74218f91ad1b0fb48b75325eddbf9cf8a62e365091aa92805f1326f0ab812667

Analysis

max time kernel
131s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 20:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74218f91ad1b0fb48b75325eddbf9cf8a62e365091aa92805f1326f0ab812667.exe
Size

81KB
MD5

c2afef5ab2d4e6063b4843ccab94475b
SHA1

295081f52ca52e662434695762429c9771a73b7a
SHA256

74218f91ad1b0fb48b75325eddbf9cf8a62e365091aa92805f1326f0ab812667
SHA512

23c8189f0176ed4d72480393d3f23c42da08596ddd4eed32ef54a08f7bbcfab1aa81202278e8d9e7caa1f9c3e122bc9a53ea6342de19f5ae9ec0db97d3a70d14
SSDEEP

1536:BXAPi0hW+GzWaYhiQ9sg8O4a2jLDpk7m4LO++/+1m6KadhYxU33HX0L:OiOWRWDCgiaGDpk/LrCimBaH8UH30L

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gokbgpeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekcgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klekfinp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkmjaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gijmad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjdikqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhgonidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiacacpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hicpgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlbcnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbhoeid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcimdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqlfhjig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpolbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eomffaag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiikpnmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmladbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbohpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcngpjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeandma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enfckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekjded32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqoefand.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjola32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiqjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkkik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jphkkpbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mapppn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe

Executes dropped EXE 64 IoCs

pid	Process
2592	Innfnl32.exe
880	Iggjga32.exe
2144	Inqbclob.exe
1576	Ipoopgnf.exe
4260	Mnpabe32.exe
3436	Aafemk32.exe
2608	Cndeii32.exe
4252	Eiloco32.exe
3204	Eeelnp32.exe
3168	Ennqfenp.exe
4844	Ekaapi32.exe
4692	Efgemb32.exe
2136	Ekdnei32.exe
1856	Felbnn32.exe
1664	Fneggdhg.exe
1004	Feoodn32.exe
4536	Fbbpmb32.exe
4880	Flkdfh32.exe
4004	Fechomko.exe
680	Fbgihaji.exe
3720	Fmmmfj32.exe
3996	Fnnjmbpm.exe
4356	Gehbjm32.exe
3364	Gnqfcbnj.exe
4100	Gejopl32.exe
3840	Gppcmeem.exe
1408	Gihgfk32.exe
3852	Gpbpbecj.exe
2556	Gmfplibd.exe
1832	Gfodeohd.exe
2340	Gimqajgh.exe
4972	Gbeejp32.exe
936	Holfoqcm.exe
3324	Hibjli32.exe
3404	Hoobdp32.exe
3452	Hehkajig.exe
1188	Hlbcnd32.exe
2268	Hekgfj32.exe
3428	Hpqldc32.exe
264	Hbohpn32.exe
4652	Hiipmhmk.exe
4608	Ibaeen32.exe
4980	Iepaaico.exe
2684	Iliinc32.exe
4612	Iohejo32.exe
888	Iebngial.exe
4428	Illfdc32.exe
4952	Imkbnf32.exe
3328	Ilnbicff.exe
5128	Iibccgep.exe
5176	Iidphgcn.exe
5220	Jghpbk32.exe
5260	Jmbhoeid.exe
5300	Jcoaglhk.exe
5344	Jmeede32.exe
5384	Jebfng32.exe
5444	Jphkkpbp.exe
5500	Jedccfqg.exe
5540	Jlolpq32.exe
5580	Kgdpni32.exe
5624	Kncaec32.exe
5664	Kodnmkap.exe
5704	Kpcjgnhb.exe
5744	Ljnlecmp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mmkdcm32.exe	Mgloefco.exe
File created	C:\Windows\SysWOW64\Bcjfln32.dll	Mgloefco.exe
File opened for modification	C:\Windows\SysWOW64\Ojajin32.exe	Offnhpfo.exe
File opened for modification	C:\Windows\SysWOW64\Jhplpl32.exe	Jbccge32.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Calfpk32.exe
File opened for modification	C:\Windows\SysWOW64\Holfoqcm.exe	Gbeejp32.exe
File created	C:\Windows\SysWOW64\Dahcld32.dll	Ilnbicff.exe
File opened for modification	C:\Windows\SysWOW64\Eojiqb32.exe	Egcaod32.exe
File created	C:\Windows\SysWOW64\Cmedjl32.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Dhikci32.exe	Dqbcbkab.exe
File created	C:\Windows\SysWOW64\Fbbpmb32.exe	Feoodn32.exe
File created	C:\Windows\SysWOW64\Jedccfqg.exe	Jphkkpbp.exe
File opened for modification	C:\Windows\SysWOW64\Opclldhj.exe	Omdppiif.exe
File created	C:\Windows\SysWOW64\Blnfhilh.dll	Hpioin32.exe
File created	C:\Windows\SysWOW64\Ipgkjlmg.exe	Iimcma32.exe
File created	C:\Windows\SysWOW64\Hcoejf32.dll	Modpib32.exe
File created	C:\Windows\SysWOW64\Fhcbhh32.dll	Qfmfefni.exe
File created	C:\Windows\SysWOW64\Ombnni32.dll	Ljnlecmp.exe
File opened for modification	C:\Windows\SysWOW64\Klndfj32.exe	Jhplpl32.exe
File opened for modification	C:\Windows\SysWOW64\Lfgipd32.exe	Lcimdh32.exe
File created	C:\Windows\SysWOW64\Gbhibfek.dll	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Ipoopgnf.exe	Inqbclob.exe
File opened for modification	C:\Windows\SysWOW64\Eiloco32.exe	Cndeii32.exe
File created	C:\Windows\SysWOW64\Hehkajig.exe	Hoobdp32.exe
File opened for modification	C:\Windows\SysWOW64\Iohejo32.exe	Iliinc32.exe
File opened for modification	C:\Windows\SysWOW64\Fiqjke32.exe	Fajbjh32.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Coqncejg.exe
File created	C:\Windows\SysWOW64\Gipbmd32.dll	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Hpqldc32.exe	Hekgfj32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcngpjh.exe	Mjodla32.exe
File opened for modification	C:\Windows\SysWOW64\Ofkgcobj.exe	Ombcji32.exe
File created	C:\Windows\SysWOW64\Cdaile32.exe	Cacmpj32.exe
File opened for modification	C:\Windows\SysWOW64\Inebjihf.exe	Haaaaeim.exe
File created	C:\Windows\SysWOW64\Omalpc32.exe	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Fohhdm32.dll	Cildom32.exe
File created	C:\Windows\SysWOW64\Ghcjeh32.dll	Eiloco32.exe
File opened for modification	C:\Windows\SysWOW64\Mfpell32.exe	Mpclce32.exe
File created	C:\Windows\SysWOW64\Nqdmimbf.dll	Gfodeohd.exe
File opened for modification	C:\Windows\SysWOW64\Illfdc32.exe	Iebngial.exe
File created	C:\Windows\SysWOW64\Dhgonidg.exe	Damfao32.exe
File created	C:\Windows\SysWOW64\Pencqe32.dll	Pbhgoh32.exe
File created	C:\Windows\SysWOW64\Aolece32.dll	Fmmmfj32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjola32.exe	Nggnadib.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Coqncejg.exe
File opened for modification	C:\Windows\SysWOW64\Eqgmmk32.exe	Enhpao32.exe
File created	C:\Windows\SysWOW64\Cdmoafdb.exe	Cpacqg32.exe
File created	C:\Windows\SysWOW64\Cildom32.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Kfcfimfi.dll	Pfdjinjo.exe
File created	C:\Windows\SysWOW64\Qnbidcgp.dll	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Idknpoad.dll	Iimcma32.exe
File opened for modification	C:\Windows\SysWOW64\Gejopl32.exe	Gnqfcbnj.exe
File created	C:\Windows\SysWOW64\Lnoaaaad.exe	Lfgipd32.exe
File created	C:\Windows\SysWOW64\Pnplfj32.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Aoioli32.exe	Adcjop32.exe
File created	C:\Windows\SysWOW64\Cponen32.exe	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Ddcebe32.exe	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Kpccmhdg.exe	Kiikpnmj.exe
File opened for modification	C:\Windows\SysWOW64\Jphkkpbp.exe	Jebfng32.exe
File created	C:\Windows\SysWOW64\Adfnba32.dll	Nmipdk32.exe
File opened for modification	C:\Windows\SysWOW64\Pffgom32.exe	Pdhkcb32.exe
File created	C:\Windows\SysWOW64\Apnndj32.exe	Apjdikqd.exe
File created	C:\Windows\SysWOW64\Hoobdp32.exe	Hibjli32.exe
File created	C:\Windows\SysWOW64\Bdimkqnb.dll	Jmbhoeid.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9900	9784	WerFault.exe	424

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnpabe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hibjli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cildom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Felbnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmmmfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijgiemgc.dll"	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iohejo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpochfji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll"	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjhbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdimkqnb.dll"	Jmbhoeid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jphkkpbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpchk32.dll"	Jbccge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbeejp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhmleng.dll"	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnfmbmbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahceqce.dll"	Gbkkik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnpabe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpaihooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhgiim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnonkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdgodo.dll"	Chkobkod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fneggdhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnafno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipgkfab.dll"	Mpclce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbhoeid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnbeeiji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klekfinp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fechomko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balgcpkn.dll"	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll"	Ncqlkemc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgeenfog.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 2592	768	74218f91ad1b0fb48b75325eddbf9cf8a62e365091aa92805f1326f0ab812667.exe	94
PID 768 wrote to memory of 2592	768	74218f91ad1b0fb48b75325eddbf9cf8a62e365091aa92805f1326f0ab812667.exe	94
PID 768 wrote to memory of 2592	768	74218f91ad1b0fb48b75325eddbf9cf8a62e365091aa92805f1326f0ab812667.exe	94
PID 2592 wrote to memory of 880	2592	Innfnl32.exe	95
PID 2592 wrote to memory of 880	2592	Innfnl32.exe	95
PID 2592 wrote to memory of 880	2592	Innfnl32.exe	95
PID 880 wrote to memory of 2144	880	Iggjga32.exe	96
PID 880 wrote to memory of 2144	880	Iggjga32.exe	96
PID 880 wrote to memory of 2144	880	Iggjga32.exe	96
PID 2144 wrote to memory of 1576	2144	Inqbclob.exe	98
PID 2144 wrote to memory of 1576	2144	Inqbclob.exe	98
PID 2144 wrote to memory of 1576	2144	Inqbclob.exe	98
PID 1576 wrote to memory of 4260	1576	Ipoopgnf.exe	100
PID 1576 wrote to memory of 4260	1576	Ipoopgnf.exe	100
PID 1576 wrote to memory of 4260	1576	Ipoopgnf.exe	100
PID 4260 wrote to memory of 3436	4260	Mnpabe32.exe	101
PID 4260 wrote to memory of 3436	4260	Mnpabe32.exe	101
PID 4260 wrote to memory of 3436	4260	Mnpabe32.exe	101
PID 3436 wrote to memory of 2608	3436	Aafemk32.exe	102
PID 3436 wrote to memory of 2608	3436	Aafemk32.exe	102
PID 3436 wrote to memory of 2608	3436	Aafemk32.exe	102
PID 2608 wrote to memory of 4252	2608	Cndeii32.exe	103
PID 2608 wrote to memory of 4252	2608	Cndeii32.exe	103
PID 2608 wrote to memory of 4252	2608	Cndeii32.exe	103
PID 4252 wrote to memory of 3204	4252	Eiloco32.exe	105
PID 4252 wrote to memory of 3204	4252	Eiloco32.exe	105
PID 4252 wrote to memory of 3204	4252	Eiloco32.exe	105
PID 3204 wrote to memory of 3168	3204	Eeelnp32.exe	106
PID 3204 wrote to memory of 3168	3204	Eeelnp32.exe	106
PID 3204 wrote to memory of 3168	3204	Eeelnp32.exe	106
PID 3168 wrote to memory of 4844	3168	Ennqfenp.exe	107
PID 3168 wrote to memory of 4844	3168	Ennqfenp.exe	107
PID 3168 wrote to memory of 4844	3168	Ennqfenp.exe	107
PID 4844 wrote to memory of 4692	4844	Ekaapi32.exe	108
PID 4844 wrote to memory of 4692	4844	Ekaapi32.exe	108
PID 4844 wrote to memory of 4692	4844	Ekaapi32.exe	108
PID 4692 wrote to memory of 2136	4692	Efgemb32.exe	109
PID 4692 wrote to memory of 2136	4692	Efgemb32.exe	109
PID 4692 wrote to memory of 2136	4692	Efgemb32.exe	109
PID 2136 wrote to memory of 1856	2136	Ekdnei32.exe	110
PID 2136 wrote to memory of 1856	2136	Ekdnei32.exe	110
PID 2136 wrote to memory of 1856	2136	Ekdnei32.exe	110
PID 1856 wrote to memory of 1664	1856	Felbnn32.exe	111
PID 1856 wrote to memory of 1664	1856	Felbnn32.exe	111
PID 1856 wrote to memory of 1664	1856	Felbnn32.exe	111
PID 1664 wrote to memory of 1004	1664	Fneggdhg.exe	112
PID 1664 wrote to memory of 1004	1664	Fneggdhg.exe	112
PID 1664 wrote to memory of 1004	1664	Fneggdhg.exe	112
PID 1004 wrote to memory of 4536	1004	Feoodn32.exe	113
PID 1004 wrote to memory of 4536	1004	Feoodn32.exe	113
PID 1004 wrote to memory of 4536	1004	Feoodn32.exe	113
PID 4536 wrote to memory of 4880	4536	Fbbpmb32.exe	114
PID 4536 wrote to memory of 4880	4536	Fbbpmb32.exe	114
PID 4536 wrote to memory of 4880	4536	Fbbpmb32.exe	114
PID 4880 wrote to memory of 4004	4880	Flkdfh32.exe	115
PID 4880 wrote to memory of 4004	4880	Flkdfh32.exe	115
PID 4880 wrote to memory of 4004	4880	Flkdfh32.exe	115
PID 4004 wrote to memory of 680	4004	Fechomko.exe	116
PID 4004 wrote to memory of 680	4004	Fechomko.exe	116
PID 4004 wrote to memory of 680	4004	Fechomko.exe	116
PID 680 wrote to memory of 3720	680	Fbgihaji.exe	117
PID 680 wrote to memory of 3720	680	Fbgihaji.exe	117
PID 680 wrote to memory of 3720	680	Fbgihaji.exe	117
PID 3720 wrote to memory of 3996	3720	Fmmmfj32.exe	118

C:\Users\Admin\AppData\Local\Temp\74218f91ad1b0fb48b75325eddbf9cf8a62e365091aa92805f1326f0ab812667.exe
"C:\Users\Admin\AppData\Local\Temp\74218f91ad1b0fb48b75325eddbf9cf8a62e365091aa92805f1326f0ab812667.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\SysWOW64\Innfnl32.exe
  C:\Windows\system32\Innfnl32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\Iggjga32.exe
    C:\Windows\system32\Iggjga32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Windows\SysWOW64\Inqbclob.exe
      C:\Windows\system32\Inqbclob.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\Ipoopgnf.exe
        
        C:\Windows\system32\Ipoopgnf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\SysWOW64\Mnpabe32.exe
        
        C:\Windows\system32\Mnpabe32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Aafemk32.exe
        
        C:\Windows\system32\Aafemk32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        23⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        24⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        26⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        27⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        28⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        29⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        30⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        32⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Hehkajig.exe
        
        C:\Windows\system32\Hehkajig.exe
        37⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        40⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:264
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        42⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        43⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        44⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        48⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        49⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        51⤵
        Executes dropped EXE
        
        PID:5128
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        52⤵
        Executes dropped EXE
        
        PID:5176
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        53⤵
        Executes dropped EXE
        
        PID:5220
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        55⤵
        Executes dropped EXE
        
        PID:5300
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        56⤵
        Executes dropped EXE
        
        PID:5344
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        59⤵
        Executes dropped EXE
        
        PID:5500
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        60⤵
        Executes dropped EXE
        
        PID:5540
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        61⤵
        Executes dropped EXE
        
        PID:5580
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        62⤵
        Executes dropped EXE
        
        PID:5624
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        63⤵
        Executes dropped EXE
        
        PID:5664
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        64⤵
        Executes dropped EXE
        
        PID:5704
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        66⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        67⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        68⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        72⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        74⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        75⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        76⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        77⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        80⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        81⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        83⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        84⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        85⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        86⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        87⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        89⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        90⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        91⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        92⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        93⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        94⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        95⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        96⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        97⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        99⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        100⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        101⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        103⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        105⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        106⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        108⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        110⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        112⤵
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        113⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        114⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        115⤵
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        116⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        117⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        118⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        119⤵
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        120⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        121⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        122⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        124⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        126⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        127⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        128⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        130⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        132⤵
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        134⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        135⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        136⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        137⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        138⤵
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        139⤵
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        140⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        141⤵
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        142⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        143⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        144⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        145⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        146⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        147⤵
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        148⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        151⤵
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        153⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        154⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        155⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        156⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        158⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6792
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        160⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        161⤵
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        162⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        163⤵
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        164⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        165⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        166⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        167⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7192
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        169⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        170⤵
        Drops file in System32 directory
        
        PID:7276
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        171⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        172⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Enfckp32.exe
        
        C:\Windows\system32\Enfckp32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7432
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        174⤵
        Modifies registry class
        
        PID:7488
        
        C:\Windows\SysWOW64\Ehlhih32.exe
        
        C:\Windows\system32\Ehlhih32.exe
        175⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7604
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        177⤵
        Drops file in System32 directory
        
        PID:7652
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        178⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        179⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        180⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        181⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        182⤵
        Drops file in System32 directory
        
        PID:7900
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        183⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        184⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8028
        
        C:\Windows\SysWOW64\Ehbnigjj.exe
        
        C:\Windows\system32\Ehbnigjj.exe
        186⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8128
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        188⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7240
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        190⤵
        Modifies registry class
        
        PID:7340
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        191⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        192⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7588
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        194⤵
        Drops file in System32 directory
        
        PID:7688
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7736
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7824
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        197⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        198⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8036
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        200⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        201⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5048
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        203⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        204⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        205⤵
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        206⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7660
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        208⤵
        
        PID:836
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        209⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        210⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        211⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        212⤵
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        213⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        215⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7740
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        217⤵
        Modifies registry class
        
        PID:7832
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        218⤵
        Drops file in System32 directory
        
        PID:7948
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        219⤵
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        220⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        221⤵
        Drops file in System32 directory
        
        PID:7484
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        222⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        223⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        224⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        225⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        226⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8120
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        228⤵
        Modifies registry class
        
        PID:7752
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        229⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        230⤵
        Modifies registry class
        
        PID:8260
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        231⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        232⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8344
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        233⤵
        Drops file in System32 directory
        
        PID:8384
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        234⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        235⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8512
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        237⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        238⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        239⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        240⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8720
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        242⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8812
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8864
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        245⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        246⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        247⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        248⤵
        Modifies registry class
        
        PID:9032
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9076
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9116
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        251⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9160
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        252⤵
        Modifies registry class
        
        PID:9208
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8248
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        254⤵
        Modifies registry class
        
        PID:8312
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        255⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        256⤵
        Modifies registry class
        
        PID:8456
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        257⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        258⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        259⤵
        Modifies registry class
        
        PID:8672
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        260⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        261⤵
        Drops file in System32 directory
        
        PID:8872
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        262⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        263⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        264⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        265⤵
        Modifies registry class
        
        PID:9144
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        266⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        267⤵
        Drops file in System32 directory
        
        PID:8284
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        268⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        269⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8692
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        271⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8848
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        272⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        273⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:9152
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        275⤵
        Drops file in System32 directory
        
        PID:8256
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        276⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8648
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        278⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        279⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        280⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        281⤵
        Drops file in System32 directory
        
        PID:8608
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        282⤵
        Modifies registry class
        
        PID:8788
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8196
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4028
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9104
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        286⤵
        Modifies registry class
        
        PID:7384
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        287⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        288⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        289⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        290⤵
        Modifies registry class
        
        PID:9312
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        291⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        292⤵
        Modifies registry class
        
        PID:9400
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        293⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9436
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        294⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9520
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        296⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9572
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        297⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        298⤵
        Drops file in System32 directory
        
        PID:9664
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        299⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        300⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        301⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9828
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        303⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        304⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9924
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        305⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9964
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        306⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        307⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10124
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        309⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:10172
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        310⤵
        Drops file in System32 directory
        
        PID:10228
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        311⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        312⤵
        Modifies registry class
        
        PID:9320
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        313⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        314⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        315⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9508
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        316⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        317⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        318⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        319⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9784 -s 404
        320⤵
        Program crash
        
        PID:9900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 9784 -ip 9784
1⤵
PID:9872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4856 --field-trial-handle=2276,i,1205556100727695622,5044463180471657307,262144 --variations-seed-version /prefetch:8
1⤵
PID:9656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aafemk32.exe

Filesize
81KB

MD5
c53fc4f74a33be841a0c6e4f0fa01aa9

SHA1
042232e4a0324b00a45a7821de54437ee48eea23

SHA256
23d9d084e3f83bf0c5bf224c44276353461251f9a53ce76298af61f607786cd7

SHA512
b827cb041cebe9c54645e2bcb20d0cf9ff3aee0cea0b42b5421e9e68ab84a6930661d7361abceb552d938a71acf43ccd6b00b81d00c4f8093b97c6f03d0e8556

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
81KB

MD5
c8c85537277a1ad9e2bbd0c71140d0ab

SHA1
1cdabfa8889c9487117d301449497be296662951

SHA256
437ca488cee839cc546c13e52535fafb90700622c296b3706c67ed4d79411664

SHA512
14a11a2822abb1655776415972442e63593eff0bc6ce00e3c6e4319d525a26b9d3a4240e7683d04bb3181924675d23542da6801793aa20b8e04030513750b133

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
81KB

MD5
de4e51740662058b25580a96110699be

SHA1
799cd0c8feb665d596a53e58b4e7d70d991730e7

SHA256
3aea2a56376ab31c23dce6e7143a75d0d2970730c90d2dc2fed852abcc44f906

SHA512
b4df3f2bb54d0a74a5e8b5a55ab915d4ec1a38a1bc9c33b83301fcf22a786c625d818560d48f46446a92277cac49e8a9083c7417707cf200a1564ad4ec3737f1

Download Submit
C:\Windows\SysWOW64\Ckgohf32.exe

Filesize
81KB

MD5
5f62f29305f81931401bffde9dddb797

SHA1
d9b135ef7cc0d493377403aa184ea35904d79105

SHA256
649122a42a93a426848aec0bed2066bca4092fd6725090df0c6e75db1e269083

SHA512
0a660fdefed9cf41996af660482b0a62562a48e8da428f2336efd3197fc62bdc1e2353dcd8456d520e891531a3248bf3a8e9c06414bcb2c2f437a891e059f758

Download Submit
C:\Windows\SysWOW64\Cndeii32.exe

Filesize
81KB

MD5
5a459adf0e556c76bfd42c3931235eb9

SHA1
a861ba503f8de3830ecb4911d0a83daefa4b6780

SHA256
6705f0a22a0a903cbedd966c2c81ab5e7c5c2b12da93d947987bf48414e43b0d

SHA512
082305b63c9de5875f484b33019849998abaff3d4e7ef24f422296581ff6fab76eb158a3df77a10178344713a04e41dfa2ef90000182133cdcde3bd59c767ae9

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
81KB

MD5
6c8a061fc2edb0527a888170044355e3

SHA1
221b6575aa33765cec7a6b1e48cd757da7d35363

SHA256
af772a286b572e7b96974d670dd068f75e699f8fef0d12eb6b9c1d520bf7d775

SHA512
a51d48aa918645f344e4e291ba94e072063f5c336728fd1986428fcfeb186afd3183467e4a2310cbacc6dbab85c363e220b34caff52a7924decbbfc1d183fba8

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe

Filesize
81KB

MD5
85316b1f9ba019a9e87f2ce384b73b62

SHA1
f41a4be8e8d4ac0d540337fbad1431eb47babf14

SHA256
fe2f2ceb27e4db06803df0cc7e7c31a86eff4f48a6a8f9e5d4e74b8df3e675e5

SHA512
f639ab9d4f28b6ff76cf2ab102db8e1aa69ce436e101c67cd50635d39c7868b1a2c541449c3aa9eed4486b30866d97638e7874b102189df432d5716ad4567504

Download Submit
C:\Windows\SysWOW64\Eeelnp32.exe

Filesize
81KB

MD5
d7c2354ecb6c9030816781f7d5058462

SHA1
b0c35e710c6b0d38bd9becc0025d49cb04e1218b

SHA256
5ba4a257029c24d6d8dcbbf93033667337c0eb88537323e0757cee8dc0cf5a90

SHA512
d423c13b05482eb457e83af39ae08c586e74e6c638d40d94c2299a70510b385d6b3f38d41a061b34c2f7f7c07badf8d8e4aad8914e6d346e857123291ff023a3

Download Submit
C:\Windows\SysWOW64\Efgemb32.exe

Filesize
81KB

MD5
3a25db57025307760eb919dc646bdb20

SHA1
4571208a0217eb66100e0fde5eef2a6b3ae55d7d

SHA256
5367bb2c0c64c10151ec4c5e1ced42684ea1213f0b92a56469e993f3727b0937

SHA512
2274c0bb905f6cb9d774483fe2fa08dd045df0c8e0e6f2a735cb7b8968a457679dd527c78f8585af20674c0082783660914bd1886f76ccda75d018ed992c74cd

Download Submit
C:\Windows\SysWOW64\Eiloco32.exe

Filesize
81KB

MD5
1c685c1deab84cc871895cfd5c3b3dcf

SHA1
639e2a890966a84fe98c012fbd8b75b409b2a34a

SHA256
7da77f1e2caaa770d23abc060cc3d570c127b3fa9b794d74dd6f716671f4e8c7

SHA512
2c74d6065ce79dcd84600d0afb385151b3db7bd19ed84db3b7d4f2d5496dbed9abc00cd696c3dc4570de83a398f19c48ac5461effe304e8c3638fdeb3a8265c6

Download Submit
C:\Windows\SysWOW64\Ekaapi32.exe

Filesize
81KB

MD5
c640a67e0fa4822652a116fa296f413e

SHA1
ef683d6e65175808c65df60573c9c1a853f6f8fd

SHA256
d09ed6f0236f5e22e86dc96ac996473f90bd80845941427542cb54d9aa6227d9

SHA512
dd25b03be8a611a21132f9a90168ae12497331906680e946bc32cb3ec1879a46dae74c3b7510731602373bd2b066857e8393e20012c49f269c94e9ad2fb1eb59

Download Submit
C:\Windows\SysWOW64\Ekdnei32.exe

Filesize
81KB

MD5
af44cc88480217a81b45d74202f84bcd

SHA1
1db2b8ad5ee4cb4177915e173e16fc83015cc7ef

SHA256
013286c3717082c75bccd8a57f1398c31c7745d4efa825f86bcd2c07a9e090da

SHA512
c7781456f263e7f846343b1c4cb733a7bf6c7c9f0022241cd6f1131b718e2af98c81734d4c4a1f84eba3bb103911509b6e966fdb0f2cbe046bea310ede818e2c

Download Submit
C:\Windows\SysWOW64\Ennqfenp.exe

Filesize
81KB

MD5
7f7d3270a3eac4f629c9ecb9effd6349

SHA1
794605c1c32fbb532004a37bd606ad72762841b5

SHA256
f2e94f626a7989ae11fc4c8124735f1126cae3a6abba20a917eaefe82358ab61

SHA512
8d99373114a97fcdf58db87f1a845e12a64319aaa077b3f65209caff6b5000f342daa73b166ef767eb4fed62bc64fe991ea5744f98215a080200ecff0c2e7974

Download Submit
C:\Windows\SysWOW64\Fbbpmb32.exe

Filesize
81KB

MD5
826c3c41b7ebe94eba4c82e181fbfd00

SHA1
f308a39b76314fe9241c31e1db6c50a7e4fa46f4

SHA256
9316d03bc364c497deb786d72a41665caf55e4e7b3aa764a56b9f1b338c9b292

SHA512
078e8c2b7256bbb9ee10db5c56ef84c27846dc2ce52e837d9b452628fa5e9cbc4c049b57e95da84af88c57e86f79ee808f309f3c108dda6dfd62aeabcfc62bd1

Download Submit
C:\Windows\SysWOW64\Fbgihaji.exe

Filesize
81KB

MD5
36c6efdf52607ffd1c829e4d2b20bc9b

SHA1
1495882d19873a3416be6a4aed683acaf6cb8dc7

SHA256
01ad51cfe97d9f795bb03acedc08250a47fd113f7a19f1ee28308119436eb376

SHA512
ebe9562ff6c1ddca4f92d1b588e89863aeaebf9304c2b1f5ec41063c0e9be6f3025ac2e8d10d67d1f40ce5dbbf6794639ff7bad834e75d75d73620a7cc6e3752

Download Submit
C:\Windows\SysWOW64\Fechomko.exe

Filesize
81KB

MD5
39090cb9f01a4828a87bde4b550e38f8

SHA1
1abb0c2405c135b944fc207416a4eb171d6be02e

SHA256
691247e219050d47bab94bc19d4f20fcf6e5f63b91ac47b649df9aa76f870cf9

SHA512
1f9ea855837c5246b3ba4434bc1bfc1a9ddd13af0ff1383a5ded7e48131a2445b50e071197a14c863a1e2b11e50fdf4d1afc58d64d407d16eafb94d6895f542d

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
81KB

MD5
6ae4821c1259af44939d7d74ee77b936

SHA1
d2d37a9c3615c215e885de407ce32ddb0655c9d3

SHA256
039d2aa92e09c147455a05610be78a45ff8d7e43c0f938e25a3e9677ddff3e2f

SHA512
589638156cb24e6bc28271ab9d13e6196fc6be51f5fce39017fac6b78d3e1450906a2ffe25c9fb41ae79a765c0559f5fe8fe2aedeb19a854d14a5c85ed452562

Download Submit
C:\Windows\SysWOW64\Feoodn32.exe

Filesize
81KB

MD5
d0b713dea8137ad2a34642b42f9c19e7

SHA1
86d3e97b270a0444b10cde8aaf789338a12004c7

SHA256
f217f6de6e7d9fb40950c107c613798e81bac599782234f54d812f838945f954

SHA512
c71f898811338f59caa58dc636a8610519c31f4a767765c31eb5ea794ca78a3c949045594d3b25f529249325b7a529041638daad34138252acdea26f8bb77e70

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
81KB

MD5
624cd5b8803218eb9d51ae0bb7945b4e

SHA1
cdf53cb0ffbe2969cf07a4d1ce7155844c333435

SHA256
89558792698781420da37d456043d2cad819215fb0e7df410639722439150b00

SHA512
dea229c1e57c4520a4dc017a30488e98123acf101921f0365a7d60585c6e070c5a25a3327c87de4e40969345b5eb069416abbbfed22c06b293ee547691e29b57

Download Submit
C:\Windows\SysWOW64\Fmmmfj32.exe

Filesize
81KB

MD5
cc732aacb3962b40c08413b775fb5d5e

SHA1
f43ce0ba007e7912da2c363b15a19c1f0cbf11e9

SHA256
ed533da8c55cb30f2dc526601cd532b5bac0a3eb4383549983cd879533dc3bd8

SHA512
fdab937caa6ca01277d56775e14c80430c905b66fbecb0688a2ae956e641e711f5ab003ac483493b21ab17f4aee58c40f51fcda9bde398b5b97116b07c2a4e37

Download Submit
C:\Windows\SysWOW64\Fneggdhg.exe

Filesize
81KB

MD5
e79d86eb37432d8d08feee343d33dfd2

SHA1
c6643432de19236c9ccb2f34fc16e1b6d77fbc65

SHA256
c88c7524ecb4c8cd8b819f247e51eec9bada575c22193be717d6269d20d66f61

SHA512
fa95ddc26d79058535dc6d251d83d416195d60defdbb3acd934eea8d957d91e2fb878b8d565eaf0f9c2d010a766b4750dad59f980978aa2eda9631fed745a058

Download Submit
C:\Windows\SysWOW64\Fnnjmbpm.exe

Filesize
81KB

MD5
47dacc88df7a724528d94c2e8df9ccb3

SHA1
4eaff369365e9bc2bbce3c2f4e25e5d59c28c601

SHA256
5db6be6bb9ac825033d9e7d33d745d9e3fe0445533d19d662f890fa16f506a50

SHA512
21d3e1b1dc33fb7987654c578aab38c04c490e8f40323f7ea723dcc8e0469ffceb98be2f8cca0c52fbe904446eb606a1283ded9c85cdfea378e595a900835643

Download Submit
C:\Windows\SysWOW64\Gbeejp32.exe

Filesize
81KB

MD5
54d59061f4c16a382751b773f0fa193a

SHA1
90ae4e47aae01e4f86aff969d304a1f16b1568d0

SHA256
bd72cf58e8e2047ba9735a2eedcb83b7bb75f5c889041a77240b0d0ca7cc14d8

SHA512
8a74bf07b2e9bd1371d086a0879c2dd0f59f3352ff9650afdcd20cb01b3b5f2382ce4711e83c73c74f12c324e515852b313604760e2d45264925355c7d719e5c

Download Submit
C:\Windows\SysWOW64\Gehbjm32.exe

Filesize
81KB

MD5
0f5768365090236d03c02fd7a3fdb94e

SHA1
650ad909b8e1a6657ddcf6ee6b69dc89676aa601

SHA256
ab78dc524064980d9b9974aff3165c918bd5bf043e0d98c32681d36d9022f219

SHA512
daea4df5b7e5b15e74d63dc6d0a13b96303f1babd51382807727b072c1e933e2618c03d9f81d8e894f6b877a976ce19808e259179605c8b5411399b6d1c929d7

Download Submit
C:\Windows\SysWOW64\Gejopl32.exe

Filesize
81KB

MD5
00d7068e58344259d676b7473b67c5ff

SHA1
30cde5831769589d85dfc80d2eb3915f829b47d6

SHA256
a64f2842678582120d174e48a3fac02b319a248a5dcd61259a1726971c43edb4

SHA512
59c5baaae48a1a84b2424c9aa16d4df9a8fe8656a3cf636351689c76f5cc9e751a599d46a764b88b5b81107980bb61d7d122928bc7334197109fbf4616d7a2e8

Download Submit
C:\Windows\SysWOW64\Gfodeohd.exe

Filesize
81KB

MD5
a42199d31187c5443622df5bcb6b45e0

SHA1
e2079203dc6cb95d920b88c7f9bec7821ac36e45

SHA256
85a893a10124f3fbb9a796ae3717a396966173bf2ad16b121e88445f3d41611e

SHA512
3fb86ac0f656a10f8aad0ff2791cc431d55f4a6b1da3f9be1aaa92f35e24cca0e0942680613fbddd1ae6ac8fc47616d3a464d2cc72a94dd68ef21bf854ada92f

Download Submit
C:\Windows\SysWOW64\Gihgfk32.exe

Filesize
81KB

MD5
e450dcf74f2f06e7fe8533651fc6818d

SHA1
a65a87c907d9f7209a401d0b64f66e0e75218be8

SHA256
15d2e01c736708f9e487c8157087281c17b91d85269009a5891ecb0e3113a596

SHA512
8c5ceb0aa7c304784a71abe9a6cc53f4b5b53a65b82ca0da57f931554ae95b48100059025e29fab549548d464db45671f4c740c8643f37b988710dafe1025286

Download Submit
C:\Windows\SysWOW64\Gimqajgh.exe

Filesize
81KB

MD5
f29c9cb327f68183015f93b8095ee78b

SHA1
3e0bcf89a8f8b96b598edb3f953e4a17de7b87fd

SHA256
513059566575e0460e9f4e0b826f3cfd2dbc5badd7c98bd526e0b3675a3445bd

SHA512
b757bcd418414f0f53a3bad4da86d01031cad0d94f56fc1c000dd85d5685cf27e74fda80dd2baa48f36318d863558bb906bd02e3e1fef4bb4c6cb0137f3d62b3

Download Submit
C:\Windows\SysWOW64\Gmfplibd.exe

Filesize
81KB

MD5
0da9f80e1657046dc8e13faab282a72f

SHA1
f3a1a53f4e5f50d3403d626626a08c2fb8960fb7

SHA256
f22d891d6a54be849b62204a2f7b439a83c0418ce73f20dc99249f9016723d06

SHA512
f2844957616e9daf3dd467df348b9b2e5aff2fa2757293968c221ef77bfacccc437ca60b5cd2c8ed4a50f590598a7736e9b23b7653235516d2b328f39c98ff15

Download Submit
C:\Windows\SysWOW64\Gnqfcbnj.exe

Filesize
81KB

MD5
3613abcb785ab456bd080f50ce2e02c8

SHA1
b523d16f91f3a2b3e30e7c4cf26cbeb30fe222ee

SHA256
47ac6244a9b39677d878c91e061f07406807a2f3485194b195c0353205c2268e

SHA512
8959f9c201ccc1853a26813138f37f6ec017d787f7a9978b646d043e032626359984161d24db2450e5e4766b6779d7ff8023d86cf9f55d6e3869b5c8f62c7641

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
81KB

MD5
f0b32923276e03bb59a91947133ff7fb

SHA1
79ea957bd759675b89e7f8fb05ac381919ad6930

SHA256
c2692a92d4f33ed96a23f38aa301ec32f38e5e177bb600c673b84c900903eb69

SHA512
943686990a8ed9ffa4fabf082614928e94eef3c3f81123742aea7484556ce13e3008b3ae04aaeecd2c5afaf3db911b095a172a854df3478ad0b2d2822f31ac91

Download Submit
C:\Windows\SysWOW64\Gppcmeem.exe

Filesize
81KB

MD5
16f750280e116b7dab38560aed75048c

SHA1
77f2dc0628a6b939d33b54b544b99c38d0d3bd30

SHA256
d42a2e63d8816d9ee7e52e64636cdd03a7e6439f2803d242b1594f5679b1ffd6

SHA512
0a4a0fe97e1cdfdcdc8cfda8e55e55cc8b8f1795f0a7b387763dedd598bae8f7fccbc2b8ad6d84c071341ee101763b4548d3561a2b18efc012ac27394ce8fea9

Download Submit
C:\Windows\SysWOW64\Iggjga32.exe

Filesize
81KB

MD5
6746bdd5005aff32eb6fb463572ffe0e

SHA1
4401e10d8a2606d6fd870409450bb1d3d8e954d9

SHA256
3940078841b22a74972e03f76b8ba8cce848caab481268166b4c7c345029b517

SHA512
e29ab330198fccfe3e8a226823254a09f930b7ef909dc8738d07c7ad6ba991a02a79d9a77d2560921e7d154777481ec1ae70036bbcebe61867d50c41c5d2596b

Download Submit
C:\Windows\SysWOW64\Innfnl32.exe

Filesize
81KB

MD5
90a45a52179af0a5afab2d01db0c9bb4

SHA1
2a3cbfe5630db4dcca6cfac314e047af6d8abc5c

SHA256
9cb85313863cc64fd3929c62c3f6335676b6790d05067612b5805eb431e9523c

SHA512
392ec6e2314cfa045affedd91e295f7587df5de04312dd711678a9979b2b333b9de6fa5baea67b038ea5df0670c66481c6babcece562e6837403139e1446fe8d

Download Submit
C:\Windows\SysWOW64\Inqbclob.exe

Filesize
81KB

MD5
5fcfc416ea3356031ffd40cf33103c87

SHA1
383a30d54ce467dd2d57343a379aff7ccfe25053

SHA256
60f949ed63a52c509ec952056603d98bfae48c32f86e92e86067c336487d5d0b

SHA512
919c1aa6baa4ff7c3291f0bcd3ffc0aa19ea0f26ea285415c54d2316ca48503eb8203f7741b20771bb3b51e4c00d5b3145301ff4871eb3497c437647141dffcb

Download Submit
C:\Windows\SysWOW64\Ipoopgnf.exe

Filesize
81KB

MD5
730f02f23cac072c886643ddfe565c09

SHA1
62d254f9f9e65db522fb7baf29445229cb1e4042

SHA256
5301e2fa944af95ac6278366541a0dbfcc07ff2e8644916cbd0b81b4667073a2

SHA512
9199b2f775ca815bd2f0aee2fd88abd3e625f683a5142413fa2cbf7950aface6a6b1ce742099307ce7120093cc6a9747426642fb3d2c497c44e4279cfd6da401

Download Submit
C:\Windows\SysWOW64\Jmeede32.exe

Filesize
81KB

MD5
eeaafda73df4371689d6d7a6da94b592

SHA1
b6db585996402520c4f16fd63469d24427ec8d7c

SHA256
b65ff605bf859ac7291e6bd4371a48acadde94b8b0831cb3422b42a9a0ad4a63

SHA512
d59d587217196889e5e4c85132c07d089f43053f97296cd383818cc9f4d5ae7108663834fd551b75e49dbb014c73da96b8bbf2f05114a7597f6fd7111aae63da

Download Submit
C:\Windows\SysWOW64\Kgdpni32.exe

Filesize
81KB

MD5
d821b697a4d54bfe425dfa05ad55b2c8

SHA1
c849681616c79684b10249aac2f1141bb572b0f3

SHA256
14be00152108e2a53a1d1ecc6147884aaef28969232e3a12acb86e21d4d4c97c

SHA512
45c8504ac4efa260d98211ac397ce82e5dc76ec01a7c828ee74abc96c5fcdc8434a3b779df271a553de1b3cb420a6d802a98545d183a93c5f319f251c60a0cc1

Download Submit
C:\Windows\SysWOW64\Kiikpnmj.exe

Filesize
81KB

MD5
2581365056a4efbdce7c3ce7b96c3e0a

SHA1
f5db7216bfdece4099045f8ae6f8a57ec6b47f0c

SHA256
ec398b0519c98f800a578879148032122b9ee145ba9aa622ab7cec24a6d53f7b

SHA512
b9a2af9732cb554f115cb6d5f6bbb5d17870af62610872ed8bef61c5a5bdc4fa39f1216c00b7cbb7e22f18d247fd72b29d14b8607480c7fc427abc7a40d90034

Download Submit
C:\Windows\SysWOW64\Mmkdcm32.exe

Filesize
81KB

MD5
e4b71c374fac9ed3bf3192d51b53f8af

SHA1
b276ff99af0d1fa9700ad8a3868c5362936f9e36

SHA256
37a00bb511c2b09b7e7b8d54028e7ee717ad242c45460fe94a9bfe9ac337650f

SHA512
400e2f55edb8f134513a243336c5c3891bdcd51f41bfd4e941d4906d975c04ebd676099aad0a2f7f47a9039b438c453d4a9d8e49dc5b691f29d440a986dafd92

Download Submit
C:\Windows\SysWOW64\Mnpabe32.exe

Filesize
81KB

MD5
4af535bd0749823694185eb2fd782c10

SHA1
011c25fcb283311cf1cbabc388f3cd3b601738d1

SHA256
bd4f2c7189626eed45af0043ecad250fa816e789c4ad5cccf381bf3b229d6b76

SHA512
2e8d934b940333992ea95d27225430c82d8cd58e7b7e13ff84b42ab5179373d8100fbf3dfb3e082f70e743ca4292fbbeecd65fae6697e4fdf6f98817db39d664

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
81KB

MD5
ea6adb09cd93a228b09d89149d1625fc

SHA1
522466c4cc9d5dbcc9a717794b83a491b545601e

SHA256
dea5c2e80e711f160302681cd26d5607773e3f6462a9893c431334cc8da79954

SHA512
a3c13554757d4c9e3c4984d81166afd80eb2bc36a598969811761e757659cad7e6596bda1cf2c936b34f88edcc56185e2acc37627f4ddd5df8453750e54d2d58

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
81KB

MD5
cfaa733e675144a5d436a8c46bd6a135

SHA1
f4de7812309653448146d3aaebad449570bf1e29

SHA256
e14a37cf870ed43be976dd3e106f6e9aabd1ca63250589952180011ab4fa8471

SHA512
066bb2400877de67e0ced2dcb32639c595918d6677d6a332f9a400b82325b45b4e7ef1b531044986288e0974617501457a898677e465a2f8693a7c97d670ded9

Download Submit
memory/264-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/680-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/880-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/880-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3364-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3852-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4100-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4252-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5128-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5176-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5220-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5260-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5300-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5344-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5384-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5444-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5500-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5540-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5580-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5624-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5664-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/9572-2177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/9608-2157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/9620-2176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/9664-2175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/9876-2170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/9924-2169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/10124-2165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads