367c0a7190d196ac946987d3e20d825cf006bc632087353b50a14898aaccf2ff

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

367c0a7190d196ac946987d3e20d825cf006bc632087353b50a14898aaccf2ff.exe
Size

64KB
MD5

422804f912f16bdb8b41d2f8261a048b
SHA1

b21f0c553b82978115403e5f09d9b03f49695f46
SHA256

367c0a7190d196ac946987d3e20d825cf006bc632087353b50a14898aaccf2ff
SHA512

f26de7db73247f069f01cbb348704349945b5fc0547cc6ee1edcdeb177be5e4d3bae3986157e619de05f32e968a9ecfd60db1dd4e36a01adbfe223160148ca10
SSDEEP

768:96He8mCbjLh3nvI1D5KFJRyRRF0IuYB8JBea2nCWU7K3KqMqf/1H5WXdnhKStk8+:2efCbj93vI1D6yRRFGYBaBt2vlmly5VP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckedalaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fchddejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdeqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkhoae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aldomc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aacckjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Camphf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aealah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbnafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkceffcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blfdia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmeobkq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkjlge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajneip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imakkfdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhikcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boepel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnnjen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cefoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcfhof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekcpbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnafb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjpiha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhpjkojk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcfhof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbaemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfngap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfibe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehimanbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcmnpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcagkdba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obfhba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obfhba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkldb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjpiha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhpjkojk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkciihgg.exe

Executes dropped EXE 64 IoCs

pid	Process
1388	Ogaceh32.exe
216	Obfhba32.exe
4248	Ogcpjhoq.exe
4148	Ojalgcnd.exe
2884	Odgqdlnj.exe
4616	Pjdilcla.exe
2380	Peimil32.exe
4804	Pkceffcd.exe
2696	Pbmncp32.exe
1472	Pkfblfab.exe
4404	Pndohaqe.exe
4420	Pengdk32.exe
4548	Pkhoae32.exe
4288	Paegjl32.exe
2416	Pkjlge32.exe
2404	Pagdol32.exe
4124	Qgallfcq.exe
2916	Qjpiha32.exe
1568	Qeemej32.exe
4016	Qgciaf32.exe
2528	Qnnanphk.exe
4828	Aegikj32.exe
1888	Agffge32.exe
3304	Anpncp32.exe
4744	Aejfpjne.exe
2864	Aldomc32.exe
4568	Aaqgek32.exe
2384	Acocaf32.exe
3684	Alfkbc32.exe
4728	Aacckjaf.exe
3732	Adapgfqj.exe
2556	Ajkhdp32.exe
3600	Aealah32.exe
4372	Ahoimd32.exe
4556	Ajneip32.exe
2152	Bahmfj32.exe
3216	Bdfibe32.exe
1884	Bjpaooda.exe
1776	Bbgipldd.exe
908	Beeflhdh.exe
2708	Bhdbhcck.exe
4908	Bnnjen32.exe
2492	Behbag32.exe
4904	Bdkcmdhp.exe
220	Bopgjmhe.exe
4808	Baocghgi.exe
4024	Bhikcb32.exe
2008	Bobcpmfc.exe
1816	Baaplhef.exe
892	Bemlmgnp.exe
4100	Blfdia32.exe
1796	Boepel32.exe
4428	Ceoibflm.exe
776	Chmeobkq.exe
2576	Cogmkl32.exe
3960	Ceaehfjj.exe
3632	Clkndpag.exe
4956	Cojjqlpk.exe
2988	Cecbmf32.exe
3180	Ckpjfm32.exe
2524	Cbgbgj32.exe
2368	Cefoce32.exe
3848	Chdkoa32.exe
1116	Conclk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Gfpcgpae.exe	Gcagkdba.exe
File created	C:\Windows\SysWOW64\Kfjhkjle.exe	Jcllonma.exe
File opened for modification	C:\Windows\SysWOW64\Lbjlfi32.exe	Klqcioba.exe
File opened for modification	C:\Windows\SysWOW64\Miifeq32.exe	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Fkciihgg.exe	Flqimk32.exe
File created	C:\Windows\SysWOW64\Aealah32.exe	Ajkhdp32.exe
File opened for modification	C:\Windows\SysWOW64\Hkdbpe32.exe	Gblngpbd.exe
File created	C:\Windows\SysWOW64\Ojleohnl.dll	Kpgfooop.exe
File opened for modification	C:\Windows\SysWOW64\Hfifmnij.exe	Hckjacjg.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Qgallfcq.exe	Pagdol32.exe
File created	C:\Windows\SysWOW64\Dnqmalhn.dll	Dbllbibl.exe
File created	C:\Windows\SysWOW64\Iaekmb32.dll	Dbaemi32.exe
File opened for modification	C:\Windows\SysWOW64\Febgea32.exe	Fcckif32.exe
File opened for modification	C:\Windows\SysWOW64\Gcagkdba.exe	Gfngap32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Mnaela32.dll	Obfhba32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkhdp32.exe	Adapgfqj.exe
File opened for modification	C:\Windows\SysWOW64\Bhdbhcck.exe	Beeflhdh.exe
File created	C:\Windows\SysWOW64\Himldi32.exe	Hkikkeeo.exe
File created	C:\Windows\SysWOW64\Dhcbhjlp.dll	Dldpkoil.exe
File created	C:\Windows\SysWOW64\Naoncahj.dll	Hkikkeeo.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Ahoimd32.exe	Aealah32.exe
File created	C:\Windows\SysWOW64\Foabofnn.exe	Flceckoj.exe
File created	C:\Windows\SysWOW64\Camjdd32.dll	Ojalgcnd.exe
File created	C:\Windows\SysWOW64\Kihgme32.dll	Ahoimd32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Jlpkba32.exe	Jefbfgig.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Ogaceh32.exe	367c0a7190d196ac946987d3e20d825cf006bc632087353b50a14898aaccf2ff.exe
File opened for modification	C:\Windows\SysWOW64\Beeflhdh.exe	Bbgipldd.exe
File created	C:\Windows\SysWOW64\Docmgjhp.exe	Dldpkoil.exe
File opened for modification	C:\Windows\SysWOW64\Pjdilcla.exe	Odgqdlnj.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Gmoeoidl.exe	Gfembo32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Epogol32.dll	Paegjl32.exe
File created	C:\Windows\SysWOW64\Echknh32.exe	Ekacmjgl.exe
File created	C:\Windows\SysWOW64\Naqcfnjk.dll	Fcfhof32.exe
File opened for modification	C:\Windows\SysWOW64\Qnnanphk.exe	Qgciaf32.exe
File created	C:\Windows\SysWOW64\Lcjnop32.dll	Imakkfdg.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Baaplhef.exe	Bobcpmfc.exe
File created	C:\Windows\SysWOW64\Hnigkegh.dll	Clkndpag.exe
File opened for modification	C:\Windows\SysWOW64\Fcckif32.exe	Fkmchi32.exe
File opened for modification	C:\Windows\SysWOW64\Pkhoae32.exe	Pengdk32.exe
File created	C:\Windows\SysWOW64\Laffdj32.dll	Himldi32.exe
File created	C:\Windows\SysWOW64\Bdfibe32.exe	Bahmfj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8816	8716	WerFault.exe	375

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmkog32.dll"	Ekemhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhonjco.dll"	Pkjlge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkhoae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkhdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkmchi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gokdeeec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bahmfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baocghgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bemlmgnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjpiha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aejfpjne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Docmgjhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hofdacke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blfdia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkljak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gblngpbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkikkeeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phfkqkek.dll"	Acocaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgdgamg.dll"	Cefoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akalojih.dll"	Cbgbgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eapedd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaijinl.dll"	Gcagkdba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pengdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehgqln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiigifj.dll"	Dedkdcie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aegikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdqfah32.dll"	Camphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dedkdcie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekacmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekemhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Febgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oalnaifk.dll"	Flceckoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjjhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnnjen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeemej32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 1388	4232	367c0a7190d196ac946987d3e20d825cf006bc632087353b50a14898aaccf2ff.exe	82
PID 4232 wrote to memory of 1388	4232	367c0a7190d196ac946987d3e20d825cf006bc632087353b50a14898aaccf2ff.exe	82
PID 4232 wrote to memory of 1388	4232	367c0a7190d196ac946987d3e20d825cf006bc632087353b50a14898aaccf2ff.exe	82
PID 1388 wrote to memory of 216	1388	Ogaceh32.exe	83
PID 1388 wrote to memory of 216	1388	Ogaceh32.exe	83
PID 1388 wrote to memory of 216	1388	Ogaceh32.exe	83
PID 216 wrote to memory of 4248	216	Obfhba32.exe	84
PID 216 wrote to memory of 4248	216	Obfhba32.exe	84
PID 216 wrote to memory of 4248	216	Obfhba32.exe	84
PID 4248 wrote to memory of 4148	4248	Ogcpjhoq.exe	85
PID 4248 wrote to memory of 4148	4248	Ogcpjhoq.exe	85
PID 4248 wrote to memory of 4148	4248	Ogcpjhoq.exe	85
PID 4148 wrote to memory of 2884	4148	Ojalgcnd.exe	86
PID 4148 wrote to memory of 2884	4148	Ojalgcnd.exe	86
PID 4148 wrote to memory of 2884	4148	Ojalgcnd.exe	86
PID 2884 wrote to memory of 4616	2884	Odgqdlnj.exe	87
PID 2884 wrote to memory of 4616	2884	Odgqdlnj.exe	87
PID 2884 wrote to memory of 4616	2884	Odgqdlnj.exe	87
PID 4616 wrote to memory of 2380	4616	Pjdilcla.exe	89
PID 4616 wrote to memory of 2380	4616	Pjdilcla.exe	89
PID 4616 wrote to memory of 2380	4616	Pjdilcla.exe	89
PID 2380 wrote to memory of 4804	2380	Peimil32.exe	90
PID 2380 wrote to memory of 4804	2380	Peimil32.exe	90
PID 2380 wrote to memory of 4804	2380	Peimil32.exe	90
PID 4804 wrote to memory of 2696	4804	Pkceffcd.exe	91
PID 4804 wrote to memory of 2696	4804	Pkceffcd.exe	91
PID 4804 wrote to memory of 2696	4804	Pkceffcd.exe	91
PID 2696 wrote to memory of 1472	2696	Pbmncp32.exe	93
PID 2696 wrote to memory of 1472	2696	Pbmncp32.exe	93
PID 2696 wrote to memory of 1472	2696	Pbmncp32.exe	93
PID 1472 wrote to memory of 4404	1472	Pkfblfab.exe	94
PID 1472 wrote to memory of 4404	1472	Pkfblfab.exe	94
PID 1472 wrote to memory of 4404	1472	Pkfblfab.exe	94
PID 4404 wrote to memory of 4420	4404	Pndohaqe.exe	95
PID 4404 wrote to memory of 4420	4404	Pndohaqe.exe	95
PID 4404 wrote to memory of 4420	4404	Pndohaqe.exe	95
PID 4420 wrote to memory of 4548	4420	Pengdk32.exe	96
PID 4420 wrote to memory of 4548	4420	Pengdk32.exe	96
PID 4420 wrote to memory of 4548	4420	Pengdk32.exe	96
PID 4548 wrote to memory of 4288	4548	Pkhoae32.exe	97
PID 4548 wrote to memory of 4288	4548	Pkhoae32.exe	97
PID 4548 wrote to memory of 4288	4548	Pkhoae32.exe	97
PID 4288 wrote to memory of 2416	4288	Paegjl32.exe	98
PID 4288 wrote to memory of 2416	4288	Paegjl32.exe	98
PID 4288 wrote to memory of 2416	4288	Paegjl32.exe	98
PID 2416 wrote to memory of 2404	2416	Pkjlge32.exe	99
PID 2416 wrote to memory of 2404	2416	Pkjlge32.exe	99
PID 2416 wrote to memory of 2404	2416	Pkjlge32.exe	99
PID 2404 wrote to memory of 4124	2404	Pagdol32.exe	101
PID 2404 wrote to memory of 4124	2404	Pagdol32.exe	101
PID 2404 wrote to memory of 4124	2404	Pagdol32.exe	101
PID 4124 wrote to memory of 2916	4124	Qgallfcq.exe	102
PID 4124 wrote to memory of 2916	4124	Qgallfcq.exe	102
PID 4124 wrote to memory of 2916	4124	Qgallfcq.exe	102
PID 2916 wrote to memory of 1568	2916	Qjpiha32.exe	103
PID 2916 wrote to memory of 1568	2916	Qjpiha32.exe	103
PID 2916 wrote to memory of 1568	2916	Qjpiha32.exe	103
PID 1568 wrote to memory of 4016	1568	Qeemej32.exe	104
PID 1568 wrote to memory of 4016	1568	Qeemej32.exe	104
PID 1568 wrote to memory of 4016	1568	Qeemej32.exe	104
PID 4016 wrote to memory of 2528	4016	Qgciaf32.exe	105
PID 4016 wrote to memory of 2528	4016	Qgciaf32.exe	105
PID 4016 wrote to memory of 2528	4016	Qgciaf32.exe	105
PID 2528 wrote to memory of 4828	2528	Qnnanphk.exe	106

C:\Users\Admin\AppData\Local\Temp\367c0a7190d196ac946987d3e20d825cf006bc632087353b50a14898aaccf2ff.exe
"C:\Users\Admin\AppData\Local\Temp\367c0a7190d196ac946987d3e20d825cf006bc632087353b50a14898aaccf2ff.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\SysWOW64\Ogaceh32.exe
  C:\Windows\system32\Ogaceh32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\Obfhba32.exe
    C:\Windows\system32\Obfhba32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\SysWOW64\Ogcpjhoq.exe
      C:\Windows\system32\Ogcpjhoq.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Windows\SysWOW64\Ojalgcnd.exe
        
        C:\Windows\system32\Ojalgcnd.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4148
      - C:\Windows\SysWOW64\Odgqdlnj.exe
        
        C:\Windows\system32\Odgqdlnj.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Pjdilcla.exe
        
        C:\Windows\system32\Pjdilcla.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Peimil32.exe
        
        C:\Windows\system32\Peimil32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Pkceffcd.exe
        
        C:\Windows\system32\Pkceffcd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Pbmncp32.exe
        
        C:\Windows\system32\Pbmncp32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Pkfblfab.exe
        
        C:\Windows\system32\Pkfblfab.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Pndohaqe.exe
        
        C:\Windows\system32\Pndohaqe.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Pengdk32.exe
        
        C:\Windows\system32\Pengdk32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Pkhoae32.exe
        
        C:\Windows\system32\Pkhoae32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Paegjl32.exe
        
        C:\Windows\system32\Paegjl32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Pkjlge32.exe
        
        C:\Windows\system32\Pkjlge32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Pagdol32.exe
        
        C:\Windows\system32\Pagdol32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Qgallfcq.exe
        
        C:\Windows\system32\Qgallfcq.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Qjpiha32.exe
        
        C:\Windows\system32\Qjpiha32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Qeemej32.exe
        
        C:\Windows\system32\Qeemej32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Qgciaf32.exe
        
        C:\Windows\system32\Qgciaf32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Qnnanphk.exe
        
        C:\Windows\system32\Qnnanphk.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Aegikj32.exe
        
        C:\Windows\system32\Aegikj32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Agffge32.exe
        
        C:\Windows\system32\Agffge32.exe
        24⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Anpncp32.exe
        
        C:\Windows\system32\Anpncp32.exe
        25⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\Aejfpjne.exe
        
        C:\Windows\system32\Aejfpjne.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Aldomc32.exe
        
        C:\Windows\system32\Aldomc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Aaqgek32.exe
        
        C:\Windows\system32\Aaqgek32.exe
        28⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        30⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Aacckjaf.exe
        
        C:\Windows\system32\Aacckjaf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Aealah32.exe
        
        C:\Windows\system32\Aealah32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Ahoimd32.exe
        
        C:\Windows\system32\Ahoimd32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Ajneip32.exe
        
        C:\Windows\system32\Ajneip32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Bahmfj32.exe
        
        C:\Windows\system32\Bahmfj32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Bdfibe32.exe
        
        C:\Windows\system32\Bdfibe32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3216
        
        C:\Windows\SysWOW64\Bjpaooda.exe
        
        C:\Windows\system32\Bjpaooda.exe
        39⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Bbgipldd.exe
        
        C:\Windows\system32\Bbgipldd.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Beeflhdh.exe
        
        C:\Windows\system32\Beeflhdh.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\Bhdbhcck.exe
        
        C:\Windows\system32\Bhdbhcck.exe
        42⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\Bnnjen32.exe
        
        C:\Windows\system32\Bnnjen32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Behbag32.exe
        
        C:\Windows\system32\Behbag32.exe
        44⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        45⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Bopgjmhe.exe
        
        C:\Windows\system32\Bopgjmhe.exe
        46⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Bhikcb32.exe
        
        C:\Windows\system32\Bhikcb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\Bobcpmfc.exe
        
        C:\Windows\system32\Bobcpmfc.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        50⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Boepel32.exe
        
        C:\Windows\system32\Boepel32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        54⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        56⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        57⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        59⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        60⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Ckpjfm32.exe
        
        C:\Windows\system32\Ckpjfm32.exe
        61⤵
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\Cbgbgj32.exe
        
        C:\Windows\system32\Cbgbgj32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        64⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        65⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1200
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3028
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        69⤵
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        70⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        71⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        72⤵
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        73⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        74⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        76⤵
        
        PID:544
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        77⤵
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        78⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3808
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        80⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        81⤵
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        82⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        84⤵
        
        PID:888
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        85⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4992
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        87⤵
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        88⤵
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        89⤵
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1328
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        91⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        92⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        93⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        94⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        95⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        97⤵
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        98⤵
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        99⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        101⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        102⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        103⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        105⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        106⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        109⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        111⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        112⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        114⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        116⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        117⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        118⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        119⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        122⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        123⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        124⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        125⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        127⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        128⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        130⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        132⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        133⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        134⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        135⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        136⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        137⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        139⤵
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        140⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        141⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        142⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        143⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        144⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        145⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        146⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        148⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        149⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        150⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        151⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        152⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        153⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        154⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        155⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        156⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        158⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        159⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        160⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        161⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6500
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        164⤵
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        165⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        166⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        167⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        168⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        169⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        170⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        171⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        172⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        173⤵
        Drops file in System32 directory
        
        PID:7020
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        174⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7112
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        177⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        179⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        180⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        181⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        182⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        183⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        184⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        185⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        186⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6860
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        189⤵
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        191⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        192⤵
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        193⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        194⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        195⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        196⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        197⤵
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        198⤵
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        200⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        201⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        203⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        204⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        205⤵
        Drops file in System32 directory
        
        PID:6628
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        206⤵
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        207⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        208⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        209⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        210⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        211⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        212⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        213⤵
        
        PID:964
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        214⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6808
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        216⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        217⤵
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        218⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        219⤵
        Drops file in System32 directory
        
        PID:7232
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        220⤵
        Drops file in System32 directory
        
        PID:7288
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7348
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        222⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7500
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        224⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        225⤵
        Modifies registry class
        
        PID:7620
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        226⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        227⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        228⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        229⤵
        Modifies registry class
        
        PID:7808
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        230⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        231⤵
        Drops file in System32 directory
        
        PID:7920
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        232⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        233⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8020
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8072
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8124
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        236⤵
        Modifies registry class
        
        PID:8176
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        237⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        238⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        239⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        240⤵
        Drops file in System32 directory
        
        PID:7492
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        241⤵
        Drops file in System32 directory
        
        PID:7608
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7672
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        243⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        244⤵
        Modifies registry class
        
        PID:7828
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7904
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        246⤵
        Drops file in System32 directory
        
        PID:7980
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        247⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        248⤵
        Drops file in System32 directory
        
        PID:8108
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        249⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7196
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        251⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        252⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        253⤵
        Modifies registry class
        
        PID:7576
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        254⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        255⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7940
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        257⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8144
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        259⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        260⤵
        Drops file in System32 directory
        
        PID:7472
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7656
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7796
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        263⤵
        Modifies registry class
        
        PID:8032
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8160
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        265⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        266⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        267⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        268⤵
        Drops file in System32 directory
        
        PID:7316
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        269⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        270⤵
        Modifies registry class
        
        PID:8088
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        271⤵
        Drops file in System32 directory
        
        PID:7916
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        272⤵
        Drops file in System32 directory
        
        PID:7424
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        273⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8228
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        275⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8316
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8364
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        278⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        279⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        280⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        281⤵
        Modifies registry class
        
        PID:8540
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        282⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        283⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        284⤵
        Drops file in System32 directory
        
        PID:8672
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        285⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8716 -s 396
        286⤵
        Program crash
        
        PID:8816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8716 -ip 8716
1⤵
PID:8772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aacckjaf.exe

Filesize
64KB

MD5
06241b7e3b59ba662f5c3c6547a072f7

SHA1
905bdc4742602d31f86c56a2824299613872f322

SHA256
af91b4e733f4161f8d1df8350fe0a36caf5ecb49be905410a2cebc86495ef390

SHA512
07a42e1f69fc6eb13e44fd49dde1a7d6b43b14e25ad1940a71b080b002f22d0da3e9513584b7ed5922626bb817abc06e87f38d68133c4ef4ea927a37d7458d68

Download Submit
C:\Windows\SysWOW64\Aaqgek32.exe

Filesize
64KB

MD5
b4566a2855dc06fbfcc407ca285ecc25

SHA1
4ae0ede5e4c5578bc226fb2991e1c1d3b3f4f040

SHA256
8dcaadee04a9c751edba28d409240abb92c10a9001096e926d96728502543655

SHA512
06e97bdce4bd412b9dcebb4023a7878c8e1825d2c2232a03d19dcfc3bca30de8136e49aed348a90b42e355785ba096e8ddf987a3f901814b3dcb8d8a271a9d07

Download Submit
C:\Windows\SysWOW64\Acocaf32.exe

Filesize
64KB

MD5
b8f8cfe3492becef9e5aff53d2d4b759

SHA1
a8336fdbbd889fa8f40286aff28e3057961396f8

SHA256
5eb883687c21d11f96c13ffc281eb12e0b3947123b67b3ca72ac194c644438a3

SHA512
ba95e3e9247eb5fa3a8369f72a7a70693a6871e5ee4a479a451dfdb8751e09afbd2f0e0afc2c0f5d0619d62ca48b4c845980e3ff53666d718cc43df6e976984e

Download Submit
C:\Windows\SysWOW64\Adapgfqj.exe

Filesize
64KB

MD5
97037065bd879a29d5368f1007f7d0e5

SHA1
879a168b9811b2c942190c42affac4bd4aa8c5ad

SHA256
0094c7c9b22a21a2309c6b29073bccf4d99031548ec9c55fa91403f2197500bc

SHA512
44afa1e474b6523244ef4630c5cd51377c3d0b1e9f94697e03cb58f833fa7e7c3d767e2c40217499a6f1de07cdae07eb5214371405707870cb642c7e1d05f216

Download Submit
C:\Windows\SysWOW64\Aegikj32.exe

Filesize
64KB

MD5
f34e25b7ad89e09fdd5afc225bae989b

SHA1
338873f63ea138838e83b8d1e122d16f32d2c0c0

SHA256
8ecf434a5ba6a0a00c1544d71be1a0556a85e78088afebf4e3a98e65291db5ed

SHA512
9d46700e20c728a47af79900e7145697d448a4eab02c8885c2161be3cd3bdf0d5a0566c8b136badaebf3aa4f39961dab0ba7409c86de62efd262b277c9b4987e

Download Submit
C:\Windows\SysWOW64\Aejfpjne.exe

Filesize
64KB

MD5
b3115181a09429762998025ba51618d0

SHA1
642e17f042385575c99cf251bf835e5459e9336e

SHA256
2c20d00efda8e08ff668d4ea59255dcf3d389ad85838dc8e8740fb2466d0f031

SHA512
088dc9b2a68822a2e6fa5faa7f53e0b33b637170030b0889a20def2306bc60067e328a76391919db3403dc5758a8ac0363527712fcfa9a77c24b79130fac7e6a

Download Submit
C:\Windows\SysWOW64\Agffge32.exe

Filesize
64KB

MD5
e434f479abdd29f7b637c3821d00d659

SHA1
742e0905766b009f0eebff8fab04f9ebcda00872

SHA256
3a2fca721d30b09d8eb061683a772ba7130cbe8e7d32f87c36101edc342d48d2

SHA512
498b197826dae5ba5e5bad465855a6bf39a0697daa0e97643178aa22da047447e0674152caed17658036c519d29baf2977c9914b9e0180ee3e18e1244f431fbd

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
64KB

MD5
079e767a6cdd0ddf9f74a977a6d1365d

SHA1
9c402e3ce5850e576ec024147c5f9f1c39776d87

SHA256
f9e26078deca28fac825909b75d56462503de540d904531013c5f60749f8d1c1

SHA512
f8ce46690369560ed7d131df03641d6fac63f47793106e20f9bd818f52308759fc6e5b3b5f9d3f55bbbc007518cbddf8fadae2e052c475e5d562a945875cffa7

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
64KB

MD5
276bdaf65b3beadaaaa8d3f60cbad639

SHA1
3112c2d5eb2ca18151d4ab8dd34bee54f8988c82

SHA256
be22b9f72de0350f49a3cdfc5ca16969934b8c799efa4f3278d0d306d18ecd58

SHA512
5e973988cb68034f43e6feeeced65e6157a0bc2e4eed00edaee7bc9b4692064b2f3637a72c29bebb0266c3484634dbf2bed1d4e357cf8e61ba4cc52f91e4beb6

Download Submit
C:\Windows\SysWOW64\Ajkhdp32.exe

Filesize
64KB

MD5
e0e52c844ad6bc1b841e64c84759dc79

SHA1
8a2b326d1834c9403b0c7150e7732ce65578a296

SHA256
e25c4137091c06927fc37aeebf7ea23439608fcaa4d4e58ec3b4e11616468560

SHA512
43ee9fba1cb12e7cc8fc7e890b062f6d533ec63bf510cefbe3045be6f931d2082de1cd09c22504ceecf95134e5dd27a40ce9046db9bb8994a3586c8d9a0ba073

Download Submit
C:\Windows\SysWOW64\Aldomc32.exe

Filesize
64KB

MD5
b9966e6fd40aeba7a2a4d3a7ac3e8291

SHA1
2f6dfa0de2c16e07f904b82db90ac4d5b0a360b4

SHA256
b15cd3a4cc7af630f20c02c43f7ae766cbec8b3b3efc2d13fcf1e2d108dfea97

SHA512
7ba1dfaf59828ef01577628b6bcd90f25088c63aef180cfefa0931d594882a7a9c82dc9f285e327e62f2fe8c1bbde418ee76c428ade0a78fad66c2bdf533cde5

Download Submit
C:\Windows\SysWOW64\Alfkbc32.exe

Filesize
64KB

MD5
f139b75ff8473e3009c1bd3c78731f85

SHA1
925ea662be1dfd08159592ce91bde8a9f7bdb3d1

SHA256
0b5dc9ed9a04e6337ec0e492f8ec3622054ed99aa88f6a8bb21a798fbc32e010

SHA512
bfa512a8c6f86bf9e67bee246e7b08b2f7ffdf20b85f237f8130d3d20671cc00d797314d0ba720519634a03843feb6506d013d9cf499c95758c993164024d481

Download Submit
C:\Windows\SysWOW64\Anpncp32.exe

Filesize
64KB

MD5
c901b0ec146138a19cc1067399fbc384

SHA1
cfde7933fcd5b674611f0b3958aa310a440c967c

SHA256
d63298d38eda822e07111cfd76680b1f24ef962b6ee7a70fc7558edc0cc809fc

SHA512
e09799dd7e63b24e5772b2d1522333791593048aad807d62220c5cac70c96cb1f18188c00d9df12a96f46c04b5c38475e7c2ca7f6cb67de663c1ef0809cd152c

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
64KB

MD5
e66ec1df8b072bea80f86e14d768d7b7

SHA1
872549b1b968d3044ec40e2790368769ef402e8a

SHA256
d1a473f67aed31c208e9419446603cfd4e30cc6569a348490ff698a4f1cb6f72

SHA512
dd0b76ae247e628936e3faff338a38b4755117e142296675065d4bc2fa1cea51ebac3970906c99d46aab4e37e3128175a9a3d4924097254587e34bc3ed3b8a7b

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
64KB

MD5
7e32e319abf38c08d3475cd21079d52a

SHA1
e8b96a09e12b0e23c8391fa0cce7528092eedbd9

SHA256
5df27d7e9709c64e8888e4788a634f02eac5a621f1da57672db31bd5e92766e4

SHA512
242b6e734a5df59c8d0f54bb77c54a55fd2f64cf467dcf3a96bea0a2b0cabf101b084f15f57e2bd10afac7a1e45a00ec7ddccd66ec21638476bcdb2202ddc395

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
64KB

MD5
26c5441f30383b4ad2b1f335394df0cb

SHA1
6df1ad65a694d3a481d454548225198f814d45f3

SHA256
db9000a131db8bff5c3c41977528680ebabf1bbe80be8bc16fbeedf961c0a3df

SHA512
d69a36b164d44fca4d2f46696a35207f7564d4a61848c3444834522f1b9812ce815660734178cc11e3bc72251a88ecd9cb4718b9e8e41a42a3dc2b8a7e33eaa5

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
64KB

MD5
6815b1df717435fd53be7d0643f81aa5

SHA1
0b2c29f970f3b7f73cfbadeb34e27611928a3a40

SHA256
a390f8e008ac20c40913d331ebdca8b29b9d61f203f12d52e216b1ca739c9fcb

SHA512
2a3cabf259dcf20fd3687ea0096bba9c3a871a435d784aa87ec077522bc3d1d65fa048c5a75bdda095a240925279e9a0723580849d8ad7c42a9ae9c31da52a61

Download Submit
C:\Windows\SysWOW64\Ddbbeade.exe

Filesize
64KB

MD5
6c5ee4a8a016dfa713b3d7486b17e2c9

SHA1
6aa4b4efca9a10ec8f111a9f1b2dab8c9a3a953c

SHA256
78616f7f43622f0cd2b2dc87831a2c17300bef2462701fdfae3b57133da8f103

SHA512
bdb1eaf42c506c9f386b2d58f9e62ba02b903353e5ef21ae8c004f95818b526497facb86c348d83e3fac61c023e0b424f283ea286d0e450f9b9575241cee498c

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
64KB

MD5
bd5eac0f93aed3554a79f7ce35486927

SHA1
2a583027a75cc6c2d00e048f965ae480c6c49021

SHA256
3a1d955468640cbb0a5ec4f33cb551f187a06fb5cc1390c94c740ec69c33fdf7

SHA512
07a6efa710bc3432ad4916fdf30f9bdd14d038548f73c24f97e23c72fcf623ca1ba32caa2c8c701997ed270d7c17ce84998e1738dd92c112c3a56cf9ecdbe440

Download Submit
C:\Windows\SysWOW64\Dhpjkojk.exe

Filesize
64KB

MD5
061f0938a179bbdb4c6fdb05bf5dbb09

SHA1
8292123aa039086eea4f59bdd660bf83eafa6114

SHA256
6c47984a2bed095303905bc80245d2ecf39836043aa552595ee764e9235f3b64

SHA512
7eef7609449c66169b221ecd0820436ed44a354e3c7a9d1e0a1c363b5710aef3d01e2a27c16953db1c58392f8ea703c0734ea1672e31bc2c3378734e24d1fdea

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
64KB

MD5
2c687db0088996ea48a06d90fec8a135

SHA1
896377781b957a70d3f947a542b9deffabd2986e

SHA256
a34800eb9e91abdca86de6d9ffb804765289f518a6fbec2ad0d27ad29ded1d05

SHA512
12f26c46efc8fed53e423d61bfd11b96f0d84fb523cb0700789b8a30aeb748a5da3f9e9a64e93068ca7074d0a470a1fbdbb21f8e242ba2c4d8a952d6742ac17c

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
64KB

MD5
b294946742a550d8097805ec8e2ff5e0

SHA1
4266cfd476f71d22925bcd44a19e46e60b61dc40

SHA256
f85dc9fc3e09c1570463a871f2d612b2da6bddad3df326c3a839b65812a0b79b

SHA512
ad9b2ba4e7c2364894cfe282fd31c4bf5cfad401602cd358a684ed49341c3274986d315db48be54c11c92a83fddd1e7b0a6f1e43b94da06c2630def3d8b153d8

Download Submit
C:\Windows\SysWOW64\Hioiji32.exe

Filesize
64KB

MD5
d48dcccd8f1d7c7e2e70fce206ceb631

SHA1
2f6e7adccb0ad71b187314d82203a8cfabbec6d7

SHA256
8f055ba557218e5fe042f7fafe94acf3a51451bcbc50cbda160676f144b286a4

SHA512
c83e421b63173a55b1be985765ecece9864604904aaa39bffbc6aad1886d23ca8ef2de39741ab7c5c1de324e16275d2aa1e6f904b8e4e319de6c313731d76683

Download Submit
C:\Windows\SysWOW64\Hkdbpe32.exe

Filesize
64KB

MD5
e6e400d8322de2a68be4a205a691ac6d

SHA1
5a1922c8ea8edbb25f5d1bbc7355901f14a04da5

SHA256
505b87661786266847a0a01038dff01343dcd701bca60d066095e8eb4c7bf3f3

SHA512
eefb1ce7dd31e49e22fcff1c3b1702ed6065a2c6f281778d798296e883d71200651d9e89d333efa54a9b76fc8f3c04c19de3c68cbceacf86cb86cc5caabe96ac

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
64KB

MD5
269956bd504859d65b22a49f48d2563c

SHA1
54554fcb52ad42c0e83bfaaa466f566145d95f66

SHA256
8739267fbee3328bf297af76fddda8703fdede92937fd4baf54c4d64d0ee557e

SHA512
7933cfc9d515a50bedef16d001f8e224a3130fad0e80ff6aa362336bc2f936bb3c340cf9e8b1a8d14d9e6d66423e8b42d23706cd425da6b944974a4f2002e04e

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
64KB

MD5
a51d32be1dc7f1a0a5b53170ecd71648

SHA1
613c9923f3e00462e417a706954512194caa5326

SHA256
f40d1f1068518683665c1ce80c6f27fbef448b8b40bfcfc1d51e161e902248c5

SHA512
c50ffe6d4de79ab1e890872929c7d862bf2569222be56b2e198de8acb35d16b717c1f16d154aa834eabaefaff747bf7fd235e636e83999622d5c0bba7cb6d62d

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
64KB

MD5
982be72e0426a6e1a514cefb4ca1a461

SHA1
1a185a76d3b0aa765e3e6d77f1dccac3ea147459

SHA256
a0a52fa971758509ed0c20930628ef95beccb197ead26d36239ab0ee4ad9859b

SHA512
434c78a762d8484fd6aadf0f04c73f0ea499479c9dbcb7b2c51defcb7a89300656f25f0027e8b8c1c71460ead1959eaa16387614706cc7308f3e881d01a242b7

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
64KB

MD5
0c36f9ab63f7482b8aab2694186c9d46

SHA1
d6861f2e986c72c310fe23df5a8bdbb8c279d69d

SHA256
d78e4acbe659d4cf547956868da0126422e3cfb76aebe281f92b3dafc92e22a2

SHA512
28192044dd5983ff54a6e5a5e0c529b616cdcdc79940043735a5c721aab6b17a943078e43f5499e3ff5cd753cb69c5a2268f39f5aabfa0347e9241a1692c363f

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
64KB

MD5
80141e9799dfd92bd305b8dee8c4ef7a

SHA1
f0e966971384e9c44a39c53e855d0a01a62a3a71

SHA256
0e80aee1a868d60e8033af3678adb486963b9308702550f68cea6bb05c479f59

SHA512
c30f5765124e0708d67d8ef6351a985871a9900093ee64a9ebf8bd642df280997c4efc0bf2ba355aeba181eb71663b4e7ede7a107f29812fdb167ed4c604ee7e

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
64KB

MD5
ab187367b2cf2adccaf4248f63bc8fef

SHA1
acd98045e81c67ba7bdf92c7a03b19da09b767b2

SHA256
3357aa0aab497bd3b7c155dd8cbd65c8f3b584186547706d9bfa28c8de2cb711

SHA512
0880b6f995a5e9b01f67b20a355f8aaf6ad9897c76d413fbfc2b05c6e0ff5613ff74c88b81da3e253054bdb080a6e9443955939d8a08b0c4ef37c6d6084b11b8

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
64KB

MD5
41d132987a9362c3b527e3a1c65bc8c2

SHA1
7812af34fee43dbec6ef2bde2fe8d1871496e91a

SHA256
6fc0a1d861d738ab4add7e86b43d7b7fbd0d958002f02687d40892da7e11f73e

SHA512
f3d4c0689a7f61c057a98f44e4a89f69ddb4f8624fb7c52ea8140ad3f536bbfa02a99cadf43a4ea2f5d5927599b552ca2609b8d533a262cd82b687990a3b334a

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
64KB

MD5
d29f5432b4852d45a92bc11d6fe89b28

SHA1
3576e289acdff6f654cb597eadb886e6ae5aa38a

SHA256
72425f175ded66f4cd78a278347fe9171dab417255e2177716f700b344826c03

SHA512
58759f3fd06311cc083501b2680e889901337a22e3aaf72df6c2ce3dbe47f31543853602d713ddceb4455de3f916d809ff6454c6548dce93805107c7bd7cfce0

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
64KB

MD5
84df82c0bb4d7226d7c72f34edcfa7b9

SHA1
8f9c80fe26ffde34b0934f26133764b7e4af6205

SHA256
f4ecba9b16e17ae2a4f5cafbe9fda81150dc88ca218ef8dc1196c9ab97153986

SHA512
83d63f8815a0e67993851471d921ac46b9cfbd1293159be97e4254a2fc993295e09d85943369b7586019eaa9fb1487e64ade1136240e30d6ae31da7ada3fe398

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
64KB

MD5
f615c97fdf6c8be89dfd0e795f094ff4

SHA1
d929ad269d11352e56af4484e414d5aef4f00920

SHA256
53cfb3184a883d0e6c4a19f7259934ba97859d1e7c8bbef21d10c7acd44635e9

SHA512
b024ee8cdf5cfbd4b81e579d40a10832a3eafd47457af1c034454ca1a723f2111284d5e1d9e99c4dddde0023d4669916f4708e00fd046abce2df96957dbdb940

Download Submit
C:\Windows\SysWOW64\Obfhba32.exe

Filesize
64KB

MD5
b185d50456a3177d54bd23a2413d31af

SHA1
a00c82d2ee77c086985efd5f3be9d3fcc24198fa

SHA256
27ec916bb657cc2b9878c5c98a8bf85ed4c59f5153c3101843e4943a33e2e5d4

SHA512
dbf612207854e5ca7a102901bc3343864d6d1227af05e0103f7e87072384b3f851b250e6bb4a0b9c797d8ca3b470d62a4975855c1072ce7ccdc7aac4031a7a3f

Download Submit
C:\Windows\SysWOW64\Odgqdlnj.exe

Filesize
64KB

MD5
c10cf381b9102593b342ddd4e9364fab

SHA1
cf61f1c5a774c9c6208b67a5dd81326197300a8e

SHA256
f8107e420ab5b62123116cfdd2a76cf68ed6c1cdbde0ea38b18a15a0a0e15989

SHA512
9f531f38caad270916f3d184b75cba1b5ad27cafc527a7d88ef05acbb78d983e871e61439210fd46dec931ea22e2b099b76cecf105b570c923deed2cd1e96655

Download Submit
C:\Windows\SysWOW64\Ogaceh32.exe

Filesize
64KB

MD5
3dee893cbfe4bbdc513806316d5808b5

SHA1
35afc966245bfbcdf1c7926f77b5e03915e34ae0

SHA256
c0c9d5bc3384847ed789c01fb7b0c5fef52f19b1c3e58c4f3a6ab43885d64103

SHA512
e78245a4b32ce403ab242b1b62a33de112bbeb49cbf36dffc7db81e9fe22007ee26495995ad3e5bfd2eb65bb04fb9586d89418bcf9660364ffd0c3199ad545c0

Download Submit
C:\Windows\SysWOW64\Ogcpjhoq.exe

Filesize
64KB

MD5
c94239f963b018c209319aa66389537f

SHA1
551b55d39f4bb6fcfca3d72ad2c8bcd79d3b1540

SHA256
273620e132e0d29eb52b2f4e2f7c14245e66e7ef04fb76b5d454bf9250a5eb9f

SHA512
7644bd551fcf487e251ce82783ccb15f6a566b156503eadb8161b7bd8a64627eeb71a60025a96141e25381411fea1d60f0ac03aa56da420eb0d84a0f1c7d1e27

Download Submit
C:\Windows\SysWOW64\Ojalgcnd.exe

Filesize
64KB

MD5
4b4224d3dcfd6aba4e8eb7f246253d53

SHA1
9b76c27afeaab1728b0134e64995d619e4a8e16f

SHA256
5afe5e1832db7c711a13e6667562ec725d84339ecd8d8b70a24804f029ef760a

SHA512
926fa777335bfcc09714924e7d2d1c6f055695ebd3b9856aa49a9a45ac5512c2ea747668f45895908826689eb010d3642fbb08d29180fde467de27595c64ee96

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
64KB

MD5
be69d6b78e0f00da5974fddb4a6415d1

SHA1
c56be936cc407a90d67a93017f2d0d721cfe519b

SHA256
0b8997b7d680a5913bc098f14b0f4cf941f50fe3eaf36c73fb340d1a9fae6753

SHA512
15c859e86bceea7f6c1fbc4cf88c3fbd0115962d250b44a6dd1aa529490a4a2de840c886e07efd7bdcb4b4e4c44736b7f65a42cbe5482ac7de5f4908ca5a2449

Download Submit
C:\Windows\SysWOW64\Paegjl32.exe

Filesize
64KB

MD5
914bf06353539813551085cefeb9290a

SHA1
44d12661415c06fad82388b10998fa35b1ba25b7

SHA256
a32909f1eb68108c99f17f19f390f7c97f3d8727ed28b6e7dd9298219c416ab5

SHA512
63da419bf31059ecf4b397c44c0b35236b3ad6b0669b08ba58e1d5557bdcb72b11aa3fa4fdaaffc63bbc8b9572dbec8fd439a02e19b3ad9c03f33bbe8223a418

Download Submit
C:\Windows\SysWOW64\Pagdol32.exe

Filesize
64KB

MD5
b86227a94a6b42396530720aef5c33b3

SHA1
4ffd466668034f42bc03b195c3b6181b05db88fe

SHA256
49694d875c8eae79c0224bcfb88aa2060d958406371b8c01b9d4bcd43d17a6d3

SHA512
2e5fa1f44ac69ac1f668c9a8c4d7237a6c00f70ba8ec0c1503fa99475db44960e885c723a6ac078297d9a16a2c5622012dd7d2e378904858b478b393a666884b

Download Submit
C:\Windows\SysWOW64\Pbmncp32.exe

Filesize
64KB

MD5
9b103591317984725ff3e0082408e69d

SHA1
a9bcc576ac0e7aebd059e90168daaa475a20e473

SHA256
484dbe037a28f7c6dd80d35691bc0e703abfcd0448863332ab1369dea516e608

SHA512
10fa71720a097e5c30afec8793aa4f50c376c1e814449f045c30f9434b5482cacae34dc96f0c5d9e6f88803e340707220ec7c17469cf42b862281c0050becb01

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
64KB

MD5
3a639c68238aa443b5369f8bbb26fe28

SHA1
fb1edc2e3c76ced49f75b27878326349d6bf7fd9

SHA256
fdd9b911bc22a308647da0aa0a2e482fa743562e705ee2fcd21b23c5ba9de6f5

SHA512
b8d50dba7e6ae0bb7b0edfa4515f696690f8c2e9434a85ebab1353fe5fbfa1b6c380f0e4a2e50d82ca407b0fededb31d51d22b230a17ed7c9ef3f7fc3e9f0490

Download Submit
C:\Windows\SysWOW64\Peimil32.exe

Filesize
64KB

MD5
aa1e934fd8a1e1f35faf4a5c05c440fa

SHA1
d02bcdc2faa53ccfdc7d084a80ea659efc10cbb0

SHA256
4288892bf23c72e78e7b5ffc094292f2030e8fa74bc72149520e242ded587ec9

SHA512
7e53e6c2702d58dae5097b011d43e67b9d206f1131958886bfb9bba8832d491e1bb7e13046003269309c2fff57b388300231b48e465f2bc369ebf6ca5760a66e

Download Submit
C:\Windows\SysWOW64\Pengdk32.exe

Filesize
64KB

MD5
9f78d295745a928f9f2666c677ade1c1

SHA1
0d7fdb06d8befe2e9e947c15211eb09468d848f7

SHA256
e34ff89d69bd687066a6307dc8f57247e1fab2b5b6b1d1f2abc7227c9785d674

SHA512
34fdaa519dda8c1d96c1cb60d0467f293650d166bfc567504914e15c5f3b67774bc9904b8d2453db7a1d8e582b8b512446a9a47d9becb5a1f6ced7de50f0b863

Download Submit
C:\Windows\SysWOW64\Pjdilcla.exe

Filesize
64KB

MD5
be0bd8b152702a2a19113554ee5e6360

SHA1
12e6e8f5533f254124e5bf611154efd73f360266

SHA256
36f3bb6fd11a4172c6d1c2a79273750247275c10e4fefa763aad36439a6a5520

SHA512
3f7b0704e868b42340becbe9206520eb81d2f7dea43b1a4f7f25d40e87424497d41b1703b15e144b1606b5afb28346a5a237972adb1c501fbe110e658f3db1fa

Download Submit
C:\Windows\SysWOW64\Pkceffcd.exe

Filesize
64KB

MD5
8e9d9c49b944207de125b3f2603aa6a6

SHA1
1a527c8f9947066883e6cc61f4a2ba3cef01be1b

SHA256
3fb4398dcb68d53eac8f8f10eea429a1a52eadadeff204861bfd8dedbb19ef00

SHA512
797539139b07bbd933650e883792e84876cf2e488d96ef05f350f5c864f5bc29e9aeb7c25734d2114e31a416180f169847de8a10bcdaf504c1bcf1ebfe5bcb2c

Download Submit
C:\Windows\SysWOW64\Pkfblfab.exe

Filesize
64KB

MD5
2a0ef264f383b7891fcce8479b23765c

SHA1
29c2c23a35ce916c4128a6c3ff9e61ac3aa43e3e

SHA256
103ac4eb7de1fdba717293cfe24f29e04b6f8f94250985178e44dff91a55a80b

SHA512
dd0ef373af6aed29ab040651a17775403e55cb4224ea113f63eb1bbd55a23aac5f28f10650d58e0296872c9ab603109bd7dc9d155c9ad8f76f19796865200d9d

Download Submit
C:\Windows\SysWOW64\Pkhoae32.exe

Filesize
64KB

MD5
93c4984b9ba800ace64f77009f9ee174

SHA1
c730c285127058edda8f75aebfb39a83a1632a69

SHA256
a8975d1fbe8704826acf0f011227517c556ae737a6ac74057828fced5aa6cccf

SHA512
aaf8049d1b8c2a746d06ec65d03a20b8df6c778649ac759d58801a30387a19a19d4cbd3278bf4c50b6d01dd21d596a500153297829e9a388275a35dc19eb6bcb

Download Submit
C:\Windows\SysWOW64\Pkjlge32.exe

Filesize
64KB

MD5
0ad76e0611817a79d75aec37db1471ad

SHA1
949c8efca7f7308fb5151ae02694211de98bfb4c

SHA256
d037e457a040840dca1ba0b47222460b32b6a27f0be0291685a20160e2762fc7

SHA512
dedf10acf067a04d72816ea4efa9560a12268883003e49ea51478a0c4f559859b0431914833282fe8b3b347382bde292bc8bed97ffb3ed497d7d139779fda3fb

Download Submit
C:\Windows\SysWOW64\Pndohaqe.exe

Filesize
64KB

MD5
a74bdbdfcc1c7b518c855f7959c7a330

SHA1
fc7c2b2d0bc1bd440e6849e7bd0777f7d70b1e80

SHA256
02eb275c32cebd1b0348cc19cb5eb6e4ab690657b50e0233a515ba3c1f106850

SHA512
702af86c9374d152c7417aa7cca8875a8e4188724fb05e6c168ba9e4a4cb350c1ec4a956c411989577859b3a68abc42ac48375a54c23ffbfd8f8ce1958607786

Download Submit
C:\Windows\SysWOW64\Qeemej32.exe

Filesize
64KB

MD5
eaf75fe2176853d11fd3290c66b6537b

SHA1
2aaacec8568d4029725f760cd64db6499f96cc06

SHA256
02609d2143a5f9a1235e0563118e0d7bf1890035bf684ea6089fb9d587c26025

SHA512
f4451a4344c524e81527782907c7ce7aed9eeb15ce9ff09ec7547aeec236266c3d61fb02fe0fc3ba1f11b18abd98b953ef18198be4cc0895a8c24d595d5eacd1

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
64KB

MD5
a8efe0d71c4ecb5ee1a0f5d438389cd6

SHA1
2d79bc4e2d4958585650a00abe97ee774520a567

SHA256
b78f4da18b4eba0961b0ac26ea454e724940923ce52bb84077ab31835d1b3cde

SHA512
619e790f500c7d3af0dae0b12de689630a08b3296dfd698c3fc1c859b7fde1075899e7f8d3f1fae837184af5e03522e450a093bde08469718a7f70f8446ea51f

Download Submit
C:\Windows\SysWOW64\Qgallfcq.exe

Filesize
64KB

MD5
0609463e29f3851939ce9acc897bb3b9

SHA1
b6b7b202d34c7ce5b5fec24c3f02680ae695be6f

SHA256
0a49df646cef27d349e71065a48868d38319284541ce728183499de5061e4a72

SHA512
7957b7e20c25f90fb702cd43f99cb1b32e19441b40f109ca5080f044bab7bb38e1d10e7adee531babab9cd61e4cdb1f728ac4a1afbeee5558dce01ca3cbff2c7

Download Submit
C:\Windows\SysWOW64\Qgciaf32.exe

Filesize
64KB

MD5
c4f47ce77528a72bdea240e3147f3b6a

SHA1
458eeed950aa51cab47dd4ffeb33b339b59a1b79

SHA256
61b9615be5d51e2754ffb59a9a691ab7b5aeaaf10190db0331f11c9922dab622

SHA512
3ae8e872682885fb1c631c8f93e579a46d9a5004c8946f090ea1143b1be2ada23cb30fcabba464e6a9311f5bbd79fad6693553075bbb162d190393448d50d1a2

Download Submit
C:\Windows\SysWOW64\Qjpiha32.exe

Filesize
64KB

MD5
42cd2700240b8e07c04d7d56fb758f83

SHA1
242022f90f09cee576380d3d96757a0a325e9564

SHA256
22c40acc58c31cc0a220db3c90ea3a76bec5c097574a9fa578192aec80964eac

SHA512
bbbb974c622a3c962d1e11f88473e399c4f2d1b37487a79c191ab3b4d70844a7e95ae4eed940c96643e6b9b837e3714727e11d9b0805cb8f50aa42279e3e568f

Download Submit
C:\Windows\SysWOW64\Qnnanphk.exe

Filesize
64KB

MD5
1d1cc261cd31ff31d8bf295f1d1fc0a4

SHA1
f1b627e8f0fff55f9e2c16699d48a5f78065e90e

SHA256
c78b5269c4ccd4aa76615aa2dd70a0320f13b16d22a0d38ff088d70a8db302bf

SHA512
3361f98aedfea4cc0685ad2b2e893f2e31b894db0dc2de1d9bf79ca92149b3df8404707bcc35e7fcef4a1cd78edaf8c529ec8bbc120b3e87adc28649c66b9fcc

Download Submit
memory/216-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3808-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4248-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads