5ab4850d68fb53fdc99e8ab2b2126c6ca676dd9ae23274abf77ad2591ac82eb1

Analysis

max time kernel
142s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ab4850d68fb53fdc99e8ab2b2126c6ca676dd9ae23274abf77ad2591ac82eb1.exe
Size

96KB
MD5

9565eacda4961707ac4e27d37e1aea78
SHA1

96655c1952ceef10903d579f8b57fdd25eeff732
SHA256

5ab4850d68fb53fdc99e8ab2b2126c6ca676dd9ae23274abf77ad2591ac82eb1
SHA512

327bda8a53f4ba20707c2cf476ffc646f18604ad048e4c34e5e86de6ec6c6b350b7c56af3902d6445d4ec75812d707c864ee268736d057d59a7e6a428b77fb65
SSDEEP

1536:chkeEzCgXu1FtCIIS/xoXQwM8i7dO8WatpqHPno1HnaoR8h2ty74S7V+5pUMv84o:chkeEvu1nNIiwDmh76hia4Sp+7H7wWkb

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekaapi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geohklaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifmqfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmhgmmbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iefgbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiloco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkhnjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhndpol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5ab4850d68fb53fdc99e8ab2b2126c6ca676dd9ae23274abf77ad2591ac82eb1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiodpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hehkajig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiffqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfoann32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnfmqng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hedafk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmfdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmfdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opclldhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnepna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iomoenej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcmdaljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jllokajf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjgaoqm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpdcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hefnkkkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnlkedai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kegpifod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefgbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcpjnjii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmfkhmdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghghb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dheibpje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efpomccg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glkmmefl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmdfonj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lokdnjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akpoaj32.exe

Executes dropped EXE 64 IoCs

pid	Process
536	Dokgdkeh.exe
4136	Dbicpfdk.exe
2860	Dmohno32.exe
2804	Dkahilkl.exe
3492	Dheibpje.exe
5028	Dnbakghm.exe
3024	Digehphc.exe
4552	Dmcain32.exe
516	Ddnfmqng.exe
3908	Dkhnjk32.exe
3232	Dngjff32.exe
4520	Eiloco32.exe
1084	Ekkkoj32.exe
2580	Efpomccg.exe
448	Emjgim32.exe
4528	Eoideh32.exe
2428	Efblbbqd.exe
696	Emmdom32.exe
544	Ennqfenp.exe
756	Eehicoel.exe
4540	Ekaapi32.exe
4696	Enpmld32.exe
2324	Eejeiocj.exe
4440	Eppjfgcp.exe
2028	Efjbcakl.exe
4052	Fmcjpl32.exe
1040	Fneggdhg.exe
1740	Fijkdmhn.exe
2132	Fpdcag32.exe
3644	Fealin32.exe
2304	Fpgpgfmh.exe
404	Fbelcblk.exe
2984	Fiodpl32.exe
1776	Flmqlg32.exe
216	Fbgihaji.exe
1144	Fmmmfj32.exe
3912	Fpkibf32.exe
1668	Gfeaopqo.exe
2976	Gmojkj32.exe
1916	Gpnfge32.exe
2716	Gfhndpol.exe
1076	Gifkpknp.exe
1108	Gncchb32.exe
2692	Gemkelcd.exe
2644	Gmdcfidg.exe
5024	Gnepna32.exe
1512	Geohklaa.exe
1996	Gmfplibd.exe
5056	Glkmmefl.exe
1272	Gbeejp32.exe
2204	Hedafk32.exe
1980	Hmkigh32.exe
5068	Holfoqcm.exe
956	Hefnkkkj.exe
3272	Hmmfmhll.exe
3992	Hplbickp.exe
4832	Hehkajig.exe
2020	Hmpcbhji.exe
5108	Hoaojp32.exe
3428	Hfhgkmpj.exe
4548	Hmbphg32.exe
3892	Hoclopne.exe
2000	Hiipmhmk.exe
3560	Hlglidlo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chnpamkc.dll	Akblfj32.exe
File created	C:\Windows\SysWOW64\Edommp32.dll	Efblbbqd.exe
File created	C:\Windows\SysWOW64\Adfokn32.dll	Geohklaa.exe
File opened for modification	C:\Windows\SysWOW64\Jpaekqhh.exe	Jcmdaljn.exe
File created	C:\Windows\SysWOW64\Binlfp32.dll	Nqbpojnp.exe
File created	C:\Windows\SysWOW64\Cnffoibg.dll	Ojhpimhp.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bgpcliao.exe
File opened for modification	C:\Windows\SysWOW64\Cgifbhid.exe	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Moipoh32.exe	Mqfpckhm.exe
File opened for modification	C:\Windows\SysWOW64\Ojomcopk.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Pmblagmf.exe	Pjdpelnc.exe
File created	C:\Windows\SysWOW64\Gbhhlfgd.dll	Bahdob32.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Fbpcnkaj.dll	Gifkpknp.exe
File opened for modification	C:\Windows\SysWOW64\Iefgbh32.exe	Iomoenej.exe
File created	C:\Windows\SysWOW64\Pgpecj32.dll	Kflide32.exe
File created	C:\Windows\SysWOW64\Lokdnjkg.exe	Lnjgfb32.exe
File created	C:\Windows\SysWOW64\Ljqhkckn.exe	Lokdnjkg.exe
File created	C:\Windows\SysWOW64\Jencdebl.dll	Ljhnlb32.exe
File opened for modification	C:\Windows\SysWOW64\Pjdpelnc.exe	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Fneggdhg.exe	Fmcjpl32.exe
File created	C:\Windows\SysWOW64\Klfaapbl.exe	Kncaec32.exe
File created	C:\Windows\SysWOW64\Mgphpe32.exe	Moipoh32.exe
File created	C:\Windows\SysWOW64\Eignjamf.dll	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Digehphc.exe	Dnbakghm.exe
File created	C:\Windows\SysWOW64\Jdgccn32.dll	Ennqfenp.exe
File opened for modification	C:\Windows\SysWOW64\Boihcf32.exe	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Kbjodaqj.dll	Fmmmfj32.exe
File created	C:\Windows\SysWOW64\Mkfoeejd.dll	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Geqnma32.dll	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Fofdocoe.dll	Dkhnjk32.exe
File created	C:\Windows\SysWOW64\Fneggdhg.exe	Fmcjpl32.exe
File created	C:\Windows\SysWOW64\Gpnfge32.exe	Gmojkj32.exe
File opened for modification	C:\Windows\SysWOW64\Jpenfp32.exe	Jngbjd32.exe
File created	C:\Windows\SysWOW64\Mgeakekd.exe	Monjjgkb.exe
File created	C:\Windows\SysWOW64\Jchdqkfl.dll	Nmkmjjaa.exe
File created	C:\Windows\SysWOW64\Hhjamhbn.dll	Ddnfmqng.exe
File created	C:\Windows\SysWOW64\Kcidmkpq.exe	Kpjgaoqm.exe
File opened for modification	C:\Windows\SysWOW64\Kcmmhj32.exe	Kpoalo32.exe
File created	C:\Windows\SysWOW64\Ndikch32.dll	Baegibae.exe
File created	C:\Windows\SysWOW64\Dapgni32.dll	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Abdkep32.dll	Emmdom32.exe
File created	C:\Windows\SysWOW64\Akpoaj32.exe	Ahaceo32.exe
File opened for modification	C:\Windows\SysWOW64\Qodeajbg.exe	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Fopjdidn.dll	Monjjgkb.exe
File created	C:\Windows\SysWOW64\Poigcbng.dll	Dkahilkl.exe
File created	C:\Windows\SysWOW64\Appfnncn.dll	Kpmdfonj.exe
File opened for modification	C:\Windows\SysWOW64\Phfcipoo.exe	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Ilmifh32.dll	Efpomccg.exe
File created	C:\Windows\SysWOW64\Mcbpjg32.exe	Mmhgmmbf.exe
File opened for modification	C:\Windows\SysWOW64\Qfmmplad.exe	Qpcecb32.exe
File opened for modification	C:\Windows\SysWOW64\Kfnfjehl.exe	Kcpjnjii.exe
File created	C:\Windows\SysWOW64\Ocgbld32.exe	Oaifpi32.exe
File opened for modification	C:\Windows\SysWOW64\Opclldhj.exe	Omdppiif.exe
File created	C:\Windows\SysWOW64\Ebcmfjll.dll	Mmfkhmdi.exe
File opened for modification	C:\Windows\SysWOW64\Mgbefe32.exe	Mokmdh32.exe
File opened for modification	C:\Windows\SysWOW64\Ngjkfd32.exe	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Lcimdh32.exe	Lqkqhm32.exe
File created	C:\Windows\SysWOW64\Mgbefe32.exe	Mokmdh32.exe
File created	C:\Windows\SysWOW64\Godcje32.dll	Qpcecb32.exe
File opened for modification	C:\Windows\SysWOW64\Nggnadib.exe	Nopfpgip.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9200	8912	WerFault.exe	368

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmcjpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihcbd32.dll"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqmiic32.dll"	Ifmqfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenpmnno.dll"	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmpga32.dll"	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofpnmakg.dll"	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkoafbld.dll"	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigbqakg.dll"	Eejeiocj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjgfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibingd32.dll"	Fbelcblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmkigh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijqqd32.dll"	Hplbickp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcneqod.dll"	Efjbcakl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcckk32.dll"	Jpaekqhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngqkhda.dll"	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpabibmg.dll"	Hmpcbhji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idefqiag.dll"	Lokdnjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jngbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmacdg32.dll"	Knnhjcog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fboqkn32.dll"	Lgibpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpapmqq.dll"	Digehphc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difebl32.dll"	Moipoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nadleilm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clahmb32.dll"	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fpkibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqqpck32.dll"	Fpkibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleqaiga.dll"	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemikcpm.dll"	Kfpcoefj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogekbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lokdnjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnangaoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epopbo32.dll"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hedafk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigcfhbi.dll"	Hlglidlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edommp32.dll"	Efblbbqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcpchlo.dll"	Iidphgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jinboekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 536	2640	5ab4850d68fb53fdc99e8ab2b2126c6ca676dd9ae23274abf77ad2591ac82eb1.exe	90
PID 2640 wrote to memory of 536	2640	5ab4850d68fb53fdc99e8ab2b2126c6ca676dd9ae23274abf77ad2591ac82eb1.exe	90
PID 2640 wrote to memory of 536	2640	5ab4850d68fb53fdc99e8ab2b2126c6ca676dd9ae23274abf77ad2591ac82eb1.exe	90
PID 536 wrote to memory of 4136	536	Dokgdkeh.exe	91
PID 536 wrote to memory of 4136	536	Dokgdkeh.exe	91
PID 536 wrote to memory of 4136	536	Dokgdkeh.exe	91
PID 4136 wrote to memory of 2860	4136	Dbicpfdk.exe	92
PID 4136 wrote to memory of 2860	4136	Dbicpfdk.exe	92
PID 4136 wrote to memory of 2860	4136	Dbicpfdk.exe	92
PID 2860 wrote to memory of 2804	2860	Dmohno32.exe	93
PID 2860 wrote to memory of 2804	2860	Dmohno32.exe	93
PID 2860 wrote to memory of 2804	2860	Dmohno32.exe	93
PID 2804 wrote to memory of 3492	2804	Dkahilkl.exe	94
PID 2804 wrote to memory of 3492	2804	Dkahilkl.exe	94
PID 2804 wrote to memory of 3492	2804	Dkahilkl.exe	94
PID 3492 wrote to memory of 5028	3492	Dheibpje.exe	95
PID 3492 wrote to memory of 5028	3492	Dheibpje.exe	95
PID 3492 wrote to memory of 5028	3492	Dheibpje.exe	95
PID 5028 wrote to memory of 3024	5028	Dnbakghm.exe	96
PID 5028 wrote to memory of 3024	5028	Dnbakghm.exe	96
PID 5028 wrote to memory of 3024	5028	Dnbakghm.exe	96
PID 3024 wrote to memory of 4552	3024	Digehphc.exe	97
PID 3024 wrote to memory of 4552	3024	Digehphc.exe	97
PID 3024 wrote to memory of 4552	3024	Digehphc.exe	97
PID 4552 wrote to memory of 516	4552	Dmcain32.exe	98
PID 4552 wrote to memory of 516	4552	Dmcain32.exe	98
PID 4552 wrote to memory of 516	4552	Dmcain32.exe	98
PID 516 wrote to memory of 3908	516	Ddnfmqng.exe	99
PID 516 wrote to memory of 3908	516	Ddnfmqng.exe	99
PID 516 wrote to memory of 3908	516	Ddnfmqng.exe	99
PID 3908 wrote to memory of 3232	3908	Dkhnjk32.exe	100
PID 3908 wrote to memory of 3232	3908	Dkhnjk32.exe	100
PID 3908 wrote to memory of 3232	3908	Dkhnjk32.exe	100
PID 3232 wrote to memory of 4520	3232	Dngjff32.exe	101
PID 3232 wrote to memory of 4520	3232	Dngjff32.exe	101
PID 3232 wrote to memory of 4520	3232	Dngjff32.exe	101
PID 4520 wrote to memory of 1084	4520	Eiloco32.exe	102
PID 4520 wrote to memory of 1084	4520	Eiloco32.exe	102
PID 4520 wrote to memory of 1084	4520	Eiloco32.exe	102
PID 1084 wrote to memory of 2580	1084	Ekkkoj32.exe	104
PID 1084 wrote to memory of 2580	1084	Ekkkoj32.exe	104
PID 1084 wrote to memory of 2580	1084	Ekkkoj32.exe	104
PID 2580 wrote to memory of 448	2580	Efpomccg.exe	105
PID 2580 wrote to memory of 448	2580	Efpomccg.exe	105
PID 2580 wrote to memory of 448	2580	Efpomccg.exe	105
PID 448 wrote to memory of 4528	448	Emjgim32.exe	106
PID 448 wrote to memory of 4528	448	Emjgim32.exe	106
PID 448 wrote to memory of 4528	448	Emjgim32.exe	106
PID 4528 wrote to memory of 2428	4528	Eoideh32.exe	107
PID 4528 wrote to memory of 2428	4528	Eoideh32.exe	107
PID 4528 wrote to memory of 2428	4528	Eoideh32.exe	107
PID 2428 wrote to memory of 696	2428	Efblbbqd.exe	108
PID 2428 wrote to memory of 696	2428	Efblbbqd.exe	108
PID 2428 wrote to memory of 696	2428	Efblbbqd.exe	108
PID 696 wrote to memory of 544	696	Emmdom32.exe	109
PID 696 wrote to memory of 544	696	Emmdom32.exe	109
PID 696 wrote to memory of 544	696	Emmdom32.exe	109
PID 544 wrote to memory of 756	544	Ennqfenp.exe	110
PID 544 wrote to memory of 756	544	Ennqfenp.exe	110
PID 544 wrote to memory of 756	544	Ennqfenp.exe	110
PID 756 wrote to memory of 4540	756	Eehicoel.exe	111
PID 756 wrote to memory of 4540	756	Eehicoel.exe	111
PID 756 wrote to memory of 4540	756	Eehicoel.exe	111
PID 4540 wrote to memory of 4696	4540	Ekaapi32.exe	112

C:\Users\Admin\AppData\Local\Temp\5ab4850d68fb53fdc99e8ab2b2126c6ca676dd9ae23274abf77ad2591ac82eb1.exe
"C:\Users\Admin\AppData\Local\Temp\5ab4850d68fb53fdc99e8ab2b2126c6ca676dd9ae23274abf77ad2591ac82eb1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\Dokgdkeh.exe
  C:\Windows\system32\Dokgdkeh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\Dbicpfdk.exe
    C:\Windows\system32\Dbicpfdk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\Dmohno32.exe
      C:\Windows\system32\Dmohno32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        25⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        28⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        29⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        31⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        32⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        35⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        36⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        39⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        41⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        44⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        45⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        46⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        49⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        51⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:956
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        56⤵
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Hehkajig.exe
        
        C:\Windows\system32\Hehkajig.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        60⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        61⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        62⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        63⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        64⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        67⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        68⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        69⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        70⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        71⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        72⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        73⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        77⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        78⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        79⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        81⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        82⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        83⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        84⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        85⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        87⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        88⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        91⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        96⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        98⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        99⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        100⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        102⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        104⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        105⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        106⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        108⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        109⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        110⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        111⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        112⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        113⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        117⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        118⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        119⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        120⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        121⤵
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        122⤵
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        123⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        124⤵
        Drops file in System32 directory
        
        PID:6516
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        126⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        128⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        129⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6768
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        132⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        133⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        134⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        135⤵
        Drops file in System32 directory
        
        PID:6984
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        137⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        138⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        139⤵
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        140⤵
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        141⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        143⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        144⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        145⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        146⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        147⤵
        Drops file in System32 directory
        
        PID:6692
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        148⤵
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        149⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        150⤵
        Drops file in System32 directory
        
        PID:6892
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        151⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        152⤵
        Modifies registry class
        
        PID:7052
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        153⤵
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        155⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        156⤵
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        158⤵
        Drops file in System32 directory
        
        PID:6596
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        159⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        160⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        161⤵
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        162⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        164⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        165⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        166⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        167⤵
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        168⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        169⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        170⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        172⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6752
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        175⤵
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7176
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        177⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        178⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7308
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        180⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        181⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        182⤵
        Modifies registry class
        
        PID:7432
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        183⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        184⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        185⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        186⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        187⤵
        Modifies registry class
        
        PID:7644
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        188⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        189⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7780
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        191⤵
        Modifies registry class
        
        PID:7820
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        192⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7912
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        194⤵
        Drops file in System32 directory
        
        PID:7956
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        195⤵
        Drops file in System32 directory
        
        PID:7996
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        196⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        197⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        198⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8176
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        200⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7244
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        202⤵
        Drops file in System32 directory
        
        PID:7360
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        203⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        204⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        205⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        206⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7688
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        208⤵
        Modifies registry class
        
        PID:7776
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7832
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        210⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        211⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        212⤵
        Drops file in System32 directory
        
        PID:8036
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        213⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        214⤵
        Drops file in System32 directory
        
        PID:8164
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7220
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        216⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        217⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        218⤵
        Drops file in System32 directory
        
        PID:7572
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        219⤵
        Drops file in System32 directory
        
        PID:7652
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        220⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7860
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        222⤵
        Modifies registry class
        
        PID:7948
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        223⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        224⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        225⤵
        Modifies registry class
        
        PID:7340
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7512
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        227⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        228⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8072
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        230⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        231⤵
        Modifies registry class
        
        PID:7484
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        232⤵
        Modifies registry class
        
        PID:7808
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        233⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        234⤵
        Modifies registry class
        
        PID:7444
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        235⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        236⤵
        Drops file in System32 directory
        
        PID:7460
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        237⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8156
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        239⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        240⤵
        Drops file in System32 directory
        
        PID:8272
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        241⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        242⤵
        Drops file in System32 directory
        
        PID:8356
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        243⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        244⤵
        Modifies registry class
        
        PID:8440
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        245⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        246⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8564
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        248⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        249⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        250⤵
        Drops file in System32 directory
        
        PID:8700
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        251⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        252⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        253⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        254⤵
        Drops file in System32 directory
        
        PID:8872
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        255⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        256⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        257⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        258⤵
        Drops file in System32 directory
        
        PID:9084
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        259⤵
        Modifies registry class
        
        PID:9144
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        260⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        261⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8304
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        263⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        264⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        265⤵
        Modifies registry class
        
        PID:8552
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8632
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        267⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        268⤵
        Modifies registry class
        
        PID:8788
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8832
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        270⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8912 -s 424
        271⤵
        Program crash
        
        PID:9200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
1⤵
PID:9004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 8912 -ip 8912
1⤵
PID:9100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
96KB

MD5
bb71d607b2885adbb18ee1d150f06a02

SHA1
87f78e3016d53d3523823ca31566c53c87403dc5

SHA256
dab56866c160e9dcf474e2b109fdfde25e0b50be96d00a467e686ff138a1dd0c

SHA512
382a9ff1c055aaac4723f39427621a077d6ef7fc924d918f3416f3f4a807e2f8638966d7d3997027908e5d0665f230a84383dd20fe42ee8b4596e5b64e0005ba

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
96KB

MD5
3d7439143406899fc40583bfe45ef20d

SHA1
08d8df377d6398bd31e92a1aaeee6544e1f813cb

SHA256
57cec801ccf56ea76d50b5d41124215415f912c2a6267a3a4753e31746a45cee

SHA512
eeff779bda900b67019ff46fae6b803cfe71218fcc0c828c6ac969b64713d5b774d31e925f8a043dc98ebd3e915a0d101c3c383f701e29ccc26e2aa9772d51df

Download Submit
C:\Windows\SysWOW64\Dbicpfdk.exe

Filesize
96KB

MD5
803fe4bf277cc036948c51867e0461e8

SHA1
dc921821576d88b3d794e74d11112120080ac755

SHA256
edfd6088a817ae60fadfba36457f56997243957a241e5b481eeab5389be25707

SHA512
0d9195a4cebc167945771c10567b6c57adcbcba4ca0d61e2a675ed94c6994147334a7c4b99574a82d2c89c35f7b8c18cc3063c8577099c5e686a6764378a23ac

Download Submit
C:\Windows\SysWOW64\Ddnfmqng.exe

Filesize
96KB

MD5
627936b4a8b694b9bcd0b3a2eaf9cfed

SHA1
12a28d48d8549d542e1b1689e9d7e91c4eaf2869

SHA256
154721cd90394ec14bb2c070248de13dce6f7e29eb024a089c68f6ed167a1da9

SHA512
0c4c7e8370691e39f37ad7b3fc231e37fb90a4b6bf1188197d6825d00bedc9f1dd780367c72dadc58bd32dc874122787f051293fc601a62df814f93351ad1b1a

Download Submit
C:\Windows\SysWOW64\Dheibpje.exe

Filesize
96KB

MD5
c57b1045075d96a0dfa43fba3065428c

SHA1
4bdb8bfb814869cdfa3abd6089900d57879f7270

SHA256
c7e31bb1ada76a973abb8744013f60571353a93cffef5cc8797718b20e99d937

SHA512
0451377ac6e8a7577882102560db4f1a02d6a065f08c36a3dc0bf4cdfc218d829b2c07bec4f66c6f3a6a3e7d4f64b2d746ff7ea57b9174dfbcb2296462fe972d

Download Submit
C:\Windows\SysWOW64\Digehphc.exe

Filesize
96KB

MD5
277af3e5b9476297a79a9c6c29acf09c

SHA1
3ed499d9eba6c477697f83c3b7ebf600899797a8

SHA256
8045c310fad0670969843b93b3f6f1f3d77503010b337e94ecc7940c92dc0daa

SHA512
bdc6a8d6d1499831610b94a4965b72228aa2f75265ec10afc2ee310608f7ce37d1b38bbf1739bd5b88444a55b6ce7a781fc267da535fbd97c6f9af7861538355

Download Submit
C:\Windows\SysWOW64\Dkahilkl.exe

Filesize
96KB

MD5
3d6a1ac5f2bc330eda0d50f8acbd3f43

SHA1
da906a5371bc627d74b7dff30396bf211a02fea7

SHA256
5462cd76df618df18374690a00f59c446f2b0e7b012abb374a167c1cf18a55ff

SHA512
fc62b5c9f773a6ce8a5d86a279e9f8644e50132900fe635d923eb8a74cae272b4fdc6136527d478212a5e926e8abee9c50ce2b989f6358fd4def273e17d2c195

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
96KB

MD5
7b17b9097c8f6a0ab9d40e21dcc358d3

SHA1
448d201ce69a33fa10ec1c224feffc13db408005

SHA256
368b802bfac110d6d8b32fc55a50310f10e5fc6b854c507e245b0704ed47cb77

SHA512
c40846ceefb6a438dfe2a298e190c3842ccee7b034dc464a2ab91e182a0c21a4e69cee90c7f693afecf35c52d530347dc025387aff161430655e6c1ce5aff1d2

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
96KB

MD5
d39c30ae47e39d4b4716a10f1ec2c2c1

SHA1
00b9a70c962a06acda4d6c127b687f742b55b7e0

SHA256
7c4b2dab5a8c60ee4646939309f76f5697ee911946d54174e9f1f8015873a636

SHA512
43c8f0f9d87a8ea4fc9e5a7e9cf354d2dd39feb9123786bd4069760e138a3e35fdc70b78b9a0114e9a7d5d75b7d1f957fb0a0cbd5237dc5bcad2c57cd769e1c3

Download Submit
C:\Windows\SysWOW64\Dmcain32.exe

Filesize
96KB

MD5
7f787a5000f92907a59184d988fd5bec

SHA1
94332ed75cb9f40832556aa7de68522a2d2b11b3

SHA256
4ab612326a85b7340a1d2c3dd488992256f3e1f425716d2190c4533c75ff7499

SHA512
635adb099c588dcedbc87364c1570c3fd8abe2d959bcb04cc970e0528dcb252af4b5d4d8d2474caad9e304449845e63ffbeeed63b7e3dd478d7b90c2402d4c9a

Download Submit
C:\Windows\SysWOW64\Dmohno32.exe

Filesize
96KB

MD5
65e32ec73cf3a0351682d0d1bc8ea77e

SHA1
2f2fc27de9a4da94874f01793c8d5cce7776597f

SHA256
6d3391b145afabdb828bbfd772681d8ec27ca85ecf7274743b96cd20dbf2f807

SHA512
a802ab315fbc3c364037486e3c19627ef2f6f9ee4c18e1c452b4c3cb4ccc7b9add12dc4c62626ec92b3de4fd5e3f94c7d1ef3e7c81b3e2e47d8c5889f9063afd

Download Submit
C:\Windows\SysWOW64\Dnbakghm.exe

Filesize
96KB

MD5
5fcc0785f7cdfb337024dee6e1376659

SHA1
82d71400aaea95e672b8da5d0d0faa00dc1b1b9c

SHA256
d0da1e48a501a05647e46b58eedc0b4d15f9ce00d5dcef9dba2f96ad322225f0

SHA512
bc43aff7ee6247e5c6b9b4e5b0445cfb292f6c9fc5d14d042b3b756e878f697774313f5ddceff1c4e462b98a42f5f82430afa188f6e7e99d6e302bd4d6e49498

Download Submit
C:\Windows\SysWOW64\Dngjff32.exe

Filesize
96KB

MD5
701c20cd7f1c7270b85bf069be2eb1be

SHA1
f8c576670132a2e32ae72ffeb12d394a219c91d7

SHA256
d5de98c7cae574355a37d2c7e83be56a2290227f9f4347e135fc5954f3a042c2

SHA512
d59fedee0923b88da32bd85354377334ba871a7d1513257a5e9dc0744d0de9f64da5e44f1d159ef5a631931e5c536d0e8405d1e7162f8d246a9a36bc00fd7a43

Download Submit
C:\Windows\SysWOW64\Dokgdkeh.exe

Filesize
96KB

MD5
eaf9e88c24f31ea2936da7adfc872b03

SHA1
72f6816a9ccb6d4cc79bd8ef92b14a043371711e

SHA256
b6f2bee1342d3d7a6257b043dd4ac690f21766e3b018037d25744eddcffde5fd

SHA512
540264bb3c3d53da6af8cc6a43dd5c2c8f5eb00cca6609dd9883438ccaec9316608e7d25a09a0d09af71ab7bdac08aa1701b2afbdbe041ae4d54c3c36c68ec74

Download Submit
C:\Windows\SysWOW64\Eehicoel.exe

Filesize
96KB

MD5
9a420a75a4b111d5dec558b2247378d6

SHA1
668a88b29b6d3dd015079f54210aa9f6a1bf3894

SHA256
207d50ae6349882699809729b253906e409fd3ae906563261c32246110cf674a

SHA512
b244c5794993cf1c2a05e29fd2721951a6329ae943d270e9315e5753a55853d292c7026ae6257f05b0d47a27ab84dc97dc37e615989ea97297eb7c539d1f63d9

Download Submit
C:\Windows\SysWOW64\Eejeiocj.exe

Filesize
96KB

MD5
02878e4b50ced249f7342d7fee9d2bbc

SHA1
34dee3972186c73bc0b35f5d5ef25ef3b76bb292

SHA256
d4a100e1f12ff11bbf47df1a2c40ebcfe28ba3fe1bbb2b6d0b624c112b57ce64

SHA512
7cb260320a673588678085530975efeb16f2eb95d669d1f0e61b04f59f2f2844ea81b3e7232770248f2dfef1bd1ab8a536b662f231d101fd2bde15bcf41494a9

Download Submit
C:\Windows\SysWOW64\Efblbbqd.exe

Filesize
96KB

MD5
586c298ccb6fa08ff0a6200c4c66496a

SHA1
c8a4a321ea8183b5d82051f52fc057369652b9c1

SHA256
761cf88b6ce8d3c44b28fb65f89f19f07ed0d7afd93d856a7c391bfbbabbbd98

SHA512
eed9708db3976e8ad35f8f49831412fa9597963d6e417de1a0fab483c3efe685b9668c621332fd4b26e9be3b187f0044f193bc92cedb98280cefa02da2a2e8fd

Download Submit
C:\Windows\SysWOW64\Efjbcakl.exe

Filesize
96KB

MD5
c993cba33fd61e4427ca57bc2245477c

SHA1
68c30752a1d14ed46f9f4c2329a4029b53411453

SHA256
dd8c1938ca714108dc52d0a1db0106a86067d46fb12bdb719c909c46f8616a3c

SHA512
3234b6a57c86b28f62b4501ea4ae9f73632ba9144d6610d3ae91ddb24873165cf1bd7c5974379c8d093622776001983267edafdfa28149438cb444013915c761

Download Submit
C:\Windows\SysWOW64\Efpomccg.exe

Filesize
96KB

MD5
553116aa33b7f01fcb791514990bdf57

SHA1
cea697389c0905e1dfcd6ecb914260f732fb2fa7

SHA256
15c090004e1b5d8392b14e3061f3532b7648fcb5a8c5972ede97ef2549e36b0a

SHA512
89de5bc12653c836d6dfa5605c7529775890d9e2504dea6a997aa4e7e5fa76decf18fa87d9c493b88c976f0519f938b5106e864ceda422f24ac1ed0cea6df217

Download Submit
C:\Windows\SysWOW64\Eiloco32.exe

Filesize
96KB

MD5
da1a6530eb77a5b1516d6527aba681c7

SHA1
800d7a8dc5bad5173a3d448928cc1606a882c8d3

SHA256
434b6677611cace14786db64d8a97a1c3c038e035f24dfca20624b906a8aca78

SHA512
f2f91424649c6bc8a36a0fea7ba5c7bf2218809aa68499c5414145fb389e892f705f05f0c61b500ad3750e9718782622240b5e6281d74a6cd179ed279fc8f0d0

Download Submit
C:\Windows\SysWOW64\Ekaapi32.exe

Filesize
96KB

MD5
2b050b9461211bd3857e4b546ac361d1

SHA1
c89eeea19ee4b8e133fd134b5b8f45101b2de3e0

SHA256
33c9e5660e966792df3de608dedf1c4cadd227a602cc081ac1508af9e621e358

SHA512
fe5757b2d8d8065affd285bf34b676f9641b8014be8c12d4b866358df5328de59524b17e7f3057255013d4bfcf5b5534d5dc653d13ceca176ca8fd18f263a6f8

Download Submit
C:\Windows\SysWOW64\Ekkkoj32.exe

Filesize
96KB

MD5
e146c6dc0ef8be5741e42fc76dd36d07

SHA1
b97b955d832e1e64d950a01304790f9af1467abf

SHA256
6770611664d84e26a9b765e840cf14cfa8ffa928d2e983aa9a04a39e958b7d3b

SHA512
14db717d25064144123e1d050ee864011b34296a7c718786241e58f162a0a14c909626ae4a6392f4fc4720c1679a8d0aa95ca4d4c6646b4a473293ed380d2f09

Download Submit
C:\Windows\SysWOW64\Emjgim32.exe

Filesize
96KB

MD5
89617d62e988b9485b89eb7db306cf1a

SHA1
330e89ee7b2caba691041e5e62dd4bfb0a0e4937

SHA256
6293af86c86bb44d6bec33e388d609dd2795d17ab7a42eb2fb4cdd234bbbea51

SHA512
08cfbe993a6e76299bec1510147d252b6150a4b4dce55b7ea6c7db5a05a56d1a7a4079f03b959195acaa11fc5f394e564d230066dbc8631193d5f61ed874f2aa

Download Submit
C:\Windows\SysWOW64\Emmdom32.exe

Filesize
96KB

MD5
4c671ad57c70e26e0c2e2654ef45b9bc

SHA1
fcfeee9477a3467194f4969b7aee5a0f4b21eb8e

SHA256
feb9249c9581fa4e279d1c2cc455fd2d127e778ec4cf0d9c82ba8dc03b70ee5d

SHA512
256267cdd0a6055ab2c13b6f510acfadb392e7af43ad533ae233c3a52829a3c520470324a9d2af1041b35db2ea5f84b6bfffe4df4e5d8c2d785894c429871fa2

Download Submit
C:\Windows\SysWOW64\Ennqfenp.exe

Filesize
96KB

MD5
14531a44048317697e6db68961319336

SHA1
0b507c48053401ea8744633cd6f65aa7e0a17532

SHA256
64b83e52ead953f608fa0a6dd1ec3856237e2d9307c4b8906cb557ef2ae73382

SHA512
711eb2d85a324130b31f2fae26a7896f33723e5da52a7190f7c5e4519ed370bc8cc09944507bb5f88f947f72f4642ce9f76122e4a28e6ca4b7d9eef561781ec0

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
96KB

MD5
af684dce2c169dfb130122d499e8c49f

SHA1
34ebebe154c2d82c8bd5a1e8b2c3f29cb8e36a08

SHA256
962ec5f7bbf01fd0424162dd09fcb8a11da825a46e30db5ff5c667934051b7ea

SHA512
8d3214e71170c3338ac58901752feb995385953497973881278c489a963b86ef4aaede8cb2b31bbf9df5a07746cf5f3a4bca0d156579d88ff2d29ed09b61a777

Download Submit
C:\Windows\SysWOW64\Eoideh32.exe

Filesize
96KB

MD5
ea6a188d8947e66725a05b2b5c66657b

SHA1
dfb2ed924d068e700adbc6f2f3990c65c55ae151

SHA256
243694ad22ff3690f4c0525c1f9111b65dc48e0fd296b03fe45c0336ff3c9205

SHA512
c80efbe75850bb45c365f0ccf910e3b60577ddf8bd58dfdc4bcda6849bfe5349dbcd07a6a0301fc96781d28ed8f943a6d6685c5bcc496406b0a0e7aca6dc0fa5

Download Submit
C:\Windows\SysWOW64\Eppjfgcp.exe

Filesize
96KB

MD5
46fd587dd936136967e079f637bd1c7f

SHA1
dd9e585ece0e3bddc453a74754a51231a2fe7dfd

SHA256
b35811ab9901d5127b9e4165749812541d7ab420dd8889505a0e0f5805b9606c

SHA512
46ea769bb09def8fd382b06173aa624a795216ee70c4ff79e1951f649131fd8bd5c94ea56039d81369dbcb5e677ed98ac6e54c2895b6c675e5f2117ce002fa03

Download Submit
C:\Windows\SysWOW64\Fbelcblk.exe

Filesize
96KB

MD5
a20d9fb323f4438a952120c630ba57be

SHA1
22748a7729537624fbc797ddcea5a6c152e4ab48

SHA256
fa3dbc325223267173f8824774d95a963adc1b794589068de01680cbdacc3184

SHA512
5ef7b6b9b410455b64a2d4c60bbf519ab3b1d54654e7f123f6f284d5123a07a9deb8c3d7eb74ac8d2ca4c99a6b2d86c24c019c8c3a2775b2614f6a15a2ab56c9

Download Submit
C:\Windows\SysWOW64\Fealin32.exe

Filesize
96KB

MD5
91d6b6cfe2925b3e164e16bced9762c2

SHA1
b49a01fa92b73ba8dc2f526afaa4809adad6f8aa

SHA256
526f66bab5fbea5d97a4ea62cd55e2d9fbccfccecdfc72b103e3136773c5e191

SHA512
85df29614a62ee7adc03b334751ef2ccd800e6a0d613a51e088a8bb4d232bc48e3977b29a2543122b7f364248879fe3ee4cd225d48570e671eda2408cb06bda1

Download Submit
C:\Windows\SysWOW64\Fijkdmhn.exe

Filesize
96KB

MD5
632f2d7aac098e9c14bbf9490429539b

SHA1
44a28f0a5cd7c41e7cbf5e1c23aa1f6b165c0ac2

SHA256
be56105b500b53a375e3e338c0674440d15ab164695edf07c15a7bf05304c681

SHA512
85467a4e2373238b57e78da6b142a3798be9c72d3aa0df2e7fd9bc13223a7c9fb69420dd22833850035ccc84a029577bc4f0094a249916f63f2543327af5c2e6

Download Submit
C:\Windows\SysWOW64\Fmcjpl32.exe

Filesize
96KB

MD5
9ef42917185728cb378cc229f05020ea

SHA1
2ea97403e6d7e3f35fcb1409c480e5c1638458c6

SHA256
7a0e2f60027697d6b06c78f2c96405b9730a12bda98f6ab2bba41c649e76150a

SHA512
3ee7a1af12e369afff08d054d7a0a6214f4acde0e70688ba905507b24d54d1108e902ddc3b5e86730aced490f979f74b32814b9868da52ec59ca91e293cb55ec

Download Submit
C:\Windows\SysWOW64\Fneggdhg.exe

Filesize
96KB

MD5
ca65a4943d02154cde014c6931582e64

SHA1
0fc291f6c57978ce3b860e49fa3fadabb351f7b1

SHA256
fca0e4887051bc9babf24be7b71c2ed0dcf9cc4a73e77f9733d0281e4dc46f14

SHA512
adbbc85cd2727cec9b3857606e59930e05c925066b78ecc7e67ead57568a4a92557ea5abeb869e7c32ee05cb01ee08edf2374fb27f1f9321b00c1d201cc12fe5

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
96KB

MD5
bf5e5962bafcba9107d2dee1d68fc676

SHA1
ec7dcba9aebaf912ecd9ce65930387eaef6c7573

SHA256
295f1657acea2deaf9f7bd27be27d7bb965d55885083be162200791207dc48b4

SHA512
de6de5036210fc0a12cffa9ce4f8797ffc4c3bb3aacfe82c28f06380036dfa7fb51ef00d01dcb1dc14d05354372c3e3819dc724e525f39346bad35680fbccc70

Download Submit
C:\Windows\SysWOW64\Fpgpgfmh.exe

Filesize
96KB

MD5
f6793a918b0cbe460cf184c5e6ae1943

SHA1
85199e4eb34ed9bf42165ac26a7147f0bc3cc174

SHA256
4a6bf274730c903a6f6e4012154a531237655b9345631b263769d975744b2f0d

SHA512
304ecbfeca6b60947918138100e27f12c45051ae98034f9db528d9c3a03ae560420437bb2281a441b4e53beeffb69f71d7ea55af3b8bcf4608a16a853fe55fd9

Download Submit
C:\Windows\SysWOW64\Fpkibf32.exe

Filesize
96KB

MD5
001280f190370371fc92d7156e322704

SHA1
38493e04ec862ff27e61abb34ea856b25a3b2195

SHA256
0e5bfad7200ac2ad571cb8c4baeabaf6588261b0b3f568d4a7274f06832b3391

SHA512
84d0070c2033c97e2cc125faefb821e32e20db3be69b5251e6c0b793d8ca374251040c76c584af1b5118a55a35ed36b04a010f6632a8395eba2b7399f8255c87

Download Submit
C:\Windows\SysWOW64\Gifkpknp.exe

Filesize
96KB

MD5
525fae87deabc0fb2228c0fa88594e09

SHA1
d9974a3fc6739b36bf2ec2e2c2802a662ddb35b1

SHA256
050c7a2016d89903b766bf424dced3cfe79cb5a2267e76e023b37743d95971a0

SHA512
d9daef848d8505e5212e2e29ef86bb771c96036384773304062cff2f86ebb7c6c3a81cd16a7b5b2f45dbf68d61f4e1977de2b88ae44bd95dbf11c523d6d1e6af

Download Submit
C:\Windows\SysWOW64\Hfhgkmpj.exe

Filesize
96KB

MD5
840fc821a31703d8925f3223554ee2c4

SHA1
da20ff6b2e60fce06e99213a0e2fe48361b04a96

SHA256
d4502c7e731217bc58626f9db80ec00dbce23b7953e6b52bd14f52143ddc0321

SHA512
ecaa00259f0d8e58e176e3f0e87e2c0b06c42206113a61e2d245e0f2dd794b557483dd7a3af04e8e54358775e9cf30521d9e39e597ca29473525277b44d3f18d

Download Submit
C:\Windows\SysWOW64\Hoclopne.exe

Filesize
96KB

MD5
60bbf7970f91646aada226f953c364f5

SHA1
d99f68273c3c6f39d8c732a779a1e1059c1296c2

SHA256
73746c9a56cf8c09c6f1f68209fa1fabc735924b1a78032a8f388f147e2cb53d

SHA512
b960e3a8cc9eebd309a7d71ef82eb686a69227226faf4e0b74aaf9332709afed8f25fad5b16956384205e83b6605b1fdfcffb5aecef9480b667bb1f5f9d2f346

Download Submit
C:\Windows\SysWOW64\Ipeeobbe.exe

Filesize
96KB

MD5
5dc54b077d1df440d5b8601acadfa20e

SHA1
62527ea49ab28c3e15a73bdcdc4dfb2dc24cbc6a

SHA256
41501f842271e41441f1219252e893565a229f28cea1a7ed7f48606c5585934c

SHA512
db1241cffd503d65c577e442f6fb11408af41acda9fdf000df58032fa649923abc990e9d1b6fb133db6cf04bbe139aaca9f9af91a9c242758cea4f8754c8a91d

Download Submit
C:\Windows\SysWOW64\Knqepc32.exe

Filesize
96KB

MD5
303d6afb18d7bcb422423622f3c832b8

SHA1
df7e7d32f0bf793f728fdd405ba24295322a9293

SHA256
f89f9744a32d16448625d6de1b2ae97dfae75672d87ddcb4ba4e141aa63114a4

SHA512
61e31cf6148df4a5a0e2683e75e449005e47a24536edff519e85bd04a1b6d48978f0c16591b47e90b0fdb23e851a4807fbb55a07edef8a338335bde336229306

Download Submit
C:\Windows\SysWOW64\Ljqhkckn.exe

Filesize
96KB

MD5
1026d123c2a65a9affeda2f40ca0e444

SHA1
3a44dd4bb766da81dfeae45ccb56089cd3dbccb1

SHA256
936582e8a3af92ab6bce325457ff568dd0c886b51d86de028f31a34aa2c0e9f3

SHA512
4b84ef9f12fa90d0f434387378417144ae2d57ff4ffa162f540cd2fc83ae3da438fbeb2717e55cbef64a2c9b58e62af431451535119730b2aa2f03d42c4e5f72

Download Submit
C:\Windows\SysWOW64\Lopmii32.exe

Filesize
96KB

MD5
06c34974e97eabb163d581662e521f25

SHA1
58a9678a0dbe0b7bac1cd15c33a14ba4dbd2feb3

SHA256
f1800e7dccf60626bc3a5a9ee18c6c89f0d049be072e8a89284b4e5ab73e8288

SHA512
269547568a58ade8ac949ead1598eb331e521fa8462aa366ad2c1bf58dee16079a16a8509ac6e499add81e4a93fee4845947af5d3ebe6dc6114e41b53b9bdb5c

Download Submit
C:\Windows\SysWOW64\Mmhgmmbf.exe

Filesize
96KB

MD5
27404f68f599821faee8f01a8107d80b

SHA1
8a6a65a3ec54f1ffd06cfb98a85fdea531251156

SHA256
aab6642984e663e7d2d2e732572627f973456a7549767143cac5f02fd2abc54b

SHA512
47ef1dceb9b9f1a1ffbc68e063d86b39fbc64afed98083f25e88c7b47af66ca694bc2a4fcb7a5f3d1f740ddbce7318b368e735ec28fecf65b882ccbd14cd2e34

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe

Filesize
96KB

MD5
e6b742621bac3873dd3d1585b09ef6c1

SHA1
2f8dc1645b979e5ab49a736970a3902ad7c59085

SHA256
615d85be8a7776816855a32762dca7e712aa801b2c90b483ed8847ba06482b9a

SHA512
d279bf742ae9d4b9dd38ec3118d75c3530b2a314ed97e30c84c9680cbc2dc4b5aee829db12c3362d91bcb6d61da5c176ed2d2a74b27928198ac0044fd965e9f4

Download Submit
C:\Windows\SysWOW64\Poigcbng.dll

Filesize
7KB

MD5
a002273493dbf3d5652b4402725ca191

SHA1
f713c83ba7e4fb7bda7e03db8f574f28827ec59f

SHA256
0dcec9147b3671e57da18680ce4bd0ba6782f5b5ea2e0ddb6df068f558da1e65

SHA512
3c4e37c04a2e9205735ab0808c47ba1bc51bcb18fcde150d8ecbd5b74d2947266d9c1b10721414aa60888ccf49f4e020b63c26519490955fd982ba45473dba7f

Download Submit
C:\Windows\SysWOW64\Qpcecb32.exe

Filesize
96KB

MD5
4e387d875031a9241ea70ee6b8b3ed8e

SHA1
7e49a9efa3d485ac164dadab59bb823b15ec48f4

SHA256
8705b5c40bef980816b71dc20854c1ee9456eb063df064f389439ea90985ac99

SHA512
c254fa908489f0c47ac7ae1ba72645fd65e370f8d09daddabf3ccf9c5aa66c677157320708b245cbb26c338688ceeb361a070fc7d7f2b4ba962622ef79059356

Download Submit
memory/216-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/404-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/448-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/516-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/536-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/536-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/544-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/696-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/756-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/956-393-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1040-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1076-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1084-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1108-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1144-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1512-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1668-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1740-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1776-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1916-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1980-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2000-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2020-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2132-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2204-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2428-140-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2580-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2640-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2640-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2644-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2692-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2716-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2804-571-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2804-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2860-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2860-564-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2976-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2984-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3024-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3024-597-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3232-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3272-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3428-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3492-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3492-582-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3560-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3644-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3892-440-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3908-85-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3912-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3992-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4052-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4136-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4440-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4520-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4528-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4540-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4548-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4552-599-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4552-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4696-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5024-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-585-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5056-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5068-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5132-586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5168-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5212-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5236-598-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5252-471-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5296-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5340-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5380-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5428-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5468-500-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5508-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5560-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5608-519-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5660-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5704-530-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5748-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5808-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5860-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5920-552-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5964-563-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/6004-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/6060-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/6128-584-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads