3c2f0685ac3f382360d5191e395692addc557fde8bfd4ac66baac60ba0e18cdc

Analysis

max time kernel
130s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c2f0685ac3f382360d5191e395692addc557fde8bfd4ac66baac60ba0e18cdc.exe
Size

304KB
MD5

d8a317f04896b2aa5babad7bba058876
SHA1

d884e91fd0ecb5c7c1993ed1a4f3c2ecf6c360bd
SHA256

3c2f0685ac3f382360d5191e395692addc557fde8bfd4ac66baac60ba0e18cdc
SHA512

d44a2da6575ebebd1f50c854b7edced8d6c5b231bd11a89cbd10a5e4f91acdcf51c4d2ce32ebe535eca8ccfc8787ece4b5b83d47e8e3259398b50a17fea40b7e
SSDEEP

6144:jIgZqa8IRoB3Yt3XbaHJUByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6MxE:jI5V/6t3XGCByvNv54B9f01ZmHByvNE

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcifkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qklmpalf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bllbaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jilfifme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bemqih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmqfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ickglm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmiikh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngjkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jofalmmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmfkhmdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmpmnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3c2f0685ac3f382360d5191e395692addc557fde8bfd4ac66baac60ba0e18cdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcmmhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfjfecno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aoalgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emmdom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmfkhmdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnoqc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omegjomb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiigadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lqhdbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljhnlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olicnfco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgnbdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohhnbhok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nclbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmpcbhji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omegjomb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oogpjbbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jenmcggo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Camddhoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emanjldl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oaplqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnmoijje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clchbqoo.exe

Executes dropped EXE 64 IoCs

pid	Process
3216	Ohhnbhok.exe
4800	Omegjomb.exe
5028	Olicnfco.exe
4952	Oogpjbbb.exe
4660	Peahgl32.exe
3940	Pkpmdbfd.exe
4140	Ponfka32.exe
3976	Popbpqjh.exe
1976	Pejkmk32.exe
4512	Qoelkp32.exe
4864	Qklmpalf.exe
2160	Aeaanjkl.exe
3500	Alkijdci.exe
3016	Adfnofpd.exe
1688	Akqfkp32.exe
3044	Aajohjon.exe
1500	Ahdged32.exe
2064	Aonoao32.exe
2936	Adkgje32.exe
3700	Aoalgn32.exe
3512	Aekddhcb.exe
2720	Ahippdbe.exe
4804	Bochmn32.exe
4600	Bemqih32.exe
4388	Blgifbil.exe
2296	Bnhenj32.exe
5024	Bdbnjdfg.exe
4984	Bklfgo32.exe
2696	Bnkbcj32.exe
1020	Bddjpd32.exe
4508	Bllbaa32.exe
3648	Bnmoijje.exe
4948	Bedgjgkg.exe
4992	Bhbcfbjk.exe
3400	Bkaobnio.exe
3084	Bakgoh32.exe
620	Bdickcpo.exe
1200	Blqllqqa.exe
4232	Cnahdi32.exe
3636	Camddhoi.exe
2776	Cdlqqcnl.exe
4492	Clchbqoo.exe
3056	Coadnlnb.exe
1476	Cndeii32.exe
2080	Cfkmkf32.exe
1084	Chiigadc.exe
1828	Ckhecmcf.exe
416	Cnfaohbj.exe
4704	Cfnjpfcl.exe
4368	Chlflabp.exe
596	Ckjbhmad.exe
5092	Cofnik32.exe
4300	Cbdjeg32.exe
4956	Ckmonl32.exe
4632	Dkokcl32.exe
880	Dbicpfdk.exe
3352	Dmohno32.exe
5056	Dmcain32.exe
1812	Dflfac32.exe
4276	Dmennnni.exe
1112	Emhkdmlg.exe
2616	Eofgpikj.exe
5152	Ebdcld32.exe
5184	Eiokinbk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pejkmk32.exe	Popbpqjh.exe
File created	C:\Windows\SysWOW64\Pjkmomfn.exe	Ocaebc32.exe
File opened for modification	C:\Windows\SysWOW64\Qmeigg32.exe	Qfkqjmdg.exe
File opened for modification	C:\Windows\SysWOW64\Amjbbfgo.exe	Afpjel32.exe
File created	C:\Windows\SysWOW64\Mmhgmmbf.exe	Mfnoqc32.exe
File created	C:\Windows\SysWOW64\Dkbnla32.dll	Bahdob32.exe
File created	C:\Windows\SysWOW64\Khfclo32.dll	Cbdjeg32.exe
File opened for modification	C:\Windows\SysWOW64\Qoelkp32.exe	Pejkmk32.exe
File created	C:\Windows\SysWOW64\Nqpcjj32.exe	Njfkmphe.exe
File created	C:\Windows\SysWOW64\Oogpjbbb.exe	Olicnfco.exe
File created	C:\Windows\SysWOW64\Aekddhcb.exe	Aoalgn32.exe
File created	C:\Windows\SysWOW64\Hebqnm32.dll	Iohejo32.exe
File opened for modification	C:\Windows\SysWOW64\Adhdjpjf.exe	Amnlme32.exe
File created	C:\Windows\SysWOW64\Adfnofpd.exe	Alkijdci.exe
File opened for modification	C:\Windows\SysWOW64\Lqhdbm32.exe	Ljnlecmp.exe
File created	C:\Windows\SysWOW64\Iblhpckf.dll	Lnldla32.exe
File opened for modification	C:\Windows\SysWOW64\Jofalmmp.exe	Jlgepanl.exe
File opened for modification	C:\Windows\SysWOW64\Ocohmc32.exe	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Bdickcpo.exe	Bakgoh32.exe
File opened for modification	C:\Windows\SysWOW64\Qpeahb32.exe	Qmgelf32.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Chfegk32.exe
File created	C:\Windows\SysWOW64\Godcje32.dll	Qpcecb32.exe
File created	C:\Windows\SysWOW64\Jljbeali.exe	Jilfifme.exe
File created	C:\Windows\SysWOW64\Bhgbbckh.dll	Npgmpf32.exe
File opened for modification	C:\Windows\SysWOW64\Bkphhgfc.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Gpojkp32.dll	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Kjeiodek.exe	Koodbl32.exe
File created	C:\Windows\SysWOW64\Neiqnh32.dll	Bnkbcj32.exe
File created	C:\Windows\SysWOW64\Bhhiemoj.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Hkajlm32.dll	Aeaanjkl.exe
File opened for modification	C:\Windows\SysWOW64\Qklmpalf.exe	Qoelkp32.exe
File created	C:\Windows\SysWOW64\Imkbnf32.exe	Iedjmioj.exe
File opened for modification	C:\Windows\SysWOW64\Bkaobnio.exe	Bhbcfbjk.exe
File created	C:\Windows\SysWOW64\Gceegdko.dll	Camddhoi.exe
File created	C:\Windows\SysWOW64\Kgkfnh32.exe	Kpanan32.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Kolfbd32.dll	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Mfbjdgmg.dll	Dmennnni.exe
File created	C:\Windows\SysWOW64\Efblbbqd.exe	Enkdaepb.exe
File opened for modification	C:\Windows\SysWOW64\Eicedn32.exe	Efeihb32.exe
File created	C:\Windows\SysWOW64\Imnocf32.exe	Igdgglfl.exe
File created	C:\Windows\SysWOW64\Kofmfi32.dll	Ocgbld32.exe
File opened for modification	C:\Windows\SysWOW64\Pccahbmn.exe	Pmiikh32.exe
File created	C:\Windows\SysWOW64\Mmpmnl32.exe	Mnmmboed.exe
File opened for modification	C:\Windows\SysWOW64\Hmkigh32.exe	Hfaajnfb.exe
File created	C:\Windows\SysWOW64\Dddjmo32.dll	Pmblagmf.exe
File opened for modification	C:\Windows\SysWOW64\Chlflabp.exe	Cfnjpfcl.exe
File created	C:\Windows\SysWOW64\Jhglpo32.dll	Coadnlnb.exe
File created	C:\Windows\SysWOW64\Bhlkdj32.dll	Popbpqjh.exe
File created	C:\Windows\SysWOW64\Lgdidgjg.exe	Lqkqhm32.exe
File created	C:\Windows\SysWOW64\Gadiippo.dll	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Adkgje32.exe	Aonoao32.exe
File created	C:\Windows\SysWOW64\Aonoao32.exe	Ahdged32.exe
File opened for modification	C:\Windows\SysWOW64\Bgnffj32.exe	Bpdnjple.exe
File created	C:\Windows\SysWOW64\Knenkbio.exe	Kgkfnh32.exe
File created	C:\Windows\SysWOW64\Hhlpmmgb.dll	Kgkfnh32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Cndeii32.exe	Coadnlnb.exe
File created	C:\Windows\SysWOW64\Pqknpl32.dll	Hfcnpn32.exe
File opened for modification	C:\Windows\SysWOW64\Pmlfqh32.exe	Pjmjdm32.exe
File created	C:\Windows\SysWOW64\Alkijdci.exe	Aeaanjkl.exe
File created	C:\Windows\SysWOW64\Jmbhoeid.exe	Jekqmhia.exe
File created	C:\Windows\SysWOW64\Ojnkocdc.dll	Mgnlkfal.exe
File opened for modification	C:\Windows\SysWOW64\Ngjkfd32.exe	Nqpcjj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8200	9060	WerFault.exe	370

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eanmnefk.dll"	Lqkqhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofonqd32.dll"	Oogpjbbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aonoao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkfenfk.dll"	Geaepk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmpcbhji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ickglm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Popbpqjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefjbddd.dll"	Jenmcggo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leilnmkp.dll"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpejkd32.dll"	Gemkelcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmophg32.dll"	Ifmqfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofdmmgd.dll"	Bnmoijje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oakbehfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll"	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ponfka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eicedn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ekaapi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmhgmmbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ebdcld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffiipfmi.dll"	Emanjldl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbjdgmg.dll"	Dmennnni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojajin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkpmdbfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdbnjdfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bklfgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Flfkkhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigcfhbi.dll"	Hoeieolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhglpo32.dll"	Coadnlnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombnni32.dll"	Lqhdbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoigp32.dll"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgagk32.dll"	Mmfkhmdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqppgj32.dll"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqknpl32.dll"	Hfcnpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpcjgnhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnocia32.dll"	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjinodke.dll"	Adkgje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Blgifbil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkaobnio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cofnik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhlpmmgb.dll"	Kgkfnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldbpfio.dll"	Ekaapi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olieecnn.dll"	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jinboekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Alkijdci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iedjmioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadhip32.dll"	Ckhecmcf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 3216	2040	3c2f0685ac3f382360d5191e395692addc557fde8bfd4ac66baac60ba0e18cdc.exe	90
PID 2040 wrote to memory of 3216	2040	3c2f0685ac3f382360d5191e395692addc557fde8bfd4ac66baac60ba0e18cdc.exe	90
PID 2040 wrote to memory of 3216	2040	3c2f0685ac3f382360d5191e395692addc557fde8bfd4ac66baac60ba0e18cdc.exe	90
PID 3216 wrote to memory of 4800	3216	Ohhnbhok.exe	91
PID 3216 wrote to memory of 4800	3216	Ohhnbhok.exe	91
PID 3216 wrote to memory of 4800	3216	Ohhnbhok.exe	91
PID 4800 wrote to memory of 5028	4800	Omegjomb.exe	92
PID 4800 wrote to memory of 5028	4800	Omegjomb.exe	92
PID 4800 wrote to memory of 5028	4800	Omegjomb.exe	92
PID 5028 wrote to memory of 4952	5028	Olicnfco.exe	93
PID 5028 wrote to memory of 4952	5028	Olicnfco.exe	93
PID 5028 wrote to memory of 4952	5028	Olicnfco.exe	93
PID 4952 wrote to memory of 4660	4952	Oogpjbbb.exe	94
PID 4952 wrote to memory of 4660	4952	Oogpjbbb.exe	94
PID 4952 wrote to memory of 4660	4952	Oogpjbbb.exe	94
PID 4660 wrote to memory of 3940	4660	Peahgl32.exe	95
PID 4660 wrote to memory of 3940	4660	Peahgl32.exe	95
PID 4660 wrote to memory of 3940	4660	Peahgl32.exe	95
PID 3940 wrote to memory of 4140	3940	Pkpmdbfd.exe	96
PID 3940 wrote to memory of 4140	3940	Pkpmdbfd.exe	96
PID 3940 wrote to memory of 4140	3940	Pkpmdbfd.exe	96
PID 4140 wrote to memory of 3976	4140	Ponfka32.exe	97
PID 4140 wrote to memory of 3976	4140	Ponfka32.exe	97
PID 4140 wrote to memory of 3976	4140	Ponfka32.exe	97
PID 3976 wrote to memory of 1976	3976	Popbpqjh.exe	98
PID 3976 wrote to memory of 1976	3976	Popbpqjh.exe	98
PID 3976 wrote to memory of 1976	3976	Popbpqjh.exe	98
PID 1976 wrote to memory of 4512	1976	Pejkmk32.exe	100
PID 1976 wrote to memory of 4512	1976	Pejkmk32.exe	100
PID 1976 wrote to memory of 4512	1976	Pejkmk32.exe	100
PID 4512 wrote to memory of 4864	4512	Qoelkp32.exe	101
PID 4512 wrote to memory of 4864	4512	Qoelkp32.exe	101
PID 4512 wrote to memory of 4864	4512	Qoelkp32.exe	101
PID 4864 wrote to memory of 2160	4864	Qklmpalf.exe	102
PID 4864 wrote to memory of 2160	4864	Qklmpalf.exe	102
PID 4864 wrote to memory of 2160	4864	Qklmpalf.exe	102
PID 2160 wrote to memory of 3500	2160	Aeaanjkl.exe	103
PID 2160 wrote to memory of 3500	2160	Aeaanjkl.exe	103
PID 2160 wrote to memory of 3500	2160	Aeaanjkl.exe	103
PID 3500 wrote to memory of 3016	3500	Alkijdci.exe	104
PID 3500 wrote to memory of 3016	3500	Alkijdci.exe	104
PID 3500 wrote to memory of 3016	3500	Alkijdci.exe	104
PID 3016 wrote to memory of 1688	3016	Adfnofpd.exe	105
PID 3016 wrote to memory of 1688	3016	Adfnofpd.exe	105
PID 3016 wrote to memory of 1688	3016	Adfnofpd.exe	105
PID 1688 wrote to memory of 3044	1688	Akqfkp32.exe	106
PID 1688 wrote to memory of 3044	1688	Akqfkp32.exe	106
PID 1688 wrote to memory of 3044	1688	Akqfkp32.exe	106
PID 3044 wrote to memory of 1500	3044	Aajohjon.exe	107
PID 3044 wrote to memory of 1500	3044	Aajohjon.exe	107
PID 3044 wrote to memory of 1500	3044	Aajohjon.exe	107
PID 1500 wrote to memory of 2064	1500	Ahdged32.exe	108
PID 1500 wrote to memory of 2064	1500	Ahdged32.exe	108
PID 1500 wrote to memory of 2064	1500	Ahdged32.exe	108
PID 2064 wrote to memory of 2936	2064	Aonoao32.exe	109
PID 2064 wrote to memory of 2936	2064	Aonoao32.exe	109
PID 2064 wrote to memory of 2936	2064	Aonoao32.exe	109
PID 2936 wrote to memory of 3700	2936	Adkgje32.exe	110
PID 2936 wrote to memory of 3700	2936	Adkgje32.exe	110
PID 2936 wrote to memory of 3700	2936	Adkgje32.exe	110
PID 3700 wrote to memory of 3512	3700	Aoalgn32.exe	111
PID 3700 wrote to memory of 3512	3700	Aoalgn32.exe	111
PID 3700 wrote to memory of 3512	3700	Aoalgn32.exe	111
PID 3512 wrote to memory of 2720	3512	Aekddhcb.exe	112

C:\Users\Admin\AppData\Local\Temp\3c2f0685ac3f382360d5191e395692addc557fde8bfd4ac66baac60ba0e18cdc.exe
"C:\Users\Admin\AppData\Local\Temp\3c2f0685ac3f382360d5191e395692addc557fde8bfd4ac66baac60ba0e18cdc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\Ohhnbhok.exe
  C:\Windows\system32\Ohhnbhok.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\SysWOW64\Omegjomb.exe
    C:\Windows\system32\Omegjomb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\SysWOW64\Olicnfco.exe
      C:\Windows\system32\Olicnfco.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\SysWOW64\Oogpjbbb.exe
        
        C:\Windows\system32\Oogpjbbb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Windows\SysWOW64\Peahgl32.exe
        
        C:\Windows\system32\Peahgl32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Pkpmdbfd.exe
        
        C:\Windows\system32\Pkpmdbfd.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Ponfka32.exe
        
        C:\Windows\system32\Ponfka32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Popbpqjh.exe
        
        C:\Windows\system32\Popbpqjh.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Pejkmk32.exe
        
        C:\Windows\system32\Pejkmk32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Qklmpalf.exe
        
        C:\Windows\system32\Qklmpalf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Aeaanjkl.exe
        
        C:\Windows\system32\Aeaanjkl.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Alkijdci.exe
        
        C:\Windows\system32\Alkijdci.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Adfnofpd.exe
        
        C:\Windows\system32\Adfnofpd.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Akqfkp32.exe
        
        C:\Windows\system32\Akqfkp32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Aajohjon.exe
        
        C:\Windows\system32\Aajohjon.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Ahdged32.exe
        
        C:\Windows\system32\Ahdged32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Aonoao32.exe
        
        C:\Windows\system32\Aonoao32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Adkgje32.exe
        
        C:\Windows\system32\Adkgje32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Aoalgn32.exe
        
        C:\Windows\system32\Aoalgn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Aekddhcb.exe
        
        C:\Windows\system32\Aekddhcb.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Ahippdbe.exe
        
        C:\Windows\system32\Ahippdbe.exe
        23⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        24⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Blgifbil.exe
        
        C:\Windows\system32\Blgifbil.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Bnhenj32.exe
        
        C:\Windows\system32\Bnhenj32.exe
        27⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Bdbnjdfg.exe
        
        C:\Windows\system32\Bdbnjdfg.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Bklfgo32.exe
        
        C:\Windows\system32\Bklfgo32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Bnmoijje.exe
        
        C:\Windows\system32\Bnmoijje.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Bedgjgkg.exe
        
        C:\Windows\system32\Bedgjgkg.exe
        34⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Bkaobnio.exe
        
        C:\Windows\system32\Bkaobnio.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Bakgoh32.exe
        
        C:\Windows\system32\Bakgoh32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\Bdickcpo.exe
        
        C:\Windows\system32\Bdickcpo.exe
        38⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        39⤵
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\SysWOW64\Cnahdi32.exe
        
        C:\Windows\system32\Cnahdi32.exe
        40⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        42⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        45⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        46⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\Chiigadc.exe
        
        C:\Windows\system32\Chiigadc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Cnfaohbj.exe
        
        C:\Windows\system32\Cnfaohbj.exe
        49⤵
        Executes dropped EXE
        
        PID:416
        
        C:\Windows\SysWOW64\Cfnjpfcl.exe
        
        C:\Windows\system32\Cfnjpfcl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        51⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        52⤵
        Executes dropped EXE
        
        PID:596
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Ckmonl32.exe
        
        C:\Windows\system32\Ckmonl32.exe
        55⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        56⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        57⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        58⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        59⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        60⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        62⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        63⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        65⤵
        Executes dropped EXE
        
        PID:5184
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        66⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        67⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        68⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        70⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        71⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        72⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        73⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        74⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        75⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        77⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        78⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        79⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        80⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        81⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        82⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        83⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        84⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        85⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        86⤵
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        87⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        88⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        89⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        90⤵
        
        PID:652
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        92⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        93⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        94⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        96⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        97⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        98⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        99⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        100⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        101⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        102⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        104⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        107⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        108⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        110⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        111⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        112⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        113⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        115⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        116⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        117⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        118⤵
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        119⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        120⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        122⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        125⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        126⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        127⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        128⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        129⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        130⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        131⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        132⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        133⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        135⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6564
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6608
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        140⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        141⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6832
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        143⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        144⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        145⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        146⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        148⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        149⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        152⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        153⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        154⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        155⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6632
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        158⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        163⤵
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        164⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        165⤵
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        166⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        167⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        168⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        169⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6456
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        171⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6572
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        175⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7192
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        178⤵
        Drops file in System32 directory
        
        PID:7232
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        179⤵
        Drops file in System32 directory
        
        PID:7276
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7328
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        181⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        182⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        183⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        184⤵
        Drops file in System32 directory
        
        PID:7516
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        185⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        186⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        187⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        188⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        189⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7776
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        191⤵
        Modifies registry class
        
        PID:7824
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7864
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        193⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        194⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7984
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8024
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        197⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        198⤵
        Drops file in System32 directory
        
        PID:8108
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        199⤵
        Drops file in System32 directory
        
        PID:8152
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        200⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        202⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7388
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        204⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        205⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        206⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7664
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7720
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7788
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        210⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        211⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        212⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        213⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        214⤵
        Drops file in System32 directory
        
        PID:8148
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        215⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7348
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        217⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        218⤵
        Drops file in System32 directory
        
        PID:7512
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        219⤵
        Modifies registry class
        
        PID:7636
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        220⤵
        Drops file in System32 directory
        
        PID:7724
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        221⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        222⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7932
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        223⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7172
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7284
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        226⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        227⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        228⤵
        Modifies registry class
        
        PID:7804
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8036
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        230⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7704
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        232⤵
        Modifies registry class
        
        PID:7972
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7612
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7216
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        235⤵
        Modifies registry class
        
        PID:7504
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        236⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        237⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8244
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        238⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        239⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8368
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8408
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        242⤵
        Modifies registry class
        
        PID:8444
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        243⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        244⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        245⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        246⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        247⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        248⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        249⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        250⤵
        Drops file in System32 directory
        
        PID:8796
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        251⤵
        Drops file in System32 directory
        
        PID:8836
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        252⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8880
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        253⤵
        Drops file in System32 directory
        
        PID:8928
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        254⤵
        Modifies registry class
        
        PID:8968
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9012
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        256⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        257⤵
        Drops file in System32 directory
        
        PID:9100
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        258⤵
        Modifies registry class
        
        PID:9144
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        259⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        260⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        261⤵
        Modifies registry class
        
        PID:8276
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        262⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        263⤵
        Modifies registry class
        
        PID:8416
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        264⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        265⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8640
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        267⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        268⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        269⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        270⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        271⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9000
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        272⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9060 -s 412
        273⤵
        Program crash
        
        PID:8200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:8
1⤵
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 9060 -ip 9060
1⤵
PID:9196

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv G6q7eiNqu0eBOWroceie+w.0.2
1⤵
PID:9000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajohjon.exe

Filesize
304KB

MD5
0a128f291a70c1993d8510560bfba88f

SHA1
ac17de6625290b3e827e8e7585c3cce87563a9e4

SHA256
d97702ad1a714ba67ad8b04c62634d667eb4cec1d362f9e0449006f9c101a1a0

SHA512
b1e7411c95c33d0037872678a93988546b9db8a0c17de51eda43fa3da197405ae683e00e07b7220d6586451cc71fdcf0d07fac403f902468cda68b47461859c0

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe

Filesize
304KB

MD5
b2e28681d02d571aa5a159e207093f9b

SHA1
57e162527b7e4206901538d981a7771b60eef8b7

SHA256
0d1cdeaf8c1c0d84d7ee3c6bdeb157f7b89ed3561ed406ccabfb4d2f4fa04338

SHA512
ed0ecb19eac1cc3e0b52d8e1d8f979d18c610bbdb6c19f2180ece816b7f9688dc6002a854d93853c19e9829e3373d41009b65b634cc650c3d76c80e368b6de49

Download Submit
C:\Windows\SysWOW64\Adfnofpd.exe

Filesize
304KB

MD5
9327b8b40d5e84109a0ca1a5aa9d42b6

SHA1
34d8d46c77f45462e36947514ac960508a4505f9

SHA256
94bbe03302136daa14d2c362f3e936956053717882644852ad0d3aa556f23121

SHA512
0d68df3cbc7aae987d5fc86a6caf29325215f6be3abfc537ee341ed80f4b4ce0ec539636e362b2feb859c6b31279f130188f419ce7d575a7cc6a44ab549a5306

Download Submit
C:\Windows\SysWOW64\Adkgje32.exe

Filesize
304KB

MD5
058a2c77bb453b28d93d08aafd2c633a

SHA1
dc44b8a88b499291aa2504ade54989ee77b8a5a9

SHA256
ad2425c6626a20a0d4c14db4e765aff63205c75f109c87b1abb977650b45dc50

SHA512
b7533e4cd80788e24ab715397d09e5e4fe73a4c5a4ac28bc344a9df1b4a7ec5039e829e2eefeb57cc3e939a5a618f63caa0ac5f4f0fcadda64eec04bef3e8e4c

Download Submit
C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
304KB

MD5
5efdf8dcbfd47aaf8274f87950ff0622

SHA1
ed48baa3a9129a0242f95e5dbcd714dde874423e

SHA256
e84c252afcfb7a1aa6648c9650a22dac8252608942973e945d5866980f000344

SHA512
dbb833c061a19f4a2d900c9d1e5910faa6a34f62386480fad03a8df10d3e08764d97082e77461f8828fa0c8f3c06636679ac88ce6d264048aa84209f37e0b103

Download Submit
C:\Windows\SysWOW64\Aeaanjkl.exe

Filesize
304KB

MD5
a58d76ac3312c4ab0fb507c3682eaf02

SHA1
f5e48d46a6e63d7a6f42c24656d72edb542ceb50

SHA256
03e2d5455aff0a688ac845ea70d130c8a4d9dd92ba1fc7a3ccab6bf2f1882388

SHA512
3f25b85167188f003fafa1db5c3a374a0bb64829ac6cb9cacfc845b32bfd5646eeb9fb1d68300fb814d26e49fa63c83c5fa827f861bc8e5cbc67c80d0a20b015

Download Submit
C:\Windows\SysWOW64\Aekddhcb.exe

Filesize
304KB

MD5
940f6d8e89c6d7770de6abb13cd87ce3

SHA1
3ac78bfb34679a47b41868227b3a66beff06cf61

SHA256
a719e4deed0f0088fcd04b2f733988c38cadd1794c40793c3fdde886d09515e6

SHA512
5a9b529df8a029194754f284d05f263f11b78925e3df6b0ecc06124e0583402a9587a44cfeb3ada7526739e0e3ac90f13e072ed0668ffc4ef7808e81716129d5

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
304KB

MD5
9a18d717f246f2c67d0534581a7d783e

SHA1
9b5dfca22cf3812faee02900d3336a0d8b6db713

SHA256
fffbd5ce3c48701052db2f7fec4a9508c2c9a7f3c863129bdbfc18d24393fe2d

SHA512
5958a900cc7ab050d6baf91c82b1dbe5d7cc6055dd70aa3d46abd2a5e8f312e6e6382e18b1f3a2f7fa41e704625e1c9563c8bc034bf4efae9d632db35e7ddf33

Download Submit
C:\Windows\SysWOW64\Ahdged32.exe

Filesize
304KB

MD5
1c689bc11ddabb9a85e1cbae5b08233f

SHA1
09868b6f43693b7c1ebb74c6dac51e7102936ef2

SHA256
45081888ed3e368407fb013d0290ed05b05ee6ed6c8a04f477c715ae5e5b59df

SHA512
6075e8f4c531b105516543325936410a8179110c476bf84706d5ab97cefdedd76773ebb75e51807140bda04e769d071d4236f74e3e6e01a5059b4b7970967401

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
192KB

MD5
7c3ba37901a0adee119ad40b654d5ad2

SHA1
0318c59378b89d199f1ade62cb885169a24c1598

SHA256
39f3b3f5730d2b7ca1ac436d20730773ecd689fc725987bc83378d2ab6a632d7

SHA512
4cb6e9781d0eae22974ce724c0b643d1eed17ca7e2e18d6e49ec650181eadae596510691f7072abc37a6cc5a4e1b4afd73c7d6c122afb24f575b713d257d0d1c

Download Submit
C:\Windows\SysWOW64\Ahippdbe.exe

Filesize
304KB

MD5
099b71523e9a7d0408c491937f24f7a1

SHA1
98c95ef6e3374e9bd418a7e219378e804214807b

SHA256
bcde2442f35459a738e56e71eb1bed5c2876d7e875927c383caa1a0567ea83fe

SHA512
13fd6202de3beccef2fb2cde47cad3cff7078e92441fec519b1ef7a466ab4e2758a73d580518acc9f2dd1518e63d9610cc0f858d383b546cb0e2ee5303b2f4a6

Download Submit
C:\Windows\SysWOW64\Akdilipp.exe

Filesize
304KB

MD5
dd7ce24e53c9797f4693e2d5e27cddff

SHA1
bf4849dc3e33401d0cc2dacff98a83e52b04bdfe

SHA256
0fa040400213d05e88ee8506c5f70345bfcac305c3d964ab49847c4fce3f28d0

SHA512
f73c65bf0df3c860df084198993835233b4bbf906d4f2c4795cd9a423ef98acc5daa70f2d07edfb0ec078109cd5582ee573fbd2aadd6f6acacfe63683262363b

Download Submit
C:\Windows\SysWOW64\Akqfkp32.exe

Filesize
304KB

MD5
8c938ff2d58b233d67c1e51344436d59

SHA1
629aa064035c076c937e308d78fb0632b5577a9f

SHA256
8b1e3aae112751dd0140f86ef81397a67f97775167060aeeead851d975ab5853

SHA512
e14e7b7f6a89f671a8dfa652f5e593e9e431deb0b10ea8a2c0d7105e583d7995efd6e5e2f2946d9918f61778b6bbcaca9706c7afe82075246b74f687321a12e2

Download Submit
C:\Windows\SysWOW64\Alkijdci.exe

Filesize
304KB

MD5
c5f25a40b0342259e35781a873ce3485

SHA1
64ca22921af5edee7f18d9016cdf7937917223bf

SHA256
72a0be4a2704c12183b929140e062d07286b2ef09e618a378f1f067b5c70cbe9

SHA512
8482601d1303a888b27f540788ef36e58548bb7f9bec086f0195f756fc86cddb8a6138ec513928c356128653bdbf7a21beab1e4a52390ef7a68e86b7f23e5430

Download Submit
C:\Windows\SysWOW64\Aoalgn32.exe

Filesize
304KB

MD5
ca8f3b3a014953754260b85b48547297

SHA1
876200a45234400f4a58acc42843ba89e9b90fbf

SHA256
41cab0ea1d7d5585c29c64203da1c62e2a2ff50350df86e6ddba86323f38b815

SHA512
2aed0838986fb9182d010c9a64a754d0b7b4f78f534f8e96e1895e4386db59fd62dd54407d33cdcf67dd769cf66e198b3c6fd9ee691c0af740cc2d428431f852

Download Submit
C:\Windows\SysWOW64\Aonoao32.exe

Filesize
304KB

MD5
e748a43b0a11727ab3b03d773983dfb9

SHA1
9b4119cf3f6693ce9713d56d04485e3f2dc52a33

SHA256
5f0a75929e67428b6a424a012488260cdc3f290f54f1d33e2ba0832e7c43e776

SHA512
4ea06071ff8f7f553c6a85a1e831068f61a716794587fd1b7590840063ce85055bbe15359d07d4ffb0dd44d8eb75a04549c4f632599502ddcdf7089104d3f079

Download Submit
C:\Windows\SysWOW64\Bdbnjdfg.exe

Filesize
304KB

MD5
7208cb76e48b6b4d3c5f3aaab1aa879e

SHA1
16bdebdbfc8396f06dc79886ccca003907f5759f

SHA256
22fcdd2fe855ce56f0c1cea92ddf8349376bf20ccf9f21d33a7bd692e018b06d

SHA512
393887332df83b9002f46ea1dcfa4862ad2fbdd6783b1a2fa454fa4d93495ec5bbcfd76345868c283f1f000d79a0a00711c9eed8eed5d37d1876e0370f9c2b80

Download Submit
C:\Windows\SysWOW64\Bddjpd32.exe

Filesize
304KB

MD5
da73894f86b2713f08602af43fa73613

SHA1
4d7bc47e1b7bec6424a5d55b763954546ec5c577

SHA256
00792d59d4eea79f0167a0712bcde9c202d3e586b3580be3f8e36c6b383458f6

SHA512
2b159b29a6dd286e27cdfb9700aea4a0540de1b79a9216096d1eee610addb5565954acd6d144ff8a446069a0fe57738003c32c9f9f166ec5f5baef66fde3caf0

Download Submit
C:\Windows\SysWOW64\Bemqih32.exe

Filesize
304KB

MD5
86cc06dfcdca02cc1ad70b0a4502fe84

SHA1
312c71b07785bcd17c3faff0ea766f3efa1d0020

SHA256
e315d73f31e905fe3c116eebf9c220d5dd902b81cbb4b0d65b4bc2fd036c7dfc

SHA512
419609911ba41155b930ef09a5df3456cfcb798f0d2be362682b0299c453170f16b508c9bf7f68b7a0e00f082065701b69901ae46604efbfb637482edb2e6f1d

Download Submit
C:\Windows\SysWOW64\Bklfgo32.exe

Filesize
304KB

MD5
50bf81c2d103d555499ca53eb5e3854f

SHA1
7a5cd05615d26feefc7ad453cf1dadd0034fa2d8

SHA256
ce6b86b3e8f77a35fadfb2f26cb23a5fb017651b971098a56d98d1021f21e20c

SHA512
9bc57357def506fc9669cd994a431c08f63eb9b956e623b6d7930bdc123f9ada729f141acf8712f357c0e8ff33bb0673f006617445033324e58cfcee737edf33

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe

Filesize
304KB

MD5
2b1bab6ea6e56c842f35397a40e435d3

SHA1
0b3d27df8b5025befa0c09f1e91aaf784c6f84b8

SHA256
975481783d4135641e6054003fdf8af325a735fc79c5321c13555f887ba3fc63

SHA512
58970b8b79488536997b8f0b3d823727e92876e8dbcce3251be7af99b0e0ddb61f1006fb341ec08dfdc2167996788c0128788637952f225d224d8e78e69960dc

Download Submit
C:\Windows\SysWOW64\Blgifbil.exe

Filesize
304KB

MD5
3cc977a417057fe67c1a2ef6ed45991c

SHA1
65e850dbfdc3e85eaa1dc809de99892722acc298

SHA256
cb9a5cd28f69b38e5861f0699874529222a441d30267b18a635032141d4435cc

SHA512
87945c5ad6693c1df872a22be873a8f47ef00142fd58d19087e431d26fd598b072b3a5deea29985c9322007ad0dbc1d4dedae3138e97559cc49e2d479d9f951e

Download Submit
C:\Windows\SysWOW64\Bllbaa32.exe

Filesize
304KB

MD5
e802db52b438f1e5664158f29bc6770f

SHA1
51990330b7878ed9aef01b248a32ae9d59466089

SHA256
cb89518f33b07f579e2157af80316fba1cbdf472a4dc647bf4b9fb03537aaf88

SHA512
fb8ed026fdf8340b7d851a932bf25033c4179416e7634c514cdffc0f6ee623a042450ebbec610265b76e656f9389abb10e61665a252e245880aa64b95281eac9

Download Submit
C:\Windows\SysWOW64\Bnhenj32.exe

Filesize
304KB

MD5
8eda59f78a67cfe0c987ceada4d5ceb7

SHA1
129865b86efc268b4e5fc222a29802301901a723

SHA256
3eef6a7bf1f7ed7ad02bf6c286b1e9d3f1dd7e95b4de0f737e40b1c2828ea034

SHA512
06a2980305e10682c6d8fe8df2da6fa262f164a872cc762989e4f826cc2f1589ea8dfccc50fbccf9d8fbaf30b16d9d8140ea7d69eb0750c62f9ba15fde03de3c

Download Submit
C:\Windows\SysWOW64\Bnkbcj32.exe

Filesize
304KB

MD5
fa473558bf052d0447f19aa1912b115f

SHA1
d5e99cc0a71e0a60a74cf737cf93fc676ee6ff9b

SHA256
c5716aa327967b2ac34607c0a0e1f1a2c11cd8f2a63439eb39012b0fc38471b6

SHA512
0b3f657df09314b92335a3d4b393fd69a7775f082335700b639122d628d2238f145e9ff4c09b1cc544228916c4058dfa1b498864abbe802796fca382b7a823ea

Download Submit
C:\Windows\SysWOW64\Bnmoijje.exe

Filesize
304KB

MD5
034f6043ba04c4d29ae620615b46aee8

SHA1
8d127f07be535e3df517265591469a1465aa2328

SHA256
29c52a17e342ba6ae07d0b8c59813e2c5b6b939fd6f766de4900380fdd286571

SHA512
ad139da42ecbfee848bda37382d996e564c659a974dd833f790d54103dee439617299d0e21e90d01044aa20c8338a9008bd0513c5ebcc7c136492c27b4785841

Download Submit
C:\Windows\SysWOW64\Bobabg32.exe

Filesize
304KB

MD5
12c76c536b97c18eda1dcb2a83cebcf5

SHA1
01d15d4ea5326a3ba259b15fe846ae6fa9f52991

SHA256
c6e495f8aad25918df270ee9e35419552a5689d012ed1b8935ec8d0937418e9b

SHA512
bf19751a93a7a4cc7183510a915c29087f1f3d78b2912b9e0cec5cdf305197e931aea717b4a871b40a271f762490f54e519e2b4d08c6cbd3d599356ac72967c1

Download Submit
C:\Windows\SysWOW64\Bochmn32.exe

Filesize
304KB

MD5
1c947707240dee83b88f2ab9d1e52302

SHA1
2136c5da548592a42d2318e5d050163af2642485

SHA256
e82a4655025445d9428130f829f277eca3e9c508d662660aeed3ea4e964d7ba6

SHA512
d33ab03bb8943589f83074f6428fcaf91e08e62e3967fdb3469911f9ca44560eb4dfc7c9ecb50d3528b777338c32a353d95dd4ef1bbc25d38d8fcfba527dcf68

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
304KB

MD5
3a174e82ffa795d13c01e3d4d3c49777

SHA1
bf2d78bbefbb4efe44cd5129e950b55006bf2b8c

SHA256
f7ef3d46987f47c7c2968d569b99bb49d4ed859a467406d2f9640e0af64be0c9

SHA512
5374e5ffbcf65bdc2b33d5569c5dcafb4b05e8f2d7b1a4bebe673451fc7bc6c5b4e76bf142648219a2278f4b5b7467443894ce230ce89710cf8b056f7d221a9b

Download Submit
C:\Windows\SysWOW64\Caojpaij.exe

Filesize
304KB

MD5
f73868f5daa64562d73dc6fc51d9047e

SHA1
2259d42a3f9859872995994b34d371d8c09e3e24

SHA256
c9b6f42defb9102912dfd47e6967ca78c887ca57c64ccce521fdf4f337dbd55c

SHA512
2e8cd00466e26ef6de3165593fb65f55c7117a122f0c7a5af6568bf684f7458811ed57e53640c5738e243a52a20636429e51dcb8b3a9e8edc29c2bd63186ba69

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
304KB

MD5
954e737a6bf399023623e8092c021af6

SHA1
d400ef5e302fccf997bd008f9c2e1e13848861dd

SHA256
69a84a82d200a6b22e2f9f32f71df658dae14199fdf0a2154087257b27c20ed7

SHA512
2e15d3038674aca791b2da7c4e193ea6293a6fd587d8964a42352f4c5dbfa6dd30981419398b729f1608ea962e10a9c5581ba56bce06499865c9d8782c31a4e9

Download Submit
C:\Windows\SysWOW64\Ckgohf32.exe

Filesize
304KB

MD5
e6526724732aa05282875beac99b0d92

SHA1
ab1b8179bf43c0fe0ac142146a7ca72cade14d3f

SHA256
0cbd351d9f2f4256497b872f3e765ddcbeeb2a3e8770355a3815d4cfdbc45253

SHA512
8806997d79fc6b87274035c709b2c96fc7705574b10f95fb2a86b4ffaf04ac0c29a70b1f8483472a2f98389f5745bc72a04420b716ee6de82523e72a379a0ee3

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
304KB

MD5
4795a82b3fe0d952be31f7e3c4f5be8a

SHA1
793cea301896734f8aaceeffc724f72cc7d318b2

SHA256
f3741e73857e27837b95ef28c8b9ccd90ea1acc6bb454e9c21b5cd763bec279a

SHA512
a9a207dd1045eae51de4019cd5e9100ff064aaa52f83c1a37e7da6d0c9be13e54e498a6e925dc1e237d3bc4e2d92fb56c512cbb9766e0535ac5b30dcca271e8e

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
304KB

MD5
104e372478972591fa18fdee1149369c

SHA1
fe0d6c1e1c1408631e2202c8fac5f4bfcd7ba2c8

SHA256
4db14681b0e5a11e430ef66206a7a6ea015a5535ca7d9dc732b0bff194842c8a

SHA512
2cfd0bc8d8217ce34d03b7100e78f0ceef58af05092ec84a36c8a9155ef5f7339562e6bcaad9c809953bac10780bb7de82657f01353bfb379a1fb293f383bc94

Download Submit
C:\Windows\SysWOW64\Hemdlj32.exe

Filesize
304KB

MD5
0a897e66a3eb771772fa6ee5f84d5c12

SHA1
a8c7b79caf26733a8e0543295b6bc211c6c64a44

SHA256
0dd7b9a005c52bc4fc966e7f5279597e000d2fffe24e5278ddd87eb150a9ac13

SHA512
c54b47f34fdb54fb986a08a757fb784ace6c0d21d3a8a969463795a94cca887518e5e7cc81a077afec0ed3cfcc08573a2f36c8d9efa0a93470aa0ec0e3bdcfe9

Download Submit
C:\Windows\SysWOW64\Hfaajnfb.exe

Filesize
304KB

MD5
379ebddfeffac644c74d21ac4ab19022

SHA1
fe2cb59a1af9ce4b7ba96354e62a0b1ff4cfa036

SHA256
99cdf333f6fbe6f45879f7e20ba766573a84270c1a99c4310f0cb133244c9d56

SHA512
848bc1006cee4b33aa644afa865a05e18c252b4cdd7399a277fbbb0443f5b3b8f2683ae1fe34813c66decfbba571f0c8fc296940bb3c7421ed896980172c816a

Download Submit
C:\Windows\SysWOW64\Ickglm32.exe

Filesize
304KB

MD5
8b9c2213b260ee4ef4cbff9dae87ba4f

SHA1
9380d4362f008cbe691e2b53a953633047a28256

SHA256
2da6d65c42a30a49a98600e9a62013f0c8705a30f7d0e82cf1c08633f8e76235

SHA512
802056cef86f02f0c5bb2acac71e59fc36a068a2915ae106c76583fc933cc43f284a52983d0371ae1c9d56d614758046acce1400a373b9b5744db31ee7449241

Download Submit
C:\Windows\SysWOW64\Jenmcggo.exe

Filesize
304KB

MD5
3b3880cb47874c0e89ce0c388a34d88f

SHA1
b3df558bca8131f771fcb9710b5287bd76d05c1f

SHA256
7bd216f9584aa58b461a5905228796b1240f67db92950753c8b551b7c02e115d

SHA512
2761873c95b31c443fae3330ad98aefc14ada22ec9843e0a9e13300ea7990a735b10092f13f341b6f54cce721f7d141f6664083815ee6896cb2f6178bb7c351b

Download Submit
C:\Windows\SysWOW64\Kjeiodek.exe

Filesize
304KB

MD5
cca6a0bd0b0f300ea7ce815ba79d5f89

SHA1
a752bfb4f4eebf239ac65a9990a9451d4a5e6225

SHA256
735a3ad7a3507dcb4850842cd23ce04b0fe2c709cd001d250869cddf8f22bbe3

SHA512
e49591b71267102e57fc83f2507816e536753c3045ca637e1bd294b602dd6f14f52de7fbba041a64f24dcb34e21c210a84d6c97e703e93f9bd95b300ba0d0f9f

Download Submit
C:\Windows\SysWOW64\Mmkdcm32.exe

Filesize
304KB

MD5
7a18e9e9587a3f6ece27e364db2d32f0

SHA1
dae6c65290f38fe50a9a681cae6fd17f8d62a4cb

SHA256
820f8a7b083c0eedf1029afd2720780b2c66fade1558c449ddca42243e3fc451

SHA512
6d5151b1ac982c495613e894f2c0f9412ad71b789a145e115e14ab861f4f09d6a4c1d7349e3a593544e107102b847b174391d5550d888fcfbb7c883afe64b006

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
304KB

MD5
0ba21d1c8c6becf537e2b5ceba370e11

SHA1
9e9058df12c9a181d469a4037be13ce133d188d6

SHA256
3d43f5ea4713bf4f48a87da82b3ebd9f2c945b68f914746f4e28350a963f3953

SHA512
fcd3222f939a2cd8f2267a8025042760510a4ce7537da11e3689fea76663365f2965b390f7ca59e7e7b8d9614ed28d173cb7914d51c8121ca265f4523deeccbe

Download Submit
C:\Windows\SysWOW64\Npgmpf32.exe

Filesize
304KB

MD5
e8960316a301cfbde460fa92d9b23988

SHA1
97c2c91894962a6efec29f489a5103ec1978ba3c

SHA256
75118e6fad0f940a0d9bee36e72f9bc1f822637db27b48eb301327de4c150e7c

SHA512
dc31df21063f798d20542cfab6c9273b0790b9583c10d564692891ac6706896b7ffa1382e5b186c7074d0a84ff6346655fb1ac8990fbd86e4ef705329eaf6ea6

Download Submit
C:\Windows\SysWOW64\Oakbehfe.exe

Filesize
304KB

MD5
65ba8d28a06b137104124ed60d9a3373

SHA1
f96fa125b819233cc0428c6b4f63caae2c0c2faa

SHA256
4241e7d9f321be240fb8bc94ce79aae8421bc3c57946f4d76a6ef1d501efc26b

SHA512
b29fa2243477bc84dc8a13a9af130e76f3ebec966e21fa2689a1169b8ec606715ef0aa274a0f71f0d6514aa608208a7a69261be356ec666c51b459de7ab2f279

Download Submit
C:\Windows\SysWOW64\Ofonqd32.dll

Filesize
7KB

MD5
f41b6a03271096715e4d11950c61c51a

SHA1
b7f5522dd56e54c23e9523bd4d042c8e158c57bd

SHA256
4d1f9c95a6960b686c8d7b458181aa0abf6bf49aa8af46a1bd0d0cf0fe264a90

SHA512
8512316cdfaed2ba2315beb31d519b06032fe671c7cc1454f96c92b1c3fcb0b5d624aa2e3d20bc82a180c61ae017d7f8d213c942d7eadb77b7e782b1cb2f443d

Download Submit
C:\Windows\SysWOW64\Ohhnbhok.exe

Filesize
304KB

MD5
9f655c67a15c695ca206b177e8770ec0

SHA1
4fd391084bce593befee520851541b8f177824cf

SHA256
274dab8e34502c9abb5e009352254462af40d36b4e844f49410e67294fea68ee

SHA512
5f496ae2ac15f909272ce52fe4ec9dfe6ede8e4db5743257449b18c332411ccb08ac77ca5e6f93fe15627ae9595663313556b6b68ed853429c16b1a8027dc8c2

Download Submit
C:\Windows\SysWOW64\Olicnfco.exe

Filesize
304KB

MD5
17af65c6656b7154886f7fdcf49c6248

SHA1
617322d32bc4466a1a1b904f28616f18d6764fba

SHA256
d0b04ae212ca13c47f4a0ea9202263060a495332bf32bbcaf84627f53914aa6a

SHA512
8d4252231aa48d03397fd3fdeacfd319f41367d52e9b708535e704bda94bcacbef36e082938974d33da4b2103c9c33e8e105a5a234da8b38e114b2ecc9162cb8

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
304KB

MD5
432d878f5ae2dfa558230d297944eddf

SHA1
8009663f471fe95fe26696d5faa6bae27b785154

SHA256
1ab633b3104d1cbb3d048170b282220f3f4c305987c6aaf2a5ba2782c48c98e4

SHA512
bf79db7d638f03f7cba454b4021e8c69a4c606a079c1b8c2a6268010f9a626f52b0a7ce8105ef7a8fd6cdd5924b84049496765fe304e46235deb4bbf467ef1f5

Download Submit
C:\Windows\SysWOW64\Omegjomb.exe

Filesize
304KB

MD5
e74117337f767cab864f28175d07a044

SHA1
c9c7db2496552e245c78419361acf11de31f54bd

SHA256
95134d88a507b2f7720c9768089ab2f570b72f9277655d4210ac54928df4eed5

SHA512
a365c12904d28e2df691e37d1cde2f567ac7320af9ea9b6b3fb9b9e7c1f21f4d586959777cc7b359f960a20860549e92e81abb1d5cc8ecbb62cc2e130fde545d

Download Submit
C:\Windows\SysWOW64\Oogpjbbb.exe

Filesize
304KB

MD5
26b9529f739680e30f738919ae687b90

SHA1
e90e7fffebff46e92926664b0d4a389336d19f6e

SHA256
fb54282df284da1c7d0417adeae55e9b180a036fa727f17a51c71ce0f9d46c03

SHA512
420786e26458e46587a9dcb3bc2b5ea40e0cbb9a1e34858deba9a321dde55226149f3c52fa5b5d20e8b25f6f3f5a628d849d89a4c5506e27c610839300dfe4ce

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
304KB

MD5
fbbc36941aec6501404c9eb2f42e939c

SHA1
be48e24590d8b8a90240843eb24abf40f456dd8b

SHA256
2686352469d602b192889633d8449d1aaf1bf7cce62b5cba493d6d9d1b94c1aa

SHA512
808e17e4db982e3126908f99f640ee3a711815d4958082b83b6687c855f7cfc851de264124f222765d58eab28789ea771ac574897f2032e83c9f2aa0908f8a7a

Download Submit
C:\Windows\SysWOW64\Peahgl32.exe

Filesize
304KB

MD5
2810a778d555e99b78dbe445634b3d4f

SHA1
e2dfb24b8f47dfe1fc3bc0db4a94522343fe7974

SHA256
cd14e01112b40baa280cbea756424c4df82c213e541ab76cf93c6ac37fbbe82b

SHA512
0648dfedcfba97dac484484ba4805f7d284463c68bd109166f94426492305e80b34ac832207b5ed98eb0b60e80e4b30b54ace4145b21ab9ecb22247aaf6f1a1a

Download Submit
C:\Windows\SysWOW64\Pejkmk32.exe

Filesize
304KB

MD5
e152e9f121a97e18d98655e174578b08

SHA1
ae3e727253a7c6fbd1863d1d51d591622db8b952

SHA256
e9e7d439292cac3223d41d15456a0362e7bdbbd1c6285e8619bf251c0c819d63

SHA512
57f3ec77fdfbbd3cad78d1b58440db6a95b29f187ac0467cca199af29cd343e4d482442d825a7c7a0a6c9366342077de8932b1be0ba027369ae88c47624f024c

Download Submit
C:\Windows\SysWOW64\Pfdjinjo.exe

Filesize
304KB

MD5
6b98ab6756f641e6f2dcba55b705f79b

SHA1
567ca07d44fa606b8fac53cc96183f8ff9725cf5

SHA256
c092fb8cdb436da4e9beb8ae751feffc19f0e4c2afdcca84b9aa2ecfdbf4c0c3

SHA512
c79e7f1acb336accba1196e94c4302e305f77c2ecb2ed769746e54473c1d63cdae89ce38dee64f46bf33d360509564e50d0011fe0a7479e599c52bd3b9d6aa66

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
304KB

MD5
06b4e3d22a16259284415a1d59decd32

SHA1
5180465a5de87cffabd303f60fabe5ec70887f8a

SHA256
f58b165dff33a3597a94cf68cea9a819538e729cc5dae85f750c3664764a81a7

SHA512
cdf73f233ab24caee2b2461d9f46a38e6ed6244a9aa39c44ede396f320fd56df37bc3bc98f5a5cffb37b96a359abfbcf4ec464d870e39c51ca862bdf143acc9d

Download Submit
C:\Windows\SysWOW64\Pkpmdbfd.exe

Filesize
304KB

MD5
32d6195c6858485bd40b4e6aa64987fe

SHA1
a5a49d93ffcc26258293715198be1b978c9ebf52

SHA256
117bbf4835a71bdd3dc79e712941f5395fe646fe5f4d774e556541493b5dd908

SHA512
26738b5ce160f12634a2bd1269c325dafc4af364f9bef8184de97e01a50c8cc45b800480df0d25ac84d4a822dc3b595bc4790ea3abe5347bfbdc315c5fecee05

Download Submit
C:\Windows\SysWOW64\Ponfka32.exe

Filesize
304KB

MD5
88a26523b16851243354de66091de28e

SHA1
4d8714df9afb156e992e8064fad08a511f7fe2f0

SHA256
af22c875d06023643329355cbd7191e9f1a6975a087cc06c5c3c9cb0f555931e

SHA512
fdc558b536a2eb58f150391b73a4b5b14a130d21b3262f246229efac0b7c762613890d596959bfa70b30e1bcf06c4bc23b8b1855fbf599191d5818515f0383c0

Download Submit
C:\Windows\SysWOW64\Popbpqjh.exe

Filesize
304KB

MD5
bd8c2c0d5adb09a442415a1eac3b9b82

SHA1
89c784fb09e4bcca974d6b151cb22df9ec830a64

SHA256
dbb3aff235a67d3bf607238e9013502a1872e9b6831779f32f8b926b1704a266

SHA512
705d3cabe432070726e5a146c93981c376ae6f6b880cd344c703fc05df279f5059c8fad86e0477c134e5726cef1e14950c4607d6672b95c498f2db3fb3898c41

Download Submit
C:\Windows\SysWOW64\Qklmpalf.exe

Filesize
304KB

MD5
941b8e6828038dd454c74829ab83b05c

SHA1
48c2bca0e9b8a49102814e77998270ed8d32bfb9

SHA256
5172b8a3138e84e6b1e80a2dcd682a7ca41db03de95205e3bd7acb18c2cb01ee

SHA512
2f3dcac2b37200e790f8b46903bab346af4009f25510e633daf4526f9d7366f60461c3ffeeab66b3842d1bd5a584a1bb4fd4b635d211cba47f6e570116748dcf

Download Submit
C:\Windows\SysWOW64\Qmeigg32.exe

Filesize
304KB

MD5
fcb6a59b22f1a9676cc944dcdf025c49

SHA1
3a7bfc583b656a9b0a2bc4dbf8734d53b98ccff3

SHA256
d3d2187a2de231f7f494fd4f453dbd81c643cbd9c959bf65e50bebfb674c62b8

SHA512
5eae8e1bbf97db864308cbf7ebd5435c2c7ee52c4339c5a9118bc328528a74c717da434ebe4467b3c966073c6d87dfd102f325e9c3baf4d42ce01fba0857471f

Download Submit
C:\Windows\SysWOW64\Qoelkp32.exe

Filesize
304KB

MD5
0b2531078238c72baaea56b4aa2ede8a

SHA1
e4ca73027bb0e5f7be650b06becf4cc3d72a52c9

SHA256
768f816c1b330a795afdda4ea530b6331bcb8663db02822663c462d8306adf2b

SHA512
1b803189b51bcb853f62449ca8a447a48c8b5c4064914bec071f9c9a8722ffcce75a4193ae2ceeda267cc3cd794d5044efc6e1b2c91e59bf3dd42821b0e5bce9

Download Submit
memory/416-402-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/596-405-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/620-390-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/652-602-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/880-410-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1020-374-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1084-400-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1112-510-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1200-392-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1476-398-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1500-135-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1688-125-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1812-422-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1828-401-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1976-71-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2040-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2064-149-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2080-399-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2160-101-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2296-365-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2616-514-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2696-368-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2720-355-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2776-395-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2936-352-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3016-117-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3044-133-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3056-397-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3084-389-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3216-8-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3352-414-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3400-385-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3500-104-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3512-354-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3636-394-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3648-376-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3700-353-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3940-47-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3976-68-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4140-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4232-393-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4276-509-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4300-407-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4364-574-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4368-404-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4388-359-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4492-396-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4508-375-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4512-80-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4600-358-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4612-573-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4632-409-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4660-40-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4704-403-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4800-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4804-357-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4864-93-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4948-377-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4952-36-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4956-408-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4984-367-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4992-383-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5024-366-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5028-28-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5056-416-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5092-406-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5152-516-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5168-580-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5184-517-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5224-518-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5240-586-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5256-520-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5296-521-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5312-592-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5332-522-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5364-523-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5400-524-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5436-525-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5444-609-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5472-526-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5504-610-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5512-527-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5544-528-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5552-620-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5580-529-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5588-622-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5620-530-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5640-628-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5656-531-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5692-634-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5704-532-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5896-543-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5928-547-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/6004-555-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/6056-561-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/6116-562-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads