04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe
Size

52KB
MD5

e2e75c2bd5b0ba3973a49ab9ea6cb5e1
SHA1

64896db5b960a34761bc2a69107618e657668986
SHA256

04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138
SHA512

6669f5e2f90662267b5a5bfd96b01542f3d1fb4a0c24b3718d4954d97f9f48bbb2c32d864033197035e9b919bb014a23deff55c8bbe073125ab17aafd45933e7
SSDEEP

768:AsXjwf+s347rTN0+46/PWkQVYQxcMIYQRTInPP20FTd+/1H5F/sl6MABvKWe:TXjHsIXTH4WqqQxcMNcTIPew6MAdKZ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjjhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehnglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hopnqdan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhcpgmjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcbpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkalchij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkikkeeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hecmijim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipknlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Heocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiaephpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbeidl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iemppiab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjjhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jimekgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehnglm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Himldi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffddka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe

Executes dropped EXE 64 IoCs

pid	Process
1816	Eapedd32.exe
4784	Ednaqo32.exe
1560	Eleiam32.exe
2032	Eocenh32.exe
2688	Eemnjbaj.exe
1248	Eofbch32.exe
1848	Eadopc32.exe
5092	Ehnglm32.exe
3500	Fcckif32.exe
1344	Fdegandp.exe
3596	Fojlngce.exe
4568	Ffddka32.exe
4424	Fhcpgmjf.exe
2592	Fkalchij.exe
1680	Fhemmlhc.exe
736	Fbnafb32.exe
2084	Fdlnbm32.exe
1836	Fhgjblfq.exe
2100	Fcmnpe32.exe
1520	Fbpnkama.exe
5088	Glebhjlg.exe
3460	Ghlcnk32.exe
4976	Gkkojgao.exe
568	Gcagkdba.exe
4676	Ghopckpi.exe
4840	Gcddpdpo.exe
4684	Gfbploob.exe
2632	Ghaliknf.exe
4064	Gcfqfc32.exe
1000	Gfembo32.exe
2284	Gfgjgo32.exe
2888	Hmabdibj.exe
3996	Hopnqdan.exe
1932	Helfik32.exe
2132	Hkfoeega.exe
4368	Hbpgbo32.exe
1844	Heocnk32.exe
2420	Hkikkeeo.exe
5016	Hbbdholl.exe
2228	Himldi32.exe
2584	Hofdacke.exe
5020	Hcbpab32.exe
4848	Hecmijim.exe
4004	Hkmefd32.exe
2740	Hbgmcnhf.exe
1448	Hfcicmqp.exe
1584	Iiaephpc.exe
3940	Ipknlb32.exe
2108	Ibjjhn32.exe
2288	Iehfdi32.exe
4308	Iicbehnq.exe
5060	Ikbnacmd.exe
2824	Icifbang.exe
2912	Ifgbnlmj.exe
4324	Iejcji32.exe
2900	Ildkgc32.exe
3176	Ickchq32.exe
3980	Iemppiab.exe
1292	Ipbdmaah.exe
1880	Ibqpimpl.exe
4988	Ieolehop.exe
836	Imfdff32.exe
4328	Ipdqba32.exe
1192	Ibcmom32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fcckif32.exe	Ehnglm32.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Mpnaemnl.dll	Hkmefd32.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ehnglm32.exe	Eadopc32.exe
File created	C:\Windows\SysWOW64\Chdfonda.dll	Gfgjgo32.exe
File created	C:\Windows\SysWOW64\Ncnaabfm.dll	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Kikame32.exe	Kepelfam.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Ghaliknf.exe	Gfbploob.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Nhgaocmg.dll	Kfckahdj.exe
File opened for modification	C:\Windows\SysWOW64\Lepncd32.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Fcmnpe32.exe	Fhgjblfq.exe
File opened for modification	C:\Windows\SysWOW64\Jcllonma.exe	Jlednamo.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Lnhjmp32.dll	Jcllonma.exe
File created	C:\Windows\SysWOW64\Kpgfooop.exe	Klljnp32.exe
File opened for modification	C:\Windows\SysWOW64\Mpoefk32.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Cdbinofi.dll	Jmpgldhg.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Ildkgc32.exe	Iejcji32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhlejnh.exe	Jcioiood.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Jlednamo.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Qoecnk32.dll	Kmdqgd32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Fbnafb32.exe	Fhemmlhc.exe
File created	C:\Windows\SysWOW64\Fqplhmkl.dll	Jfcbjk32.exe
File opened for modification	C:\Windows\SysWOW64\Lmiciaaj.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Hkfoeega.exe	Helfik32.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Hbpgbo32.exe	Hkfoeega.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Chcddk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8660	8476	WerFault.exe	391

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnaabfm.dll"	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhgjblfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijloo32.dll"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohkbc32.dll"	Gfembo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkhie32.dll"	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcbifaej.dll"	Jimekgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eemnjbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiaephpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcdak32.dll"	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okokppbk.dll"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 1816	4528	04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe	89
PID 4528 wrote to memory of 1816	4528	04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe	89
PID 4528 wrote to memory of 1816	4528	04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe	89
PID 1816 wrote to memory of 4784	1816	Eapedd32.exe	90
PID 1816 wrote to memory of 4784	1816	Eapedd32.exe	90
PID 1816 wrote to memory of 4784	1816	Eapedd32.exe	90
PID 4784 wrote to memory of 1560	4784	Ednaqo32.exe	91
PID 4784 wrote to memory of 1560	4784	Ednaqo32.exe	91
PID 4784 wrote to memory of 1560	4784	Ednaqo32.exe	91
PID 1560 wrote to memory of 2032	1560	Eleiam32.exe	92
PID 1560 wrote to memory of 2032	1560	Eleiam32.exe	92
PID 1560 wrote to memory of 2032	1560	Eleiam32.exe	92
PID 2032 wrote to memory of 2688	2032	Eocenh32.exe	93
PID 2032 wrote to memory of 2688	2032	Eocenh32.exe	93
PID 2032 wrote to memory of 2688	2032	Eocenh32.exe	93
PID 2688 wrote to memory of 1248	2688	Eemnjbaj.exe	94
PID 2688 wrote to memory of 1248	2688	Eemnjbaj.exe	94
PID 2688 wrote to memory of 1248	2688	Eemnjbaj.exe	94
PID 1248 wrote to memory of 1848	1248	Eofbch32.exe	95
PID 1248 wrote to memory of 1848	1248	Eofbch32.exe	95
PID 1248 wrote to memory of 1848	1248	Eofbch32.exe	95
PID 1848 wrote to memory of 5092	1848	Eadopc32.exe	96
PID 1848 wrote to memory of 5092	1848	Eadopc32.exe	96
PID 1848 wrote to memory of 5092	1848	Eadopc32.exe	96
PID 5092 wrote to memory of 3500	5092	Ehnglm32.exe	97
PID 5092 wrote to memory of 3500	5092	Ehnglm32.exe	97
PID 5092 wrote to memory of 3500	5092	Ehnglm32.exe	97
PID 3500 wrote to memory of 1344	3500	Fcckif32.exe	98
PID 3500 wrote to memory of 1344	3500	Fcckif32.exe	98
PID 3500 wrote to memory of 1344	3500	Fcckif32.exe	98
PID 1344 wrote to memory of 3596	1344	Fdegandp.exe	99
PID 1344 wrote to memory of 3596	1344	Fdegandp.exe	99
PID 1344 wrote to memory of 3596	1344	Fdegandp.exe	99
PID 3596 wrote to memory of 4568	3596	Fojlngce.exe	100
PID 3596 wrote to memory of 4568	3596	Fojlngce.exe	100
PID 3596 wrote to memory of 4568	3596	Fojlngce.exe	100
PID 4568 wrote to memory of 4424	4568	Ffddka32.exe	101
PID 4568 wrote to memory of 4424	4568	Ffddka32.exe	101
PID 4568 wrote to memory of 4424	4568	Ffddka32.exe	101
PID 4424 wrote to memory of 2592	4424	Fhcpgmjf.exe	102
PID 4424 wrote to memory of 2592	4424	Fhcpgmjf.exe	102
PID 4424 wrote to memory of 2592	4424	Fhcpgmjf.exe	102
PID 2592 wrote to memory of 1680	2592	Fkalchij.exe	103
PID 2592 wrote to memory of 1680	2592	Fkalchij.exe	103
PID 2592 wrote to memory of 1680	2592	Fkalchij.exe	103
PID 1680 wrote to memory of 736	1680	Fhemmlhc.exe	104
PID 1680 wrote to memory of 736	1680	Fhemmlhc.exe	104
PID 1680 wrote to memory of 736	1680	Fhemmlhc.exe	104
PID 736 wrote to memory of 2084	736	Fbnafb32.exe	105
PID 736 wrote to memory of 2084	736	Fbnafb32.exe	105
PID 736 wrote to memory of 2084	736	Fbnafb32.exe	105
PID 2084 wrote to memory of 1836	2084	Fdlnbm32.exe	106
PID 2084 wrote to memory of 1836	2084	Fdlnbm32.exe	106
PID 2084 wrote to memory of 1836	2084	Fdlnbm32.exe	106
PID 1836 wrote to memory of 2100	1836	Fhgjblfq.exe	107
PID 1836 wrote to memory of 2100	1836	Fhgjblfq.exe	107
PID 1836 wrote to memory of 2100	1836	Fhgjblfq.exe	107
PID 2100 wrote to memory of 1520	2100	Fcmnpe32.exe	108
PID 2100 wrote to memory of 1520	2100	Fcmnpe32.exe	108
PID 2100 wrote to memory of 1520	2100	Fcmnpe32.exe	108
PID 1520 wrote to memory of 5088	1520	Fbpnkama.exe	109
PID 1520 wrote to memory of 5088	1520	Fbpnkama.exe	109
PID 1520 wrote to memory of 5088	1520	Fbpnkama.exe	109
PID 5088 wrote to memory of 3460	5088	Glebhjlg.exe	110

C:\Users\Admin\AppData\Local\Temp\04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe
"C:\Users\Admin\AppData\Local\Temp\04a8b06d6356fb40209f64cde9285d64677adfe97b15e6aa442bcb28e68ac138.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\SysWOW64\Eapedd32.exe
  C:\Windows\system32\Eapedd32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\Ednaqo32.exe
    C:\Windows\system32\Ednaqo32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\SysWOW64\Eleiam32.exe
      C:\Windows\system32\Eleiam32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
      - C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        23⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        24⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        25⤵
        Executes dropped EXE
        
        PID:568
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        26⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        27⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        29⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        30⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        37⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        40⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        42⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        51⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        52⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        53⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        54⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        55⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        58⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        60⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        61⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        62⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        63⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:948
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        68⤵
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4548
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4924
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1684
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        72⤵
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        73⤵
        
        PID:732
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        75⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        76⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        78⤵
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        79⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        80⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        81⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        82⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        85⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        86⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        87⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        88⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        90⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        92⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        93⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        94⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        95⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        96⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        97⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        99⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        100⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        101⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        102⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        103⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        104⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        106⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        107⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        109⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        110⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        112⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        113⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        114⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        115⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        116⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        117⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        120⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        121⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        122⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        123⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        124⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        126⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        128⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        130⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        132⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        133⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        134⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        136⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        137⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        139⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        140⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        141⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6180
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6220
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6264
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        145⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        147⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        148⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        149⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        150⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        151⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        152⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        153⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        154⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6768
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6820
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        158⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        159⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        161⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        162⤵
        Drops file in System32 directory
        
        PID:7036
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7128
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        165⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        166⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        167⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6292
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        169⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        170⤵
        Drops file in System32 directory
        
        PID:6448
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        172⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6668
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        174⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        175⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        176⤵
        Modifies registry class
        
        PID:6856
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7020
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        179⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        180⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6212
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        182⤵
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        183⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        184⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        185⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6844
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        187⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        188⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        189⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        190⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        192⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        193⤵
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        194⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        195⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6828
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        197⤵
        Modifies registry class
        
        PID:7096
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        198⤵
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        199⤵
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        200⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        201⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7192
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        203⤵
        Drops file in System32 directory
        
        PID:7256
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        204⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7332
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        206⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        207⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        208⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        209⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        210⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        211⤵
        Drops file in System32 directory
        
        PID:7604
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        212⤵
        Modifies registry class
        
        PID:7648
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        213⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        214⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        215⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        216⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        217⤵
        Drops file in System32 directory
        
        PID:7848
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        218⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7892
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        219⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        220⤵
        Drops file in System32 directory
        
        PID:7980
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        221⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        222⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        223⤵
        Modifies registry class
        
        PID:8108
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8156
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        225⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        226⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7328
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        228⤵
        Drops file in System32 directory
        
        PID:7420
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        229⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        230⤵
        Modifies registry class
        
        PID:7588
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        231⤵
        Modifies registry class
        
        PID:7660
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        232⤵
        Drops file in System32 directory
        
        PID:7752
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        233⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        234⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        235⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        236⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        237⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        238⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        239⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        240⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        241⤵
        Modifies registry class
        
        PID:7504
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6416
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        243⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        244⤵
        Modifies registry class
        
        PID:7876
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        245⤵
        Drops file in System32 directory
        
        PID:7992
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        246⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        247⤵
        Modifies registry class
        
        PID:7172
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        248⤵
        Drops file in System32 directory
        
        PID:7384
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        249⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        250⤵
        Modifies registry class
        
        PID:7860
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        251⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        252⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        253⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7800
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        255⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8148
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        256⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7840
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        257⤵
        Drops file in System32 directory
        
        PID:7388
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        258⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8128
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8208
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        261⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        262⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8288
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        263⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        264⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        265⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        266⤵
        Modifies registry class
        
        PID:8480
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8532
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        268⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        269⤵
        Modifies registry class
        
        PID:8636
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        270⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8708
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        271⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        272⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        273⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        274⤵
        Drops file in System32 directory
        
        PID:8912
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        275⤵
        Modifies registry class
        
        PID:8976
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        276⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        277⤵
        Modifies registry class
        
        PID:9072
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        278⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        279⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9160
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9200
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        281⤵
        Drops file in System32 directory
        
        PID:8240
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        282⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        283⤵
        Drops file in System32 directory
        
        PID:8368
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8468
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        285⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8616
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        287⤵
        Modifies registry class
        
        PID:8744
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8860
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        289⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8952
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        290⤵
        Modifies registry class
        
        PID:9060
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        291⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        292⤵
        Drops file in System32 directory
        
        PID:9172
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        293⤵
        Modifies registry class
        
        PID:8236
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        294⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        295⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8476 -s 404
        296⤵
        Program crash
        
        PID:8660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 8476 -ip 8476
1⤵
PID:8512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
52KB

MD5
574f56b9735db853a8beffb611b29e88

SHA1
ac17e499e8b6b12a8f0181dd492af60e64f66d41

SHA256
af943d616e0ab34288d864bd4fca6c2731334e3138701f3bfed59e3e075d3f8b

SHA512
6a8220c702ad9abc91d6616e3b56fcbdb7d067b89ea071c8d0d1b74b4b00955aec9e439b193db89cf62be299093786dca2c9e92e2b2d564e71dd81c7b71539f0

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
52KB

MD5
ab0db8ec8507db0a29d7d85f2489a623

SHA1
3577586200b7bfe137c2317df097f5055584136c

SHA256
60984f36209118f36ed74593e2118b60331fd06de7ae66c11284e3cb9c9659b2

SHA512
d330d395fd08510cae0af88963b8f6c34ff0ccfd7f8f388f2840d387587e653e3934aa9cacbea073dbee09e441768e53feee9c6213a2d67bf7d5cd2e62eeb5a2

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
52KB

MD5
c558643a0fa9a211efb36b54134ea992

SHA1
a4f1a63c88b4945518e21cad4b315751885c4279

SHA256
9457a0e6dc849a6b155350eb71a85c253e07e213fb0621d83f18fdd28b979514

SHA512
d6dd74217840736d928910f6a6bd8e8cbe6f2b87f3068d033042179c12e9473414da0da7d5325357f81380a7f2a995f41eed3d96015032424205557638f895d9

Download Submit
C:\Windows\SysWOW64\Eadopc32.exe

Filesize
52KB

MD5
5778043ca63763f2b9752f25a0232ea6

SHA1
6c58a1d585f85779f469e79b7ea714946eb6b771

SHA256
15112ba501645b5246b9ff9a391bfcdb456a0f89d24c9b30a44d15687fe593b7

SHA512
77b0cd0e706d86e1a61e9a6fc1a7ab34c015a5f6d0c8979a3acb51c9c008f90cf8fb62b6c01e05db4cb6e1fbe473f7a4f570ce632a129111fc316cb67bf5552e

Download Submit
C:\Windows\SysWOW64\Eapedd32.exe

Filesize
52KB

MD5
d1bc90828a1739fd821365055c4eb23f

SHA1
d5f968aab6bdac6d77a3581e2975df0ec72bcb13

SHA256
7f640d60cc4670e691e012198957d0151dc6203329e46acb677a04c1fab41532

SHA512
1b0cb7d87da56bb3ce4ab529bbf23a391bbaf4730ff342ce201d8bcc4ca2a235e94c8bb9dff63b27b3e027e428a9bfb864754fbad5c9351cb45a5ba0916783ed

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
52KB

MD5
79ecb9ef5cd924580c222d8a060c0cb5

SHA1
da3d914fbb5d58a2527ff9b7dd1696f6e8abb456

SHA256
84d3ce3dcec6d249eb4dd18820f6c2cd1c01c5150db170507df08fdf6cee525f

SHA512
1e52fe09f468f6227e25e10d52949b5140140d4ff1a2842b14555f716bb279d70b7ee00fdf50bfa8065947d9f0aa188120282e0ee266effef156ca91a6c08f23

Download Submit
C:\Windows\SysWOW64\Eemnjbaj.exe

Filesize
52KB

MD5
bbc124b41c9b7dce902fa1e9386f4672

SHA1
9d4b078d70cfa15f42c80bdba5ad122d2df5b22c

SHA256
e4fef34024b615d7b5bb1ca861e38bd623ad239b6b916e9f176c744f835eed3b

SHA512
2abea767cfedecd7c2327e0ec2c1651827739efe410e85804ad6843a4e0e6c099ff9077e36a35d1d1063a55d690adcbe686df15b3ed036a491af24e996afff9a

Download Submit
C:\Windows\SysWOW64\Ehnglm32.exe

Filesize
52KB

MD5
96611873a7560805b21de217a4ff6789

SHA1
8bd98cf4a022d6dadcdbbb024b309abaeb14ccf2

SHA256
f990cca9f41813d8e579de669371b3c9ea0c9dab2629f52079fab269b99b83b7

SHA512
0d76dc84302bed3395fb38c4e5361de59be0ec6c78cedcb9780ec827c1cceebac0fbb2609b97115c184bdace519fb84f2a17da40389c971406effc6897829d8a

Download Submit
C:\Windows\SysWOW64\Eleiam32.exe

Filesize
52KB

MD5
7dfaa81845646d0f30c4f33fec6f6d85

SHA1
e8241c3f9513a9c676a158c7a989eb3dc42f8599

SHA256
e2369e12a369f8816a1a45bf4e6c3aa5917fb0e524af9d1b560c8295041c1c8a

SHA512
36671a515233051a8783311c6498718a3848a1c86d5feb9c93dfdd8dc80de3237a522f325ab67d773fccb3ed1ecb35367e6149cbfaf232de4da9f7722d0af4cd

Download Submit
C:\Windows\SysWOW64\Eocenh32.exe

Filesize
52KB

MD5
251bcd22808fe43f66768a375e6f39e7

SHA1
187651f9918c16624ce9c2a093094242146de945

SHA256
33bf46d7b9e20f36a091b6ff67ea5597fbf16aa56deaa51704613579bc5d249e

SHA512
d8ba02a90a11de930796f0e6e836fe47913245f06addec223aca9190dd16c2355cf3eccee3252b71ab732f21ce09d0861e2f04f450ca54158a7af8ff42fc61bc

Download Submit
C:\Windows\SysWOW64\Eofbch32.exe

Filesize
52KB

MD5
67123afac7c3c70a7f4ad7d73dd64495

SHA1
2e0475dbdab80160b103dd68f3fa1cccc4bad0c9

SHA256
5c12cc1a00a7284bede45276370b6ad2197cf7d1f828c74ac1827751bf684dfa

SHA512
62335fadca0732ec3822c672c4ecc250d8d1299bc5155fc87d71b7918568f2503ecac60a9097c1e527c28d4cd1ad0133c2d9c62f78e2d0f12c95719a6dcd55ed

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
52KB

MD5
b5a855aaacf0b0dd30bc47d7fd3566e6

SHA1
74c2f8980dcb26160cd205e72329d33d7cbb4218

SHA256
4d0c78b8a68052ef96a251cee83d66a27589d236fa66b2410349261387f44eae

SHA512
4797899b1f9a6ef083963265089304325daea0411e4f36154f394bc9dfa98118794f24ddcfc99db79827df061709893a6ced1d6536488cbc6a617836c963d86c

Download Submit
C:\Windows\SysWOW64\Fbpnkama.exe

Filesize
52KB

MD5
9cce91628581f297c5a74a50e82b1d0d

SHA1
55285584f14327fa46072fcd8c0225747f9b46c5

SHA256
f5df094852e868f9143f64ed6882031575cba1d90b5a28f454e7c1321d79f89d

SHA512
c5a8bccd3fd57467ef81352caa486d949d1bb362ee2eeca9192a498faec137f94bf7b600058e764ab6b968fcf45fe959107b661685cfb7c0a4c036269bc1d8fb

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
52KB

MD5
d0b40a8049a1954625deaa8e609b0e54

SHA1
1da5fcce879a66c7e92498c09df51dcaec4db3b2

SHA256
b62dad6bd85d79e41afe354323504949f8139624b20cb56d9edb79d6444ea601

SHA512
deca0b3414bf09d989446cdeaef40efd254b8997f02f36e5e8ce5be044233d4d78633eced1232e9b0bc486f4a98a67ee82a23765b60db1ee037e7f913fc37482

Download Submit
C:\Windows\SysWOW64\Fcmnpe32.exe

Filesize
52KB

MD5
39159e6e9097358290e27118f23e165c

SHA1
0867732cd9801bbf93bf648f3ae544db85d9ec7d

SHA256
9c6fdb988ca7a5e1f1fd3dfd405cb44dbb98c23e2488eb9e01f407a69e98afd1

SHA512
e1a42ebc7364f859479c67563c795ee55e2c614b045b3358d710b69ece5ca472874527627f2a3ceef0ead5cdda32c5405b716f7d68618ae59201d229c3abe459

Download Submit
C:\Windows\SysWOW64\Fdegandp.exe

Filesize
52KB

MD5
cda8f23c16b8e01bb08e11dbd3f8450c

SHA1
ee447ab7ee76cef60111e75091e8600fa1540d35

SHA256
2949c9cd9e5d4408f59772c364a94bc65b1d600ec0bf76f6cb4200b39fc187f1

SHA512
78749fc04fc12385979606be1262c5502a724aac210da5af2303cbd1a618aefeae6a64254daf2827ce98d20394ce7ab93c9cf467eab357edb5588b9045d3ed8b

Download Submit
C:\Windows\SysWOW64\Fdlnbm32.exe

Filesize
52KB

MD5
25f5d3cced2402a6f3dc3ee9337ea391

SHA1
f54f8140f6db9a626212e633eeef24d94ce7def5

SHA256
05042f9820a0e4ec31ee57eafca278e1ed932653e4bbfb4537279ccff95568eb

SHA512
3884489191a43dee17b24f19728b606c61ebc02bbb3f4b0443c2ea9339a0b6f56e8cf3f7ea394ebaea9f643bc3df99087ec1fe209c4f0e9bfffe2aa939771283

Download Submit
C:\Windows\SysWOW64\Ffddka32.exe

Filesize
52KB

MD5
da74ce84d633199340e2687aec12215d

SHA1
93201b264f78b9e9c35e0e881efd3456d6f2fe1d

SHA256
d7fc5881a799670cbb8c6eb1b39b6f7cc4509581adde597aba1fc08b3dcba043

SHA512
7d35620ec62b96d3f3a08e6782761c7d9160663e230c13f1c76826eccda7d47587984ec16635c3661aadd831192ba6bb720d63fb970de74084975ed25e2f052f

Download Submit
C:\Windows\SysWOW64\Fhcpgmjf.exe

Filesize
52KB

MD5
b910c8d12268962be10961ca46a8598e

SHA1
39c38b3ecbe2971eba6d30391686d251e48b6971

SHA256
24e06078f32db9c012ea696542d4f2f3d163f3296cfadc746c9f3359f4d386b3

SHA512
546b28966a095956eff220771e10c12ab268aca82a52b7d6fe1f9bc663d9fd91cfbd387ec85c2a7db684d0665296893d447375307a5e27ed110baa4ed7691923

Download Submit
C:\Windows\SysWOW64\Fhemmlhc.exe

Filesize
52KB

MD5
7c600158d0d670e295c7d9b5e8168b66

SHA1
e7da6868d760ef12c0ace4711217c8e6f72f73ad

SHA256
a23286029f2655e847310e0ff7c1033e812dc26c59d105132df211b75d202ce6

SHA512
edef19cdd241bb289833e2e3662c508e570eed470ec1a9a3ca91fec33479d12527cf1b8e2d7cdf91509aecd2fef32b2e844980066c6edf61ddb8a54fe8f018d6

Download Submit
C:\Windows\SysWOW64\Fhgjblfq.exe

Filesize
52KB

MD5
d90795822e9420d4e4e882a0e039e144

SHA1
3395468be244dbe7aeda7c8aa945c4b781cc8557

SHA256
f618175a4a5f60250a10ba54f217085219b9532956f595dcb892669913cafb57

SHA512
6f52522a2d2df80f93cf5853caad760c851c6bfe639d53b37465f96ab5b8bb3fb1f828de87af57a2342f90b929a3baffd51fd4894bb93097b8e02b710e8559df

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
52KB

MD5
463403355ffa04cace1f48658c0e5dc8

SHA1
cc5a423b9c1364f1d1fe0bd3853a183c5c166811

SHA256
2224cc25526f8e18b39ba82b54668479b3558f39f29467d61e4d306c472e73e2

SHA512
3bc9e03d33329bfa7056415fca2c9c957e5ac3ddf826d0461fbdca0dd6a46293e0f3887202b6359080fe5bc5ccc5468e806de1c069cf6206ee791634d58c7367

Download Submit
C:\Windows\SysWOW64\Fojlngce.exe

Filesize
52KB

MD5
79dec3d4663a5024a7871a9291e80bc9

SHA1
2c7aaee91e7df1a5e14aee8ab77aa0bbe00b2745

SHA256
55b048d4921b3c836e7151d4d43df21b2ca9054f9ac14ae3984ac87997767724

SHA512
8b3963254c5c554c318d0f7ee53e17946c2ae004719900ae91cf11367a1d11ceb1a7d004a7e06501f785d95233fe6b4beeeafc19308faf354155a9ed8afb8012

Download Submit
C:\Windows\SysWOW64\Gcagkdba.exe

Filesize
52KB

MD5
e844e498b64c0f45eaab831b01255676

SHA1
c6a29b63d1aee349a56d39085dbd97549e6d76e0

SHA256
d35525a80c8353e793418e409f1e01ac87fd30992ca95a0b8ee963e820458fc2

SHA512
ed4f18ca98f7062f79fcd34fb0dcd72d0c5af9b3cc04f18311c649346ba0d2affddba277089b8f15ea2727149e1618935390e4576547d453bb7225edd07642f2

Download Submit
C:\Windows\SysWOW64\Gcddpdpo.exe

Filesize
52KB

MD5
e00f1e97759e97ffadd4e61b1fc19c3f

SHA1
f267a0501e8bbc9f40eefff4ff57f19da4e8959b

SHA256
cd33666f20107acf5ee57f1d0a7c8293435ac7c72b1cf0e7124509d1a2cc717c

SHA512
5e9a5e273236f35af582efe23c9b8dc45118f219b224b137c46faf5729ebe00c50c046ab0f358612d565816abcd4a985e10fa085040031a3aafb65530c188d02

Download Submit
C:\Windows\SysWOW64\Gcfqfc32.exe

Filesize
52KB

MD5
a6c27499f912af2a1131b95eda2a9528

SHA1
1f3b15e8667db21c8f8bbafff1ef562add1f5484

SHA256
3469e5d10dc79aeb50089734eea5d3a453612f86f79802af74d3b0a0ff3cb32e

SHA512
7fae575be20bd7bb730dc40753425168e21131e1740221a0c9ad8729cf7f277d491f1101244621651298c407650e35fe726e3df89681751ef3dd396fcd8dfbe4

Download Submit
C:\Windows\SysWOW64\Gfbploob.exe

Filesize
52KB

MD5
ce05c46476ec2481bfd017f10844825f

SHA1
541f6f49aac6aaaaa30a5dc77cc1d591da1ca589

SHA256
795ffe534da57b556296e334981311a7764671a9998ea8a45b8fdd3b13db4a24

SHA512
e89746900e0441186d2ee360fa688a6cc5630ef127760cb00af094cf7276859d8397897670067026cc4db6c4c88bae15aa9b6efba3258412a97a59a210e413ff

Download Submit
C:\Windows\SysWOW64\Gfembo32.exe

Filesize
52KB

MD5
8eee30f2ece0ce827a65ac3b34c2db1e

SHA1
5fe37189cc859f423d2c9e125c69265bbfe266bf

SHA256
53a0ec3b287a6cae32883c3e11a26d454002e30c7e6ed343569afc8d6998b4fa

SHA512
43ff2d711bf114a91682b1dc6eae9f40e28dd68e7899db5e6b0709042bbf4c750009d13af810c92c459048d5a682974e8b11965ff817ee7423c06b6f6c74be66

Download Submit
C:\Windows\SysWOW64\Gfgjgo32.exe

Filesize
52KB

MD5
2a78e0912d70527c862ef1cf76ab706d

SHA1
6607273349333c401e15b49c21a6d4915c1b16d6

SHA256
e4ac3d8215b83d016f709a2ab8cebdf8c8f110bfd5718015fe05ed8d342486c0

SHA512
fa5b1eb900c3a1acf893a20284d87a9769291ed9e1c30c80e4a110e5836f07bbafb8ecb14e549cdd3e8c9fe97f3313f11827118f394a113bb6c70def30606481

Download Submit
C:\Windows\SysWOW64\Ghaliknf.exe

Filesize
52KB

MD5
3266be980eb8e279e4da25823ac0761f

SHA1
8c8d0630d547900994e804d0827e694d4e780d89

SHA256
f35b4c61e3a85a60987d502ba7c6d2386e875a21826bb0a4176143848a0ef122

SHA512
23644343b55c2b7ad8071586b793f4b8aafa666e6667026dae888e165051685e1ce74133d0fee33392914aad9880df66d52579699d5ec1965555635e4781e05a

Download Submit
C:\Windows\SysWOW64\Ghlcnk32.exe

Filesize
52KB

MD5
59ee1c502c19b9a640a03060346b3e38

SHA1
8b60e10cc4120eecd1585fb6ee8fc3de0cd8dc24

SHA256
1c1243e29a76edcd7236914cf87eb57a42976628be445f6bf0860350fedcae5d

SHA512
50c28056e870dbce3cf2a5424ed4b6fe02854facd6a1cde8d8cfdaaa1055df42bcf5e64455051357a90b681471cb4e84c511dd6134a657dbf8d7b0f4ba4e8927

Download Submit
C:\Windows\SysWOW64\Ghopckpi.exe

Filesize
52KB

MD5
3b3e37a04bb1ab6d8fe3831860062a7d

SHA1
dca29c9aa06f4062ee79db99b35ed9bd055d39d9

SHA256
c1b6cd3fd58e6479345e8cd4a51a4061d578fe423491ad0bf279ad95e78dcd79

SHA512
add998b0d974020fcf3ced3193efd5a2354956f53474d3519a94a0bf557f1736d0f791322ebbbbbd871ed21c743cbdf66299e575fb0a187d000305c0609aa008

Download Submit
C:\Windows\SysWOW64\Gkkojgao.exe

Filesize
52KB

MD5
5c1a4bf55d5d27c36c8bf23952c39f41

SHA1
570ea45f009b045860b5fa33391e63240b944573

SHA256
160cdc23b3e6d29661842d2b3e59ed63047cf787be4fe9f2481fe70f39c62498

SHA512
e7eee718f7514b4b73da5c62b27d0443c8c6f0d13f90b92ce19df005483021cdda6882f2acbde2409b7cdff0cb08164108e9ef85620025f642a4a2486d5e669b

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
52KB

MD5
6e2ece5b7074759b627583f37b891209

SHA1
9b289801f204f8542f4d99eebf7b087555e137c5

SHA256
233fbf50bfcf3ed36beccbb0b2b13e72d8423b6f9e0ecd0e6054439477575528

SHA512
18c72100988ac3d56174f69b70fd0b85efcd509c923d614c09d8dcafb463050b5a7210e79a0afc6eb59b52524603da7b090f85071b51b82de21d22219c245cc8

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
52KB

MD5
5ea9088819616fcca485db8e0287b8af

SHA1
740c8b258fc7a45d3ad0282d99187eb01c079de7

SHA256
42a3dd6fbc06713b6eb574539a80ba0ab19b4126c4cdbbd6be5ecb07e32c60b2

SHA512
64fde8c01cbe1c3146dc36deaa0030f176a2e926b982688bbfc46c61f6e93923098b3e442697ba47f5c5cb4c708faf1ffec24567ca4f787961c5710bb0f3fd01

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
52KB

MD5
21c0cf9b85f0e26b2dd1c231fc836f60

SHA1
6436446baaa65a864d1fb3ed89e75616724fde64

SHA256
c51d59bf8c7dacdc4a123b8fb3f1eddcba5b5cc0a5e42285e17d4342d5aea66f

SHA512
ae0737241fcd7e1e1ab3f3b21c6eac8d783401d92b68dd84541586de30b0350056240bb08faf58da8f1cf6906732060600484ae225020bb44726234d9c20d4ba

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
52KB

MD5
8bcc3686085e302450de3d5f8a1b28c8

SHA1
dc19ce5194ce7a7c520708cc727c67a2b8ba666d

SHA256
689c7d42f4dfa59851b81dbf5de794ed13fa2ee3625b4e5b8fe71ff4b8b96c1d

SHA512
74fb45090c0636d0f9f783c9d7b662b86d01c2c71ec781495dc81882c6c77ad2b32b878775f22dd775774473130f7768bbc561c42e4b2eafa9b638fd3a3e26d0

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
52KB

MD5
6f5dc9c3a0db5c1804fed7fc06fa29ea

SHA1
6e24242208c70f5288574459f39f77ffc91bb0c6

SHA256
3fbc5e17e906340ac82eff1ab9f777f0dc870755aabaa367c0a168f8800314e8

SHA512
4c79a3552ae4bd232cea217239d899f9270633c2332146e69635f6d71c90cb64840b9a8845b013472d27cdd31ea11380ee2478de73f4f8d6417730d477d864cd

Download Submit
memory/568-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/568-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1000-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1000-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-142-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1520-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-211-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1816-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1816-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1844-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1848-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1848-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1932-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-123-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2100-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2228-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2284-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-313-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2592-116-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2592-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2632-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2632-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2888-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3460-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3500-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3500-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3596-102-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3996-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4064-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4064-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4684-234-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4784-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4784-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-221-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4976-195-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4976-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5016-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5088-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5088-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads