9490ddf2cb2a0dda46b5178a81045f261339386769b8f5f1097a07325e8e718a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9490ddf2cb2a0dda46b5178a81045f261339386769b8f5f1097a07325e8e718a.exe
Size

107KB
MD5

143aedceab41cfae3a3b830a4ad3af04
SHA1

292347612ef7e21d950db76cc6bcbc13fcd8a6e8
SHA256

9490ddf2cb2a0dda46b5178a81045f261339386769b8f5f1097a07325e8e718a
SHA512

8bd08cc8cbf7bef900d7da1ca242330fc91286c2d59133d2553a1c43d6d1cedcac3cdc8354cf04480ffb884abeb3c5cfe4bccb485724464cc4204f0cd9c12da8
SSDEEP

1536:M/PLkozVjX/1nRGQ+JcOoDiC+2LvaIZTJ+7LhkiB0MPiKeEAgHD/Chx3y:MXLkKVTNaoDiEvaMU7uihJ5233y

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe

Executes dropped EXE 64 IoCs

pid	Process
436	Efpajh32.exe
3236	Ehonfc32.exe
4756	Emjjgbjp.exe
3880	Eqfeha32.exe
1352	Ecdbdl32.exe
5004	Fjnjqfij.exe
780	Fqhbmqqg.exe
3688	Fcgoilpj.exe
3456	Fjqgff32.exe
4128	Fmocba32.exe
4672	Fomonm32.exe
5084	Fbllkh32.exe
2764	Fjcclf32.exe
3512	Fmapha32.exe
3976	Fopldmcl.exe
1696	Fbnhphbp.exe
1692	Fjepaecb.exe
900	Fqohnp32.exe
1996	Fcnejk32.exe
948	Fjhmgeao.exe
3764	Fmficqpc.exe
2096	Gcpapkgp.exe
984	Gfnnlffc.exe
1500	Gimjhafg.exe
3752	Gcbnejem.exe
404	Gfqjafdq.exe
4164	Giofnacd.exe
320	Gqfooodg.exe
4740	Gcekkjcj.exe
2608	Gbgkfg32.exe
2364	Giacca32.exe
4320	Gmmocpjk.exe
4624	Gcggpj32.exe
1928	Gjapmdid.exe
368	Gmoliohh.exe
2924	Gpnhekgl.exe
1172	Gfhqbe32.exe
4184	Gmaioo32.exe
3772	Gameonno.exe
4568	Hclakimb.exe
5072	Hfjmgdlf.exe
4028	Hmdedo32.exe
4464	Hapaemll.exe
4892	Hcnnaikp.exe
4420	Hbanme32.exe
2356	Hfljmdjc.exe
3428	Hjhfnccl.exe
5076	Hmfbjnbp.exe
4924	Habnjm32.exe
2896	Hcqjfh32.exe
704	Hfofbd32.exe
3480	Hpgkkioa.exe
1192	Hccglh32.exe
3016	Hfachc32.exe
2728	Hjmoibog.exe
1764	Hmklen32.exe
4992	Haggelfd.exe
4356	Hcedaheh.exe
3172	Hfcpncdk.exe
4456	Hjolnb32.exe
3404	Hibljoco.exe
2832	Haidklda.exe
1844	Ipldfi32.exe
4288	Ibjqcd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Fbllkh32.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gfnnlffc.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Fmficqpc.exe	Fjhmgeao.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Fcgoilpj.exe	Fqhbmqqg.exe
File opened for modification	C:\Windows\SysWOW64\Gbgkfg32.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ehonfc32.exe	Efpajh32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Fmficqpc.exe	Fjhmgeao.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7992	7472	WerFault.exe	353

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgaen32.dll"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofqcl32.dll"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 436	4980	9490ddf2cb2a0dda46b5178a81045f261339386769b8f5f1097a07325e8e718a.exe	88
PID 4980 wrote to memory of 436	4980	9490ddf2cb2a0dda46b5178a81045f261339386769b8f5f1097a07325e8e718a.exe	88
PID 4980 wrote to memory of 436	4980	9490ddf2cb2a0dda46b5178a81045f261339386769b8f5f1097a07325e8e718a.exe	88
PID 436 wrote to memory of 3236	436	Efpajh32.exe	89
PID 436 wrote to memory of 3236	436	Efpajh32.exe	89
PID 436 wrote to memory of 3236	436	Efpajh32.exe	89
PID 3236 wrote to memory of 4756	3236	Ehonfc32.exe	90
PID 3236 wrote to memory of 4756	3236	Ehonfc32.exe	90
PID 3236 wrote to memory of 4756	3236	Ehonfc32.exe	90
PID 4756 wrote to memory of 3880	4756	Emjjgbjp.exe	91
PID 4756 wrote to memory of 3880	4756	Emjjgbjp.exe	91
PID 4756 wrote to memory of 3880	4756	Emjjgbjp.exe	91
PID 3880 wrote to memory of 1352	3880	Eqfeha32.exe	92
PID 3880 wrote to memory of 1352	3880	Eqfeha32.exe	92
PID 3880 wrote to memory of 1352	3880	Eqfeha32.exe	92
PID 1352 wrote to memory of 5004	1352	Ecdbdl32.exe	93
PID 1352 wrote to memory of 5004	1352	Ecdbdl32.exe	93
PID 1352 wrote to memory of 5004	1352	Ecdbdl32.exe	93
PID 5004 wrote to memory of 780	5004	Fjnjqfij.exe	94
PID 5004 wrote to memory of 780	5004	Fjnjqfij.exe	94
PID 5004 wrote to memory of 780	5004	Fjnjqfij.exe	94
PID 780 wrote to memory of 3688	780	Fqhbmqqg.exe	95
PID 780 wrote to memory of 3688	780	Fqhbmqqg.exe	95
PID 780 wrote to memory of 3688	780	Fqhbmqqg.exe	95
PID 3688 wrote to memory of 3456	3688	Fcgoilpj.exe	96
PID 3688 wrote to memory of 3456	3688	Fcgoilpj.exe	96
PID 3688 wrote to memory of 3456	3688	Fcgoilpj.exe	96
PID 3456 wrote to memory of 4128	3456	Fjqgff32.exe	97
PID 3456 wrote to memory of 4128	3456	Fjqgff32.exe	97
PID 3456 wrote to memory of 4128	3456	Fjqgff32.exe	97
PID 4128 wrote to memory of 4672	4128	Fmocba32.exe	98
PID 4128 wrote to memory of 4672	4128	Fmocba32.exe	98
PID 4128 wrote to memory of 4672	4128	Fmocba32.exe	98
PID 4672 wrote to memory of 5084	4672	Fomonm32.exe	99
PID 4672 wrote to memory of 5084	4672	Fomonm32.exe	99
PID 4672 wrote to memory of 5084	4672	Fomonm32.exe	99
PID 5084 wrote to memory of 2764	5084	Fbllkh32.exe	100
PID 5084 wrote to memory of 2764	5084	Fbllkh32.exe	100
PID 5084 wrote to memory of 2764	5084	Fbllkh32.exe	100
PID 2764 wrote to memory of 3512	2764	Fjcclf32.exe	101
PID 2764 wrote to memory of 3512	2764	Fjcclf32.exe	101
PID 2764 wrote to memory of 3512	2764	Fjcclf32.exe	101
PID 3512 wrote to memory of 3976	3512	Fmapha32.exe	102
PID 3512 wrote to memory of 3976	3512	Fmapha32.exe	102
PID 3512 wrote to memory of 3976	3512	Fmapha32.exe	102
PID 3976 wrote to memory of 1696	3976	Fopldmcl.exe	104
PID 3976 wrote to memory of 1696	3976	Fopldmcl.exe	104
PID 3976 wrote to memory of 1696	3976	Fopldmcl.exe	104
PID 1696 wrote to memory of 1692	1696	Fbnhphbp.exe	105
PID 1696 wrote to memory of 1692	1696	Fbnhphbp.exe	105
PID 1696 wrote to memory of 1692	1696	Fbnhphbp.exe	105
PID 1692 wrote to memory of 900	1692	Fjepaecb.exe	106
PID 1692 wrote to memory of 900	1692	Fjepaecb.exe	106
PID 1692 wrote to memory of 900	1692	Fjepaecb.exe	106
PID 900 wrote to memory of 1996	900	Fqohnp32.exe	107
PID 900 wrote to memory of 1996	900	Fqohnp32.exe	107
PID 900 wrote to memory of 1996	900	Fqohnp32.exe	107
PID 1996 wrote to memory of 948	1996	Fcnejk32.exe	109
PID 1996 wrote to memory of 948	1996	Fcnejk32.exe	109
PID 1996 wrote to memory of 948	1996	Fcnejk32.exe	109
PID 948 wrote to memory of 3764	948	Fjhmgeao.exe	110
PID 948 wrote to memory of 3764	948	Fjhmgeao.exe	110
PID 948 wrote to memory of 3764	948	Fjhmgeao.exe	110
PID 3764 wrote to memory of 2096	3764	Fmficqpc.exe	111

C:\Users\Admin\AppData\Local\Temp\9490ddf2cb2a0dda46b5178a81045f261339386769b8f5f1097a07325e8e718a.exe
"C:\Users\Admin\AppData\Local\Temp\9490ddf2cb2a0dda46b5178a81045f261339386769b8f5f1097a07325e8e718a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\SysWOW64\Efpajh32.exe
  C:\Windows\system32\Efpajh32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\Ehonfc32.exe
    C:\Windows\system32\Ehonfc32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Windows\SysWOW64\Emjjgbjp.exe
      C:\Windows\system32\Emjjgbjp.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4756
    - - C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3880
      - C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        23⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:984
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        26⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        28⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        29⤵
        Executes dropped EXE
        
        PID:320
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        31⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        32⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        34⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        35⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        37⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        38⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        39⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        40⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        44⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        48⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        52⤵
        Executes dropped EXE
        
        PID:704
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        53⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        56⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        58⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        60⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        61⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        65⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:796
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2408
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        68⤵
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        69⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1560
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        72⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4528
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        74⤵
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        75⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        76⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        77⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5036
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        79⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        80⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        81⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        83⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        84⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        85⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        86⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        90⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        91⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        92⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        96⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        102⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        103⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        104⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        105⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        106⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        107⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        108⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        109⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        110⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        111⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        112⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        113⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        117⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        118⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        120⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        121⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        123⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        124⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        125⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        126⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        127⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        128⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        129⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        130⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        132⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        133⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        134⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        135⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        137⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        138⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        140⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        141⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2436
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        144⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        145⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6296
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6340
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        148⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        149⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        150⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        151⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        153⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        154⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        156⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        157⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        158⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        159⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        160⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6936
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        162⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        163⤵
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        164⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        166⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        167⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        169⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        171⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        172⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        173⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        174⤵
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        175⤵
        Drops file in System32 directory
        
        PID:6712
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6788
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        177⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        178⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        180⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        181⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        182⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6280
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        184⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        185⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        186⤵
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        187⤵
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        188⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6924
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7044
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7160
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        192⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        193⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6664
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        196⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        197⤵
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        198⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        199⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        201⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        202⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7024
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        204⤵
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        205⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        206⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7184
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7280
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        210⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        211⤵
        Drops file in System32 directory
        
        PID:7360
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        212⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7444
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        214⤵
        Modifies registry class
        
        PID:7480
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        215⤵
        Modifies registry class
        
        PID:7524
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        216⤵
        Modifies registry class
        
        PID:7560
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7608
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        218⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        219⤵
        Modifies registry class
        
        PID:7704
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        220⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        221⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        222⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        223⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        224⤵
        Drops file in System32 directory
        
        PID:7916
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        225⤵
        Modifies registry class
        
        PID:7960
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        226⤵
        Modifies registry class
        
        PID:7996
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        227⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        228⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        229⤵
        Modifies registry class
        
        PID:8116
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        230⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        231⤵
        Drops file in System32 directory
        
        PID:6536
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        232⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        233⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        234⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7476
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        236⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        237⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7664
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        239⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7816
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7908
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        242⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        243⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        244⤵
        Drops file in System32 directory
        
        PID:8124
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7192
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        246⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        247⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        248⤵
        Drops file in System32 directory
        
        PID:7532
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        249⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        250⤵
        Drops file in System32 directory
        
        PID:7692
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7824
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        252⤵
        Drops file in System32 directory
        
        PID:7984
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        253⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        254⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        255⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7520
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7780
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        258⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8176
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        260⤵
        Modifies registry class
        
        PID:7428
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        261⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        262⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        263⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 408
        264⤵
        Program crash
        
        PID:7992

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:2436

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7472 -ip 7472
1⤵
PID:8180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
107KB

MD5
abe7b7e5761cdeb25d6d31498615243d

SHA1
94bc42aa9d1a58484edcd1989026ac1734221902

SHA256
f961f295c7588c7a764550566dbb8c5195728c20df04273afddbf5258908a2d6

SHA512
5d3aab2849c6f2ac70169ef54675a7fc896c762ee311679d9d965515fd2b4e77823b741700a79c2e53bbc047a4356e1a8ed976d4ad6b438fc10e91d76eeafe67

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
107KB

MD5
69d2e504c516d59f92332740322fedcb

SHA1
564cd4e4eb5de6c3ede64f25314cf410b9edbc25

SHA256
ef660dd3f7c2d81caa429c061b47b98dc399e299c64c859e15cb512e4fd109d2

SHA512
a5b370466021355ddc187b3c0e3fad80466e5c7da10751138c1f386a07ae83c3d98f0613a5ff65ad365ed074c8725018ecb1a6468bf5cf56c25ac35726cff347

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
107KB

MD5
9f9d01ad197f84a17a3a4d8ec81edc12

SHA1
f23accb5ea6652d80a2469e272e3a1e2e25ccecd

SHA256
d4c35a34d0acbceced26d7fccb3b920f29b066b63d433b09386118a22df43594

SHA512
75936e3e10fee8ed3c26bff1440d7288150e0d635ccc6408c839efddeaf1b60edb363b69f07c1c6ffa1fe3dd9049d04432b97a3405716346840ed9957cee0317

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
107KB

MD5
ca3ccad5ed3a18f057c2ab2d0f33cf2f

SHA1
87646873c31b0ce719378f0144818e41685c382f

SHA256
b85c8b2bcf7b390bc22fc709e3238b60c00eeeef790f03ff19ca81bb08c5b545

SHA512
0d33cc2ac1f8aad68f15e1a9f613913c31652024fbd9c9b8fca1b9b52be429b65534fd0a24f5f24ed6441a30bdff739af26824d3019c087c0966e6fc15a676ce

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
107KB

MD5
618b6218fe9015f18d08912e7378e2e1

SHA1
effbe6cf4a48cb94668a353d9513ad5da63c9650

SHA256
e6c4fe8bc6e77e5dfd2959df09edd1162c35ab5dda36c59966526787690a1faf

SHA512
3671c76714789210be4bd828d92a40aeedd554653965e12e694751919a67ef0df29e74c76bd25abc1215473eca105575f88352c69613e2e8cc8d2a825c6f3c43

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
107KB

MD5
6c5ef2e64b04e315e87ce8227ab007d0

SHA1
920fb0748ea9fe5fd6ad6d1acfb164749fabacd7

SHA256
7de7654cdc8224b0227a3cf14f59596152b73457fe99f0a9e32177856c468e4e

SHA512
28f89ea28af74536248ab2216ee421db2c181a5d6bf4bf973cd1e30df462867b982b4a5a7bdc408d3c3f2be56d9340f5259e3cc1b5ad16ae48070b759150ac84

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
107KB

MD5
7bca55d372bdebd2ee6d5e3ba275ee6c

SHA1
9fa572491e3880e4389600a6555bd72a45a169c5

SHA256
63196b79cd64f34d704e51d22ac214e40244d38489e8b2e7971aaf6e8ae6cf15

SHA512
23e426b911cd10460e3338da3e113dfcf6bf52e633e8470015439b4e4db54dcedd4a9a6598d9877dd575c0fbb931909df5f16dca9f7a54ad74d9330da699e373

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
107KB

MD5
716a6c601d3caa93d1e97709ba3725ab

SHA1
0c68bd2791450833c151df83782046a38b1963a4

SHA256
a0a91eb811014604212c3cf1dfb0ca66c210db1d385ca7a091d27ebbe3bbc580

SHA512
7ae97e17f68a62124203f4a19edcf3dcb60911c50a0b07e05cf58b8cf2f869b73ce9157c84ba351cd596553fa2008c3f4255b3d8a713205f3df4f9721ace989e

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
107KB

MD5
8d075219bcf6964b612876fbed5ed4e5

SHA1
ca6de590f1239f8c220365a33034cab1789a9141

SHA256
97a7c3993196f25a5cf8dbcfd838a4468638f8211752b78ac71d27e9367475cf

SHA512
e66233d05fa0945e488f2d8606191e2336fa80733803d2e72097081ab4c366594d4f5fbea402d13ccb6bd802e599211a64fbc0a5918d191c36c865aa7dcd1cd8

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
107KB

MD5
3f44de274ea8512fcd6a5472d2fa286e

SHA1
b3348f3a79787bf7df6accf57cba5b261958d721

SHA256
d8032a4f062235c775740fdb56f03878ad79acd28af08b5c11adcbf21defc8cb

SHA512
3b2042846b3d8164ab763b3384e7692ab63dc592d2220cac58de71d08725bb7b20d8da934eba8a582483712686b8f2afa9a0a766b55efd9acbf69243c3fdd36d

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
107KB

MD5
75ca6fb93d0c508ede29148ade87ce80

SHA1
63f2e95245293758e61506bebf3e220becb5efe1

SHA256
e1b35f3935d26d715d41298f85ee670796efcc7f30eb57084fd368efdd0a706d

SHA512
0b9454e0ef8bca7aedc7a4d5145a8068331f509ded8b9d7316ec338918b421e12d9bb9194307e44794fbe5d866126f70e4dcf772228434be83cd233f6c1f8a7c

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
107KB

MD5
b32c02810e6abb30771235c75122bb3c

SHA1
11e99ae2fa15f57d3bdffef5bc2484c1f47ea3d0

SHA256
a24fbc41fbc017500ff084821d629bd66d38a81aa05c2b62d05fbb4ccda95d32

SHA512
0bd4ffdb492fb138bee0538158a26c020469331b73cecd00afd3c5bb3859124d2b7a746e34f5af00039fc937210689336e06b4a649258a47955a02b10e0243eb

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
107KB

MD5
430e638f9e27638b55400eb3f86e849b

SHA1
2237acbe93ea4eafb9bda7d275e4e54a9ed67a2f

SHA256
3c38461d41627c6627bf8bef2e202aa73099e9be8d308221cb602ecfae9eb853

SHA512
a76a5d26c33cf754a92c8f08f819d4b4a45ba1e2e8f7250fe92a5bbf27c571528bb58f4c65d90c12f1c7a69a9459a10635b046641e560aebf1ca2f2cdc37b5d4

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
107KB

MD5
8a1d8c8d38962a7dff5e9c3092b3d954

SHA1
e505649f2d11192e0372f9d063bc606ac8949d2f

SHA256
740765883bc579f73eeaf63556e4b19e3f1abf1c1de65d0ff399b94151d7af01

SHA512
52fb43cb78c5de6d07ce3112ffa4e06fddcf7becccb5afdbed9a52330ab58d3a3e3e0844daa92de9561aa332886817e856c79fe488cd6b11dee06dafa2f8a643

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
107KB

MD5
b4f3fd2861086f91679d66ab3803951e

SHA1
f53f4778dcd83e0500a537e1c5e94d1ca1e26426

SHA256
a70f4a4e0af871ba531f175f136bb60f81ae95282fbda0cdbd452cc7169a179e

SHA512
cf2dfdd7db72b77049da8514888a3edb296926cc0d40f2d656b4cc21abf18b1d21b5587f0628aebcc8381baef6d28efa8b75be693a06e942d43808b30cced32c

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
107KB

MD5
478a720acbc67b84babc12a1fdccd57b

SHA1
3e821001f8d394c2fb2f4eb1cfcc51c25d67f79e

SHA256
da3a79d4198ae15f4459c4407f0933a1e10aa9ebd22c684ab0b06b6ebf19ff9a

SHA512
2e5e5e4bd9b167fb31651d31eccab0e286584cdc6977b5bcd3087db0bf8891e7d82659b4a76a7ed8d03ab70dbe8cce9bbbd795a402c2629c8bddbb28a44e1774

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
107KB

MD5
61c7b7d4e27498448d0675db255864c4

SHA1
50793d52cdc46130e78e83c764518040516df257

SHA256
7dff7f5a330363f9c01f17ea8fce3249ebfa76789b4e25ff6c8ae8c8ffcee55d

SHA512
09aab756b6923fee786aa68b7f7628f3603834cfdf81790537aacda629a02af87bc659a30fe8a00aae1adc77fb03abb3c10150206c120ad496900a7a0e5a8b8f

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
107KB

MD5
93c6b436f7e46862f24b0a575ec25e88

SHA1
d0cb724b2e922f98c031a9f7a28ce82fdab10b8f

SHA256
1e7cd7074cfd36b659c22083c9e09fb72d58a97d074c55e779282eb08c0cb5f3

SHA512
780c55f139b457a0e64f43db48b96dc199f096b50c5e74babfe75a9dd05c59c8fe4392be82b857943ffd570547d25e24e16ce07e228e6be5e11f30ddcb3513cb

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
107KB

MD5
db35c7f19e7800087fb8ed06c3a422cf

SHA1
340a0a3675c3af9d5ecb100e83d2ec974b3bba9e

SHA256
c1acc5e657b60e4954bf8dc1f7f670caf8a0f4df1b63c5766d28f56cd461e692

SHA512
803c43003b0abdbd0d216cc927275c4fe3eb9cb782efc3287c64efb2da98c0ae3fb52f62e9a08b13a3fc0ecc4da48cbbbd0faad5eef129a4f6de57a62f1f6dd1

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
107KB

MD5
c7a52102a6bccfaf04ed2d6dd88deffe

SHA1
30524db1db61b466ea6cedf6b59f121a6906c413

SHA256
5c7d6e83669c7e242290cae5d3de5d2cee2640583b3429c48b54d4b506156ecd

SHA512
ec1defaf7448e31859c744361ab8fc5e7b746a19d8093cc5990abd27cdd6802dd9fab114c54ac339e14e28cef0198d7b7358f3a38c0ff605826d824948d007e5

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
107KB

MD5
bc505048a9f5269b8bbda93ba566c856

SHA1
d8da13105a9a41653650d3aac0b08617f67b49e6

SHA256
3ee46e8f2319bdc3cdad13759abaf209f0c6ece881fa69fa1bf63781882cb7e8

SHA512
d3add8f39cbe1b38a87eec58b0a78e6b991d932be0411314116e5ed2ff7fd422f58d17a82b9cdade368cb5e803697c9468311e2509d811153d087868e178873f

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
107KB

MD5
61b61b158aec0acfe69c99324ef907a7

SHA1
903ac4424edc73fc7ee7b01baf07331f6004c6c5

SHA256
d8d542b1d5f98800009b016f5c5fc20cf74dd5a2c6618128d590b6b55656bef6

SHA512
dd958a4922f79f776e893fabeba3f79800b55a05894c49d654725091172dfa311eb2242f1011db144eac5d0d67c646ac122ce4cd87257d768d8df5028f5343c2

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
107KB

MD5
d63bdacea503b89faf94db04cc399d4a

SHA1
b350fccb01d6850fd9098847ed654dfc8c3b2395

SHA256
10b5268a3765ea271bb17225f0dd45ea69c5650611ba998fa1f2ee3b65bb794e

SHA512
b4479bf8f53e14550b9005b3021341faa8767f632e5264d488e4f4f2d6963b5ae7f96e36b71a7ec121bebc68be9fe08b2c00bf95435805bffdf376d7985a96bc

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
107KB

MD5
7b7c181d48da2d60a7e1f71c389d8fc7

SHA1
b74a9cd444812253b71365479f57b4d74851260c

SHA256
e74ae41aa756732210352108347fa0e9c191e1976db058a884767cfe0cc665e6

SHA512
55461d2f32903710ede5c1afb4bfd02baa450e0c24634ad73388a61bb42045e30464e364fcf76809058d25c84e8ff5d2ae296fd94fef626231304dff3bea068a

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
107KB

MD5
daec5b05bbf79d0ed8d1189a956b72fc

SHA1
89c0b46b9a0657fd0662d462680f35fc906d5a55

SHA256
c7874511f1f04c4176cad5fdc0d690a005ab6c9ef6c2dd1916f453ae3ad4f21c

SHA512
9741e7cdbbfb7b9b05e03596152ada4d9e2f9425304ab2ef13ae299757e6d63cd04e1e0905457901550d7c3056baffc5985742d6a2b4acc013cc8e27166a9844

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
107KB

MD5
61620d3e6bca779e3be0f56ad88addb4

SHA1
d572749ec03ae0d3ebd2b25b5b4006c7d797ee8d

SHA256
0c6bb03ba256a88b8822e1babfa92516d42e6e57cfb467b807bebbb0f3505907

SHA512
f20d6e623b3a37269c360c6f98f1f4c767a07a4391d1dbfc90230d2af6c8e1949adad887765d33f3ff168e9aebb84423ce4902c2cee78c5f2fc0da1be26ab0c8

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
107KB

MD5
d967fc347be20b4e0b4695bc333e0591

SHA1
c49a72781b991b5483970bd49962e85bd5c779f3

SHA256
dd1b31f56517d1883a4c781cd717c81577361a116a6d3bf83e1fbb518d91f936

SHA512
8d65abbf846562777a1b6299e98dd08e145a51b6f6e2720688874d3f4cc245a74e918e9a7813be79d7cf8ab4d5d8e774a525374f3a155b7e7f306a6710286309

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
107KB

MD5
ca077ffbe2f3167aba2b64240517829d

SHA1
5d1e394ea1255e7beb756915d2fdf8d0748e3277

SHA256
e51cdc42dea9c84e11637181217284a834c786d9f6848a062efcd895797309e7

SHA512
f40c6c9750119cf77f543d030cffb8ac047a0b4f1fb1a15b802d416d32c8d3a808dde0c7e049ee10201351b38b76f08841d8346152b4f9427f6e5a93e921dea9

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
107KB

MD5
98654e5a180c583cddd3785ead92d662

SHA1
f47eaa047d43a9667c60c61f424ee2a569daf91c

SHA256
f4c1ee293e63d56a40b13874c95f527e61e257f44963b9b7e36394c38e52dbf5

SHA512
9a9169b1111e9e8b1051519712c182d03ec0dafc7510aeccbc2ef5030924e1c5de90f349769dbc278021ba6aa983754f48171346305ebe6b32cbf800fa32d518

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
107KB

MD5
8bbe1324ae0d9c0f89ee27cfbf6146e3

SHA1
db1f1077d15eb3de2e0b05e9449c3178ec4a1093

SHA256
38aa4d6a376b9d8df10a69c490f61a385977079649d23f7d209208503204c567

SHA512
73d0f74c8320665135f7c704bae45e4bb9deac7e9cd1ea8ffbcd4c90af22c0d11e9ab60cfa0ffcac62542757004e367ebf1288a229d70b6122e350e3c0c34eca

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
107KB

MD5
788c180dd25891a0135195c3cdb2963a

SHA1
976118caea48bd9716a0cb6f6a13e9755502cb4c

SHA256
f8e1681d544343e179174202977e54c1002bd3b6328d5450a82848f834be1e70

SHA512
6a15c9612123035730d6a86c889df3320e177672c80b626da01cfb70bb4765dcc730f07a36b13762d680a2c2bd6e3d2e7ccfa63d07bf5c978aebda2bf6c7e13f

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
107KB

MD5
0aa4b21441f524c4d6e1e055368c11a4

SHA1
92d652d3a862347e1da885d17eaba7fa78f1fce7

SHA256
d7382889026cb929825eac4364071b46a355fe85014aa813a58024ea483be108

SHA512
49cdb2a0c26fafe2d4135a7f1b7e34d52af1c8e7317d4f1218c6f81e0a54645183c8940cc14b128da2ccedae449a181b39b4f236f8697753e36fb499be68270f

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
107KB

MD5
d2cad891c9c4e2e3e1c2b3dd3f585eb3

SHA1
9b9df3f08a78d1a0b99cb83206189dd07ae78d2e

SHA256
81e77fb8e9a81cf797813b38f23606ea1d5efba2f20de1afc31357ec7d38ab33

SHA512
92029ec2667eaa24b619e312b6d2d11ff66cc038d935fec5dcd10b7adfe95593a4f663287aec6313cffd3c1d91517a02909a2ac2639c4d0155504fc41a4442c2

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
107KB

MD5
b3cf1ac124fe75605a228ab88c763b96

SHA1
5b73d77506b51bc2766b6e2a1e2a3e5789bca8d6

SHA256
a2f73f5d894cf448539a084e9bc389386d5c913ada0392a109a3523e57019bc4

SHA512
aa058f3226ffb1491c56642e1f6d7c786d62a937f3366f9e5677e0a04ea9a600620d5c4162e9771dd04c8685cd1714c83d2d0c2af6f0e96c32fbcfa3e6032b15

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
107KB

MD5
3c7ca4e5e8b2ee19c675426512dfc4ec

SHA1
dd378ee9193ad6f9e90db3231e2840509aabd02b

SHA256
b5da7c83a70a5b87b3bc712d7cecb4fe2b974e818627aff327f81705fe4e5a76

SHA512
dbcb35350a748fe965dac6580baec0994135aa69c4022ff1e2d8de517c00a3aacdc2bca2d54fc469fbe1f78b422040541064fa090d92f726d70fc97f30acf488

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
107KB

MD5
5a1c431a0b3f1e7518c60b4b17420d72

SHA1
e5606a7b16a331dae17db77f2bda6924057d1059

SHA256
f0c994d663cb16a7cd8093eb2d6c54528726a35df8ea672b5e9c2fe174dd4269

SHA512
92bb4cd29cebca80c08acb68cf7720e95899bf3e754255fe6f5d50cc44c20c6511a5662cc0091beee446e14a84fecaf7a6ab0f09c4ee2cb38080886f00be5c7b

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
107KB

MD5
76fc89837a27784cdde66be4aeb48714

SHA1
cfa5cbc93e1de58a0d9a67e6666dd16251538e82

SHA256
7c2e61e47d76bee769c163607dabbbdb5f6bea9c03693b4b5489490c88c43f2f

SHA512
ac34f48f87ff167964dce3bc803e7b0d9a337cca9379783e8381636c74bb61c878c51516dd9c2cab496a299b670200e9730c5ba9fe9af682e620fd0897f67356

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
107KB

MD5
2b59f7597e7a52f7f2e596177371a803

SHA1
bf3961c165883cf0a9a291ccfc515bf8b9adc014

SHA256
a5798c75134ea994b05f13d9428318e8d71b095b19c1e925b098d40bac201c9b

SHA512
ce002a94b86bbee4c45c8971abb9b3475a3357efcc843eb539c43dcc43f32c6f33cc8aaed9862f45621975e1a058e32ef81630ec199b963bc6d4eadb5dbcc76c

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
107KB

MD5
5356a1ee0ab3ca31c93bd3f75dd44434

SHA1
9fec860933c6310e05b57222d3adbe59f894788c

SHA256
810d7d197b8494b435a9c8be9f9d82ea73501b47c6ee754bb7834cbaa2418b51

SHA512
684f646ae9c7959618711a7ade9e2b58591ecf54465f15e0a394e7d6a905682c6ddf6dcf98f124ea6d295707f0de6ada891f5e125b8f59efb78286c1b10a540f

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
107KB

MD5
c9db4202e3bfcebd413fe3bf67e1ec3a

SHA1
901a038ed90833d5a7c472749753e9219df007a1

SHA256
a43de83c2eb5e4296f448b609545f8865adbff69f7d9d1f4e7262db1a062146a

SHA512
4a29e626ea0a37cd9336e2b8240178d76ec149bd9d27f0ab21b47497bef61812ffa78eb307093b0a22f2babedeab8047c8d104a2ecf092e3ef7615508bce2446

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
107KB

MD5
03584ae3ff37856ec15ba745675fddb6

SHA1
f5eb9480a3fc707f57bd5e9b4c96a2aba404ed2e

SHA256
b3007799547f4ba5e1c1979e3d72be40483fa1512fd768b8d6cb4c595a290691

SHA512
6562622a89a780b5e4af58b295e4c91802677f4222955871fb341d6a1ea411da81a07d99e3a63257044ffa2084f88b723f096eb51ba3b2ae355a0de0754ceba5

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
107KB

MD5
2ba6269672dd036259f201458dbea10b

SHA1
6215c89a066e6a9bdea400b80948b6a1776ae3ae

SHA256
657f1ed03f9f92fa7d88082573941d1f7dcf3a6c42b1bb68d7fe7d93cc7dcc9c

SHA512
53bd14b568797257439d740c571c4a5ace5a87dd5c53568aaa97e65c23188cd6fd4655fef0970e69678f747cefa8f7dec0c530f25bd967ffc6413bfa01a1edaf

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
107KB

MD5
5a331706561136cd16e70168938aa26c

SHA1
a788b4d6b214614e391b372133c3bf70730dccff

SHA256
9a034c099b84468b0a8f604732b6ee11c27adf433b01523168d1e874af1a05e3

SHA512
19a7f6bdba1386cf95c41aafb5b529b6ae9e64c24de8ebf6717d618ebf9eebffeb138124eeb9f1a6f7a79c334cfd515568ffd956275ae1380efa05f99bc80528

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
107KB

MD5
59a02affb4e205275cbc9f5a4209adb6

SHA1
979850e2849be66c312eefc08bf94c6d9b785c9c

SHA256
95dcfd4494f218082fbecd7924c6e9ad0f9706ff6c97b4262cfe70a06927e20f

SHA512
77cd142c19e5e2e43da885fa7a42b0e0efddbfc3897bcf64660524c41c91d6e9bea93c90de339595ccd737c9afbf6ea4a51cb5ccf5a119186269c04f0636f445

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
90KB

MD5
db855365ba79468af5c3f8987b86e444

SHA1
7e7945c8d3401066e95cfa5710c438747dee5c65

SHA256
11ace9298db9ff504dec9d7b32b3883036969b59ada17007ba57fcc2c511caab

SHA512
193390d1dd15f004f46ddcb07448bca8518c3d2ae7985b1036e3fd6f98a4e39ae01223bf106fdeb1c3475c96ab95e56b24eefe31e801fe3a6762e60a1a7943e6

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
107KB

MD5
d959ef5931cef8610888f39ff2c59cc0

SHA1
ab063638459dab29fe6532a902b55b6c8326f1eb

SHA256
90eee742a0ba89d8833152cff427bf14066371c9d6042ee1512f73be3b35eea3

SHA512
edfde24596a3d2cc998d65e58e73be4d1ab56efe03fdb28e3d259c4cd653f577281884e89c122429890831cf0021ab4ea15e6bd72127c6622720727d21a55476

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
107KB

MD5
cb5d59bb8ea27158ccea58e5a507b629

SHA1
e9bbf28a9a2c9e527163f9762c0760216bb1a4be

SHA256
6b47c08fe15edbc996eddcd3cddc76a9d00954186d8f57232f82fbcb42b06439

SHA512
0a75283c93eb718ab9456bc5e9a1f3f34b69c0d53d45b12f5121cefc86a6a436e3b735212039a1dac4ae2ab84d56d3e68aa12da618b381884c6dfd33e2da09dd

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
107KB

MD5
d7c2b7ea2f901044769d814d847411f2

SHA1
11d0f2b1b5bcbf2a6b9a863f85fac3c4bf475d75

SHA256
1c4c68063cdcd83aa1d907584660259dcbca6530092c112fe487fbd38f2e776d

SHA512
bdd74168c9e9b54f42a970684d1f3a022328a3b5fab831ff2fa96e725717fa35bd98f64dfb3fbebb08a73f27cbe76d40b8896ad0d713b4bdc39231fa54650b03

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
107KB

MD5
5cf8339362e634a02aa5a2c1920d610b

SHA1
9e843498d17fe54999cc53e73f7f340ef9f3c045

SHA256
7a70d26f3e05583c33e5e24536a288dd1ab59f41a21614d238585e0fd5553207

SHA512
be374d97a09c73ad0a801b1132501ac5f02594143d69fce9018f674091279c7713cdd57659dcbc415c612cd5e6bffd5f88827fa18fdc3e3906d45d4a9c649ab6

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
107KB

MD5
6b93f503480cf5c569679c3789d053ce

SHA1
fb762ce91c93a167e8fcb48e507e73dcf906c331

SHA256
88fcbf68fd2a3c0d687e3ab96fc6a0889a8f77091faf9da1536122ad52f4a304

SHA512
4e306170e0d775ffc3dfa227082d4b071ccb0c956187f08932e802c6457493fa90aa815adb3991df56677712ed1a98ab06030348004fa95b11b4db8fa6646470

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
107KB

MD5
ac2beaa6befa47367a89c6d651bb7aa4

SHA1
eef972d6420d8bcdad121496370645a2bb0cfdb3

SHA256
0552105f97b21b1366e995e9ce0feff84cea23003a16e6590d804c2a1e9492ac

SHA512
42bcc269ec19b10c342b998bb240b6a610074252e19a69836ff44e6c94afbba756645dd30fda4f4b56d63a72a2be523329bac2f34e6b84a914bf34badb524be8

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
107KB

MD5
fa1b4b6a60f69d06e4551f9b973273c7

SHA1
4ecdc4b84fac9e415ed2faaccbcaa99c96e06ef8

SHA256
a8ee6aecf267f61e61c2ca9dc042b4447939a6149dabfdd80be8977bfef63d7c

SHA512
fe56c4039dccae632d963466e98d1124cd74c9267997560988326914570d2bf63a28fb7f7b9c70a3eafe687987653f0a5203d719394fbae40d50eebda1db30e8

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
107KB

MD5
b495cf050f80d672addd39739c4519d1

SHA1
82bbd6c50cedb2420d8b18626fcd74f61fc27529

SHA256
b3f18c302c91d262d02f5946742181f390e5d4a6806da49026e07361661b4369

SHA512
295a45bdfffb8f0ba6177278ed1145553242c714e7f96f1753d6a6040c152acd8c5cf0168f14052d71cb6ca5de1f12f05580108cde69dadc1ae887e887e0367f

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
107KB

MD5
0cfda185b5e327a6bbc6db684ccb0d96

SHA1
e9f6b2f2c791f7a106bd48c9358d3d3efa92fe88

SHA256
9602bb40e7e7a764fe0f9a374086917bf781a7595927e9bb12ec4d96b2fda611

SHA512
3ed3e161d55b1496b808b0858c87e54220458245ee3d0da7a6aeb763cd0f635709712b062be9068e5a3b91cd881771d1422d6cdbbacda77c2b42093d5c1c9d79

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
107KB

MD5
4190208042e9a3d1a21659e8e6060af4

SHA1
48c98e218d1eaf49ec59294c98360ae11861675e

SHA256
d47217d4f29fbbae1e6fd8451d8a7a76bb682f60a71f84d3b656f5efc17770ec

SHA512
817227659122fbee39432fcb33e06ca619a0e10c2992308359945f2ac24edecb6d3cdeb5d5c6e3d99198cc4bc5202e7bf576a4a26197fb20d6a2e04a343d7fc0

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
107KB

MD5
cca2ec291a924b3f8d266a73147e6b25

SHA1
108de1e064acc7d59036a022bb43a40b92027694

SHA256
9d6e43f0a77cecb1ddbd5e66a97813605bd2ffd2ed65510515a166008ca4ac7f

SHA512
1fa76ff077cc33dd0fdc718ec838137691f9618d166dbbc633046b0bae744812e40107a00f66f7c0176643fe42af130139137ffe57773c8946ffbe4fcce3d835

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
107KB

MD5
734fff3472c0a53a4e9d5b5b99f1e035

SHA1
a6cc01fe7bce2a342f42180d83cc02be583b9f76

SHA256
75c1d5c94317591cdaf9b35cc41f288591231538676dce8ffa06d59823256655

SHA512
dfe1d7d4e67a9271620bc8043a590cdda4ecddaebdcd45936900c72f6e1cd48bddbe22ba10d079518cc761446c2d2f0e1a365ab06b7ee1de4e706e36f52d232e

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
107KB

MD5
076104d005adb61fd8d4addee6bd720c

SHA1
643f5ba26210d39c653967c1e8a3a41148139abf

SHA256
a8607c7667050feb60fc40b8b1c54373730ff9743b2104d479f2a4d7b3afaae4

SHA512
5ca648c6378555ad3a8f5571b86185a6550f632cdb10ed7027aa38c44722510420ad56e4471bb9389a7a4b65430b425a2140bfbce0e5851a014d1ed76983be32

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
107KB

MD5
fe5e6f7c66485c669b9ef5b799dd4479

SHA1
e5bf053e8cf9062c91ad7006b0e4c6a5188e6753

SHA256
84199fe871840f884f4632d1e6d8599baa7c76c550d70ae49a14e63ddc89aa20

SHA512
3ba76babb895d3c5759e12250fedb16f9fee1ef205df5b91bb20fb65113196fbb1ac371cda2d693aabd4bf55c8fda4ce1058e405eb2b4a1d4194a56e29650884

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
107KB

MD5
35f6d95b5307285f7b680581a712a5b5

SHA1
70fe677ed79b937ee33b2446c84cd2d299daf563

SHA256
fa591ee6bf1f242cd565969fa3b06283d7b9cc0c85d17bc14beaed21da09af1e

SHA512
9571bfa778be001829a36f7a67cb60f74f0f8bc214b865b08e40f318667c76ff81dd97dfd5f1c0ca32ebf591e1fefb8ab4f52fe80d2dd6c9e099c91ae4c7583b

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
107KB

MD5
e1014e9fb471d3bfbf3ff4746f4370ca

SHA1
368019e0bd95537d7765f1212f170f136279fb6c

SHA256
33f8dd3e861df9c5afd0c5058836a6809fd0c432b8077b143e3f7ca82f56bd6f

SHA512
b5219e6eb5b876ea2bb0dd752fcbb399321108f858b25f31b6b945d42504b3821e4e7ac866bf470da6fbd588e3c9b652e9b165bdac9dbbf40369df621c89fe7b

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
107KB

MD5
371c703f67e71b0622797b45d8439778

SHA1
a40979cd539ca12e1f2744e26fdb2ee1afede40d

SHA256
f276277cbe6828c375a72b346f1fcf14fa0d225ce5a7761fac9333468f2ac21e

SHA512
b8ccd2f218906e9a160a58115e27bfc53faccaef60f354f7cd6c8678e852dd75ed6d4d964ce285270015826e4c8879783344a12a838cea12f94f1726aedb9396

Download Submit
memory/320-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/368-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/404-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/436-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/780-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/780-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/900-236-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/900-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/948-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/984-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/984-195-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1172-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1352-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1352-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1500-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1500-204-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1696-137-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1928-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1996-164-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2096-186-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2096-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2608-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2608-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-194-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2924-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3456-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3456-77-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3512-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3512-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3688-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3688-150-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3752-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3764-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3764-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3772-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3880-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3880-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3976-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4128-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4128-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4164-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4184-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-272-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4568-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4624-282-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4672-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4672-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-246-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4756-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5004-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5004-132-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5084-102-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads