dce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490

Analysis

max time kernel
173s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490.exe
Size

50KB
MD5

21eeb86f9d923532cc1a0c7f891ffc90
SHA1

e65f778a576b9cc22fcf244941d67906d26fb0c1
SHA256

dce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490
SHA512

21eb0ce416fda5e310b5389ab4fcb58e4fb6bad3e762f584441c5041def371d26d9717f2c08d3383292e43bebc759709ba59288ad0a4d670a6b603ba78df687e
SSDEEP

768:ZBD2nRHSffE0sx0ZFwbIIBmbyARsW1zR0SKPDFthyyfgC2/1H5:OnQHE0cbrcRsWiFthyYgCs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Kqhebi32.exeLnlaka32.exeLhkdilag.exeCmbimdfg.exeHfodgpaf.exeKlgeil32.exeHeqkbj32.exeMoopoenp.exeHlkcodoo.exeLlgpjkiq.exeObmdfg32.exeOemmhb32.exeOpenkjoh.exePinbcp32.exeHedahm32.exeMjjhqaln.exeKifghp32.exeNdbnhkfp.exeJodhadia.exeIilcal32.exeKgbmocbi.exeMaadhk32.exeKfhkld32.exeLnocbbig.exeMqejon32.exeMqggdmaf.exeNpmpdmii.exeNkgieiff.exeBlejdqbi.exeNpioml32.exeLfbfha32.exeKcindd32.exeNgqfpijh.exeOfmibe32.exePcgcdnbh.exeHhgbnfbd.exeKiglha32.exePamqcaoo.exeMicomm32.exeLoelffhd.exeOjaobdgi.exeOnfaqghf.exeClggiq32.exeIjhpab32.exeMiehnomn.exeNjmkff32.exeLeapmlhc.exePjhaagcm.exeKpemdf32.exeFbkmfm32.exeJecdfmhk.exeJgbapp32.exeNpijmk32.exeMogeji32.exeNbjkaddk.exeJgnide32.exeKllnig32.exeQjhbdg32.exeOfhpgemm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqhebi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnlaka32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhkdilag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbimdfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfodgpaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgeil32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heqkbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moopoenp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlkcodoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgpjkiq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obmdfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oemmhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Openkjoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pinbcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hedahm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjhqaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kifghp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnhkfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jodhadia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iilcal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbmocbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maadhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfhkld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnocbbig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqejon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqggdmaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmpdmii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkgieiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blejdqbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npioml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbimdfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbfha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcindd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngqfpijh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmibe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcgcdnbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhgbnfbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hedahm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiglha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pamqcaoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Micomm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loelffhd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaobdgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onfaqghf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clggiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhpab32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miehnomn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmkff32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leapmlhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkgieiff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhaagcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpemdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbkmfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jecdfmhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgbapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnlaka32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npijmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mogeji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbjkaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgnide32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kllnig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjhbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofhpgemm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgeil32.exe

Executes dropped EXE 64 IoCs

Processes:

Hhgbnfbd.exeJgnide32.exeJebimi32.exeJedfci32.exeJffbjajj.exeKgeoddal.exeKmddbk32.exeKfmhkpda.exeKpemdf32.exeKllnig32.exeKedbblgg.exeLhekcgdh.exeMoopoenp.exeMiddlnnf.exeMlbphimj.exeMekdaocj.exeMkhmjeab.exeMhlmcjqk.exeNnifkqoc.exeNdbnhkfp.exeNkmfee32.exeNpioml32.exeNgcgjfcq.exePpjgij32.exePbkqkefk.exeQpoadied.exeQjhbdg32.exeCcaoikej.exeOpfjebdj.exeOklnbkdp.exeEnoabm32.exeFjmhhmcc.exeFcemqc32.exeFjpemmaq.exeFolmedph.exeFgcegapj.exeFhdanifh.exeFlbjdh32.exeGbapbnid.exeGoeplbgm.exeGklqqc32.exeGnmjbojb.exeGfhngagn.exeHghkadoq.exeHmecikmh.exeHfodgpaf.exeIjfclcqp.exeIjhpab32.exeIbhnadhb.exeJbkkfd32.exeJodhadia.exeJdcnok32.exeKkaogd32.exeKpnhok32.exeKghple32.exeKiglha32.exeKlgeil32.exeLfbfha32.exeMgmefhmh.exeMqejon32.exeMqggdmaf.exeMomdej32.exeMiehnomn.exeNijaio32.exe

pid	process
1988	Hhgbnfbd.exe
560	Jgnide32.exe
268	Jebimi32.exe
824	Jedfci32.exe
1880	Jffbjajj.exe
872	Kgeoddal.exe
1824	Kmddbk32.exe
1280	Kfmhkpda.exe
1436	Kpemdf32.exe
1544	Kllnig32.exe
288	Kedbblgg.exe
1984	Lhekcgdh.exe
1564	Moopoenp.exe
1960	Middlnnf.exe
1776	Mlbphimj.exe
1832	Mekdaocj.exe
972	Mkhmjeab.exe
1936	Mhlmcjqk.exe
1932	Nnifkqoc.exe
1624	Ndbnhkfp.exe
1352	Nkmfee32.exe
324	Npioml32.exe
544	Ngcgjfcq.exe
1640	Ppjgij32.exe
928	Pbkqkefk.exe
568	Qpoadied.exe
1560	Qjhbdg32.exe
908	Ccaoikej.exe
1036	Opfjebdj.exe
1728	Oklnbkdp.exe
1100	Enoabm32.exe
832	Fjmhhmcc.exe
1664	Fcemqc32.exe
1540	Fjpemmaq.exe
860	Folmedph.exe
992	Fgcegapj.exe
1500	Fhdanifh.exe
1704	Flbjdh32.exe
764	Gbapbnid.exe
1452	Goeplbgm.exe
1488	Gklqqc32.exe
1948	Gnmjbojb.exe
892	Gfhngagn.exe
2000	Hghkadoq.exe
1340	Hmecikmh.exe
1976	Hfodgpaf.exe
1676	Ijfclcqp.exe
572	Ijhpab32.exe
380	Ibhnadhb.exe
1516	Jbkkfd32.exe
1576	Jodhadia.exe
1492	Jdcnok32.exe
268	Kkaogd32.exe
1168	Kpnhok32.exe
872	Kghple32.exe
552	Kiglha32.exe
1436	Klgeil32.exe
900	Lfbfha32.exe
1444	Mgmefhmh.exe
288	Mqejon32.exe
1832	Mqggdmaf.exe
1700	Momdej32.exe
1740	Miehnomn.exe
624	Nijaio32.exe

Loads dropped DLL 64 IoCs

Processes:

dce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490.exeHhgbnfbd.exeJgnide32.exeJebimi32.exeJedfci32.exeJffbjajj.exeKgeoddal.exeKmddbk32.exeKfmhkpda.exeKpemdf32.exeKllnig32.exeKedbblgg.exeLhekcgdh.exeMoopoenp.exeMiddlnnf.exeMlbphimj.exeMekdaocj.exeMkhmjeab.exeMhlmcjqk.exeNnifkqoc.exeNdbnhkfp.exeNkmfee32.exeNpioml32.exeNgcgjfcq.exePpjgij32.exePbkqkefk.exeQpoadied.exeQjhbdg32.exeCcaoikej.exeOpfjebdj.exeOklnbkdp.exeEnoabm32.exe

pid	process
2028	dce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490.exe
2028	dce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490.exe
1988	Hhgbnfbd.exe
1988	Hhgbnfbd.exe
560	Jgnide32.exe
560	Jgnide32.exe
268	Jebimi32.exe
268	Jebimi32.exe
824	Jedfci32.exe
824	Jedfci32.exe
1880	Jffbjajj.exe
1880	Jffbjajj.exe
872	Kgeoddal.exe
872	Kgeoddal.exe
1824	Kmddbk32.exe
1824	Kmddbk32.exe
1280	Kfmhkpda.exe
1280	Kfmhkpda.exe
1436	Kpemdf32.exe
1436	Kpemdf32.exe
1544	Kllnig32.exe
1544	Kllnig32.exe
288	Kedbblgg.exe
288	Kedbblgg.exe
1984	Lhekcgdh.exe
1984	Lhekcgdh.exe
1564	Moopoenp.exe
1564	Moopoenp.exe
1960	Middlnnf.exe
1960	Middlnnf.exe
1776	Mlbphimj.exe
1776	Mlbphimj.exe
1832	Mekdaocj.exe
1832	Mekdaocj.exe
972	Mkhmjeab.exe
972	Mkhmjeab.exe
1936	Mhlmcjqk.exe
1936	Mhlmcjqk.exe
1932	Nnifkqoc.exe
1932	Nnifkqoc.exe
1624	Ndbnhkfp.exe
1624	Ndbnhkfp.exe
1352	Nkmfee32.exe
1352	Nkmfee32.exe
324	Npioml32.exe
324	Npioml32.exe
544	Ngcgjfcq.exe
544	Ngcgjfcq.exe
1640	Ppjgij32.exe
1640	Ppjgij32.exe
928	Pbkqkefk.exe
928	Pbkqkefk.exe
568	Qpoadied.exe
568	Qpoadied.exe
1560	Qjhbdg32.exe
1560	Qjhbdg32.exe
908	Ccaoikej.exe
908	Ccaoikej.exe
1036	Opfjebdj.exe
1036	Opfjebdj.exe
1728	Oklnbkdp.exe
1728	Oklnbkdp.exe
1100	Enoabm32.exe
1100	Enoabm32.exe

Drops file in System32 directory 64 IoCs

Processes:

Kedbblgg.exeMomdej32.exeIdokiedo.exeCmbimdfg.exeMkhmjeab.exeGklqqc32.exeMdikol32.exeAooqfi32.exeNpioml32.exeGnbmknbo.exeHfgeeo32.exeLeapmlhc.exeNgqfpijh.exeIbhnadhb.exeKghple32.exeMmjabl32.exeLlgpjkiq.exeLogikffa.exePbkqkefk.exeKlgeil32.exeKgbmocbi.exeLhpndk32.exePakdnbaa.exeJbkkfd32.exeGmnqmi32.exePinbcp32.exeMhlmcjqk.exeGoeplbgm.exeIkpqpadg.exeBcjielmk.exeLhekcgdh.exeNagccqda.exeHigngj32.exeAibhnb32.exeBlejdqbi.exeHhgbnfbd.exeKfmhkpda.exeJodhadia.exeIkbmeqbd.exeIaobgjgn.exeLpppejcl.exeMfqiebaa.exeOcceedod.exeLhbjjkkp.exeFcemqc32.exeJgbapp32.exeLgejeh32.exeLpmonmhj.exeNgnjkj32.exeOnfaqghf.exePbfglelj.exeApjcem32.exeChqddach.exeJgnide32.exeJdcnok32.exeIkggpp32.exeLfjhad32.exeKgeoddal.exeFlbjdh32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Lhekcgdh.exe	Kedbblgg.exe
File created	C:\Windows\SysWOW64\Miehnomn.exe	Momdej32.exe
File created	C:\Windows\SysWOW64\Iilcal32.exe	Idokiedo.exe
File opened for modification	C:\Windows\SysWOW64\Cfknfj32.exe	Cmbimdfg.exe
File created	C:\Windows\SysWOW64\Apoogk32.dll	Mkhmjeab.exe
File opened for modification	C:\Windows\SysWOW64\Gnmjbojb.exe	Gklqqc32.exe
File opened for modification	C:\Windows\SysWOW64\Mglqfglb.exe	Mdikol32.exe
File created	C:\Windows\SysWOW64\Kldqianb.dll	Aooqfi32.exe
File created	C:\Windows\SysWOW64\Ngcgjfcq.exe	Npioml32.exe
File opened for modification	C:\Windows\SysWOW64\Gjinpohc.exe	Gnbmknbo.exe
File created	C:\Windows\SysWOW64\Higngj32.exe	Hfgeeo32.exe
File opened for modification	C:\Windows\SysWOW64\Lbeafpfm.exe	Leapmlhc.exe
File created	C:\Windows\SysWOW64\Ojobleil.exe	Ngqfpijh.exe
File opened for modification	C:\Windows\SysWOW64\Jbkkfd32.exe	Ibhnadhb.exe
File created	C:\Windows\SysWOW64\Ljpfbqci.dll	Ibhnadhb.exe
File created	C:\Windows\SysWOW64\Hkaalc32.dll	Kghple32.exe
File created	C:\Windows\SysWOW64\Mcdjofpk.exe	Mmjabl32.exe
File opened for modification	C:\Windows\SysWOW64\Loelffhd.exe	Llgpjkiq.exe
File opened for modification	C:\Windows\SysWOW64\Lhpndk32.exe	Logikffa.exe
File opened for modification	C:\Windows\SysWOW64\Qpoadied.exe	Pbkqkefk.exe
File opened for modification	C:\Windows\SysWOW64\Lfbfha32.exe	Klgeil32.exe
File created	C:\Windows\SysWOW64\Knleln32.exe	Kgbmocbi.exe
File created	C:\Windows\SysWOW64\Anegiqeg.dll	Lhpndk32.exe
File opened for modification	C:\Windows\SysWOW64\Pegpnq32.exe	Pakdnbaa.exe
File opened for modification	C:\Windows\SysWOW64\Jodhadia.exe	Jbkkfd32.exe
File created	C:\Windows\SysWOW64\Chfjpdkc.dll	Gmnqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pbfglelj.exe	Pinbcp32.exe
File created	C:\Windows\SysWOW64\Nnifkqoc.exe	Mhlmcjqk.exe
File opened for modification	C:\Windows\SysWOW64\Gklqqc32.exe	Goeplbgm.exe
File created	C:\Windows\SysWOW64\Ikbmeqbd.exe	Ikpqpadg.exe
File created	C:\Windows\SysWOW64\Bgfefj32.exe	Bcjielmk.exe
File created	C:\Windows\SysWOW64\Qalqqqnm.dll	Llgpjkiq.exe
File opened for modification	C:\Windows\SysWOW64\Moopoenp.exe	Lhekcgdh.exe
File opened for modification	C:\Windows\SysWOW64\Npmpdmii.exe	Nagccqda.exe
File created	C:\Windows\SysWOW64\Hlfjce32.exe	Higngj32.exe
File created	C:\Windows\SysWOW64\Aooqfi32.exe	Aibhnb32.exe
File created	C:\Windows\SysWOW64\Bdpohcod.exe	Blejdqbi.exe
File created	C:\Windows\SysWOW64\Jgnide32.exe	Hhgbnfbd.exe
File created	C:\Windows\SysWOW64\Igglgh32.dll	Kfmhkpda.exe
File created	C:\Windows\SysWOW64\Jdcnok32.exe	Jodhadia.exe
File created	C:\Windows\SysWOW64\Dnlchm32.dll	Ikbmeqbd.exe
File opened for modification	C:\Windows\SysWOW64\Ikggpp32.exe	Iaobgjgn.exe
File created	C:\Windows\SysWOW64\Dnnbbi32.dll	Lpppejcl.exe
File created	C:\Windows\SysWOW64\Hgnacbbp.dll	Mfqiebaa.exe
File created	C:\Windows\SysWOW64\Jadpdk32.exe	Occeedod.exe
File created	C:\Windows\SysWOW64\Lgejeh32.exe	Lhbjjkkp.exe
File opened for modification	C:\Windows\SysWOW64\Fjpemmaq.exe	Fcemqc32.exe
File opened for modification	C:\Windows\SysWOW64\Joneebmi.exe	Jgbapp32.exe
File created	C:\Windows\SysWOW64\Lbeafpfm.exe	Leapmlhc.exe
File opened for modification	C:\Windows\SysWOW64\Lolbfe32.exe	Lgejeh32.exe
File created	C:\Windows\SysWOW64\Hhdekb32.dll	Lpmonmhj.exe
File created	C:\Windows\SysWOW64\Njmfge32.exe	Ngnjkj32.exe
File opened for modification	C:\Windows\SysWOW64\Ofmibe32.exe	Onfaqghf.exe
File created	C:\Windows\SysWOW64\Gnigil32.dll	Pbfglelj.exe
File created	C:\Windows\SysWOW64\Aibhnb32.exe	Apjcem32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmmlh32.exe	Chqddach.exe
File created	C:\Windows\SysWOW64\Jebimi32.exe	Jgnide32.exe
File created	C:\Windows\SysWOW64\Gnmjbojb.exe	Gklqqc32.exe
File opened for modification	C:\Windows\SysWOW64\Kkaogd32.exe	Jdcnok32.exe
File created	C:\Windows\SysWOW64\Hgcbefhg.dll	Klgeil32.exe
File created	C:\Windows\SysWOW64\Bhongjcn.dll	Ikggpp32.exe
File opened for modification	C:\Windows\SysWOW64\Lhkdilag.exe	Lfjhad32.exe
File created	C:\Windows\SysWOW64\Kmddbk32.exe	Kgeoddal.exe
File created	C:\Windows\SysWOW64\Ijpopp32.dll	Flbjdh32.exe

Modifies registry class 64 IoCs

Processes:

Hijkmibn.exeKgeoddal.exeKfmhkpda.exeKpemdf32.exeGbapbnid.exeJibifgfc.exeJhhgch32.exeJgmcdd32.exeLmflhi32.exeKmddbk32.exeHedahm32.exeOjdagefm.exeOfnnafjn.exeOcceedod.exeOepjmapb.exeMmjabl32.exeNkgieiff.exePbfglelj.exeQjhbdg32.exeHmecikmh.exeKiglha32.exeMqejon32.exeLiafhjlg.exeMjlefq32.exeJadpdk32.exePinbcp32.exeNnifkqoc.exeQpoadied.exeHfodgpaf.exeJdcnok32.exeLbnlaebp.exeLlgpjkiq.exeLhbjjkkp.exePcgcdnbh.exedce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490.exeMiddlnnf.exeHlfjce32.exeAibhnb32.exeAdlinq32.exeCaflgg32.exeNgqfpijh.exeMkhmjeab.exeIjhpab32.exeMcmcng32.exeLnocbbig.exeEnoabm32.exeMomdej32.exePamqcaoo.exeKifghp32.exeQimobchd.exeMekdaocj.exeIaobgjgn.exeIilcal32.exeChngnaek.exeJgbapp32.exeNbjkaddk.exeMaadhk32.exeLhkdilag.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkdefi32.dll"	Hijkmibn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgeoddal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igglgh32.dll"	Kfmhkpda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpemdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpallm32.dll"	Gbapbnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibifgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbglqboc.dll"	Jhhgch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgmcdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmflhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmddbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hedahm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbannep.dll"	Ojdagefm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnnafjn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Occeedod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oepjmapb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dijoke32.dll"	Mmjabl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkgieiff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbfglelj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjhbdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmecikmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiglha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqejon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbacei32.dll"	Liafhjlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcnlkkl.dll"	Mjlefq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jadpdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Albegldd.dll"	Pinbcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnifkqoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpoadied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobpkcda.dll"	Hfodgpaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkbnccq.dll"	Jdcnok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbnlaebp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llgpjkiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhbjjkkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcgcdnbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Middlnnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmkoppm.dll"	Hlfjce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekjqbmj.dll"	Jadpdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcgcdnbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aibhnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adlinq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caflgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poijkj32.dll"	Ngqfpijh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkhmjeab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlicpd32.dll"	Ijhpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqieappe.dll"	Mcmcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnocbbig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpoadied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enoabm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Momdej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pamqcaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbfcjoi.dll"	Kifghp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qimobchd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mekdaocj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaobgjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdihka32.dll"	Iilcal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjlefq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chngnaek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgbapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Occeedod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llgpjkiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbjkaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhgqiba.dll"	Maadhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhkdilag.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2028 wrote to memory of 1988	2028	dce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490.exe	Hhgbnfbd.exe
PID 2028 wrote to memory of 1988	2028	dce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490.exe	Hhgbnfbd.exe
PID 2028 wrote to memory of 1988	2028	dce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490.exe	Hhgbnfbd.exe
PID 2028 wrote to memory of 1988	2028	dce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490.exe	Hhgbnfbd.exe
PID 1988 wrote to memory of 560	1988	Hhgbnfbd.exe	Jgnide32.exe
PID 1988 wrote to memory of 560	1988	Hhgbnfbd.exe	Jgnide32.exe
PID 1988 wrote to memory of 560	1988	Hhgbnfbd.exe	Jgnide32.exe
PID 1988 wrote to memory of 560	1988	Hhgbnfbd.exe	Jgnide32.exe
PID 560 wrote to memory of 268	560	Jgnide32.exe	Jebimi32.exe
PID 560 wrote to memory of 268	560	Jgnide32.exe	Jebimi32.exe
PID 560 wrote to memory of 268	560	Jgnide32.exe	Jebimi32.exe
PID 560 wrote to memory of 268	560	Jgnide32.exe	Jebimi32.exe
PID 268 wrote to memory of 824	268	Jebimi32.exe	Jedfci32.exe
PID 268 wrote to memory of 824	268	Jebimi32.exe	Jedfci32.exe
PID 268 wrote to memory of 824	268	Jebimi32.exe	Jedfci32.exe
PID 268 wrote to memory of 824	268	Jebimi32.exe	Jedfci32.exe
PID 824 wrote to memory of 1880	824	Jedfci32.exe	Jffbjajj.exe
PID 824 wrote to memory of 1880	824	Jedfci32.exe	Jffbjajj.exe
PID 824 wrote to memory of 1880	824	Jedfci32.exe	Jffbjajj.exe
PID 824 wrote to memory of 1880	824	Jedfci32.exe	Jffbjajj.exe
PID 1880 wrote to memory of 872	1880	Jffbjajj.exe	Kgeoddal.exe
PID 1880 wrote to memory of 872	1880	Jffbjajj.exe	Kgeoddal.exe
PID 1880 wrote to memory of 872	1880	Jffbjajj.exe	Kgeoddal.exe
PID 1880 wrote to memory of 872	1880	Jffbjajj.exe	Kgeoddal.exe
PID 872 wrote to memory of 1824	872	Kgeoddal.exe	Kmddbk32.exe
PID 872 wrote to memory of 1824	872	Kgeoddal.exe	Kmddbk32.exe
PID 872 wrote to memory of 1824	872	Kgeoddal.exe	Kmddbk32.exe
PID 872 wrote to memory of 1824	872	Kgeoddal.exe	Kmddbk32.exe
PID 1824 wrote to memory of 1280	1824	Kmddbk32.exe	Kfmhkpda.exe
PID 1824 wrote to memory of 1280	1824	Kmddbk32.exe	Kfmhkpda.exe
PID 1824 wrote to memory of 1280	1824	Kmddbk32.exe	Kfmhkpda.exe
PID 1824 wrote to memory of 1280	1824	Kmddbk32.exe	Kfmhkpda.exe
PID 1280 wrote to memory of 1436	1280	Kfmhkpda.exe	Kpemdf32.exe
PID 1280 wrote to memory of 1436	1280	Kfmhkpda.exe	Kpemdf32.exe
PID 1280 wrote to memory of 1436	1280	Kfmhkpda.exe	Kpemdf32.exe
PID 1280 wrote to memory of 1436	1280	Kfmhkpda.exe	Kpemdf32.exe
PID 1436 wrote to memory of 1544	1436	Kpemdf32.exe	Kllnig32.exe
PID 1436 wrote to memory of 1544	1436	Kpemdf32.exe	Kllnig32.exe
PID 1436 wrote to memory of 1544	1436	Kpemdf32.exe	Kllnig32.exe
PID 1436 wrote to memory of 1544	1436	Kpemdf32.exe	Kllnig32.exe
PID 1544 wrote to memory of 288	1544	Kllnig32.exe	Kedbblgg.exe
PID 1544 wrote to memory of 288	1544	Kllnig32.exe	Kedbblgg.exe
PID 1544 wrote to memory of 288	1544	Kllnig32.exe	Kedbblgg.exe
PID 1544 wrote to memory of 288	1544	Kllnig32.exe	Kedbblgg.exe
PID 288 wrote to memory of 1984	288	Kedbblgg.exe	Lhekcgdh.exe
PID 288 wrote to memory of 1984	288	Kedbblgg.exe	Lhekcgdh.exe
PID 288 wrote to memory of 1984	288	Kedbblgg.exe	Lhekcgdh.exe
PID 288 wrote to memory of 1984	288	Kedbblgg.exe	Lhekcgdh.exe
PID 1984 wrote to memory of 1564	1984	Lhekcgdh.exe	Moopoenp.exe
PID 1984 wrote to memory of 1564	1984	Lhekcgdh.exe	Moopoenp.exe
PID 1984 wrote to memory of 1564	1984	Lhekcgdh.exe	Moopoenp.exe
PID 1984 wrote to memory of 1564	1984	Lhekcgdh.exe	Moopoenp.exe
PID 1564 wrote to memory of 1960	1564	Moopoenp.exe	Middlnnf.exe
PID 1564 wrote to memory of 1960	1564	Moopoenp.exe	Middlnnf.exe
PID 1564 wrote to memory of 1960	1564	Moopoenp.exe	Middlnnf.exe
PID 1564 wrote to memory of 1960	1564	Moopoenp.exe	Middlnnf.exe
PID 1960 wrote to memory of 1776	1960	Middlnnf.exe	Mlbphimj.exe
PID 1960 wrote to memory of 1776	1960	Middlnnf.exe	Mlbphimj.exe
PID 1960 wrote to memory of 1776	1960	Middlnnf.exe	Mlbphimj.exe
PID 1960 wrote to memory of 1776	1960	Middlnnf.exe	Mlbphimj.exe
PID 1776 wrote to memory of 1832	1776	Mlbphimj.exe	Mekdaocj.exe
PID 1776 wrote to memory of 1832	1776	Mlbphimj.exe	Mekdaocj.exe
PID 1776 wrote to memory of 1832	1776	Mlbphimj.exe	Mekdaocj.exe
PID 1776 wrote to memory of 1832	1776	Mlbphimj.exe	Mekdaocj.exe

C:\Users\Admin\AppData\Local\Temp\dce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490.exe
"C:\Users\Admin\AppData\Local\Temp\dce987a0d6a9d733e42b438cb10de233474ccef00734abceaa463673e9f0a490.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\Hhgbnfbd.exe
  C:\Windows\system32\Hhgbnfbd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\Jgnide32.exe
    C:\Windows\system32\Jgnide32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\SysWOW64\Jebimi32.exe
      C:\Windows\system32\Jebimi32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:268
    - - C:\Windows\SysWOW64\Jedfci32.exe
        
        C:\Windows\system32\Jedfci32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:824
      - C:\Windows\SysWOW64\Jffbjajj.exe
        
        C:\Windows\system32\Jffbjajj.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Kgeoddal.exe
        
        C:\Windows\system32\Kgeoddal.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Kmddbk32.exe
        
        C:\Windows\system32\Kmddbk32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Kfmhkpda.exe
        
        C:\Windows\system32\Kfmhkpda.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Kpemdf32.exe
        
        C:\Windows\system32\Kpemdf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Kllnig32.exe
        
        C:\Windows\system32\Kllnig32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1544

C:\Windows\SysWOW64\Kedbblgg.exe
C:\Windows\system32\Kedbblgg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\SysWOW64\Lhekcgdh.exe
  C:\Windows\system32\Lhekcgdh.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\Moopoenp.exe
    C:\Windows\system32\Moopoenp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\Middlnnf.exe
      C:\Windows\system32\Middlnnf.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\SysWOW64\Mlbphimj.exe
        
        C:\Windows\system32\Mlbphimj.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Windows\SysWOW64\Mekdaocj.exe
        
        C:\Windows\system32\Mekdaocj.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Mkhmjeab.exe
        
        C:\Windows\system32\Mkhmjeab.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Mhlmcjqk.exe
        
        C:\Windows\system32\Mhlmcjqk.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Nnifkqoc.exe
        
        C:\Windows\system32\Nnifkqoc.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Ndbnhkfp.exe
        
        C:\Windows\system32\Ndbnhkfp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1624
        
        C:\Windows\SysWOW64\Nkmfee32.exe
        
        C:\Windows\system32\Nkmfee32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1352
        
        C:\Windows\SysWOW64\Npioml32.exe
        
        C:\Windows\system32\Npioml32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:324
        
        C:\Windows\SysWOW64\Ngcgjfcq.exe
        
        C:\Windows\system32\Ngcgjfcq.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:544
        
        C:\Windows\SysWOW64\Ppjgij32.exe
        
        C:\Windows\system32\Ppjgij32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1640
        
        C:\Windows\SysWOW64\Pbkqkefk.exe
        
        C:\Windows\system32\Pbkqkefk.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Qpoadied.exe
        
        C:\Windows\system32\Qpoadied.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Qjhbdg32.exe
        
        C:\Windows\system32\Qjhbdg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Ccaoikej.exe
        
        C:\Windows\system32\Ccaoikej.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:908
        
        C:\Windows\SysWOW64\Opfjebdj.exe
        
        C:\Windows\system32\Opfjebdj.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1036
        
        C:\Windows\SysWOW64\Oklnbkdp.exe
        
        C:\Windows\system32\Oklnbkdp.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1728
        
        C:\Windows\SysWOW64\Enoabm32.exe
        
        C:\Windows\system32\Enoabm32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Fjmhhmcc.exe
        
        C:\Windows\system32\Fjmhhmcc.exe
        22⤵
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\SysWOW64\Fcemqc32.exe
        
        C:\Windows\system32\Fcemqc32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Fjpemmaq.exe
        
        C:\Windows\system32\Fjpemmaq.exe
        24⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\Folmedph.exe
        
        C:\Windows\system32\Folmedph.exe
        25⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\Fgcegapj.exe
        
        C:\Windows\system32\Fgcegapj.exe
        26⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Windows\SysWOW64\Fhdanifh.exe
        
        C:\Windows\system32\Fhdanifh.exe
        27⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Flbjdh32.exe
        
        C:\Windows\system32\Flbjdh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Gbapbnid.exe
        
        C:\Windows\system32\Gbapbnid.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Goeplbgm.exe
        
        C:\Windows\system32\Goeplbgm.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Gklqqc32.exe
        
        C:\Windows\system32\Gklqqc32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Gnmjbojb.exe
        
        C:\Windows\system32\Gnmjbojb.exe
        32⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Gfhngagn.exe
        
        C:\Windows\system32\Gfhngagn.exe
        33⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\Hghkadoq.exe
        
        C:\Windows\system32\Hghkadoq.exe
        34⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\Hmecikmh.exe
        
        C:\Windows\system32\Hmecikmh.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Hfodgpaf.exe
        
        C:\Windows\system32\Hfodgpaf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Hedahm32.exe
        
        C:\Windows\system32\Hedahm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Ijfclcqp.exe
        
        C:\Windows\system32\Ijfclcqp.exe
        38⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\Ijhpab32.exe
        
        C:\Windows\system32\Ijhpab32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Ibhnadhb.exe
        
        C:\Windows\system32\Ibhnadhb.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\Jbkkfd32.exe
        
        C:\Windows\system32\Jbkkfd32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Jodhadia.exe
        
        C:\Windows\system32\Jodhadia.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Jdcnok32.exe
        
        C:\Windows\system32\Jdcnok32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Kkaogd32.exe
        
        C:\Windows\system32\Kkaogd32.exe
        44⤵
        Executes dropped EXE
        
        PID:268
        
        C:\Windows\SysWOW64\Kpnhok32.exe
        
        C:\Windows\system32\Kpnhok32.exe
        45⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\Kghple32.exe
        
        C:\Windows\system32\Kghple32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Kiglha32.exe
        
        C:\Windows\system32\Kiglha32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Klgeil32.exe
        
        C:\Windows\system32\Klgeil32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\Lfbfha32.exe
        
        C:\Windows\system32\Lfbfha32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:900
        
        C:\Windows\SysWOW64\Mgmefhmh.exe
        
        C:\Windows\system32\Mgmefhmh.exe
        50⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\Mqejon32.exe
        
        C:\Windows\system32\Mqejon32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\Mqggdmaf.exe
        
        C:\Windows\system32\Mqggdmaf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\Momdej32.exe
        
        C:\Windows\system32\Momdej32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Miehnomn.exe
        
        C:\Windows\system32\Miehnomn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\Nijaio32.exe
        
        C:\Windows\system32\Nijaio32.exe
        55⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Njmkff32.exe
        
        C:\Windows\system32\Njmkff32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1964
        
        C:\Windows\SysWOW64\Nagccqda.exe
        
        C:\Windows\system32\Nagccqda.exe
        57⤵
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\Npmpdmii.exe
        
        C:\Windows\system32\Npmpdmii.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1632
        
        C:\Windows\SysWOW64\Njbdafho.exe
        
        C:\Windows\system32\Njbdafho.exe
        59⤵
        
        PID:108
        
        C:\Windows\SysWOW64\Ojdagefm.exe
        
        C:\Windows\system32\Ojdagefm.exe
        60⤵
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Ofnnafjn.exe
        
        C:\Windows\system32\Ofnnafjn.exe
        61⤵
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Jibifgfc.exe
        
        C:\Windows\system32\Jibifgfc.exe
        62⤵
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Fbkmfm32.exe
        
        C:\Windows\system32\Fbkmfm32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:856
        
        C:\Windows\SysWOW64\Gnbmknbo.exe
        
        C:\Windows\system32\Gnbmknbo.exe
        64⤵
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Gjinpohc.exe
        
        C:\Windows\system32\Gjinpohc.exe
        65⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\Gbpfalhe.exe
        
        C:\Windows\system32\Gbpfalhe.exe
        66⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\Gaecbh32.exe
        
        C:\Windows\system32\Gaecbh32.exe
        67⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\Gmldgi32.exe
        
        C:\Windows\system32\Gmldgi32.exe
        68⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\Gmnqmi32.exe
        
        C:\Windows\system32\Gmnqmi32.exe
        69⤵
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\Hchiichl.exe
        
        C:\Windows\system32\Hchiichl.exe
        70⤵
        
        PID:316
        
        C:\Windows\SysWOW64\Hfgeeo32.exe
        
        C:\Windows\system32\Hfgeeo32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\Higngj32.exe
        
        C:\Windows\system32\Higngj32.exe
        72⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Hlfjce32.exe
        
        C:\Windows\system32\Hlfjce32.exe
        73⤵
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Hijkmibn.exe
        
        C:\Windows\system32\Hijkmibn.exe
        74⤵
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Heqkbj32.exe
        
        C:\Windows\system32\Heqkbj32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1640
        
        C:\Windows\SysWOW64\Hlkcodoo.exe
        
        C:\Windows\system32\Hlkcodoo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:928
        
        C:\Windows\SysWOW64\Hbdlko32.exe
        
        C:\Windows\system32\Hbdlko32.exe
        77⤵
        
        PID:272
        
        C:\Windows\SysWOW64\Ikpqpadg.exe
        
        C:\Windows\system32\Ikpqpadg.exe
        78⤵
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\Ikbmeqbd.exe
        
        C:\Windows\system32\Ikbmeqbd.exe
        79⤵
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Idjanf32.exe
        
        C:\Windows\system32\Idjanf32.exe
        80⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Iginja32.exe
        
        C:\Windows\system32\Iginja32.exe
        81⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\Iaobgjgn.exe
        
        C:\Windows\system32\Iaobgjgn.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Ikggpp32.exe
        
        C:\Windows\system32\Ikggpp32.exe
        83⤵
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\Idokiedo.exe
        
        C:\Windows\system32\Idokiedo.exe
        84⤵
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\Iilcal32.exe
        
        C:\Windows\system32\Iilcal32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Jecdfmhk.exe
        
        C:\Windows\system32\Jecdfmhk.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:812
        
        C:\Windows\SysWOW64\Jgbapp32.exe
        
        C:\Windows\system32\Jgbapp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Joneebmi.exe
        
        C:\Windows\system32\Joneebmi.exe
        88⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\Jhhgch32.exe
        
        C:\Windows\system32\Jhhgch32.exe
        89⤵
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Jdoghi32.exe
        
        C:\Windows\system32\Jdoghi32.exe
        90⤵
        
        PID:904
        
        C:\Windows\SysWOW64\Jgmcdd32.exe
        
        C:\Windows\system32\Jgmcdd32.exe
        91⤵
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Khmpngma.exe
        
        C:\Windows\system32\Khmpngma.exe
        92⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\Kqhebi32.exe
        
        C:\Windows\system32\Kqhebi32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1732
        
        C:\Windows\SysWOW64\Kgbmocbi.exe
        
        C:\Windows\system32\Kgbmocbi.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\Knleln32.exe
        
        C:\Windows\system32\Knleln32.exe
        95⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\Kcindd32.exe
        
        C:\Windows\system32\Kcindd32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2028
        
        C:\Windows\SysWOW64\Kjebfn32.exe
        
        C:\Windows\system32\Kjebfn32.exe
        97⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\Lmflhi32.exe
        
        C:\Windows\system32\Lmflhi32.exe
        98⤵
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Leapmlhc.exe
        
        C:\Windows\system32\Leapmlhc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\Lbeafpfm.exe
        
        C:\Windows\system32\Lbeafpfm.exe
        100⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Lnlaka32.exe
        
        C:\Windows\system32\Lnlaka32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1144
        
        C:\Windows\SysWOW64\Liafhjlg.exe
        
        C:\Windows\system32\Liafhjlg.exe
        102⤵
        Modifies registry class
        
        PID:240
        
        C:\Windows\SysWOW64\Lckgighf.exe
        
        C:\Windows\system32\Lckgighf.exe
        103⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Maogblgp.exe
        
        C:\Windows\system32\Maogblgp.exe
        104⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Mcmcng32.exe
        
        C:\Windows\system32\Mcmcng32.exe
        105⤵
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Maadhk32.exe
        
        C:\Windows\system32\Maadhk32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Mjjhqaln.exe
        
        C:\Windows\system32\Mjjhqaln.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1176
        
        C:\Windows\SysWOW64\Mimiln32.exe
        
        C:\Windows\system32\Mimiln32.exe
        108⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Mfqiebaa.exe
        
        C:\Windows\system32\Mfqiebaa.exe
        109⤵
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\Mjlefq32.exe
        
        C:\Windows\system32\Mjlefq32.exe
        110⤵
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Mmjabl32.exe
        
        C:\Windows\system32\Mmjabl32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Mcdjofpk.exe
        
        C:\Windows\system32\Mcdjofpk.exe
        112⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\Micomm32.exe
        
        C:\Windows\system32\Micomm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:568
        
        C:\Windows\SysWOW64\Nldhoh32.exe
        
        C:\Windows\system32\Nldhoh32.exe
        114⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Npijmk32.exe
        
        C:\Windows\system32\Npijmk32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:896
        
        C:\Windows\SysWOW64\Opbmci32.exe
        
        C:\Windows\system32\Opbmci32.exe
        116⤵
        
        PID:768
        
        C:\Windows\SysWOW64\Occeedod.exe
        
        C:\Windows\system32\Occeedod.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Jadpdk32.exe
        
        C:\Windows\system32\Jadpdk32.exe
        118⤵
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Kjjdfdnp.exe
        
        C:\Windows\system32\Kjjdfdnp.exe
        119⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Kfenfdoo.exe
        
        C:\Windows\system32\Kfenfdoo.exe
        120⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Kblokeec.exe
        
        C:\Windows\system32\Kblokeec.exe
        121⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Kfhkld32.exe
        
        C:\Windows\system32\Kfhkld32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2196
        
        C:\Windows\SysWOW64\Kifghp32.exe
        
        C:\Windows\system32\Kifghp32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Lpppejcl.exe
        
        C:\Windows\system32\Lpppejcl.exe
        124⤵
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Lbnlaebp.exe
        
        C:\Windows\system32\Lbnlaebp.exe
        125⤵
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Lfjhad32.exe
        
        C:\Windows\system32\Lfjhad32.exe
        126⤵
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\Lhkdilag.exe
        
        C:\Windows\system32\Lhkdilag.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Llgpjkiq.exe
        
        C:\Windows\system32\Llgpjkiq.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Loelffhd.exe
        
        C:\Windows\system32\Loelffhd.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2312
        
        C:\Windows\SysWOW64\Logikffa.exe
        
        C:\Windows\system32\Logikffa.exe
        130⤵
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Lhpndk32.exe
        
        C:\Windows\system32\Lhpndk32.exe
        131⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Lhbjjkkp.exe
        
        C:\Windows\system32\Lhbjjkkp.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Lgejeh32.exe
        
        C:\Windows\system32\Lgejeh32.exe
        133⤵
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\Lolbfe32.exe
        
        C:\Windows\system32\Lolbfe32.exe
        134⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Lnocbbig.exe
        
        C:\Windows\system32\Lnocbbig.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Lpmonmhj.exe
        
        C:\Windows\system32\Lpmonmhj.exe
        136⤵
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\Mdikol32.exe
        
        C:\Windows\system32\Mdikol32.exe
        137⤵
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Mglqfglb.exe
        
        C:\Windows\system32\Mglqfglb.exe
        138⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Mjjmbbkf.exe
        
        C:\Windows\system32\Mjjmbbkf.exe
        139⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\Mliinnji.exe
        
        C:\Windows\system32\Mliinnji.exe
        140⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Mogeji32.exe
        
        C:\Windows\system32\Mogeji32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2408
        
        C:\Windows\SysWOW64\Mcenqgoc.exe
        
        C:\Windows\system32\Mcenqgoc.exe
        142⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\Nbjkaddk.exe
        
        C:\Windows\system32\Nbjkaddk.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Nkcpji32.exe
        
        C:\Windows\system32\Nkcpji32.exe
        144⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Nkelpi32.exe
        
        C:\Windows\system32\Nkelpi32.exe
        145⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Nkgieiff.exe
        
        C:\Windows\system32\Nkgieiff.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Nqdanpdn.exe
        
        C:\Windows\system32\Nqdanpdn.exe
        147⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\Ngnjkj32.exe
        
        C:\Windows\system32\Ngnjkj32.exe
        148⤵
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Njmfge32.exe
        
        C:\Windows\system32\Njmfge32.exe
        149⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\Ngqfpijh.exe
        
        C:\Windows\system32\Ngqfpijh.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Ojobleil.exe
        
        C:\Windows\system32\Ojobleil.exe
        151⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\Ojaobdgi.exe
        
        C:\Windows\system32\Ojaobdgi.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2684
        
        C:\Windows\SysWOW64\Obmdfg32.exe
        
        C:\Windows\system32\Obmdfg32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2692
        
        C:\Windows\SysWOW64\Ofhpgemm.exe
        
        C:\Windows\system32\Ofhpgemm.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2700
        
        C:\Windows\SysWOW64\Oboqlf32.exe
        
        C:\Windows\system32\Oboqlf32.exe
        155⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Oemmhb32.exe
        
        C:\Windows\system32\Oemmhb32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2716
        
        C:\Windows\SysWOW64\Oiiihqjn.exe
        
        C:\Windows\system32\Oiiihqjn.exe
        157⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Onfaqghf.exe
        
        C:\Windows\system32\Onfaqghf.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Ofmibe32.exe
        
        C:\Windows\system32\Ofmibe32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2740
        
        C:\Windows\SysWOW64\Oepjmapb.exe
        
        C:\Windows\system32\Oepjmapb.exe
        160⤵
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Openkjoh.exe
        
        C:\Windows\system32\Openkjoh.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2756
        
        C:\Windows\SysWOW64\Pinbcp32.exe
        
        C:\Windows\system32\Pinbcp32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Pbfglelj.exe
        
        C:\Windows\system32\Pbfglelj.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Pcgcdnbh.exe
        
        C:\Windows\system32\Pcgcdnbh.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Plnkekcj.exe
        
        C:\Windows\system32\Plnkekcj.exe
        165⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\Pakdnbaa.exe
        
        C:\Windows\system32\Pakdnbaa.exe
        166⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Pegpnq32.exe
        
        C:\Windows\system32\Pegpnq32.exe
        167⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\Pamqcaoo.exe
        
        C:\Windows\system32\Pamqcaoo.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Piiegd32.exe
        
        C:\Windows\system32\Piiegd32.exe
        169⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Pbajpicj.exe
        
        C:\Windows\system32\Pbajpicj.exe
        170⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Pjhaagcm.exe
        
        C:\Windows\system32\Pjhaagcm.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2836
        
        C:\Windows\SysWOW64\Qimobchd.exe
        
        C:\Windows\system32\Qimobchd.exe
        172⤵
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Qedogd32.exe
        
        C:\Windows\system32\Qedogd32.exe
        173⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Apjcem32.exe
        
        C:\Windows\system32\Apjcem32.exe
        174⤵
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Aibhnb32.exe
        
        C:\Windows\system32\Aibhnb32.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Aooqfi32.exe
        
        C:\Windows\system32\Aooqfi32.exe
        176⤵
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\Adlinq32.exe
        
        C:\Windows\system32\Adlinq32.exe
        177⤵
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Akhnqj32.exe
        
        C:\Windows\system32\Akhnqj32.exe
        178⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\Amigbe32.exe
        
        C:\Windows\system32\Amigbe32.exe
        179⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Biphgf32.exe
        
        C:\Windows\system32\Biphgf32.exe
        180⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\Bcjielmk.exe
        
        C:\Windows\system32\Bcjielmk.exe
        181⤵
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\Bgfefj32.exe
        
        C:\Windows\system32\Bgfefj32.exe
        182⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Blejdqbi.exe
        
        C:\Windows\system32\Blejdqbi.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Bdpohcod.exe
        
        C:\Windows\system32\Bdpohcod.exe
        184⤵
        
        PID:924
        
        C:\Windows\SysWOW64\Clggiq32.exe
        
        C:\Windows\system32\Clggiq32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:288
        
        C:\Windows\SysWOW64\Chngnaek.exe
        
        C:\Windows\system32\Chngnaek.exe
        186⤵
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Caflgg32.exe
        
        C:\Windows\system32\Caflgg32.exe
        187⤵
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Chqddach.exe
        
        C:\Windows\system32\Chqddach.exe
        188⤵
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\SysWOW64\Cnmmlh32.exe
        
        C:\Windows\system32\Cnmmlh32.exe
        189⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\Cmbimdfg.exe
        
        C:\Windows\system32\Cmbimdfg.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Cfknfj32.exe
        
        C:\Windows\system32\Cfknfj32.exe
        191⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Dmgchd32.exe
        
        C:\Windows\system32\Dmgchd32.exe
        192⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Dklpipgj.exe
        
        C:\Windows\system32\Dklpipgj.exe
        193⤵
        
        PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hhgbnfbd.exe

Filesize
50KB

MD5
76eb5fa0f965c89536f69aed54462417

SHA1
f9931ce3181762d269daa50ba65e9ba543a41d30

SHA256
8a5df408c328010897bcd2527c87bc7db1c05828d5c20373ab67eed2bd8931db

SHA512
ee2240bca94a5a19b1db63ce4174b315e5e99aed562b44ddddc21a9932365e76b23e2212665c1ee8e1739a33bb4a2cafccea3ca73918219eb03f0df3c5a24870

Download Submit
C:\Windows\SysWOW64\Hhgbnfbd.exe

Filesize
50KB

MD5
76eb5fa0f965c89536f69aed54462417

SHA1
f9931ce3181762d269daa50ba65e9ba543a41d30

SHA256
8a5df408c328010897bcd2527c87bc7db1c05828d5c20373ab67eed2bd8931db

SHA512
ee2240bca94a5a19b1db63ce4174b315e5e99aed562b44ddddc21a9932365e76b23e2212665c1ee8e1739a33bb4a2cafccea3ca73918219eb03f0df3c5a24870

Download Submit
C:\Windows\SysWOW64\Jebimi32.exe

Filesize
50KB

MD5
3e70259298bf32cd64eb72a44090364b

SHA1
2b972d75bf01532a716504c9f9e0bc72e42f6491

SHA256
a5606324385134d5dc5bb9707126579fb479e34a0843a1b32769ce8b5ee26e81

SHA512
e1864af2e0882d18a9933c4b76973336222424bc8d5f2856e3b0f959d6f0d221bcaf84e10939d119d6a06ca31275a8c777a5db4e3804af5e6685c9aaedccb264

Download Submit
C:\Windows\SysWOW64\Jebimi32.exe

Filesize
50KB

MD5
3e70259298bf32cd64eb72a44090364b

SHA1
2b972d75bf01532a716504c9f9e0bc72e42f6491

SHA256
a5606324385134d5dc5bb9707126579fb479e34a0843a1b32769ce8b5ee26e81

SHA512
e1864af2e0882d18a9933c4b76973336222424bc8d5f2856e3b0f959d6f0d221bcaf84e10939d119d6a06ca31275a8c777a5db4e3804af5e6685c9aaedccb264

Download Submit
C:\Windows\SysWOW64\Jedfci32.exe

Filesize
50KB

MD5
53e27a0f90e06d8d5d7ca01751d0b627

SHA1
2086a29c712952ace1828bdbb553df0509ab5f5f

SHA256
cbc0a67e6b879fad76a718b8c31ef96dd2b0b7dff5b025bd51d27bc2154d8248

SHA512
abbc1e7a81c4e76504f7070642c21703df38c4bdf4a74a6ffadcbaef4fa890bcc0a2f3b00c679623c1bb47ca2cfde387293a1f1c12cda67ecffdd8f281e06772

Download Submit
C:\Windows\SysWOW64\Jedfci32.exe

Filesize
50KB

MD5
53e27a0f90e06d8d5d7ca01751d0b627

SHA1
2086a29c712952ace1828bdbb553df0509ab5f5f

SHA256
cbc0a67e6b879fad76a718b8c31ef96dd2b0b7dff5b025bd51d27bc2154d8248

SHA512
abbc1e7a81c4e76504f7070642c21703df38c4bdf4a74a6ffadcbaef4fa890bcc0a2f3b00c679623c1bb47ca2cfde387293a1f1c12cda67ecffdd8f281e06772

Download Submit
C:\Windows\SysWOW64\Jffbjajj.exe

Filesize
50KB

MD5
768f727c31df29c4ed16b3cb0f35f1c2

SHA1
ddcb0269189c715b4d1e281eab054905eca05f67

SHA256
27a0c5b2a4e76b41bd7a2c27b0e51cff2ee3737f6f90c8dc699a05ce3296b5b3

SHA512
2f436721a750fe36e93bd95dc5d2a61fc7a6ee951edcd0f8345b7c9de88ad17edc861c387287cd1b9746f74b0cde759b1ed2fab5ccaf00109230705132584a8a

Download Submit
C:\Windows\SysWOW64\Jffbjajj.exe

Filesize
50KB

MD5
768f727c31df29c4ed16b3cb0f35f1c2

SHA1
ddcb0269189c715b4d1e281eab054905eca05f67

SHA256
27a0c5b2a4e76b41bd7a2c27b0e51cff2ee3737f6f90c8dc699a05ce3296b5b3

SHA512
2f436721a750fe36e93bd95dc5d2a61fc7a6ee951edcd0f8345b7c9de88ad17edc861c387287cd1b9746f74b0cde759b1ed2fab5ccaf00109230705132584a8a

Download Submit
C:\Windows\SysWOW64\Jgnide32.exe

Filesize
50KB

MD5
4e86e5464950b8a6850946d01f0590e5

SHA1
1ddb3f14ae5e6d9b45296a44f49630e5159c2b2d

SHA256
e5b800d17e6f4f042f2d3e5b80110a017eec12e4000226200959af570340fdf2

SHA512
5b61ef0ee15aef8ea0177301b8557c07cffb432457472a89f01ae84804aae10574bafb812849901c08ab1df779fcce324b7229272fb4eae20f64b5c155db870d

Download Submit
C:\Windows\SysWOW64\Jgnide32.exe

Filesize
50KB

MD5
4e86e5464950b8a6850946d01f0590e5

SHA1
1ddb3f14ae5e6d9b45296a44f49630e5159c2b2d

SHA256
e5b800d17e6f4f042f2d3e5b80110a017eec12e4000226200959af570340fdf2

SHA512
5b61ef0ee15aef8ea0177301b8557c07cffb432457472a89f01ae84804aae10574bafb812849901c08ab1df779fcce324b7229272fb4eae20f64b5c155db870d

Download Submit
C:\Windows\SysWOW64\Kedbblgg.exe

Filesize
50KB

MD5
4d53c2e3dc47e06cb78016d78dde8b01

SHA1
13019a546acfeaec045bd1614faa5936a3752a1f

SHA256
e90938acaf746d481e1fdf75fbabd1d75a4ac2f23a1cf074ba890e8f841fe96e

SHA512
cc30af5831d09d6dcaee13e5a6b99e042a726ccef5c1516569a245857e56f6451a7edbf8191f0a82ee86ecfe02949b56ffdc782a8b15e40c00a6479762d0c23a

Download Submit
C:\Windows\SysWOW64\Kedbblgg.exe

Filesize
50KB

MD5
4d53c2e3dc47e06cb78016d78dde8b01

SHA1
13019a546acfeaec045bd1614faa5936a3752a1f

SHA256
e90938acaf746d481e1fdf75fbabd1d75a4ac2f23a1cf074ba890e8f841fe96e

SHA512
cc30af5831d09d6dcaee13e5a6b99e042a726ccef5c1516569a245857e56f6451a7edbf8191f0a82ee86ecfe02949b56ffdc782a8b15e40c00a6479762d0c23a

Download Submit
C:\Windows\SysWOW64\Kfmhkpda.exe

Filesize
50KB

MD5
a16a44898e81ed218c8b921686771e6f

SHA1
dc5ca3937c0b3bba7942ff6328583a03ce61c294

SHA256
1afa1e6c690b1086ebf52961f5752a472376a0427f0aec7ab59266f9a2d60067

SHA512
1408814fb8dda069d5061ab9302a86e67939557bdc51fb83090933ac30f593436a9a551f7931a4430de871dae49517108853fce51c4c636119df39a4dd654c57

Download Submit
C:\Windows\SysWOW64\Kfmhkpda.exe

Filesize
50KB

MD5
a16a44898e81ed218c8b921686771e6f

SHA1
dc5ca3937c0b3bba7942ff6328583a03ce61c294

SHA256
1afa1e6c690b1086ebf52961f5752a472376a0427f0aec7ab59266f9a2d60067

SHA512
1408814fb8dda069d5061ab9302a86e67939557bdc51fb83090933ac30f593436a9a551f7931a4430de871dae49517108853fce51c4c636119df39a4dd654c57

Download Submit
C:\Windows\SysWOW64\Kgeoddal.exe

Filesize
50KB

MD5
2dfb054d1455659e84f63b4564b836a1

SHA1
cefe3d304cc8217101c0de8723c3110649f74972

SHA256
2317733f07ca1324219e2accbfc28cf9ca5a585884f10c96f84c35a38eaa42f2

SHA512
ead63fe4e5d97db8e6db692061e903c55a20fcdd31cab909a20c80b722f806c57efac3d6ff84049144ec4d20f89702f7fcbdac6d403c97d6300133d07693e5d4

Download Submit
C:\Windows\SysWOW64\Kgeoddal.exe

Filesize
50KB

MD5
2dfb054d1455659e84f63b4564b836a1

SHA1
cefe3d304cc8217101c0de8723c3110649f74972

SHA256
2317733f07ca1324219e2accbfc28cf9ca5a585884f10c96f84c35a38eaa42f2

SHA512
ead63fe4e5d97db8e6db692061e903c55a20fcdd31cab909a20c80b722f806c57efac3d6ff84049144ec4d20f89702f7fcbdac6d403c97d6300133d07693e5d4

Download Submit
C:\Windows\SysWOW64\Kllnig32.exe

Filesize
50KB

MD5
3e5eb813114d3cdfef1ac218e4cc2fed

SHA1
f3cca3afa74f1e9f29cfd6d5513971ee32a3f1b8

SHA256
84552c3ccd430bbd8ee8a5dade6a3b8a165866c4752d4541d2ff35aefe6bb171

SHA512
be38ced8b37ce0859b7b73bef782d146af95221a6966c3c85824817cdd6ad2101427b404c42f21887b210950a2c450b85d5b7bca140c720064a6175db82d535a

Download Submit
C:\Windows\SysWOW64\Kllnig32.exe

Filesize
50KB

MD5
3e5eb813114d3cdfef1ac218e4cc2fed

SHA1
f3cca3afa74f1e9f29cfd6d5513971ee32a3f1b8

SHA256
84552c3ccd430bbd8ee8a5dade6a3b8a165866c4752d4541d2ff35aefe6bb171

SHA512
be38ced8b37ce0859b7b73bef782d146af95221a6966c3c85824817cdd6ad2101427b404c42f21887b210950a2c450b85d5b7bca140c720064a6175db82d535a

Download Submit
C:\Windows\SysWOW64\Kmddbk32.exe

Filesize
50KB

MD5
9b1669b0c8f3d83ec05fac9eea3ff633

SHA1
29337fc9861b7f5137dfaf7a78f124759d3b6de9

SHA256
384731d843d4d573c662249761a98e30e01f2c17e99f4512b7a1cf440fe86b02

SHA512
11c096f8f2f6e5e7d6fbf830296610e4b6433e85c9f24682e18aafd4cf772a8d819746a552b7376cbb02512ed0ddbeef0167025519f9bac0bb15f5a9fcaab5fe

Download Submit
C:\Windows\SysWOW64\Kmddbk32.exe

Filesize
50KB

MD5
9b1669b0c8f3d83ec05fac9eea3ff633

SHA1
29337fc9861b7f5137dfaf7a78f124759d3b6de9

SHA256
384731d843d4d573c662249761a98e30e01f2c17e99f4512b7a1cf440fe86b02

SHA512
11c096f8f2f6e5e7d6fbf830296610e4b6433e85c9f24682e18aafd4cf772a8d819746a552b7376cbb02512ed0ddbeef0167025519f9bac0bb15f5a9fcaab5fe

Download Submit
C:\Windows\SysWOW64\Kpemdf32.exe

Filesize
50KB

MD5
dfe60fd45504f3d993fcf47aea4414ea

SHA1
1c3d2e89b77b3c7a2bf1aa24f0794db48d3e27c6

SHA256
7e67d98929ae76ad139f3cef7853a893dd3dfb5bc9ccf9770ae1050a7fa7f71a

SHA512
ffd1d41a4508259699af1651d6776c20eab5756f8c739eb6ccb2f42bdd9d56dbb63255f97faeb3f9b6061c1fd6c43073761ffa4acdbe2ae74a67fd68c533ae1a

Download Submit
C:\Windows\SysWOW64\Kpemdf32.exe

Filesize
50KB

MD5
dfe60fd45504f3d993fcf47aea4414ea

SHA1
1c3d2e89b77b3c7a2bf1aa24f0794db48d3e27c6

SHA256
7e67d98929ae76ad139f3cef7853a893dd3dfb5bc9ccf9770ae1050a7fa7f71a

SHA512
ffd1d41a4508259699af1651d6776c20eab5756f8c739eb6ccb2f42bdd9d56dbb63255f97faeb3f9b6061c1fd6c43073761ffa4acdbe2ae74a67fd68c533ae1a

Download Submit
C:\Windows\SysWOW64\Lhekcgdh.exe

Filesize
50KB

MD5
8b4dcd21e145098a2430781cd6d4ddca

SHA1
967a6bd353d919732cb4e05f0a20129b2cdcbf6f

SHA256
97f20fe51b8b2d30abddfdd8d828af8d1e3e1b16137e3ea522990b1a9bb55d19

SHA512
6e7140fabb1c9109d3a9f3b63443ea132d30d9bd743af36018a777cc0a73c01d8665d013089a300181137e9b4da212f309d6c13eee5553dcad42a4c9dc45dc7f

Download Submit
C:\Windows\SysWOW64\Lhekcgdh.exe

Filesize
50KB

MD5
8b4dcd21e145098a2430781cd6d4ddca

SHA1
967a6bd353d919732cb4e05f0a20129b2cdcbf6f

SHA256
97f20fe51b8b2d30abddfdd8d828af8d1e3e1b16137e3ea522990b1a9bb55d19

SHA512
6e7140fabb1c9109d3a9f3b63443ea132d30d9bd743af36018a777cc0a73c01d8665d013089a300181137e9b4da212f309d6c13eee5553dcad42a4c9dc45dc7f

Download Submit
C:\Windows\SysWOW64\Mekdaocj.exe

Filesize
50KB

MD5
33de7692c77e2b6e59f7d6dca3bcacb1

SHA1
7ba0abc12bb463e4808a37a694b1b43fb24633dd

SHA256
4bd04d663df936f12cc71bc7ae8562e05b98d9f60b13d82a0fcb4ba967d42edf

SHA512
3e9c9ffe122a71a173bbc791ef3aee435d94df3d9f9c2ebfbc815f36a7299c58a94412f69d7ea8edf20c3e9756b1112afee74c301fe4ee8e558d3713ceafe688

Download Submit
C:\Windows\SysWOW64\Mekdaocj.exe

Filesize
50KB

MD5
33de7692c77e2b6e59f7d6dca3bcacb1

SHA1
7ba0abc12bb463e4808a37a694b1b43fb24633dd

SHA256
4bd04d663df936f12cc71bc7ae8562e05b98d9f60b13d82a0fcb4ba967d42edf

SHA512
3e9c9ffe122a71a173bbc791ef3aee435d94df3d9f9c2ebfbc815f36a7299c58a94412f69d7ea8edf20c3e9756b1112afee74c301fe4ee8e558d3713ceafe688

Download Submit
C:\Windows\SysWOW64\Middlnnf.exe

Filesize
50KB

MD5
cb3bd02ff51b9307142de7a0d45cfb40

SHA1
edd7aa2d5e930134d6576cb61db66ef5e7f8d70c

SHA256
6a9dac303ab00af4351023e10b1ac17facb0d4d011ecba5f215ed6167847ba83

SHA512
ecbaa8d4e8e8eecf7a7a120434602b73753b011ad937c83a06b13fd84652f75c17d4619c517b302907b140443cd51c19430b91610c601d129d79824aad4a3e44

Download Submit
C:\Windows\SysWOW64\Middlnnf.exe

Filesize
50KB

MD5
cb3bd02ff51b9307142de7a0d45cfb40

SHA1
edd7aa2d5e930134d6576cb61db66ef5e7f8d70c

SHA256
6a9dac303ab00af4351023e10b1ac17facb0d4d011ecba5f215ed6167847ba83

SHA512
ecbaa8d4e8e8eecf7a7a120434602b73753b011ad937c83a06b13fd84652f75c17d4619c517b302907b140443cd51c19430b91610c601d129d79824aad4a3e44

Download Submit
C:\Windows\SysWOW64\Mlbphimj.exe

Filesize
50KB

MD5
18e82a23d6ee6d09cb90c4d0d2ba3b96

SHA1
dfbfa40dbcaca7c4d419b9c574c9867c15b18542

SHA256
48741ab19ad62723dba85a564176b511eb445abc6a8ce358dc65697041e82f2b

SHA512
af020bf10f17cf608862b89c87c60c7bc79b6326d9aa757d4fa16a66319b8b3382168f4e2c177ce5d8d1a4d0930c4f533e6a01dac9de523ef96a3c26690d731b

Download Submit
C:\Windows\SysWOW64\Mlbphimj.exe

Filesize
50KB

MD5
18e82a23d6ee6d09cb90c4d0d2ba3b96

SHA1
dfbfa40dbcaca7c4d419b9c574c9867c15b18542

SHA256
48741ab19ad62723dba85a564176b511eb445abc6a8ce358dc65697041e82f2b

SHA512
af020bf10f17cf608862b89c87c60c7bc79b6326d9aa757d4fa16a66319b8b3382168f4e2c177ce5d8d1a4d0930c4f533e6a01dac9de523ef96a3c26690d731b

Download Submit
C:\Windows\SysWOW64\Moopoenp.exe

Filesize
50KB

MD5
7c37582eb7269fce2b260d2b2bef71ea

SHA1
e19ce5c7904c01e8df58c1fd0b3ec5ee5a40f111

SHA256
305a37edc8feaee66a9b31aa40f71a08888c666dd363009fc96ced4ad3388281

SHA512
75ccd9204f1777c3a6972cf1a6a085c85b0c77d719fbf03fd6f8b24d830b4f409809b8b9f1cc360769455b6242e9cede6b99382dafe5e22f3dbe1521ee2c5d99

Download Submit
C:\Windows\SysWOW64\Moopoenp.exe

Filesize
50KB

MD5
7c37582eb7269fce2b260d2b2bef71ea

SHA1
e19ce5c7904c01e8df58c1fd0b3ec5ee5a40f111

SHA256
305a37edc8feaee66a9b31aa40f71a08888c666dd363009fc96ced4ad3388281

SHA512
75ccd9204f1777c3a6972cf1a6a085c85b0c77d719fbf03fd6f8b24d830b4f409809b8b9f1cc360769455b6242e9cede6b99382dafe5e22f3dbe1521ee2c5d99

Download Submit
\Windows\SysWOW64\Hhgbnfbd.exe

Filesize
50KB

MD5
76eb5fa0f965c89536f69aed54462417

SHA1
f9931ce3181762d269daa50ba65e9ba543a41d30

SHA256
8a5df408c328010897bcd2527c87bc7db1c05828d5c20373ab67eed2bd8931db

SHA512
ee2240bca94a5a19b1db63ce4174b315e5e99aed562b44ddddc21a9932365e76b23e2212665c1ee8e1739a33bb4a2cafccea3ca73918219eb03f0df3c5a24870

Download Submit
\Windows\SysWOW64\Hhgbnfbd.exe

Filesize
50KB

MD5
76eb5fa0f965c89536f69aed54462417

SHA1
f9931ce3181762d269daa50ba65e9ba543a41d30

SHA256
8a5df408c328010897bcd2527c87bc7db1c05828d5c20373ab67eed2bd8931db

SHA512
ee2240bca94a5a19b1db63ce4174b315e5e99aed562b44ddddc21a9932365e76b23e2212665c1ee8e1739a33bb4a2cafccea3ca73918219eb03f0df3c5a24870

Download Submit
\Windows\SysWOW64\Jebimi32.exe

Filesize
50KB

MD5
3e70259298bf32cd64eb72a44090364b

SHA1
2b972d75bf01532a716504c9f9e0bc72e42f6491

SHA256
a5606324385134d5dc5bb9707126579fb479e34a0843a1b32769ce8b5ee26e81

SHA512
e1864af2e0882d18a9933c4b76973336222424bc8d5f2856e3b0f959d6f0d221bcaf84e10939d119d6a06ca31275a8c777a5db4e3804af5e6685c9aaedccb264

Download Submit
\Windows\SysWOW64\Jebimi32.exe

Filesize
50KB

MD5
3e70259298bf32cd64eb72a44090364b

SHA1
2b972d75bf01532a716504c9f9e0bc72e42f6491

SHA256
a5606324385134d5dc5bb9707126579fb479e34a0843a1b32769ce8b5ee26e81

SHA512
e1864af2e0882d18a9933c4b76973336222424bc8d5f2856e3b0f959d6f0d221bcaf84e10939d119d6a06ca31275a8c777a5db4e3804af5e6685c9aaedccb264

Download Submit
\Windows\SysWOW64\Jedfci32.exe

Filesize
50KB

MD5
53e27a0f90e06d8d5d7ca01751d0b627

SHA1
2086a29c712952ace1828bdbb553df0509ab5f5f

SHA256
cbc0a67e6b879fad76a718b8c31ef96dd2b0b7dff5b025bd51d27bc2154d8248

SHA512
abbc1e7a81c4e76504f7070642c21703df38c4bdf4a74a6ffadcbaef4fa890bcc0a2f3b00c679623c1bb47ca2cfde387293a1f1c12cda67ecffdd8f281e06772

Download Submit
\Windows\SysWOW64\Jedfci32.exe

Filesize
50KB

MD5
53e27a0f90e06d8d5d7ca01751d0b627

SHA1
2086a29c712952ace1828bdbb553df0509ab5f5f

SHA256
cbc0a67e6b879fad76a718b8c31ef96dd2b0b7dff5b025bd51d27bc2154d8248

SHA512
abbc1e7a81c4e76504f7070642c21703df38c4bdf4a74a6ffadcbaef4fa890bcc0a2f3b00c679623c1bb47ca2cfde387293a1f1c12cda67ecffdd8f281e06772

Download Submit
\Windows\SysWOW64\Jffbjajj.exe

Filesize
50KB

MD5
768f727c31df29c4ed16b3cb0f35f1c2

SHA1
ddcb0269189c715b4d1e281eab054905eca05f67

SHA256
27a0c5b2a4e76b41bd7a2c27b0e51cff2ee3737f6f90c8dc699a05ce3296b5b3

SHA512
2f436721a750fe36e93bd95dc5d2a61fc7a6ee951edcd0f8345b7c9de88ad17edc861c387287cd1b9746f74b0cde759b1ed2fab5ccaf00109230705132584a8a

Download Submit
\Windows\SysWOW64\Jffbjajj.exe

Filesize
50KB

MD5
768f727c31df29c4ed16b3cb0f35f1c2

SHA1
ddcb0269189c715b4d1e281eab054905eca05f67

SHA256
27a0c5b2a4e76b41bd7a2c27b0e51cff2ee3737f6f90c8dc699a05ce3296b5b3

SHA512
2f436721a750fe36e93bd95dc5d2a61fc7a6ee951edcd0f8345b7c9de88ad17edc861c387287cd1b9746f74b0cde759b1ed2fab5ccaf00109230705132584a8a

Download Submit
\Windows\SysWOW64\Jgnide32.exe

Filesize
50KB

MD5
4e86e5464950b8a6850946d01f0590e5

SHA1
1ddb3f14ae5e6d9b45296a44f49630e5159c2b2d

SHA256
e5b800d17e6f4f042f2d3e5b80110a017eec12e4000226200959af570340fdf2

SHA512
5b61ef0ee15aef8ea0177301b8557c07cffb432457472a89f01ae84804aae10574bafb812849901c08ab1df779fcce324b7229272fb4eae20f64b5c155db870d

Download Submit
\Windows\SysWOW64\Jgnide32.exe

Filesize
50KB

MD5
4e86e5464950b8a6850946d01f0590e5

SHA1
1ddb3f14ae5e6d9b45296a44f49630e5159c2b2d

SHA256
e5b800d17e6f4f042f2d3e5b80110a017eec12e4000226200959af570340fdf2

SHA512
5b61ef0ee15aef8ea0177301b8557c07cffb432457472a89f01ae84804aae10574bafb812849901c08ab1df779fcce324b7229272fb4eae20f64b5c155db870d

Download Submit
\Windows\SysWOW64\Kedbblgg.exe

Filesize
50KB

MD5
4d53c2e3dc47e06cb78016d78dde8b01

SHA1
13019a546acfeaec045bd1614faa5936a3752a1f

SHA256
e90938acaf746d481e1fdf75fbabd1d75a4ac2f23a1cf074ba890e8f841fe96e

SHA512
cc30af5831d09d6dcaee13e5a6b99e042a726ccef5c1516569a245857e56f6451a7edbf8191f0a82ee86ecfe02949b56ffdc782a8b15e40c00a6479762d0c23a

Download Submit
\Windows\SysWOW64\Kedbblgg.exe

Filesize
50KB

MD5
4d53c2e3dc47e06cb78016d78dde8b01

SHA1
13019a546acfeaec045bd1614faa5936a3752a1f

SHA256
e90938acaf746d481e1fdf75fbabd1d75a4ac2f23a1cf074ba890e8f841fe96e

SHA512
cc30af5831d09d6dcaee13e5a6b99e042a726ccef5c1516569a245857e56f6451a7edbf8191f0a82ee86ecfe02949b56ffdc782a8b15e40c00a6479762d0c23a

Download Submit
\Windows\SysWOW64\Kfmhkpda.exe

Filesize
50KB

MD5
a16a44898e81ed218c8b921686771e6f

SHA1
dc5ca3937c0b3bba7942ff6328583a03ce61c294

SHA256
1afa1e6c690b1086ebf52961f5752a472376a0427f0aec7ab59266f9a2d60067

SHA512
1408814fb8dda069d5061ab9302a86e67939557bdc51fb83090933ac30f593436a9a551f7931a4430de871dae49517108853fce51c4c636119df39a4dd654c57

Download Submit
\Windows\SysWOW64\Kfmhkpda.exe

Filesize
50KB

MD5
a16a44898e81ed218c8b921686771e6f

SHA1
dc5ca3937c0b3bba7942ff6328583a03ce61c294

SHA256
1afa1e6c690b1086ebf52961f5752a472376a0427f0aec7ab59266f9a2d60067

SHA512
1408814fb8dda069d5061ab9302a86e67939557bdc51fb83090933ac30f593436a9a551f7931a4430de871dae49517108853fce51c4c636119df39a4dd654c57

Download Submit
\Windows\SysWOW64\Kgeoddal.exe

Filesize
50KB

MD5
2dfb054d1455659e84f63b4564b836a1

SHA1
cefe3d304cc8217101c0de8723c3110649f74972

SHA256
2317733f07ca1324219e2accbfc28cf9ca5a585884f10c96f84c35a38eaa42f2

SHA512
ead63fe4e5d97db8e6db692061e903c55a20fcdd31cab909a20c80b722f806c57efac3d6ff84049144ec4d20f89702f7fcbdac6d403c97d6300133d07693e5d4

Download Submit
\Windows\SysWOW64\Kgeoddal.exe

Filesize
50KB

MD5
2dfb054d1455659e84f63b4564b836a1

SHA1
cefe3d304cc8217101c0de8723c3110649f74972

SHA256
2317733f07ca1324219e2accbfc28cf9ca5a585884f10c96f84c35a38eaa42f2

SHA512
ead63fe4e5d97db8e6db692061e903c55a20fcdd31cab909a20c80b722f806c57efac3d6ff84049144ec4d20f89702f7fcbdac6d403c97d6300133d07693e5d4

Download Submit
\Windows\SysWOW64\Kllnig32.exe

Filesize
50KB

MD5
3e5eb813114d3cdfef1ac218e4cc2fed

SHA1
f3cca3afa74f1e9f29cfd6d5513971ee32a3f1b8

SHA256
84552c3ccd430bbd8ee8a5dade6a3b8a165866c4752d4541d2ff35aefe6bb171

SHA512
be38ced8b37ce0859b7b73bef782d146af95221a6966c3c85824817cdd6ad2101427b404c42f21887b210950a2c450b85d5b7bca140c720064a6175db82d535a

Download Submit
\Windows\SysWOW64\Kllnig32.exe

Filesize
50KB

MD5
3e5eb813114d3cdfef1ac218e4cc2fed

SHA1
f3cca3afa74f1e9f29cfd6d5513971ee32a3f1b8

SHA256
84552c3ccd430bbd8ee8a5dade6a3b8a165866c4752d4541d2ff35aefe6bb171

SHA512
be38ced8b37ce0859b7b73bef782d146af95221a6966c3c85824817cdd6ad2101427b404c42f21887b210950a2c450b85d5b7bca140c720064a6175db82d535a

Download Submit
\Windows\SysWOW64\Kmddbk32.exe

Filesize
50KB

MD5
9b1669b0c8f3d83ec05fac9eea3ff633

SHA1
29337fc9861b7f5137dfaf7a78f124759d3b6de9

SHA256
384731d843d4d573c662249761a98e30e01f2c17e99f4512b7a1cf440fe86b02

SHA512
11c096f8f2f6e5e7d6fbf830296610e4b6433e85c9f24682e18aafd4cf772a8d819746a552b7376cbb02512ed0ddbeef0167025519f9bac0bb15f5a9fcaab5fe

Download Submit
\Windows\SysWOW64\Kmddbk32.exe

Filesize
50KB

MD5
9b1669b0c8f3d83ec05fac9eea3ff633

SHA1
29337fc9861b7f5137dfaf7a78f124759d3b6de9

SHA256
384731d843d4d573c662249761a98e30e01f2c17e99f4512b7a1cf440fe86b02

SHA512
11c096f8f2f6e5e7d6fbf830296610e4b6433e85c9f24682e18aafd4cf772a8d819746a552b7376cbb02512ed0ddbeef0167025519f9bac0bb15f5a9fcaab5fe

Download Submit
\Windows\SysWOW64\Kpemdf32.exe

Filesize
50KB

MD5
dfe60fd45504f3d993fcf47aea4414ea

SHA1
1c3d2e89b77b3c7a2bf1aa24f0794db48d3e27c6

SHA256
7e67d98929ae76ad139f3cef7853a893dd3dfb5bc9ccf9770ae1050a7fa7f71a

SHA512
ffd1d41a4508259699af1651d6776c20eab5756f8c739eb6ccb2f42bdd9d56dbb63255f97faeb3f9b6061c1fd6c43073761ffa4acdbe2ae74a67fd68c533ae1a

Download Submit
\Windows\SysWOW64\Kpemdf32.exe

Filesize
50KB

MD5
dfe60fd45504f3d993fcf47aea4414ea

SHA1
1c3d2e89b77b3c7a2bf1aa24f0794db48d3e27c6

SHA256
7e67d98929ae76ad139f3cef7853a893dd3dfb5bc9ccf9770ae1050a7fa7f71a

SHA512
ffd1d41a4508259699af1651d6776c20eab5756f8c739eb6ccb2f42bdd9d56dbb63255f97faeb3f9b6061c1fd6c43073761ffa4acdbe2ae74a67fd68c533ae1a

Download Submit
\Windows\SysWOW64\Lhekcgdh.exe

Filesize
50KB

MD5
8b4dcd21e145098a2430781cd6d4ddca

SHA1
967a6bd353d919732cb4e05f0a20129b2cdcbf6f

SHA256
97f20fe51b8b2d30abddfdd8d828af8d1e3e1b16137e3ea522990b1a9bb55d19

SHA512
6e7140fabb1c9109d3a9f3b63443ea132d30d9bd743af36018a777cc0a73c01d8665d013089a300181137e9b4da212f309d6c13eee5553dcad42a4c9dc45dc7f

Download Submit
\Windows\SysWOW64\Lhekcgdh.exe

Filesize
50KB

MD5
8b4dcd21e145098a2430781cd6d4ddca

SHA1
967a6bd353d919732cb4e05f0a20129b2cdcbf6f

SHA256
97f20fe51b8b2d30abddfdd8d828af8d1e3e1b16137e3ea522990b1a9bb55d19

SHA512
6e7140fabb1c9109d3a9f3b63443ea132d30d9bd743af36018a777cc0a73c01d8665d013089a300181137e9b4da212f309d6c13eee5553dcad42a4c9dc45dc7f

Download Submit
\Windows\SysWOW64\Mekdaocj.exe

Filesize
50KB

MD5
33de7692c77e2b6e59f7d6dca3bcacb1

SHA1
7ba0abc12bb463e4808a37a694b1b43fb24633dd

SHA256
4bd04d663df936f12cc71bc7ae8562e05b98d9f60b13d82a0fcb4ba967d42edf

SHA512
3e9c9ffe122a71a173bbc791ef3aee435d94df3d9f9c2ebfbc815f36a7299c58a94412f69d7ea8edf20c3e9756b1112afee74c301fe4ee8e558d3713ceafe688

Download Submit
\Windows\SysWOW64\Mekdaocj.exe

Filesize
50KB

MD5
33de7692c77e2b6e59f7d6dca3bcacb1

SHA1
7ba0abc12bb463e4808a37a694b1b43fb24633dd

SHA256
4bd04d663df936f12cc71bc7ae8562e05b98d9f60b13d82a0fcb4ba967d42edf

SHA512
3e9c9ffe122a71a173bbc791ef3aee435d94df3d9f9c2ebfbc815f36a7299c58a94412f69d7ea8edf20c3e9756b1112afee74c301fe4ee8e558d3713ceafe688

Download Submit
\Windows\SysWOW64\Middlnnf.exe

Filesize
50KB

MD5
cb3bd02ff51b9307142de7a0d45cfb40

SHA1
edd7aa2d5e930134d6576cb61db66ef5e7f8d70c

SHA256
6a9dac303ab00af4351023e10b1ac17facb0d4d011ecba5f215ed6167847ba83

SHA512
ecbaa8d4e8e8eecf7a7a120434602b73753b011ad937c83a06b13fd84652f75c17d4619c517b302907b140443cd51c19430b91610c601d129d79824aad4a3e44

Download Submit
\Windows\SysWOW64\Middlnnf.exe

Filesize
50KB

MD5
cb3bd02ff51b9307142de7a0d45cfb40

SHA1
edd7aa2d5e930134d6576cb61db66ef5e7f8d70c

SHA256
6a9dac303ab00af4351023e10b1ac17facb0d4d011ecba5f215ed6167847ba83

SHA512
ecbaa8d4e8e8eecf7a7a120434602b73753b011ad937c83a06b13fd84652f75c17d4619c517b302907b140443cd51c19430b91610c601d129d79824aad4a3e44

Download Submit
\Windows\SysWOW64\Mlbphimj.exe

Filesize
50KB

MD5
18e82a23d6ee6d09cb90c4d0d2ba3b96

SHA1
dfbfa40dbcaca7c4d419b9c574c9867c15b18542

SHA256
48741ab19ad62723dba85a564176b511eb445abc6a8ce358dc65697041e82f2b

SHA512
af020bf10f17cf608862b89c87c60c7bc79b6326d9aa757d4fa16a66319b8b3382168f4e2c177ce5d8d1a4d0930c4f533e6a01dac9de523ef96a3c26690d731b

Download Submit
\Windows\SysWOW64\Mlbphimj.exe

Filesize
50KB

MD5
18e82a23d6ee6d09cb90c4d0d2ba3b96

SHA1
dfbfa40dbcaca7c4d419b9c574c9867c15b18542

SHA256
48741ab19ad62723dba85a564176b511eb445abc6a8ce358dc65697041e82f2b

SHA512
af020bf10f17cf608862b89c87c60c7bc79b6326d9aa757d4fa16a66319b8b3382168f4e2c177ce5d8d1a4d0930c4f533e6a01dac9de523ef96a3c26690d731b

Download Submit
\Windows\SysWOW64\Moopoenp.exe

Filesize
50KB

MD5
7c37582eb7269fce2b260d2b2bef71ea

SHA1
e19ce5c7904c01e8df58c1fd0b3ec5ee5a40f111

SHA256
305a37edc8feaee66a9b31aa40f71a08888c666dd363009fc96ced4ad3388281

SHA512
75ccd9204f1777c3a6972cf1a6a085c85b0c77d719fbf03fd6f8b24d830b4f409809b8b9f1cc360769455b6242e9cede6b99382dafe5e22f3dbe1521ee2c5d99

Download Submit
\Windows\SysWOW64\Moopoenp.exe

Filesize
50KB

MD5
7c37582eb7269fce2b260d2b2bef71ea

SHA1
e19ce5c7904c01e8df58c1fd0b3ec5ee5a40f111

SHA256
305a37edc8feaee66a9b31aa40f71a08888c666dd363009fc96ced4ad3388281

SHA512
75ccd9204f1777c3a6972cf1a6a085c85b0c77d719fbf03fd6f8b24d830b4f409809b8b9f1cc360769455b6242e9cede6b99382dafe5e22f3dbe1521ee2c5d99

Download Submit
memory/268-67-0x0000000000000000-mapping.dmp

Download
memory/268-105-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/268-237-0x0000000000000000-mapping.dmp

Download
memory/288-115-0x0000000000000000-mapping.dmp

Download
memory/288-244-0x0000000000000000-mapping.dmp

Download
memory/288-155-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/324-152-0x0000000000000000-mapping.dmp

Download
memory/324-166-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/380-214-0x0000000000000000-mapping.dmp

Download
memory/544-167-0x0000000000000000-mapping.dmp

Download
memory/544-171-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/552-240-0x0000000000000000-mapping.dmp

Download
memory/560-102-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/560-62-0x0000000000000000-mapping.dmp

Download
memory/568-177-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/568-175-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/568-178-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/568-170-0x0000000000000000-mapping.dmp

Download
memory/572-213-0x0000000000000000-mapping.dmp

Download
memory/572-231-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/624-274-0x0000000000000000-mapping.dmp

Download
memory/764-215-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/764-206-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/764-194-0x0000000000000000-mapping.dmp

Download
memory/824-72-0x0000000000000000-mapping.dmp

Download
memory/824-109-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/832-187-0x0000000000000000-mapping.dmp

Download
memory/832-198-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/860-201-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/860-190-0x0000000000000000-mapping.dmp

Download
memory/872-113-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/872-82-0x0000000000000000-mapping.dmp

Download
memory/872-239-0x0000000000000000-mapping.dmp

Download
memory/892-208-0x0000000000000000-mapping.dmp

Download
memory/892-219-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/892-221-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/892-220-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/900-242-0x0000000000000000-mapping.dmp

Download
memory/908-180-0x0000000000000000-mapping.dmp

Download
memory/908-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/928-174-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/928-169-0x0000000000000000-mapping.dmp

Download
memory/928-173-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/972-161-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/972-147-0x0000000000000000-mapping.dmp

Download
memory/992-191-0x0000000000000000-mapping.dmp

Download
memory/992-202-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1036-181-0x0000000000000000-mapping.dmp

Download
memory/1036-184-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1100-186-0x0000000000000000-mapping.dmp

Download
memory/1100-195-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1168-238-0x0000000000000000-mapping.dmp

Download
memory/1280-121-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1280-92-0x0000000000000000-mapping.dmp

Download
memory/1280-119-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1340-223-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1340-210-0x0000000000000000-mapping.dmp

Download
memory/1352-165-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1352-151-0x0000000000000000-mapping.dmp

Download
memory/1436-241-0x0000000000000000-mapping.dmp

Download
memory/1436-99-0x0000000000000000-mapping.dmp

Download
memory/1436-153-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1444-243-0x0000000000000000-mapping.dmp

Download
memory/1452-197-0x0000000000000000-mapping.dmp

Download
memory/1452-216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1488-217-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1488-205-0x0000000000000000-mapping.dmp

Download
memory/1492-236-0x0000000000000000-mapping.dmp

Download
memory/1500-192-0x0000000000000000-mapping.dmp

Download
memory/1500-203-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1516-224-0x0000000000000000-mapping.dmp

Download
memory/1540-189-0x0000000000000000-mapping.dmp

Download
memory/1540-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1544-107-0x0000000000000000-mapping.dmp

Download
memory/1544-154-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1560-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1560-176-0x0000000000000000-mapping.dmp

Download
memory/1560-182-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/1564-157-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1564-129-0x0000000000000000-mapping.dmp

Download
memory/1576-233-0x0000000000000000-mapping.dmp

Download
memory/1624-164-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1624-150-0x0000000000000000-mapping.dmp

Download
memory/1640-172-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1640-168-0x0000000000000000-mapping.dmp

Download
memory/1664-199-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1664-188-0x0000000000000000-mapping.dmp

Download
memory/1676-228-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1676-230-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1676-229-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1676-212-0x0000000000000000-mapping.dmp

Download
memory/1700-262-0x0000000000000000-mapping.dmp

Download
memory/1704-193-0x0000000000000000-mapping.dmp

Download
memory/1704-204-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1728-196-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1728-185-0x0000000000000000-mapping.dmp

Download
memory/1740-273-0x0000000000000000-mapping.dmp

Download
memory/1744-226-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1744-227-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1776-159-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1776-139-0x0000000000000000-mapping.dmp

Download
memory/1824-116-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1824-118-0x00000000005D0000-0x0000000000601000-memory.dmp

Filesize
196KB

Download
memory/1824-87-0x0000000000000000-mapping.dmp

Download
memory/1832-160-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1832-144-0x0000000000000000-mapping.dmp

Download
memory/1832-253-0x0000000000000000-mapping.dmp

Download
memory/1880-111-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1880-77-0x0000000000000000-mapping.dmp

Download
memory/1932-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1932-149-0x0000000000000000-mapping.dmp

Download
memory/1936-148-0x0000000000000000-mapping.dmp

Download
memory/1936-162-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1948-218-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1948-207-0x0000000000000000-mapping.dmp

Download
memory/1960-158-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1960-134-0x0000000000000000-mapping.dmp

Download
memory/1976-225-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1976-211-0x0000000000000000-mapping.dmp

Download
memory/1984-156-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1984-124-0x0000000000000000-mapping.dmp

Download
memory/1988-100-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1988-57-0x0000000000000000-mapping.dmp

Download
memory/2000-222-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2000-209-0x0000000000000000-mapping.dmp

Download
memory/2028-94-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2028-96-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2028-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download