	Liabjh32.exe
File created	C:\Windows\SysWOW64\Pkigbfja.exe	Pmefiakh.exe
File created	C:\Windows\SysWOW64\Mpdgbkab.exe	Meobeb32.exe
File created	C:\Windows\SysWOW64\Jenhmaeh.dll	Nkhdgfen.exe
File opened for modification	C:\Windows\SysWOW64\Elojej32.exe	Dphipidf.exe
File opened for modification	C:\Windows\SysWOW64\Jjdgal32.exe	Inhmqlmj.exe
File created	C:\Windows\SysWOW64\Ljncnhhk.exe	Kdjhkp32.exe
File created	C:\Windows\SysWOW64\Hicgcm32.dll	Lkcaeige.exe
File created	C:\Windows\SysWOW64\Gdmcki32.exe	Gdhjpjjd.exe
File created	C:\Windows\SysWOW64\Cqoecpej.dll	Gablgk32.exe
File created	C:\Windows\SysWOW64\Gceaofmc.exe	Gfodpbpl.exe
File created	C:\Windows\SysWOW64\Lomkin32.dll	Hhhdpd32.exe
File created	C:\Windows\SysWOW64\Cmjninol.dll	Ljncnhhk.exe
File opened for modification	C:\Windows\SysWOW64\Cjdfgc32.exe	Cnkilbni.exe
File opened for modification	C:\Windows\SysWOW64\Liekgo32.exe	Lckbje32.exe
File opened for modification	C:\Windows\SysWOW64\Nglala32.exe	Nqaipgal.exe
File opened for modification	C:\Windows\SysWOW64\Pjalpida.exe	Odbgbb32.exe
File opened for modification	C:\Windows\SysWOW64\Kdpmmf32.exe	Khimhefk.exe
File opened for modification	C:\Windows\SysWOW64\Lilbdcfe.exe	Lnfngj32.exe
File created	C:\Windows\SysWOW64\Meobeb32.exe	Lfpcngdo.exe
File opened for modification	C:\Windows\SysWOW64\Nqdlpmce.exe	Nkhdgfen.exe
File created	C:\Windows\SysWOW64\Ipjobhcc.dll	Elojej32.exe
File created	C:\Windows\SysWOW64\Ojjfpjjj.exe	Ojhijjll.exe
File created	C:\Windows\SysWOW64\Apeknk32.exe	Pfepdg32.exe
File opened for modification	C:\Windows\SysWOW64\Gglfbkin.exe	Ggepalof.exe
File opened for modification	C:\Windows\SysWOW64\Inhmqlmj.exe	Hnhdjn32.exe
File created	C:\Windows\SysWOW64\Oakjnnap.exe	Odbpij32.exe
File created	C:\Windows\SysWOW64\Ockhfbgl.dll	Anqfepaj.exe
File created	C:\Windows\SysWOW64\Bchgnoai.exe	Abmhbplf.exe
File created	C:\Windows\SysWOW64\Jdhigk32.exe	Jibejb32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncno32.exe	Nqioqf32.exe
File created	C:\Windows\SysWOW64\Hkglgq32.dll	Mlemcq32.exe
File created	C:\Windows\SysWOW64\Lgopog32.dll	Idjmfmgp.exe
File opened for modification	C:\Windows\SysWOW64\Jibejb32.exe	Jpjqaldi.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmjlio.exe	Medglemj.exe
File created	C:\Windows\SysWOW64\Lpibmbek.dll	Lnikmjdm.exe
File opened for modification	C:\Windows\SysWOW64\Meobeb32.exe	Lfpcngdo.exe
File created	C:\Windows\SysWOW64\Gfodpbpl.exe	Gablgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ommjnlnd.exe	Omkmhlpf.exe
File created	C:\Windows\SysWOW64\Lplgpkah.dll	Picchg32.exe
File created	C:\Windows\SysWOW64\Fcdbmb32.exe	Eqalfgll.exe
File created	C:\Windows\SysWOW64\Khihgadg.dll	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Hobcgdjm.exe	Gkbnkfei.exe
File opened for modification	C:\Windows\SysWOW64\Khmoionj.exe	Jmlkpgia.exe
File created	C:\Windows\SysWOW64\Ngodlgka.exe	Nqdlpmce.exe
File opened for modification	C:\Windows\SysWOW64\Nohicdia.exe	Ninafj32.exe
File opened for modification	C:\Windows\SysWOW64\Cchikf32.exe	Clnanlhn.exe
File created	C:\Windows\SysWOW64\Egccmi32.dll	Nlbdba32.exe
File created	C:\Windows\SysWOW64\Benoof32.dll	Hpenpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hnhdjn32.exe	Gdmcki32.exe
File created	C:\Windows\SysWOW64\Cpahpn32.dll	Mcdepd32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
924	2692	WerFault.exe	376
3692	2692	WerFault.exe	376

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Joaojf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obfpejcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egjebn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcdepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blgddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebfjp32.dll"	Njceqili.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igokfd32.dll"	Pmefiakh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennofanf.dll"	Mbkfcabb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnbnjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpfholhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnginbho.dll"	Qdipag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bonkjk32.dll"	Bifblbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelfjmce.dll"	Hobcgdjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imofip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgbccm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cadcfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpqjjjjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggepalof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpfholhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbdjgnel.dll"	Gkcdfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggepalof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inoeep32.dll"	Fmbnfcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdddddp.dll"	Ihfglhfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdgbkab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abgcqjhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eppobi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphipidf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqbnpknn.dll"	Giacmggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjnlha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phlikg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkfnoi32.dll"	Gkeakl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdbil32.dll"	Mboqnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlcmgqdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjklcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeilne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofhcdlgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nohicdia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nglala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obmeeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epiaig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchknl32.dll"	Fefcgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpqcoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlicflic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfljn32.dll"	Jphkfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkglgq32.dll"	Mlemcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpmeimpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbhbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagmiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgilho32.dll"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cieonn32.dll"	Pdngpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdnon32.dll"	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akljinhl.dll"	Pjalpida.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkcdfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilcjgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aneppo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chnlbndj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pocpqcpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idjdqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmohojgf.dll"	Bidefbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbgdjmhm.dll"	Iiffoc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 2324	4696	8b13eb783cf1f75a4befe67f981513cd.exe	91
PID 4696 wrote to memory of 2324	4696	8b13eb783cf1f75a4befe67f981513cd.exe	91
PID 4696 wrote to memory of 2324	4696	8b13eb783cf1f75a4befe67f981513cd.exe	91
PID 2324 wrote to memory of 1416	2324	Oifppdpd.exe	92
PID 2324 wrote to memory of 1416	2324	Oifppdpd.exe	92
PID 2324 wrote to memory of 1416	2324	Oifppdpd.exe	92
PID 1416 wrote to memory of 3872	1416	Pfepdg32.exe	93
PID 1416 wrote to memory of 3872	1416	Pfepdg32.exe	93
PID 1416 wrote to memory of 3872	1416	Pfepdg32.exe	93
PID 3872 wrote to memory of 3884	3872	Apeknk32.exe	94
PID 3872 wrote to memory of 3884	3872	Apeknk32.exe	94
PID 3872 wrote to memory of 3884	3872	Apeknk32.exe	94
PID 3884 wrote to memory of 1336	3884	Aplaoj32.exe	95
PID 3884 wrote to memory of 1336	3884	Aplaoj32.exe	95
PID 3884 wrote to memory of 1336	3884	Aplaoj32.exe	95
PID 1336 wrote to memory of 464	1336	Bpqjjjjl.exe	96
PID 1336 wrote to memory of 464	1336	Bpqjjjjl.exe	96
PID 1336 wrote to memory of 464	1336	Bpqjjjjl.exe	96
PID 464 wrote to memory of 4372	464	Bmggingc.exe	97
PID 464 wrote to memory of 4372	464	Bmggingc.exe	97
PID 464 wrote to memory of 4372	464	Bmggingc.exe	97
PID 4372 wrote to memory of 3792	4372	Baepolni.exe	98
PID 4372 wrote to memory of 3792	4372	Baepolni.exe	98
PID 4372 wrote to memory of 3792	4372	Baepolni.exe	98
PID 3792 wrote to memory of 1952	3792	Cdhffg32.exe	99
PID 3792 wrote to memory of 1952	3792	Cdhffg32.exe	99
PID 3792 wrote to memory of 1952	3792	Cdhffg32.exe	99
PID 1952 wrote to memory of 3548	1952	Cmedjl32.exe	100
PID 1952 wrote to memory of 3548	1952	Cmedjl32.exe	100
PID 1952 wrote to memory of 3548	1952	Cmedjl32.exe	100
PID 3548 wrote to memory of 3076	3548	Dkkaiphj.exe	101
PID 3548 wrote to memory of 3076	3548	Dkkaiphj.exe	101
PID 3548 wrote to memory of 3076	3548	Dkkaiphj.exe	101
PID 3076 wrote to memory of 3140	3076	Ddfbgelh.exe	102
PID 3076 wrote to memory of 3140	3076	Ddfbgelh.exe	102
PID 3076 wrote to memory of 3140	3076	Ddfbgelh.exe	102
PID 3140 wrote to memory of 1820	3140	Dckoia32.exe	103
PID 3140 wrote to memory of 1820	3140	Dckoia32.exe	103
PID 3140 wrote to memory of 1820	3140	Dckoia32.exe	103
PID 1820 wrote to memory of 2692	1820	Dncpkjoc.exe	104
PID 1820 wrote to memory of 2692	1820	Dncpkjoc.exe	104
PID 1820 wrote to memory of 2692	1820	Dncpkjoc.exe	104
PID 2692 wrote to memory of 1120	2692	Ekljpm32.exe	105
PID 2692 wrote to memory of 1120	2692	Ekljpm32.exe	105
PID 2692 wrote to memory of 1120	2692	Ekljpm32.exe	105
PID 1120 wrote to memory of 1616	1120	Eqkondfl.exe	106
PID 1120 wrote to memory of 1616	1120	Eqkondfl.exe	106
PID 1120 wrote to memory of 1616	1120	Eqkondfl.exe	106
PID 1616 wrote to memory of 1380	1616	Fqphic32.exe	107
PID 1616 wrote to memory of 1380	1616	Fqphic32.exe	107
PID 1616 wrote to memory of 1380	1616	Fqphic32.exe	107
PID 1380 wrote to memory of 3796	1380	Fnffhgon.exe	108
PID 1380 wrote to memory of 3796	1380	Fnffhgon.exe	108
PID 1380 wrote to memory of 3796	1380	Fnffhgon.exe	108
PID 3796 wrote to memory of 116	3796	Ggepalof.exe	109
PID 3796 wrote to memory of 116	3796	Ggepalof.exe	109
PID 3796 wrote to memory of 116	3796	Ggepalof.exe	109
PID 116 wrote to memory of 4436	116	Gglfbkin.exe	110
PID 116 wrote to memory of 4436	116	Gglfbkin.exe	110
PID 116 wrote to memory of 4436	116	Gglfbkin.exe	110
PID 4436 wrote to memory of 3412	4436	Hkmlnimb.exe	111
PID 4436 wrote to memory of 3412	4436	Hkmlnimb.exe	111
PID 4436 wrote to memory of 3412	4436	Hkmlnimb.exe	111
PID 3412 wrote to memory of 4196	3412	Hchqbkkm.exe	112

C:\Users\Admin\AppData\Local\Temp\8b13eb783cf1f75a4befe67f981513cd.exe
"C:\Users\Admin\AppData\Local\Temp\8b13eb783cf1f75a4befe67f981513cd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\SysWOW64\Oifppdpd.exe
  C:\Windows\system32\Oifppdpd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\Pfepdg32.exe
    C:\Windows\system32\Pfepdg32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\SysWOW64\Apeknk32.exe
      C:\Windows\system32\Apeknk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3884
      - C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Gglfbkin.exe
        
        C:\Windows\system32\Gglfbkin.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Hkmlnimb.exe
        
        C:\Windows\system32\Hkmlnimb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        23⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        26⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        27⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        28⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        31⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        32⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        36⤵
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        38⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        39⤵
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        41⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        42⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        43⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        44⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        45⤵
        Executes dropped EXE
        
        PID:336
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        46⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        49⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Dlcmgqdd.exe
        
        C:\Windows\system32\Dlcmgqdd.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Eincadmf.exe
        
        C:\Windows\system32\Eincadmf.exe
        51⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Windows\SysWOW64\Edfddl32.exe
        
        C:\Windows\system32\Edfddl32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Fpmeimpn.exe
        
        C:\Windows\system32\Fpmeimpn.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Fgijkgeh.exe
        
        C:\Windows\system32\Fgijkgeh.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Fcbgfhii.exe
        
        C:\Windows\system32\Fcbgfhii.exe
        55⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\Fpfholhc.exe
        
        C:\Windows\system32\Fpfholhc.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Gjnlha32.exe
        
        C:\Windows\system32\Gjnlha32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Gdhjpjjd.exe
        
        C:\Windows\system32\Gdhjpjjd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:468
        
        C:\Windows\SysWOW64\Gdmcki32.exe
        
        C:\Windows\system32\Gdmcki32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Hnhdjn32.exe
        
        C:\Windows\system32\Hnhdjn32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Inhmqlmj.exe
        
        C:\Windows\system32\Inhmqlmj.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Jjdgal32.exe
        
        C:\Windows\system32\Jjdgal32.exe
        62⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Jeilne32.exe
        
        C:\Windows\system32\Jeilne32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Jjhalkjc.exe
        
        C:\Windows\system32\Jjhalkjc.exe
        64⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\Kdjhkp32.exe
        
        C:\Windows\system32\Kdjhkp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Ljncnhhk.exe
        
        C:\Windows\system32\Ljncnhhk.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Mgkjch32.exe
        
        C:\Windows\system32\Mgkjch32.exe
        67⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Nnoefagj.exe
        
        C:\Windows\system32\Nnoefagj.exe
        68⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\Odbpij32.exe
        
        C:\Windows\system32\Odbpij32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\Oakjnnap.exe
        
        C:\Windows\system32\Oakjnnap.exe
        70⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Ofhcdlgg.exe
        
        C:\Windows\system32\Ofhcdlgg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Phlikg32.exe
        
        C:\Windows\system32\Phlikg32.exe
        72⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Poeahaib.exe
        
        C:\Windows\system32\Poeahaib.exe
        73⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Pdbiphhi.exe
        
        C:\Windows\system32\Pdbiphhi.exe
        74⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Qdipag32.exe
        
        C:\Windows\system32\Qdipag32.exe
        75⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Qoocnpag.exe
        
        C:\Windows\system32\Qoocnpag.exe
        76⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Agjhbbob.exe
        
        C:\Windows\system32\Agjhbbob.exe
        77⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Abgcqjhp.exe
        
        C:\Windows\system32\Abgcqjhp.exe
        78⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Bkfmjnii.exe
        
        C:\Windows\system32\Bkfmjnii.exe
        79⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Bgokdomj.exe
        
        C:\Windows\system32\Bgokdomj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Deokja32.exe
        
        C:\Windows\system32\Deokja32.exe
        81⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Dlicflic.exe
        
        C:\Windows\system32\Dlicflic.exe
        82⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Dbehienn.exe
        
        C:\Windows\system32\Dbehienn.exe
        83⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Eppobi32.exe
        
        C:\Windows\system32\Eppobi32.exe
        84⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Epiaig32.exe
        
        C:\Windows\system32\Epiaig32.exe
        85⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Cnkilbni.exe
        
        C:\Windows\system32\Cnkilbni.exe
        86⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Cjdfgc32.exe
        
        C:\Windows\system32\Cjdfgc32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Dgaiffii.exe
        
        C:\Windows\system32\Dgaiffii.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Eacaej32.exe
        
        C:\Windows\system32\Eacaej32.exe
        89⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Fefcgh32.exe
        
        C:\Windows\system32\Fefcgh32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Fblpflfg.exe
        
        C:\Windows\system32\Fblpflfg.exe
        91⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Giokid32.exe
        
        C:\Windows\system32\Giokid32.exe
        92⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Gkcdfl32.exe
        
        C:\Windows\system32\Gkcdfl32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Gehice32.exe
        
        C:\Windows\system32\Gehice32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Gkeakl32.exe
        
        C:\Windows\system32\Gkeakl32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Gaoihfoo.exe
        
        C:\Windows\system32\Gaoihfoo.exe
        96⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Hhlnjpdi.exe
        
        C:\Windows\system32\Hhlnjpdi.exe
        97⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Hepoddcc.exe
        
        C:\Windows\system32\Hepoddcc.exe
        98⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Ilcjgm32.exe
        
        C:\Windows\system32\Ilcjgm32.exe
        99⤵
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Ifphkbep.exe
        
        C:\Windows\system32\Ifphkbep.exe
        100⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\Joaojf32.exe
        
        C:\Windows\system32\Joaojf32.exe
        101⤵
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Kkofofbb.exe
        
        C:\Windows\system32\Kkofofbb.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3548
        
        C:\Windows\SysWOW64\Kkabefqp.exe
        
        C:\Windows\system32\Kkabefqp.exe
        103⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Kmaooihb.exe
        
        C:\Windows\system32\Kmaooihb.exe
        104⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Lobhqdec.exe
        
        C:\Windows\system32\Lobhqdec.exe
        105⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Lkiiee32.exe
        
        C:\Windows\system32\Lkiiee32.exe
        106⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\Lcpqgbkj.exe
        
        C:\Windows\system32\Lcpqgbkj.exe
        107⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Lbenho32.exe
        
        C:\Windows\system32\Lbenho32.exe
        108⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Liabjh32.exe
        
        C:\Windows\system32\Liabjh32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Mboqnm32.exe
        
        C:\Windows\system32\Mboqnm32.exe
        110⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Mlgegcng.exe
        
        C:\Windows\system32\Mlgegcng.exe
        111⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Nbefolao.exe
        
        C:\Windows\system32\Nbefolao.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Ndgpnogo.exe
        
        C:\Windows\system32\Ndgpnogo.exe
        113⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Nlbdba32.exe
        
        C:\Windows\system32\Nlbdba32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\Njceqili.exe
        
        C:\Windows\system32\Njceqili.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Ofooqinh.exe
        
        C:\Windows\system32\Ofooqinh.exe
        116⤵
        
        PID:876
        
        C:\Windows\SysWOW64\Obfpejcl.exe
        
        C:\Windows\system32\Obfpejcl.exe
        117⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Plcmiofg.exe
        
        C:\Windows\system32\Plcmiofg.exe
        118⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Pmefiakh.exe
        
        C:\Windows\system32\Pmefiakh.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Pkigbfja.exe
        
        C:\Windows\system32\Pkigbfja.exe
        120⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Qmlmjq32.exe
        
        C:\Windows\system32\Qmlmjq32.exe
        121⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\Anqfepaj.exe
        
        C:\Windows\system32\Anqfepaj.exe
        122⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Aneppo32.exe
        
        C:\Windows\system32\Aneppo32.exe
        123⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Bdmdng32.exe
        
        C:\Windows\system32\Bdmdng32.exe
        124⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Ekahhn32.exe
        
        C:\Windows\system32\Ekahhn32.exe
        125⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\Ejfeij32.exe
        
        C:\Windows\system32\Ejfeij32.exe
        126⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Eapmedef.exe
        
        C:\Windows\system32\Eapmedef.exe
        127⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Egjebn32.exe
        
        C:\Windows\system32\Egjebn32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Eglbhnkp.exe
        
        C:\Windows\system32\Eglbhnkp.exe
        129⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Flmhclod.exe
        
        C:\Windows\system32\Flmhclod.exe
        130⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\Fmbnfcam.exe
        
        C:\Windows\system32\Fmbnfcam.exe
        131⤵
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Fdmfcn32.exe
        
        C:\Windows\system32\Fdmfcn32.exe
        132⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\Fjfnphpf.exe
        
        C:\Windows\system32\Fjfnphpf.exe
        133⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Geqlhp32.exe
        
        C:\Windows\system32\Geqlhp32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1348
        
        C:\Windows\SysWOW64\Gokmfe32.exe
        
        C:\Windows\system32\Gokmfe32.exe
        135⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Gkbnkfei.exe
        
        C:\Windows\system32\Gkbnkfei.exe
        136⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Hobcgdjm.exe
        
        C:\Windows\system32\Hobcgdjm.exe
        137⤵
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Hecadm32.exe
        
        C:\Windows\system32\Hecadm32.exe
        138⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Imofip32.exe
        
        C:\Windows\system32\Imofip32.exe
        139⤵
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Imabnofj.exe
        
        C:\Windows\system32\Imabnofj.exe
        140⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Ihfglhfp.exe
        
        C:\Windows\system32\Ihfglhfp.exe
        141⤵
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Jhbfgflc.exe
        
        C:\Windows\system32\Jhbfgflc.exe
        142⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Khimhefk.exe
        
        C:\Windows\system32\Khimhefk.exe
        143⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Kdpmmf32.exe
        
        C:\Windows\system32\Kdpmmf32.exe
        144⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Kbkdgj32.exe
        
        C:\Windows\system32\Kbkdgj32.exe
        145⤵
        
        PID:820
        
        C:\Windows\SysWOW64\Lnfngj32.exe
        
        C:\Windows\system32\Lnfngj32.exe
        146⤵
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\Lilbdcfe.exe
        
        C:\Windows\system32\Lilbdcfe.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:436
        
        C:\Windows\SysWOW64\Lnikmjdm.exe
        
        C:\Windows\system32\Lnikmjdm.exe
        148⤵
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Lfpcngdo.exe
        
        C:\Windows\system32\Lfpcngdo.exe
        149⤵
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Meobeb32.exe
        
        C:\Windows\system32\Meobeb32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Mpdgbkab.exe
        
        C:\Windows\system32\Mpdgbkab.exe
        151⤵
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Ofjokc32.exe
        
        C:\Windows\system32\Ofjokc32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5084
        
        C:\Windows\SysWOW64\Onecof32.exe
        
        C:\Windows\system32\Onecof32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4776
        
        C:\Windows\SysWOW64\Oeoklp32.exe
        
        C:\Windows\system32\Oeoklp32.exe
        154⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\Omkmhlpf.exe
        
        C:\Windows\system32\Omkmhlpf.exe
        155⤵
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Ommjnlnd.exe
        
        C:\Windows\system32\Ommjnlnd.exe
        156⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Pocpqcpm.exe
        
        C:\Windows\system32\Pocpqcpm.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Pfmdgq32.exe
        
        C:\Windows\system32\Pfmdgq32.exe
        158⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Qibfdkgh.exe
        
        C:\Windows\system32\Qibfdkgh.exe
        159⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Abmhbplf.exe
        
        C:\Windows\system32\Abmhbplf.exe
        160⤵
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Bchgnoai.exe
        
        C:\Windows\system32\Bchgnoai.exe
        161⤵
        
        PID:848
        
        C:\Windows\SysWOW64\Bjgifhep.exe
        
        C:\Windows\system32\Bjgifhep.exe
        162⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Bleebc32.exe
        
        C:\Windows\system32\Bleebc32.exe
        163⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Clhbhc32.exe
        
        C:\Windows\system32\Clhbhc32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5040
        
        C:\Windows\SysWOW64\Cjbhbf32.exe
        
        C:\Windows\system32\Cjbhbf32.exe
        165⤵
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Cckmklac.exe
        
        C:\Windows\system32\Cckmklac.exe
        166⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Dqdgop32.exe
        
        C:\Windows\system32\Dqdgop32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5104
        
        C:\Windows\SysWOW64\Dnjdncio.exe
        
        C:\Windows\system32\Dnjdncio.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Dcglfjgf.exe
        
        C:\Windows\system32\Dcglfjgf.exe
        169⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\Emanepld.exe
        
        C:\Windows\system32\Emanepld.exe
        170⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Eggbbhkj.exe
        
        C:\Windows\system32\Eggbbhkj.exe
        171⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Fnofpqff.exe
        
        C:\Windows\system32\Fnofpqff.exe
        172⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Fapobl32.exe
        
        C:\Windows\system32\Fapobl32.exe
        173⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\Gablgk32.exe
        
        C:\Windows\system32\Gablgk32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Gfodpbpl.exe
        
        C:\Windows\system32\Gfodpbpl.exe
        175⤵
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Gceaofmc.exe
        
        C:\Windows\system32\Gceaofmc.exe
        176⤵
        
        PID:232
        
        C:\Windows\SysWOW64\Hanlcjgh.exe
        
        C:\Windows\system32\Hanlcjgh.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Hhhdpd32.exe
        
        C:\Windows\system32\Hhhdpd32.exe
        178⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Idjdqc32.exe
        
        C:\Windows\system32\Idjdqc32.exe
        179⤵
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Jgpfmncg.exe
        
        C:\Windows\system32\Jgpfmncg.exe
        180⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Jphkfc32.exe
        
        C:\Windows\system32\Jphkfc32.exe
        181⤵
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Jgbccm32.exe
        
        C:\Windows\system32\Jgbccm32.exe
        182⤵
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Jmlkpgia.exe
        
        C:\Windows\system32\Jmlkpgia.exe
        183⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Khmoionj.exe
        
        C:\Windows\system32\Khmoionj.exe
        184⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Lkcaeige.exe
        
        C:\Windows\system32\Lkcaeige.exe
        185⤵
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Lamjbc32.exe
        
        C:\Windows\system32\Lamjbc32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Lhiodm32.exe
        
        C:\Windows\system32\Lhiodm32.exe
        187⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\Mhbakk32.exe
        
        C:\Windows\system32\Mhbakk32.exe
        188⤵
        
        PID:8
        
        C:\Windows\SysWOW64\Moljgeco.exe
        
        C:\Windows\system32\Moljgeco.exe
        189⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Mbkfcabb.exe
        
        C:\Windows\system32\Mbkfcabb.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Mggolhaj.exe
        
        C:\Windows\system32\Mggolhaj.exe
        191⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\Mdnlkl32.exe
        
        C:\Windows\system32\Mdnlkl32.exe
        192⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Nkhdgfen.exe
        
        C:\Windows\system32\Nkhdgfen.exe
        193⤵
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Nqdlpmce.exe
        
        C:\Windows\system32\Nqdlpmce.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Ngodlgka.exe
        
        C:\Windows\system32\Ngodlgka.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Nbdijpjh.exe
        
        C:\Windows\system32\Nbdijpjh.exe
        196⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Ninafj32.exe
        
        C:\Windows\system32\Ninafj32.exe
        197⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Nohicdia.exe
        
        C:\Windows\system32\Nohicdia.exe
        198⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Niqnli32.exe
        
        C:\Windows\system32\Niqnli32.exe
        199⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\Nnmfdpni.exe
        
        C:\Windows\system32\Nnmfdpni.exe
        200⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\Obdbqm32.exe
        
        C:\Windows\system32\Obdbqm32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Oeekbhif.exe
        
        C:\Windows\system32\Oeekbhif.exe
        202⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Pbiklmhp.exe
        
        C:\Windows\system32\Pbiklmhp.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2308
        
        C:\Windows\SysWOW64\Picchg32.exe
        
        C:\Windows\system32\Picchg32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Pbndgl32.exe
        
        C:\Windows\system32\Pbndgl32.exe
        205⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Qhofjbnl.exe
        
        C:\Windows\system32\Qhofjbnl.exe
        206⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\Albikp32.exe
        
        C:\Windows\system32\Albikp32.exe
        207⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\Bbhqdhnm.exe
        
        C:\Windows\system32\Bbhqdhnm.exe
        208⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\Bhdilold.exe
        
        C:\Windows\system32\Bhdilold.exe
        209⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Bidefbcg.exe
        
        C:\Windows\system32\Bidefbcg.exe
        210⤵
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Bifblbad.exe
        
        C:\Windows\system32\Bifblbad.exe
        211⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Cadcfd32.exe
        
        C:\Windows\system32\Cadcfd32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Chnlbndj.exe
        
        C:\Windows\system32\Chnlbndj.exe
        213⤵
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Cpgqik32.exe
        
        C:\Windows\system32\Cpgqik32.exe
        214⤵
        Drops file in System32 directory
        
        PID:6400
        
        C:\Windows\SysWOW64\Cediab32.exe
        
        C:\Windows\system32\Cediab32.exe
        215⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Clnanlhn.exe
        
        C:\Windows\system32\Clnanlhn.exe
        216⤵
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\Cchikf32.exe
        
        C:\Windows\system32\Cchikf32.exe
        217⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Dpqcoj32.exe
        
        C:\Windows\system32\Dpqcoj32.exe
        218⤵
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Dphipidf.exe
        
        C:\Windows\system32\Dphipidf.exe
        219⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Elojej32.exe
        
        C:\Windows\system32\Elojej32.exe
        220⤵
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Efgono32.exe
        
        C:\Windows\system32\Efgono32.exe
        221⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Elagjihh.exe
        
        C:\Windows\system32\Elagjihh.exe
        222⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Eqopqh32.exe
        
        C:\Windows\system32\Eqopqh32.exe
        223⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Ebplhp32.exe
        
        C:\Windows\system32\Ebplhp32.exe
        224⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Eqalfgll.exe
        
        C:\Windows\system32\Eqalfgll.exe
        225⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Fcdbmb32.exe
        
        C:\Windows\system32\Fcdbmb32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Fjnjjlog.exe
        
        C:\Windows\system32\Fjnjjlog.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7076
        
        C:\Windows\SysWOW64\Fqhbgf32.exe
        
        C:\Windows\system32\Fqhbgf32.exe
        228⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Ffekom32.exe
        
        C:\Windows\system32\Ffekom32.exe
        229⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Fmoclg32.exe
        
        C:\Windows\system32\Fmoclg32.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Fblldn32.exe
        
        C:\Windows\system32\Fblldn32.exe
        231⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Gqdbbelf.exe
        
        C:\Windows\system32\Gqdbbelf.exe
        232⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Gjlfkj32.exe
        
        C:\Windows\system32\Gjlfkj32.exe
        233⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Giacmggo.exe
        
        C:\Windows\system32\Giacmggo.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Gfedfk32.exe
        
        C:\Windows\system32\Gfedfk32.exe
        235⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Hakhcd32.exe
        
        C:\Windows\system32\Hakhcd32.exe
        236⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Hpenpp32.exe
        
        C:\Windows\system32\Hpenpp32.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Iaiddajo.exe
        
        C:\Windows\system32\Iaiddajo.exe
        238⤵
        Drops file in System32 directory
        
        PID:6844
        
        C:\Windows\SysWOW64\Iidiidgj.exe
        
        C:\Windows\system32\Iidiidgj.exe
        239⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Idjmfmgp.exe
        
        C:\Windows\system32\Idjmfmgp.exe
        240⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Iiffoc32.exe
        
        C:\Windows\system32\Iiffoc32.exe
        241⤵
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Ipqnknld.exe
        
        C:\Windows\system32\Ipqnknld.exe
        242⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Ibagmiie.exe
        
        C:\Windows\system32\Ibagmiie.exe
        243⤵
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Jikojcaa.exe
        
        C:\Windows\system32\Jikojcaa.exe
        244⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Jdqcglqh.exe
        
        C:\Windows\system32\Jdqcglqh.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6288
        
        C:\Windows\SysWOW64\Jjklcf32.exe
        
        C:\Windows\system32\Jjklcf32.exe
        246⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Jpgdlm32.exe
        
        C:\Windows\system32\Jpgdlm32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Jfalhgni.exe
        
        C:\Windows\system32\Jfalhgni.exe
        248⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Jpjqaldi.exe
        
        C:\Windows\system32\Jpjqaldi.exe
        249⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Jibejb32.exe
        
        C:\Windows\system32\Jibejb32.exe
        250⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Jdhigk32.exe
        
        C:\Windows\system32\Jdhigk32.exe
        251⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Jaljaoii.exe
        
        C:\Windows\system32\Jaljaoii.exe
        252⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Kdalni32.exe
        
        C:\Windows\system32\Kdalni32.exe
        253⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Kaemgn32.exe
        
        C:\Windows\system32\Kaemgn32.exe
        254⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Lajfbmmi.exe
        
        C:\Windows\system32\Lajfbmmi.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Lckbje32.exe
        
        C:\Windows\system32\Lckbje32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Liekgo32.exe
        
        C:\Windows\system32\Liekgo32.exe
        257⤵
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Mcdepd32.exe
        
        C:\Windows\system32\Mcdepd32.exe
        258⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Mciokcgg.exe
        
        C:\Windows\system32\Mciokcgg.exe
        259⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Mnochl32.exe
        
        C:\Windows\system32\Mnochl32.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Mcklac32.exe
        
        C:\Windows\system32\Mcklac32.exe
        261⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Mnapnl32.exe
        
        C:\Windows\system32\Mnapnl32.exe
        262⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Mcnhfb32.exe
        
        C:\Windows\system32\Mcnhfb32.exe
        263⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Mjhqcmjo.exe
        
        C:\Windows\system32\Mjhqcmjo.exe
        264⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Nqaipgal.exe
        
        C:\Windows\system32\Nqaipgal.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6908
        
        C:\Windows\SysWOW64\Nglala32.exe
        
        C:\Windows\system32\Nglala32.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Njogdldg.exe
        
        C:\Windows\system32\Njogdldg.exe
        267⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Nqioqf32.exe
        
        C:\Windows\system32\Nqioqf32.exe
        268⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Nkncno32.exe
        
        C:\Windows\system32\Nkncno32.exe
        269⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Nnolojhk.exe
        
        C:\Windows\system32\Nnolojhk.exe
        270⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Obmeeh32.exe
        
        C:\Windows\system32\Obmeeh32.exe
        271⤵
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Ojhijjll.exe
        
        C:\Windows\system32\Ojhijjll.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Ojjfpjjj.exe
        
        C:\Windows\system32\Ojjfpjjj.exe
        273⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Odpjmcjp.exe
        
        C:\Windows\system32\Odpjmcjp.exe
        274⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Ojmcej32.exe
        
        C:\Windows\system32\Ojmcej32.exe
        275⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Odbgbb32.exe
        
        C:\Windows\system32\Odbgbb32.exe
        276⤵
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Pjalpida.exe
        
        C:\Windows\system32\Pjalpida.exe
        277⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Pqkdmc32.exe
        
        C:\Windows\system32\Pqkdmc32.exe
        278⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 400
        279⤵
        Program crash
        
        PID:924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 400
        279⤵
        Program crash
        
        PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2692 -ip 2692
1⤵
PID:7064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apeknk32.exe

Filesize
64KB

MD5
43142ff6eece8388cc14bd2b4935c40c

SHA1
9ea1c384367010f8da04ed7419024ce077360112

SHA256
b76122b311891810e314d88de9f91e6f32a845b24368d926156b761ad123953d

SHA512
1edc9f9bb1ebf59b583632baae4ad6cf12b106e5989108703a8827709e6bec00fc452d6466cb0ba1e3e67bbc09d75dfad91b6b5208ad76bb5a2d27e5806b0132

Download Submit
C:\Windows\SysWOW64\Aplaoj32.exe

Filesize
64KB

MD5
4d10e8a6c7de8a61e59ba1ab9cb80f2c

SHA1
3faa2d73294f0cccf0d1c9a6338aaa762e5c5bd6

SHA256
9ad760d55b0ea5fe05280d223a6a664c5e164712d54eee055f96d9c5dcffa749

SHA512
24a26f295b8517602d3fe5fecb934f5efdecca6f3809cd44dd6cc2d6d0219ac2bec90d0e8e9a1804661d3e657dd6b423c7ace781bd68d24bad7c8d69d0d6ef50

Download Submit
C:\Windows\SysWOW64\Baepolni.exe

Filesize
64KB

MD5
2bd8da5c1933e03440661aed5bb47d48

SHA1
bb0af48b1194736d29c5509647429d5bf5a7e8ad

SHA256
7ac6912ff4e47915dad77318ddadf040c42357cd23970094097dbce9c11c5b41

SHA512
24a6c2b72742702a430fef66da5548f3168903faeb3803d5cfad9dde38107731c664b30f209323959bc170aa7b119775f83033a8ea03c0e41413b9c358686766

Download Submit
C:\Windows\SysWOW64\Bidefbcg.exe

Filesize
64KB

MD5
a78377e7850d9f340af1ceb8bf97c9de

SHA1
fae2f1126cd002ebcec10821d23264a4969cedb2

SHA256
10892c1f4de7ed947abdcce8f70c4e806c22cc52c44b88d71b67d8733f3022b1

SHA512
795390c45862ae51a5e54ba2557449141f3de4a776612cff0da8be1f4fdc7d5dfe1a3413d67f558214f9fdf294c74f9762d46e5f596969940a09072873880db1

Download Submit
C:\Windows\SysWOW64\Bmggingc.exe

Filesize
64KB

MD5
b37a5d428acf578986e8487dd6392b01

SHA1
4f0ab5fc0d6a8efd0b0194f96b0e481975bad22c

SHA256
07befad1a3330ba68dee387277c0ba8a031ba1e3d598610a069e1af90dd1eed0

SHA512
6bbcc61dffb47f2714f72080cecd1f6ed709c6105bdfc7d2e1d4907e4c15f343d161b7287a7e8760c9da45a5f770950b3cb1b08fe01b5adde1f68f7a431bf4d5

Download Submit
C:\Windows\SysWOW64\Bpqjjjjl.exe

Filesize
64KB

MD5
96afd727b0ef96e1a063bbd7ff03fee8

SHA1
6d8a6a0a5cafadc42542de5297d4f80b961ac8cf

SHA256
8dbf079c5fad078ca6b9bf9255146b8f9d7fa16861cc91371250d25af320b771

SHA512
5a39716c953037ab2304ae21f10f7a45333918728c51c747608ffd477f7edb7a296e1c52fe5cc7be56a9814bc37d96bcb7ca24f82a5979051437adcb785e8470

Download Submit
C:\Windows\SysWOW64\Cdhffg32.exe

Filesize
64KB

MD5
7ac2ec29cb240f19e2f2dfcfae3f0da3

SHA1
81480e3a0795b729044c400bd1e2d6d81ea6ee82

SHA256
ee05c6ab9cad41059635684e06fcab451f0dd8ffb074528f0153f113105d38c4

SHA512
bd4e371aa33e67bc3d4f79960b90c2ee783d81e99152277786570b8d63a8bb6a30259c6995809d1147ed817eadeda95205e8d94388afb2bbe363dcc8d7dce600

Download Submit
C:\Windows\SysWOW64\Cjdfgc32.exe

Filesize
64KB

MD5
1b54a564e2e2d9142807bb342eb21794

SHA1
0678982a59cd37328ab7349139140b5c5c876b33

SHA256
b05f522d6d3a5147cc3349809461747fc63b6bec561240879ca39f27a5627c98

SHA512
c41efbf62c87ebf60d66344e865fed0318ef6244e4fd8bd69ad47e2fa272b6085a2aeb091bc6e43c27e4b6072d41799bcce5c352c5706e8abf15cff9109d3c51

Download Submit
C:\Windows\SysWOW64\Cmedjl32.exe

Filesize
64KB

MD5
ea1312466b9a0d63dbfcd461073fe61e

SHA1
07e8bd1437fec84c9c83838f4fbd75c84ed9db28

SHA256
f300d4c93f91734fa2d849f76851e1e6bc490dd0d0eea24663faf73eb5658def

SHA512
74df63be91eb9d1c336cce69863d75ef890c6d4bdbbe1495ba5a02761c33dc99262dc238b94b30dee2735b56c28211e83477015443c9505e4ee8ed297a2b08ba

Download Submit
C:\Windows\SysWOW64\Dckoia32.exe

Filesize
64KB

MD5
99db91cd3b358c020c9cfa0056261b7e

SHA1
5f74f23724041e108cc2c69c2d988bb7f39a7a45

SHA256
90886f4f4f55ef7206beabf2cdde1e4323857fa3d4e725f5d06cda2a289705ac

SHA512
3437175f58905eb8dac0dfc09ce2829c291cde8e7571fc663afc192a72ba311383df2b2a8926e51d2a047a375d4eb9f686803930c7bfd9b786db362b608d5439

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
64KB

MD5
d2e6e8b03de91fad7f50586ba23fd530

SHA1
43093dfb0a96650d0591db31d487d208227e04df

SHA256
305f469ab601cab340b0c43653c8c9ec93a0badc657205c4388a0325313dbb83

SHA512
a8c4c645e91ee61474376a000210ec0f9b2e3dc4cb3015bf794f4767903f5d46fe778be03d25cee6e593fec28c4aea79c76cc3c6345a5c434c6b3989e43e102e

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
64KB

MD5
d7f96ef3895ba932e3d0ca380a586214

SHA1
a8caaa1a08e5bcf167595df8e73ed32b6de4d99a

SHA256
857cd3c294a7f9b0de67519958b8ea3fdc349ddb757e4b6ebbc190debdca3ecf

SHA512
2aad1fcb391a787b1b84e0c87fdfbbf75d9f4787c8acf0a194bf01484ec69fa67a57d0d957d26bf82c1c265705a94d8630925bac80b58030d1bd6611bb982eb7

Download Submit
C:\Windows\SysWOW64\Dncpkjoc.exe

Filesize
64KB

MD5
a9a2105d1b6ba925cf6cd7dadbf1a9a7

SHA1
b1e1931e1851893d49ab595e84c1149c84e7e53e

SHA256
835ad7610e07fa7dcd6709b355be845800c6396f98836204b978371876b44793

SHA512
1835d5431d50ea42055bc1e9eccd27c1e394b8d01d0356dafba4878ab5f0670b4ceb4878af77534abfdbe5e225ab1e67fcb872e241ac3184a34d0d13be18a853

Download Submit
C:\Windows\SysWOW64\Edfddl32.exe

Filesize
64KB

MD5
811c41d52544de9be85e3e354acf9039

SHA1
df64339b71505128ce94483746d2c76abbaf81d3

SHA256
ac8b18858207b404ed933dcb675e892c0793fd63db6501bf9c37159e1281cf48

SHA512
a771479ff6f9d6fdb783cd88a415a21316e0ac2442e64e67d971b811dfd6868ecf3a43142e802565033492157e9425b42fba86106e5b01a39c601961b2395399

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
64KB

MD5
059362f6075e4f3e4040cd768c6ad2d0

SHA1
e9b835d7e941ec94a9ef315eb39f840a003a09c4

SHA256
e94a669adf99e031040d00c88d1097b86f060e8161a8fd49c1d5a3053b4364e8

SHA512
d2a27f967cf9c4adfb10335618ba4736a0fb01c6b92424279c4f42615d9439f1a981711262a5b99971984393c6382109e94b65294d8f30a10da4488dce2005c5

Download Submit
C:\Windows\SysWOW64\Emanepld.exe

Filesize
64KB

MD5
63b2e6e2da53c45a2ae6c25afc15f3f4

SHA1
c385fd65e95fd6f5ce7e6611003f3d3fdcee1d92

SHA256
89afcec17c23ab8c76e9aad7a77eed5baae83face7fd6d2c8756a144f47ba267

SHA512
60bc3eb7b26b294ac41525bea2cc95870136ef7c23369379cfcfcfe7f212c26feec313919cb06e797cbb633cd522ff71557f00d3a9211f2a8af33e3791513c17

Download Submit
C:\Windows\SysWOW64\Eqkondfl.exe

Filesize
64KB

MD5
fa344551f256cf2f32b2091a5844503c

SHA1
f7bdb6965037c040e8615815b770736ceea360ad

SHA256
2adf1fb83509d611770e4c56f3276d575b8ef4709e48b85df2ff118a3ef450f8

SHA512
40db63f31c4efcf3ebd496631cc872b4d78f4293eda775c9f1912c52df7650beb017e6704d6b7ccc4a2ccb037e6a7d08d0b4a6a3f1bc42bada413f51ccb794ad

Download Submit
C:\Windows\SysWOW64\Fcbgfhii.exe

Filesize
64KB

MD5
7185bd8320bb31fcf854f18a5d58875f

SHA1
aac854e55d5a2ac54ef39f5b98965aecf232f955

SHA256
c8a300db4a1355a553acdc68d02cff6b1a91f1fec8500b08c05483a055184ca0

SHA512
cfada108270e4b9739c5686ca22fdbd054d3692ec678ae63b9aaecfecd58f761b61895ee3377856d77b8021f358b175266704783867bc45469dbce7e3dbf08f4

Download Submit
C:\Windows\SysWOW64\Fnffhgon.exe

Filesize
64KB

MD5
90c361b384d4e6c6903d0ade2fe0ae84

SHA1
0e6df9dde983a49177fe5103275fe9385dc2f01a

SHA256
d4ba3a122a745ca5e1ef9409d13430700d6730ba2424af4181aa8d82ac7aa039

SHA512
296f9cccdcf43cde11a842a3594357643a3dc25c83f71a6637ed36d741bae02474f9268ecaca31c1c33f25f12568b25af1dc71df07677384bc73918504ffd995

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
64KB

MD5
45a2060f99d32727c2a6bf97f74d7b29

SHA1
243c7968a3995c0cfafd0562e4caf498514561a4

SHA256
3556675ce91bda6eaf92cf7dad91395940ca7899c59770fe89362bc7f2cc6c4f

SHA512
eedd38db28ce23f1e4dd4b12c6f80630fe96d10c3fc4557dea35a9af782749da010dcd4d199d63af5faf608d72df240f07245ca2879a68cf7c66830d333b25d0

Download Submit
C:\Windows\SysWOW64\Gablgk32.exe

Filesize
64KB

MD5
aa86569d4c27d953aa035c984dd8a93a

SHA1
8c1fe2352e2c5094a0c8dfc6c3476ba2e3fc3af0

SHA256
a77f46b2ce4ae948c14ff83ab79879164f27b2c0bbe908082e6665827b9fb8c8

SHA512
c97f78f2fbc701ddb935629da023a520052709b0028796f2ead2dc970156bf01565c3eca5d3849f9d8f39681d19503e72fb64e730fcdefbc4682b200b4c1f82c

Download Submit
C:\Windows\SysWOW64\Gehice32.exe

Filesize
64KB

MD5
cf6baf80aaeeb48a21c0345b74115d66

SHA1
216f6037ec0431becbf9df79241f9a0434d83bc0

SHA256
7b1406a0fe26913b2534e8c5ae0cfeb6c653f1b62909efd9dec9451df8c3b25e

SHA512
10cc989e468605ddc0e7c653e5c1b858744f725c51b2f0b221c6c5ee671097b61e3a73a6113c88f7f547aec790faa65388c54ece4d445037603822f4bec3957d

Download Submit
C:\Windows\SysWOW64\Ggepalof.exe

Filesize
64KB

MD5
c030b96668f136bb8c429e25535bcba7

SHA1
ff2ceabc0fd889623bd86b7ac140dc78a8eadbbd

SHA256
76853c6c2fb00a9867744d41c45d777bcc83e6b1f2d6c5c8cdabfd169ce18b6d

SHA512
6cdec0e83ebea13535831bca0d2e6d9a65f33640712971191cc698ec617c7e62eb7ca90fe38ff198f7b55f61c134e73e95704c53440df39bee309ff3b358e7c6

Download Submit
C:\Windows\SysWOW64\Gglfbkin.exe

Filesize
64KB

MD5
9216dabbbfc6796b81642eb9640d75fa

SHA1
dfd04981fe77f4dee3c6edd90d2022deff408c36

SHA256
9860cdc2a5d104141f2275cc567ecf23559a7ba11b7b3cf27ca8681c3ec90b08

SHA512
a4d208df19805ccbffabc0a6e4fbb661a7697f3e30bd10757e5ead8ff702ebb9f7c40a78859a79233160845782260d9aacbd77c0e2167a3352c2dea2cf9465ce

Download Submit
C:\Windows\SysWOW64\Hbknebqi.exe

Filesize
64KB

MD5
b8cc8cd9fa324c798bab95919f13d8ca

SHA1
fded4565b2fed126f71c0bc884a6f548f426ba1f

SHA256
16dc8783508e85eef71c3ec01f31a367dfc13feac84fcfe7d77c5fe93214fdbb

SHA512
2f5a09d58c8610b5913cef20a9571b211a7746d1142c109434c3b56a4cbc6dcfdac4c9e99a4bad368d1e34d4db11402abe619d4abf6be19ec8ce2c86308c7e1a

Download Submit
C:\Windows\SysWOW64\Hchqbkkm.exe

Filesize
64KB

MD5
8a7bd31fdb9610b71307c1f37c128a08

SHA1
701e185dd6580c3afe6f1c4880f58895e8938833

SHA256
8d96d8c722b1760ab51743b2ec90def427771376f579bad696695d3bd9400a30

SHA512
a1d5d8ddf9c1f55cbb12c59916e7f17df4c316836d845029abc1cfeaf51b9cc6c5d530e68067405ad912932e40f7956131c91b162b311f6e859d8f6549b14b28

Download Submit
C:\Windows\SysWOW64\Hhlnjpdi.exe

Filesize
64KB

MD5
b1482fd40588927201290ab2c89e34a4

SHA1
9f0e91431726194689d419bd0754ea67f726be62

SHA256
4ada6269d46928d2a551181bd4cb5e4c1ce679792b76a0460ececc34820d2fe4

SHA512
4375eac7338bae7e40cca2032cf1e7fe853229eb540c3915bd8f165a3a0f78efe1f6226b4f8e3b5f157b9914d593ee0075cdb033eaa9e805ef981d94b0c93289

Download Submit
C:\Windows\SysWOW64\Hkmlnimb.exe

Filesize
64KB

MD5
908e1a90126b0ef7280c20b56afa0b96

SHA1
8a679f5fa05e08fe5d4a9619927576afbfd0a52a

SHA256
fdafb33fe590e91a67a25eac6547bea65f8b9de958c198c791c68f1f45396dc4

SHA512
6d3a07e392a29983a7c967854092369fc6450b449f33d950587da38d1f126054e833c9e3ade3e2fb9767e688466f68767ecb18f4e0470a06e17004540f05a97d

Download Submit
C:\Windows\SysWOW64\Hnbnjc32.exe

Filesize
64KB

MD5
50cb8ccc2c309faabc04040f7046f4ff

SHA1
a2241c2aec9ac9bdf1ffbf6bc7d73a5e2e5e8612

SHA256
b83bfcefc81d02e8ca917e63ada617abc70d6064702c018d63edd341bb82778f

SHA512
9f6dc34db9573e3652d3ae2b0d2054036e0cb80275039572bdb1733538399af0998d5848a7bc2851b4ada5f2cb9ba6db86de2984ef6cdbe50595754e9953e12c

Download Submit
C:\Windows\SysWOW64\Ihfglhfp.exe

Filesize
64KB

MD5
1f0c3b7f30fc7eeb5d7609f35d6486aa

SHA1
c5f57dcf53d725b8fbf043a2da8dba4d94ac4472

SHA256
f1cddf7408edf2cdc05ba253c6324af4b049c87c3a48d475e3c43a170f830fab

SHA512
3d9bc2117863343b57bf05862bac9bbe241098cfa66317971fb2a2bcd0565710dc15b88abde4b01a6d7eba27b2f28454f05335a9b13e9b1874c59c3cec5d696c

Download Submit
C:\Windows\SysWOW64\Indkpcdk.exe

Filesize
64KB

MD5
d27a22a207df1c91d2470dda774a9286

SHA1
910b364f751de9880cfbf3761eaa28d7b2207b45

SHA256
a1bfa03ddb5206a0ab0cd6899719c9f3376fcea7302197a957e03842eca6eac6

SHA512
42be6b951c181b5b1d2a9f75e4e0dbb2a1bbf5b6806e8918429cedfa8e5c63eea7e5119692f16847e3062c495ad094a169a5041f18039f1bf55361400944d10f

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
64KB

MD5
114d88bd6095e067b03858cefb0eb3a7

SHA1
d455c6eb51ab9963a0bb0bf893dbc89dcd7ee210

SHA256
5f8bc11a61a1d1c2a49d2d9a8b439cb976e4ad16c77b7aae464e41fa31ff12f7

SHA512
29bef83edde347766323cef3c064db925e2ceb2ad9557ef77fc2b37bdcbd80fdf9213bbcc2764eb55b5ff8839be5e9cdd58cb7aeece6a96d41aebf3d69e8ec4a

Download Submit
C:\Windows\SysWOW64\Jaljaoii.exe

Filesize
64KB

MD5
1f639c11963bda8d58df83e6339571ea

SHA1
0189253fcc9fd80619b05591c2c7d88fec439bc2

SHA256
7decdd989463d6ba1b5eb72e96ee72d3f3528c6d0f26158e5c8b45461c043096

SHA512
a1edfe0f61b0471ec4ca36d471726eb7a4deb1daf1a2e32417dd536fbb2b7f0a315cbba708da7cd59eea452f878a12397e43a4dac6297b5c0eb552d5babef3ec

Download Submit
C:\Windows\SysWOW64\Jejbhk32.exe

Filesize
64KB

MD5
120bd0a6ef8912eacc02dad505b7c95d

SHA1
aac46031ece5b66351eba1dec1c5f2a90edb4537

SHA256
dbc0067004c9e8a747ddee68d88df9aca263b3555b91efd144521885ad34287c

SHA512
3d4f8dcc4162b0ea42be501d834c53f310c48f49e63ad93ccf8d0192d8d65d0d054f16bd39bd7da6773c5a945430eab4b7286304a44b828e9aad4fdd61bb06ce

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
64KB

MD5
2659af7431a6667a0d382c44a9a9aca2

SHA1
8d6f8571ae5dc6dcfb5dc3ac23dab46a7b1198df

SHA256
7def080e94a5f9f8b6aad8753c1bc6451c0739f5316d646ccd6bb98e2cda59b0

SHA512
61045e5dc1ff004c3743aece19eb14ca7f725bd0d6814c09a9957016ccd6a448bf54e257fbd4af6342dc42208c6b87e1e9fce248e15d3e94a929db83ce795613

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
64KB

MD5
9a022c157b12072d1827e3180fdc5ee7

SHA1
3205e3dad4a413b660b1aa7b6f46d934a4f2f7d0

SHA256
f9e94f56b97935f687d2b38cf9bbeca4a973ba8dbeb451cdb35866498374aafc

SHA512
708dcdbe990d75cc65e47a340386ab21f1cdf4a85963b79fcbda38282ae23a63ad688cddb5c4ce4b758f259a8de45571fa58a846bbc23bd13e1b2ee6fbf8fdba

Download Submit
C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
64KB

MD5
7aa95e971e807f1e5ad2062795f059d5

SHA1
a7dd42774238e962e79e07b2ec6c181d6742c44f

SHA256
4876ae7ad2e8007989787d8a2691f74d45c071c3aa98545173b1d1d1a40ebc07

SHA512
3b7181032316ac668eaabff2929dfefe064e0a197e9dd27d744904ddf210df22dfc76f6d1a8ec2d0a8daf8f73cb6203d8737f7413c8ecc6521e4329dca6b6dd3

Download Submit
C:\Windows\SysWOW64\Jmlkpgia.exe

Filesize
64KB

MD5
9d3016654030412ebeba8a40ae69c630

SHA1
39f7be9bd4be09acacde5e9c7e5c53737c9468a2

SHA256
c0649083dacae882b079f9c59b7138b8230e39df1b95e3440b77963cd59c7750

SHA512
456ff8f24060a96d73dfef1e7cf36a892fffc16be1432489d3bd6f49cb127e1e5ad98fe1ba47bae7bd889a70476f657f4eb534828b8e8aae07c21b5983612dde

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
64KB

MD5
060b0736cfc8906ba4789ece4fb140c0

SHA1
4930a2112126d5cd6885d82d2f6b6d9f9cd39bb6

SHA256
c036dbfd85f8b3ddc2b464922bed6d150a2bb2aaace2f0b449755eeb584867ec

SHA512
f5900710df5e94d027b1ad9db43fab2644824f6207a8645ccba214cd63d59df5b91635088ce734b422f9b0a98115dd09719e6be80067928fce42e33a0e389159

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
64KB

MD5
38fc4bfa847a4223d6057e48f4db4ed2

SHA1
1ca10631ea0697183ddc1c6da94c26bc360c45e0

SHA256
fbabf816a379037fe9fa4e42d86bb6b8661e900ec3e13926de39f46fb657536a

SHA512
c2286c34ac32bee8e9d7050a86d8220e1e5ac027f1249fd9676d751d1cffc3139b4c746a51d8a7798d54b47e240efdaf84b20517dcb12b8dfd4ffddc3d62b5ec

Download Submit
C:\Windows\SysWOW64\Khabke32.exe

Filesize
64KB

MD5
2c185af70048bfc4f7fca42dd86eeeb4

SHA1
6e34b7a589e46d2764808bfcd3527ab39ec8ad67

SHA256
5f6a10c6c2f51aba5a8100c493ffac68204db78a5d744f845b8386024227b2d3

SHA512
8bee6cdc0301373741fd6c65d1dd5e7412bcca9ca920be16a5c08a8113e4ffde2f68634fd66815c753e4c70418ceb07f75c1c2e7d08eb96b160461b245ddc2d4

Download Submit
C:\Windows\SysWOW64\Mlemcq32.exe

Filesize
64KB

MD5
9c4632439d6fab1e25b4baf8ce42a771

SHA1
b3543bfd848717bf86a614a8fb9df2157d3b94b1

SHA256
8c31673cbbecd4ada0a6f270aa6744e7b782ad6dbbcac64d5f424539046a6740

SHA512
786b808e4dbad65c4697a2c4f4002f835f7ec4e7c89d3e0b3f5298bf6ad61cbcc023d1be5a7d24df32bc32f6edc88d2313e3c47b55974b57b3f82dc331ae4307

Download Submit
C:\Windows\SysWOW64\Oakjnnap.exe

Filesize
64KB

MD5
f07fb95c8751f27a6c5bd14344a41962

SHA1
d483aaffdabd44dacba0cda1102c1b6a457d9895

SHA256
dae38a7762287da49188e0398a0315af40f6cb8d4de0f246ddaf89c0794f3684

SHA512
0830f2e6ebf071abca32d791aaed8fbe40f7a5d02669e0eaa385fae0223bb08bf32e989d78dc69a86d070e90714b5b3b7204ed8d414fef01b2ba11ded208f6d4

Download Submit
C:\Windows\SysWOW64\Oifppdpd.exe

Filesize
64KB

MD5
bde5d626f0f8b25dac2f354f708e1f00

SHA1
e92c0c3492cdc430abc1fe2e268fb3f19749059c

SHA256
51aba64e90399e33bb714b2a7b31abb54ecdc4bab2e4bfb003fb3d7f9a28afe6

SHA512
fbada25e913169a77dcf653725a6fcbed37b98753b5286067aebbc2c052da7a796fa0e2d7bd525621b1caa30355c1c21c9a42aadb4bef0a1e662585368c855db

Download Submit
C:\Windows\SysWOW64\Pfepdg32.exe

Filesize
64KB

MD5
d4f310b65321dd36773d0b3b01838a9f

SHA1
74b8861cd5ba034db478e56c8de56fa884e92f1d

SHA256
689cb2e69ce60174ec8e8c746804e2870bc7d232fef4164a8966cee84f37e80d

SHA512
c76c6081abf9b1682bb6dd61f5b1cd7391a6a00105b1b89e7ebda1a9d59f11abb33824fa51186146b30e5ba3a194ad4edd98e66f0978a760859708fc34e2466b

Download Submit
C:\Windows\SysWOW64\Pkigbfja.exe

Filesize
64KB

MD5
2a0397f029a96bb5e0fe780f2dcf1e1d

SHA1
3fa1eadbe777e62bfd7c1211a306eb52a7d81793

SHA256
17091dbbeacca011af9bc75fede61a0552ea78aa4bc4bc0fb71d6f7c55e5993c

SHA512
e834f35b72f1eeaf61a6866f19578365be7600578b26a3fdaf10d7e3170fd09846c4b2e5f5e0b20dd7e52912080a6dec534476041a9a330536af2e5ec0bbca7b

Download Submit
C:\Windows\SysWOW64\Qoocnpag.exe

Filesize
64KB

MD5
f66a1f6754719f176c2a7f86f1a93f0a

SHA1
9e03af039e519d2d02befc461765dcf3a8c3ecb6

SHA256
f34ae6f1a3590bd39c20c02322577c3c68cfbfbedb46adf57ef4c982b79ff841

SHA512
bba5cb6e6b1fe0b71c5875db6f5793191c06b2dccfda9b621e476627f4fd5e88bf6579245738c351fb466a61c8d764892b8e67647ee6373872c22adc8bb28002

Download Submit
memory/116-432-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/116-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/212-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/336-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/392-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-49-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/468-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/852-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1168-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1196-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1380-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1380-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-391-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-105-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3140-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3140-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3396-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3404-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-445-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3716-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3764-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3792-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3792-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3796-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3796-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3856-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3884-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3884-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4260-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4396-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4436-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4436-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4612-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-201-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4828-226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4828-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads