3a4de418fa381dae4c6abc16bdc2aead86a53fc89bcadb3157b0d25f28de34b9

Analysis

max time kernel
92s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a4de418fa381dae4c6abc16bdc2aead86a53fc89bcadb3157b0d25f28de34b9.exe
Size

483KB
MD5

c759b8c19cf15065f48bc279fcf6c93a
SHA1

9ab88a9753a7796a244596c923697295790d4655
SHA256

3a4de418fa381dae4c6abc16bdc2aead86a53fc89bcadb3157b0d25f28de34b9
SHA512

2e62f845dac2f84fc4c9bcc935c56d41973385aa093cb6537118d828f479e8231d7b2929ecd4258ae2886c6c2647cfe592e6d5a46ff77272e6323f29b930f44e
SSDEEP

12288:cGutY5vARMSG0dhvARM/3ARMSG0dhvARMoHG:cGutY5wdhcdhMHG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcckif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfonc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cafigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdialn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkljak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbiaapdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odnnnnfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbpjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfoiokfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alabgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkldb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemlmgnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehgqln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fooeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoeoidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gomakdcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obidhaog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Angddopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhpjkojk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmknaell.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihbijhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgallfcq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odpjcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajjli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odnnnnfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qecppkdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eepjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eepjpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqgkhnjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbnpqk32.exe

Executes dropped EXE 64 IoCs

pid	Process
4824	Jpojcf32.exe
4648	Jmbklj32.exe
4844	Jpaghf32.exe
4828	Jfkoeppq.exe
4712	Kdopod32.exe
3992	Kkihknfg.exe
60	Kpepcedo.exe
556	Kinemkko.exe
3632	Kdcijcke.exe
1436	Kmlnbi32.exe
4892	Kgdbkohf.exe
4924	Kpmfddnf.exe
1820	Kkbkamnl.exe
4212	Lcmofolg.exe
4340	Ldmlpbbj.exe
4244	Lkgdml32.exe
4692	Laalifad.exe
1396	Ldohebqh.exe
4156	Lkiqbl32.exe
2824	Lpfijcfl.exe
796	Ljnnch32.exe
848	Laefdf32.exe
4396	Lgbnmm32.exe
904	Mnlfigcc.exe
2748	Mkpgck32.exe
3808	Mnapdf32.exe
4860	Mjhqjg32.exe
816	Mglack32.exe
1540	Mdpalp32.exe
3832	Njljefql.exe
4148	Ngpjnkpf.exe
512	Njogjfoj.exe
4636	Ncgkcl32.exe
5020	Njacpf32.exe
4420	Nqklmpdd.exe
412	Ncihikcg.exe
4644	Nkqpjidj.exe
1936	Nnolfdcn.exe
1536	Nqmhbpba.exe
4584	Ncldnkae.exe
5048	Nggqoj32.exe
116	Nnaikd32.exe
3604	Ndkahnhh.exe
3140	Ogjmdigk.exe
1976	Ojhiqefo.exe
1624	Oboaabga.exe
2352	Odnnnnfe.exe
3152	Okhfjh32.exe
2424	Obangb32.exe
4972	Odpjcm32.exe
3712	Ogogoi32.exe
4740	Onholckc.exe
4032	Oqgkhnjf.exe
468	Ocegdjij.exe
1620	Onklabip.exe
3016	Oqihnn32.exe
3008	Ogcpjhoq.exe
5092	Ojalgcnd.exe
4908	Obidhaog.exe
440	Odgqdlnj.exe
4748	Pkaiqf32.exe
4520	Pnpemb32.exe
756	Pqnaim32.exe
3596	Pkceffcd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Allebf32.dll	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Kgllfjld.dll	Pjkombfj.exe
File opened for modification	C:\Windows\SysWOW64\Ehgqln32.exe	Eeidoc32.exe
File created	C:\Windows\SysWOW64\Jfoiokfb.exe	Ipdqba32.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Aahamf32.dll	Acocaf32.exe
File created	C:\Windows\SysWOW64\Igoedk32.dll	Eoolbinc.exe
File created	C:\Windows\SysWOW64\Bhfonc32.exe	Behbag32.exe
File created	C:\Windows\SysWOW64\Bldgdago.exe	Bdmpcdfm.exe
File created	C:\Windows\SysWOW64\Ehljfnpn.exe	Eemnjbaj.exe
File opened for modification	C:\Windows\SysWOW64\Gododflk.exe	Fhjfhl32.exe
File created	C:\Windows\SysWOW64\Kipkhdeq.exe	Kbfbkj32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	3a4de418fa381dae4c6abc16bdc2aead86a53fc89bcadb3157b0d25f28de34b9.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Dokfjo32.dll	Qgallfcq.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Ndkahnhh.exe	Nnaikd32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ecjhcg32.exe	Eoolbinc.exe
File opened for modification	C:\Windows\SysWOW64\Kipkhdeq.exe	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Edgbbfnk.dll	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Lpnlpnih.exe	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Mgjpndjd.dll	Alabgd32.exe
File created	C:\Windows\SysWOW64\Jidpnp32.dll	Cbcilkjg.exe
File created	C:\Windows\SysWOW64\Fobdihjo.dll	Clbceo32.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Alfkbc32.exe	Ahkobekf.exe
File opened for modification	C:\Windows\SysWOW64\Bbgipldd.exe	Bjpaooda.exe
File created	C:\Windows\SysWOW64\Clkndpag.exe	Cafigg32.exe
File opened for modification	C:\Windows\SysWOW64\Cojjqlpk.exe	Clkndpag.exe
File created	C:\Windows\SysWOW64\Kdcbom32.exe	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Gfogkano.dll	Okhfjh32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Kfjhkjle.exe	Kboljk32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Alhhhcal.exe	Adapgfqj.exe
File opened for modification	C:\Windows\SysWOW64\Hfnphn32.exe	Hcpclbfa.exe
File opened for modification	C:\Windows\SysWOW64\Hfqlnm32.exe	Hbeqmoji.exe
File created	C:\Windows\SysWOW64\Jfnbea32.dll	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Adapgfqj.exe	Aacckjaf.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Fkmchi32.exe	Ehnglm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9984	11176	WerFault.exe	535

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmamoe32.dll"	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hoiafcic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnobj32.dll"	Alfkbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apignbdf.dll"	Ffkjlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qecppkdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkefpan.dll"	Pkaiqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjehk32.dll"	Eemnjbaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bemlmgnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmipecpd.dll"	Fllpbldb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eeidoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiigifj.dll"	Dedkdcie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbgdlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoolbinc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhindhb.dll"	Fbpnkama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfpcgpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbldglg.dll"	Dboigi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honhef32.dll"	Ndkahnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolmfp32.dll"	Pkceffcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Camphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngndc32.dll"	Gbiaapdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpelohh.dll"	Nnaikd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahkobekf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baocghgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpjhl32.dll"	Bajjli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhdbhcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eeidoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbiaapdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qloebdig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anbkio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmjdjgjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibifp32.dll"	Hoiafcic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 4824	3572	3a4de418fa381dae4c6abc16bdc2aead86a53fc89bcadb3157b0d25f28de34b9.exe	85
PID 3572 wrote to memory of 4824	3572	3a4de418fa381dae4c6abc16bdc2aead86a53fc89bcadb3157b0d25f28de34b9.exe	85
PID 3572 wrote to memory of 4824	3572	3a4de418fa381dae4c6abc16bdc2aead86a53fc89bcadb3157b0d25f28de34b9.exe	85
PID 4824 wrote to memory of 4648	4824	Jpojcf32.exe	86
PID 4824 wrote to memory of 4648	4824	Jpojcf32.exe	86
PID 4824 wrote to memory of 4648	4824	Jpojcf32.exe	86
PID 4648 wrote to memory of 4844	4648	Jmbklj32.exe	87
PID 4648 wrote to memory of 4844	4648	Jmbklj32.exe	87
PID 4648 wrote to memory of 4844	4648	Jmbklj32.exe	87
PID 4844 wrote to memory of 4828	4844	Jpaghf32.exe	88
PID 4844 wrote to memory of 4828	4844	Jpaghf32.exe	88
PID 4844 wrote to memory of 4828	4844	Jpaghf32.exe	88
PID 4828 wrote to memory of 4712	4828	Jfkoeppq.exe	89
PID 4828 wrote to memory of 4712	4828	Jfkoeppq.exe	89
PID 4828 wrote to memory of 4712	4828	Jfkoeppq.exe	89
PID 4712 wrote to memory of 3992	4712	Kdopod32.exe	90
PID 4712 wrote to memory of 3992	4712	Kdopod32.exe	90
PID 4712 wrote to memory of 3992	4712	Kdopod32.exe	90
PID 3992 wrote to memory of 60	3992	Kkihknfg.exe	91
PID 3992 wrote to memory of 60	3992	Kkihknfg.exe	91
PID 3992 wrote to memory of 60	3992	Kkihknfg.exe	91
PID 60 wrote to memory of 556	60	Kpepcedo.exe	92
PID 60 wrote to memory of 556	60	Kpepcedo.exe	92
PID 60 wrote to memory of 556	60	Kpepcedo.exe	92
PID 556 wrote to memory of 3632	556	Kinemkko.exe	93
PID 556 wrote to memory of 3632	556	Kinemkko.exe	93
PID 556 wrote to memory of 3632	556	Kinemkko.exe	93
PID 3632 wrote to memory of 1436	3632	Kdcijcke.exe	94
PID 3632 wrote to memory of 1436	3632	Kdcijcke.exe	94
PID 3632 wrote to memory of 1436	3632	Kdcijcke.exe	94
PID 1436 wrote to memory of 4892	1436	Kmlnbi32.exe	95
PID 1436 wrote to memory of 4892	1436	Kmlnbi32.exe	95
PID 1436 wrote to memory of 4892	1436	Kmlnbi32.exe	95
PID 4892 wrote to memory of 4924	4892	Kgdbkohf.exe	96
PID 4892 wrote to memory of 4924	4892	Kgdbkohf.exe	96
PID 4892 wrote to memory of 4924	4892	Kgdbkohf.exe	96
PID 4924 wrote to memory of 1820	4924	Kpmfddnf.exe	97
PID 4924 wrote to memory of 1820	4924	Kpmfddnf.exe	97
PID 4924 wrote to memory of 1820	4924	Kpmfddnf.exe	97
PID 1820 wrote to memory of 4212	1820	Kkbkamnl.exe	98
PID 1820 wrote to memory of 4212	1820	Kkbkamnl.exe	98
PID 1820 wrote to memory of 4212	1820	Kkbkamnl.exe	98
PID 4212 wrote to memory of 4340	4212	Lcmofolg.exe	99
PID 4212 wrote to memory of 4340	4212	Lcmofolg.exe	99
PID 4212 wrote to memory of 4340	4212	Lcmofolg.exe	99
PID 4340 wrote to memory of 4244	4340	Ldmlpbbj.exe	100
PID 4340 wrote to memory of 4244	4340	Ldmlpbbj.exe	100
PID 4340 wrote to memory of 4244	4340	Ldmlpbbj.exe	100
PID 4244 wrote to memory of 4692	4244	Lkgdml32.exe	101
PID 4244 wrote to memory of 4692	4244	Lkgdml32.exe	101
PID 4244 wrote to memory of 4692	4244	Lkgdml32.exe	101
PID 4692 wrote to memory of 1396	4692	Laalifad.exe	102
PID 4692 wrote to memory of 1396	4692	Laalifad.exe	102
PID 4692 wrote to memory of 1396	4692	Laalifad.exe	102
PID 1396 wrote to memory of 4156	1396	Ldohebqh.exe	103
PID 1396 wrote to memory of 4156	1396	Ldohebqh.exe	103
PID 1396 wrote to memory of 4156	1396	Ldohebqh.exe	103
PID 4156 wrote to memory of 2824	4156	Lkiqbl32.exe	104
PID 4156 wrote to memory of 2824	4156	Lkiqbl32.exe	104
PID 4156 wrote to memory of 2824	4156	Lkiqbl32.exe	104
PID 2824 wrote to memory of 796	2824	Lpfijcfl.exe	105
PID 2824 wrote to memory of 796	2824	Lpfijcfl.exe	105
PID 2824 wrote to memory of 796	2824	Lpfijcfl.exe	105
PID 796 wrote to memory of 848	796	Ljnnch32.exe	106

C:\Users\Admin\AppData\Local\Temp\3a4de418fa381dae4c6abc16bdc2aead86a53fc89bcadb3157b0d25f28de34b9.exe
"C:\Users\Admin\AppData\Local\Temp\3a4de418fa381dae4c6abc16bdc2aead86a53fc89bcadb3157b0d25f28de34b9.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\SysWOW64\Jpojcf32.exe
  C:\Windows\system32\Jpojcf32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\Jmbklj32.exe
    C:\Windows\system32\Jmbklj32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Windows\SysWOW64\Jpaghf32.exe
      C:\Windows\system32\Jpaghf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        24⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        25⤵
        Executes dropped EXE
        
        PID:904
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        27⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        29⤵
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        30⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3832
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        34⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        36⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        38⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        39⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        41⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Nnaikd32.exe
        
        C:\Windows\system32\Nnaikd32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Ndkahnhh.exe
        
        C:\Windows\system32\Ndkahnhh.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Ogjmdigk.exe
        
        C:\Windows\system32\Ogjmdigk.exe
        45⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Ojhiqefo.exe
        
        C:\Windows\system32\Ojhiqefo.exe
        46⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Oboaabga.exe
        
        C:\Windows\system32\Oboaabga.exe
        47⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Odnnnnfe.exe
        
        C:\Windows\system32\Odnnnnfe.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Okhfjh32.exe
        
        C:\Windows\system32\Okhfjh32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Obangb32.exe
        
        C:\Windows\system32\Obangb32.exe
        50⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Odpjcm32.exe
        
        C:\Windows\system32\Odpjcm32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Ogogoi32.exe
        
        C:\Windows\system32\Ogogoi32.exe
        52⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\SysWOW64\Onholckc.exe
        
        C:\Windows\system32\Onholckc.exe
        53⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\Oqgkhnjf.exe
        
        C:\Windows\system32\Oqgkhnjf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Ocegdjij.exe
        
        C:\Windows\system32\Ocegdjij.exe
        55⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Onklabip.exe
        
        C:\Windows\system32\Onklabip.exe
        56⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Oqihnn32.exe
        
        C:\Windows\system32\Oqihnn32.exe
        57⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\Ogcpjhoq.exe
        
        C:\Windows\system32\Ogcpjhoq.exe
        58⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Ojalgcnd.exe
        
        C:\Windows\system32\Ojalgcnd.exe
        59⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Obidhaog.exe
        
        C:\Windows\system32\Obidhaog.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Odgqdlnj.exe
        
        C:\Windows\system32\Odgqdlnj.exe
        61⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\Pkaiqf32.exe
        
        C:\Windows\system32\Pkaiqf32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Pnpemb32.exe
        
        C:\Windows\system32\Pnpemb32.exe
        63⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Pqnaim32.exe
        
        C:\Windows\system32\Pqnaim32.exe
        64⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\Pkceffcd.exe
        
        C:\Windows\system32\Pkceffcd.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Pnbbbabh.exe
        
        C:\Windows\system32\Pnbbbabh.exe
        66⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Pqpnombl.exe
        
        C:\Windows\system32\Pqpnombl.exe
        67⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Pcojkhap.exe
        
        C:\Windows\system32\Pcojkhap.exe
        68⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Pkfblfab.exe
        
        C:\Windows\system32\Pkfblfab.exe
        69⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Pndohaqe.exe
        
        C:\Windows\system32\Pndohaqe.exe
        70⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Pbpjhp32.exe
        
        C:\Windows\system32\Pbpjhp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2696
        
        C:\Windows\SysWOW64\Pcagphom.exe
        
        C:\Windows\system32\Pcagphom.exe
        72⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\Pgmcqggf.exe
        
        C:\Windows\system32\Pgmcqggf.exe
        73⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Pjkombfj.exe
        
        C:\Windows\system32\Pjkombfj.exe
        74⤵
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\Pbbgnpgl.exe
        
        C:\Windows\system32\Pbbgnpgl.exe
        75⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Peqcjkfp.exe
        
        C:\Windows\system32\Peqcjkfp.exe
        76⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\Pgopffec.exe
        
        C:\Windows\system32\Pgopffec.exe
        77⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Pjmlbbdg.exe
        
        C:\Windows\system32\Pjmlbbdg.exe
        78⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\Pbddcoei.exe
        
        C:\Windows\system32\Pbddcoei.exe
        79⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Qecppkdm.exe
        
        C:\Windows\system32\Qecppkdm.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Qgallfcq.exe
        
        C:\Windows\system32\Qgallfcq.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        82⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Qajadlja.exe
        
        C:\Windows\system32\Qajadlja.exe
        83⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Qchmagie.exe
        
        C:\Windows\system32\Qchmagie.exe
        84⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\Qloebdig.exe
        
        C:\Windows\system32\Qloebdig.exe
        85⤵
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Qjbena32.exe
        
        C:\Windows\system32\Qjbena32.exe
        86⤵
        
        PID:972
        
        C:\Windows\SysWOW64\Qbimoo32.exe
        
        C:\Windows\system32\Qbimoo32.exe
        87⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Aegikj32.exe
        
        C:\Windows\system32\Aegikj32.exe
        88⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\Acjjfggb.exe
        
        C:\Windows\system32\Acjjfggb.exe
        89⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Alabgd32.exe
        
        C:\Windows\system32\Alabgd32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\Ajdbcano.exe
        
        C:\Windows\system32\Ajdbcano.exe
        91⤵
        
        PID:844
        
        C:\Windows\SysWOW64\Abkjdnoa.exe
        
        C:\Windows\system32\Abkjdnoa.exe
        92⤵
        
        PID:824
        
        C:\Windows\SysWOW64\Aejfpjne.exe
        
        C:\Windows\system32\Aejfpjne.exe
        93⤵
        
        PID:620
        
        C:\Windows\SysWOW64\Aldomc32.exe
        
        C:\Windows\system32\Aldomc32.exe
        94⤵
        
        PID:888
        
        C:\Windows\SysWOW64\Anbkio32.exe
        
        C:\Windows\system32\Anbkio32.exe
        95⤵
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Aaqgek32.exe
        
        C:\Windows\system32\Aaqgek32.exe
        96⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        97⤵
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Ahkobekf.exe
        
        C:\Windows\system32\Ahkobekf.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        99⤵
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Andgoobc.exe
        
        C:\Windows\system32\Andgoobc.exe
        100⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Aacckjaf.exe
        
        C:\Windows\system32\Aacckjaf.exe
        101⤵
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        102⤵
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Alhhhcal.exe
        
        C:\Windows\system32\Alhhhcal.exe
        103⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Angddopp.exe
        
        C:\Windows\system32\Angddopp.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4872
        
        C:\Windows\SysWOW64\Aaepqjpd.exe
        
        C:\Windows\system32\Aaepqjpd.exe
        105⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        106⤵
        
        PID:840
        
        C:\Windows\SysWOW64\Becifhfj.exe
        
        C:\Windows\system32\Becifhfj.exe
        107⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\Bjpaooda.exe
        
        C:\Windows\system32\Bjpaooda.exe
        108⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Bbgipldd.exe
        
        C:\Windows\system32\Bbgipldd.exe
        109⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Bhdbhcck.exe
        
        C:\Windows\system32\Bhdbhcck.exe
        111⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Blpnib32.exe
        
        C:\Windows\system32\Blpnib32.exe
        112⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Behbag32.exe
        
        C:\Windows\system32\Behbag32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Bhfonc32.exe
        
        C:\Windows\system32\Bhfonc32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        115⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Bopgjmhe.exe
        
        C:\Windows\system32\Bopgjmhe.exe
        116⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        117⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        118⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        119⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        122⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Boepel32.exe
        
        C:\Windows\system32\Boepel32.exe
        123⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        124⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        125⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        126⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        127⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Cafigg32.exe
        
        C:\Windows\system32\Cafigg32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        129⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        130⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Cahfmgoo.exe
        
        C:\Windows\system32\Cahfmgoo.exe
        131⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        132⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        133⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Ckpjfm32.exe
        
        C:\Windows\system32\Ckpjfm32.exe
        134⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        135⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        136⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        137⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        138⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        139⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        140⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        143⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        144⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        145⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        146⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        147⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        148⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        149⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        150⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        151⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        153⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        154⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        156⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        157⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        158⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        159⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        160⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        162⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        165⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        166⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        167⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        168⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        169⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        171⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        172⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        175⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6356
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        177⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        178⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        179⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        180⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        181⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        182⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        183⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        184⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6716
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        186⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        188⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        189⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        190⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        191⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        192⤵
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        193⤵
        Drops file in System32 directory
        
        PID:7052
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        194⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        195⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        196⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        197⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        198⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        199⤵
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        200⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        201⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        202⤵
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        203⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        204⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        206⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6880
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        209⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        210⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        211⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        212⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        213⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6392
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        215⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        216⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        217⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        218⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        219⤵
        Drops file in System32 directory
        
        PID:6960
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        220⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        221⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        222⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        223⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        224⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        225⤵
        Modifies registry class
        
        PID:6856
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        226⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        227⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        228⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        229⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        230⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        231⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        232⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        233⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        234⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        235⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        236⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        237⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        238⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        239⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        240⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        241⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        242⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        243⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        244⤵
        Drops file in System32 directory
        
        PID:7548
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7592
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        246⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        247⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        248⤵
        Modifies registry class
        
        PID:7720
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        249⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7804
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7840
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7888
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        253⤵
        Modifies registry class
        
        PID:7928
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        254⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        255⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        256⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        257⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        258⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        259⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7200
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        261⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        262⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        263⤵
        Modifies registry class
        
        PID:7416
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        264⤵
        Drops file in System32 directory
        
        PID:7460
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        265⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        266⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        267⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        268⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        269⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        270⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        271⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        272⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        273⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        274⤵
        Drops file in System32 directory
        
        PID:8168
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        275⤵
        Drops file in System32 directory
        
        PID:7208
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7300
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        277⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        278⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        279⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7772
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        281⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        282⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        283⤵
        Modifies registry class
        
        PID:8096
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        284⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        285⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        286⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        287⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7880
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        289⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        291⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7520
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        292⤵
        Modifies registry class
        
        PID:7748
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        293⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        294⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7232
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        295⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        296⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7372
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        297⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        298⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        299⤵
        Drops file in System32 directory
        
        PID:8240
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        300⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8276
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        301⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        302⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        303⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        304⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        305⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        306⤵
        Drops file in System32 directory
        
        PID:8532
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        307⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        308⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        309⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        310⤵
        Modifies registry class
        
        PID:8700
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        311⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        312⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        313⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8828
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        314⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        315⤵
        Modifies registry class
        
        PID:8904
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        316⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        317⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        318⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        319⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        320⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        321⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        322⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        323⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        324⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        325⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        326⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8412
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        327⤵
        Modifies registry class
        
        PID:8460
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        328⤵
        Drops file in System32 directory
        
        PID:8528
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        329⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        330⤵
        Modifies registry class
        
        PID:8644
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        331⤵
        Modifies registry class
        
        PID:8728
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        332⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        333⤵
        Modifies registry class
        
        PID:8876
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        334⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        335⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        336⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        337⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9140
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        338⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        339⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        340⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        341⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8544
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        342⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        343⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        344⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        345⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        346⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        347⤵
        Modifies registry class
        
        PID:9124
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        348⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        349⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        350⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        351⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        352⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8884
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        353⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        354⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        355⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8496
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        356⤵
        Modifies registry class
        
        PID:8808
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        357⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        358⤵
        Modifies registry class
        
        PID:8428
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        359⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9180
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        360⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8684
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        361⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8332
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        362⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        363⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        364⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        365⤵
        
        PID:9340
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        366⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        367⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        368⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        369⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        370⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        371⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        372⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9624
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        373⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9664
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        374⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        375⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        376⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        377⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        378⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        379⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        380⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        381⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        382⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        383⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        384⤵
        Modifies registry class
        
        PID:10116
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        385⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        386⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        387⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        388⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        389⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        390⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        391⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        392⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        393⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        394⤵
        Drops file in System32 directory
        
        PID:9672
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        395⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        396⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        397⤵
        Modifies registry class
        
        PID:9900
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        398⤵
        Drops file in System32 directory
        
        PID:9964
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        399⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        400⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        401⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        402⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        403⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        404⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9412
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        405⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        406⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        407⤵
        Drops file in System32 directory
        
        PID:9776
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        408⤵
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        409⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        410⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        411⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        412⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        413⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        414⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9372
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        415⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        416⤵
        Drops file in System32 directory
        
        PID:9652
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        417⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        418⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        419⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        420⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        421⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9540
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        422⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        423⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        424⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        425⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        426⤵
        
        PID:684
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        427⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        428⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        429⤵
        Modifies registry class
        
        PID:9860
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        430⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10244
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        431⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        432⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        433⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        434⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10424
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        435⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        436⤵
        Drops file in System32 directory
        
        PID:10512
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        437⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10556
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        438⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        439⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        440⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        441⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        442⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        443⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        444⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        445⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        446⤵
        Drops file in System32 directory
        
        PID:10924
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        447⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        448⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        449⤵
        Modifies registry class
        
        PID:11044
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        450⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        451⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:11124
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        452⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11176 -s 404
        453⤵
        Program crash
        
        PID:9984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 11176 -ip 11176
1⤵
PID:11244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
483KB

MD5
7283a6b6b60879dbd064c8dfb73c9317

SHA1
783bb9c4365e1d48eb2588b52e4fdc4fc52919e0

SHA256
9b60868f7a5398946f9e7b8e8451617584c2a968a7a8c00b530791e99c7e794a

SHA512
eb9eea789103dde8240f3f75ca231ce99903ae1523147f7a3e959d58fd834858c7846b0e3336862532ce1f2c3658d64a0038c41fcac1f4d44b500a3586df7cb1

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
483KB

MD5
2977aa2b2084974e8bcf477a8eb106d5

SHA1
a86f831d99ebb33baf27753b743bc10a60407972

SHA256
2c0de9db328e9d9f535257f62379cbbac2ee8ab80701d311309fd13717a65ba0

SHA512
884c6112c5bad1a7f1f7c607b4a13ccc3004a54bc52dc650918af4a6386ca6f105dc04968a3369906a0835867d0b1bde50c352ca646de52d7cde1c9246e38865

Download Submit
C:\Windows\SysWOW64\Cafigg32.exe

Filesize
483KB

MD5
9a09216ee178166c4fbc09e12cd3394d

SHA1
791034d0631cfe144fcfb5120d93aeb457811649

SHA256
3c86ce92c8f2eb57258f8cf6bac3873545e58c45708afe02ca46cc9573c3632a

SHA512
ef2a22791b27afe4bee037798ee32bc9085542635c0bb08f8fe04c8e00a1455b56c52748efb699d40e39c72374be74d777272c7134cd20f1a23ec581b7a36d84

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
483KB

MD5
5cd152f8fd62f0ddf3afb0603ed741d6

SHA1
958842f742a22cd88efd44f89100acb284034015

SHA256
b0e9bb1fcce5cd9e4260c5d8548dd3e5416eaddbfb4b32deffad83dc3b0c7b7b

SHA512
7762233f68aac729a3a0d456c7db9f78744c768e66df9ddc1ec9975c0e40a598a90403f0a87c6c81073bc3f3680f51973bb7c43a40071fa6a5e61e0a03b369e5

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
448KB

MD5
cb1c897b399307ac9a0f6f1cdd04de3a

SHA1
92ca6ca64304c56c70ed5432ab0bf74d6e5bcdb1

SHA256
c45cbbcd48b31aefc9aeda6f7d049e2d35741ea7c2d1dafa24e3e96d98b6f608

SHA512
7dd37874ceaa0edae92dcb2f1873cd8f7ce7a9ab8d34a80bf03b7deb2823118617df06aaf3b32de040379d41728648b3f77be5a0595f7854207f763a67bde1de

Download Submit
C:\Windows\SysWOW64\Eaklidoi.exe

Filesize
483KB

MD5
5f725d1768d63a380115b31c5e4ef243

SHA1
7ff059bcc8e18ab1cd286d8354f8f191b5f485f2

SHA256
03b3f9ef82221855a066fc267d53d822b5d6c90cdd1b8c91e9716a04a449ef3e

SHA512
d6c76b5e1b250cff7adb676a524c9925bb864de39b8eb047f6bbe183417f93eacc4c999d99ade6b154e0c6b944cc886e59345388e48f58380a67ca2396030444

Download Submit
C:\Windows\SysWOW64\Eemnjbaj.exe

Filesize
483KB

MD5
7845e0da029be45a6f56fd7e00d18a7d

SHA1
375750bee159a0c5f85414662216bef667fd8420

SHA256
0ada6a6a6e5c87316921be06b0e5dd5d61c56dc43690be77d1cd1bef82a72be8

SHA512
7027ae289b5ea3ea4a04765a741c3e5305704f72be25ce390f81ac8cc87c375a5efa490a60f78fc4747836922728f0122b892647cd8747684d6f92fbfe678a68

Download Submit
C:\Windows\SysWOW64\Fhjfhl32.exe

Filesize
483KB

MD5
fe0178f2ca8b305ea69b26f34fe54a6c

SHA1
ff9ad02840a1d37ccbed729b41315b29c024bda4

SHA256
8f51bfe69db5d904d4e31171e700a4c513b90fd07f0fd51d0b83ae5d28f3cda6

SHA512
8a6d40675c3afc5bb737839e2b0f676506571e2786aad4bf3c83bbcf25193ce3e311590c833c246001deb5972c84530fa103d4c040ba76be8afd9e0d2794516c

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
483KB

MD5
057ad1943e1514c1907fad5ac010ca7d

SHA1
936ded767b5982206d91e9d68e6455f161142f3d

SHA256
cbda3a75f29e2fcd9405530fa651d7c53c017e4f5331fd42b3c2131444e90d51

SHA512
dc0202d78bf8157e45fe2f5de3076b02338f57fef7d9179b6d303b7846f35fbd50a9dcff1f9f185471da59d5402af26e57a735f7d418ae1078aeb9f0ff3421aa

Download Submit
C:\Windows\SysWOW64\Flnlhk32.exe

Filesize
483KB

MD5
b6889f688aa3c96caff7706bf0581471

SHA1
aaa07606a713c717587932e6453abe6953a340b3

SHA256
e357751e60c242230389d9d394b472a50b0cc8ec337881a00ee6abab605f8e9d

SHA512
fef8e890ce6333f68ffa07bcf84bd1b96bbd895f5e0dd74a2942c28e60bd1569130ee26e444e63883cb9368369eec4da294744a555166bed8fee791d21525009

Download Submit
C:\Windows\SysWOW64\Ghaliknf.exe

Filesize
483KB

MD5
7ff836a8ee8778c55db3a42489cd52f7

SHA1
9331ca9502722f6797ccf9df911bf6012d03838d

SHA256
c874c967fd5368550643594deb4893b83558b8d3f948a84cc2a54921c19a33fb

SHA512
794a12c8b78b17ede6a159cb7827dd853a75495185e9184e5bf27be85a38182d9b1e4c07bac57d4ac65d66b1234c5d2e32e3783c5d099fcc4336ca77ba9f0b76

Download Submit
C:\Windows\SysWOW64\Gkkojgao.exe

Filesize
483KB

MD5
1a7f074e6d6c77bdf2a5d12ab1d16c6e

SHA1
3946f4c0c104da8317db4893ccb26d28ae39f4c7

SHA256
e95c0cdd4d328bc5fe8c0fafa0091999a2e68d07ac5776c861caa3b2b2f04bda

SHA512
c76607b616c44c78069eb74c8f7836b520029f1b35efecab3cf8fa799e406e825ceff7c982c67124632f0c4f65a72f429986e14f36775554cc09b721eda9355e

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
483KB

MD5
ef1537329574bcd32981c869e19da58a

SHA1
c7d178a70940b632d956ad47de7cff383e994a58

SHA256
fbd5f122172f4622c7a83166587d87a6c566afbb91b6bf53e21d3f9181da5bea

SHA512
51901c779ca58b7fd7e63618b0b570b0e5f7c9300f7d6e865ca5c92e4b19184d4407b0d02dddc644d81674a2e6a13d20bc7a49b86fd4270dc4b1701641141e42

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
483KB

MD5
a607ae416f49f2cf45299bfcfe163354

SHA1
48be118df910ccd771d945629204bf7aad3f7f44

SHA256
abcc3d7f13798c92fb7f4d226577a117939d6987570481c565fdb6526687c893

SHA512
b3ec830c528495915a27654682b9091345cc7c1fcf7535bb9c0ad568a7cdaf59ae84ec4345a96398bd755f79ad4116fe791e67a72d0e0ed043f39f4af7e4e6e7

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
483KB

MD5
abf66d6ca6c9b7f2778dafbb6f631172

SHA1
206acd4639b325134ced9aa31196c2ebdf86a8e7

SHA256
b3b4a32875ba77ba27b2fcf1146787c2edf8e1e916d862c4f761e59a48d6551d

SHA512
29fc2bff563e4b111ca65166509b3a1568e434c1548ccb8e8dc872559b644ea787cba0e7a84059e8648d9bfdaacc08e5c0deb35771bdd6315500796f167bd5b3

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
483KB

MD5
d7c9d648e0cf5e4d6e842c7b0cc83e6c

SHA1
52f593c24ac4a476d5e2e322aa9345d80f6630dc

SHA256
ff65bdbcd8d660eaebc74e6946a96ac3348aafb95665fa6fd22441fa9d929e72

SHA512
34f035b0ee64f8661f995eb1ab9ca186cf29c583250484ace891ec2ebccd574026c54b520e84259299f969d234b65da3dccdaf73839a02289760388624037118

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
483KB

MD5
fa4f079138abe5f9afb002fe212c863d

SHA1
b879a4c61168da89b3cc1d2e95a0119d08f398b7

SHA256
35934dfc131d500e2b880b710664cc88016e3b537bf47a5cf87bce7d72c641fa

SHA512
b9fb9be2704dbf6015d2a608de6b9ee18851643b742f332ef7b69613aaff48273e07549490e88e8c22072db694de8c0d17a5db644509292deed6b8e6ed534d12

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
483KB

MD5
c7757f336afab28539f9198da6024a3e

SHA1
476696acaf39d2c2931880e8abd5e9cc3b401e66

SHA256
ac7d6eb0165edc26629231ed45ea76444a327167cd94ce7e93c371243fdb1df6

SHA512
528a26f795bdf3b66d4f5a88efb446e77dc0b2881882006318592d5b802137d21e816fad4aa0403fcca80456501476fa027bc12cd341a88533b2ade057b87cf8

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
483KB

MD5
5357fccfc2502d24291ac0108ccdc2ab

SHA1
f67e5c0fc123600ac5a63d9c6424514f43b73ab5

SHA256
69bb46a2d386c723c5cccb7165414c7d931dd405905dfb50b715fa84b2924203

SHA512
3f5e03b265158737191620b4d8fdf7d7e4db8c9cf06de4ef3ab9c3307e05a525cb6bcb3daca847360b7a1b2777fdf05466ae645a431c76e127e899bb71bc452d

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
483KB

MD5
8c7fcea4d43d9f1b44d228c889d82015

SHA1
bb492920b9681c1f79dd6453f21914f875deb57e

SHA256
193507985872cd8bdaa626a0b93be1ca018ba614b7d99c064ec2bf510909ddde

SHA512
d43865f9e2ca71ef408a6378ff5a4dccc9b825ad5fcfaed6d9b52ae466ced420a313102d1ce6f0b9409d5a323ac4ce84ce79ae8db7c0cd731fb400267ef94b1d

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
483KB

MD5
1fbb6dc76c646867df8a61e63769dee8

SHA1
c681c46237cf795e444b4ec59ad9dda73c6eda06

SHA256
3404cff8da1387a16af2507ca7e60a0558f1deb29faeccac9f0fe735bca6d857

SHA512
77d565d9471ed50508b9bd6ee7d93c1f7b153416d62d5a13b3264f22d207d4e80e6b79296919333669f8519e0f663455a4a5e3f83dc8477b2039eb96a56147b3

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
483KB

MD5
1a7276fcc8b69bd3dbf72bd51f56b41c

SHA1
8fa0def886f685e23f536bf0bbd06c370031ec9a

SHA256
cd86599e1bc7a1703e5c2f9c06715cc240a4792f32d6a3feadc5fb5780182e7f

SHA512
9d8333c7a51c2a64e124a170c64abc715671acab8a91d742c5f10f5ab30237f1d1bd367fbe5085a6137cc3d3e6b9bc8331654be0d491fc0e664d1878c6141440

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
483KB

MD5
6e2fc3eb3a250b7f55b0fe8f7342c16e

SHA1
a783eced061bb75bcd640f1b84f1e7c5d46237ed

SHA256
c2bf5a64a556781b8f0adf355a96610fab12d87fbfd13b6a9c052984843eeedf

SHA512
a6ea53d7e57584142bb922a3cfede9aed42d0d3130a47f9a9dbf097dbd39835c5ade53081e38b24bd25545fff587b419158083b7ece755309d7433f613416790

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
483KB

MD5
2c2ef22616c653a2950245874bf86ed5

SHA1
21e3fd6fb87c027aaacd6018fa7fe55bfe56dfdc

SHA256
4cb020d2f9e25dfc8d1de0cb186c3aaec492d9d774575a47686ac0c95aa95f66

SHA512
6c99bef43473708e3050ed8229041bff34cc92326ee78f303d9dd4661b4eaa258fba73fe5d22fce8a90510d3c9f7dd81d30f18574ba6bc0c57696db3edc61b33

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
483KB

MD5
5d334a9157ec1a5dd65f51a6806156fe

SHA1
0bb6eb6575ba313d127dc36b03b46c8d1b4f2f7e

SHA256
967f1b117364b36a36dd5a811e1a9f79fa5205516587818f27c47e77a281dd3a

SHA512
cc1285994189eafc58ed131a6d75a7ad7b05e9eb294565356cba34ce08f69a094543481c206735937d1b6fd1e5035138670d066aef398eb312e5caf4b614e0f4

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
483KB

MD5
181786a21a98d343ec4451e94c6e4899

SHA1
d275670da09254ce487dde005e6c4d806a6da16d

SHA256
65dfbc4e966e9c480bae61edd9d0ea66947bd8bb964a9e7d93060da9da2b1c09

SHA512
870d799b26a78c11a8a4a25fa38433a8ec23362e3d8b019396f20b0e6ca2e92c479bab04b2147f51f1079fc7ae4f25db63e4e84ddd9b9ae8a9db08e91597637a

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
483KB

MD5
e1c5ad6c3cb79a7c7ae5610a09d6ae2a

SHA1
824a00acd7baf298beac32b50017e409ea640f1c

SHA256
b8d2a654a244c2c61eae3887cd59938390a61550dd0186b8a4182f1405e6d691

SHA512
ad89154661104db7b8726311cbeb2190e877b2b2937770259df181f44339a3088bebb3970dc2a93dfce60fffe9ecd9668f45e8cce8b099e02417a60003e61fc8

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
483KB

MD5
e486b579cf0326f9e0b35c0ea8d97f1b

SHA1
75f8bc5ae34dc18b05b5f0a1fc6f02382bcf2779

SHA256
442128e35eec4b10f317749d09e2c28927da454b331456d7e96dd061efe5e662

SHA512
0f3d9ea3f706bd7b57a3def28c384262e29864493a67a3dd732b5cd31ef29e9913dab599cce4e95a169606486a87ef70d86b0cf40308c2d9aeb9206c85c2f400

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
483KB

MD5
db0cfe64c26daf5a697ef5c4469e4d72

SHA1
7f68ece75dfa0ffea79faf40afa43f214f21353b

SHA256
ddf84bbf53d79e14647c57d6e951ba3ac0345819501bb5b3364f7118c1ddff01

SHA512
090c9ef3f1dc05ee7fe573fa08792d4d97c210f0d24db6dbf3a3c0f1f1dd37de75c8a2ff6f8724596e986ebc1aa25b205b5d928a8495a086fca6221c12c1edbc

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
483KB

MD5
26b5a0761651755111ff45ad413d7d38

SHA1
56b72e2914b9b9f5c69deb03db84bf9c9ad7469c

SHA256
ff3adfb20d11703c2ef4dca8f6227a31547cd1ab5a66f97edf20a4c8dff0b075

SHA512
29e9536fc8aa4ba258100c69143c18cdf51e41b1173139613f92c7fb72aca9a16aaf5ae132577df759425ae92dc3c70cafc5741450ad3a6333dc36db698b1454

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
483KB

MD5
fc19956d204690c26b6686896d196fe9

SHA1
ced56e8ce57ad0e69680828f336de09156b3c599

SHA256
50d7b0f01b680c26ac74a00d069208ac32cfa3cd5b853564dc6b6c2422905735

SHA512
1c24689a51d4f3526527e7a837b8031bf823eb9d9059a3c971d01ab1d72f8d01756a5d6170a208b4ca5d80a3e743d217e39f2267ae83d91678d8ac69a1f507d0

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
483KB

MD5
c321afda25d8590f9eb414edaf1e85f6

SHA1
256e1f2eb7a4f30895466b82f09ee3a5e3356495

SHA256
d3353a8e9284ba73dbbf6c3b3aa954d70a5aa2e133e27a073d030d48adc9d46a

SHA512
4a401a1d2f7705fe09bceee3f0b7fcf491788c29070d8b61e3da6274810812251ca8a182928331303f64d2c9266ee861ed389784115a5c2720a8622a777ffd8d

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
483KB

MD5
346c86d0a3efc0bed7c30269b55642ef

SHA1
c0a1caf42cf574b2f9da2244efbbd14f81f8b28d

SHA256
ac9e01c308aa57c3db4fa590c614673aaa3279e7d7585cf1bd0eada0331f9d0f

SHA512
e7206563a099529d76908dd08e570e5430dc7e475a101e0f0d868b1711ca6b511e39bd24017cf7bf78754aae3eec2941f8657d7046fdadd610327106ddd7d703

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
483KB

MD5
e6b7da9700d6c1c8f667727fb19f0ce8

SHA1
ab5caf662ef01a95fd451ee65c2116e5867a043f

SHA256
d35581cb0f0f638b00d60cfef748e44e92b3dde9d7ba00be6fc65b902de29dc7

SHA512
511f895905687b4c611b47328a2e403c08f5e9f6d8e14e6280ea21a412bb5b0d337a5e2195e950c559d68495c8d0b07fe6f3ae6ec0fb8185befc36799087d3d6

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
483KB

MD5
4dbbf391e9b96ade1a55d00377e0af61

SHA1
f7ae6b6361fec6a45476f1faac7faf48c856f5ae

SHA256
4ff2cd8c5184520aaaa7b262a58c267f372c9cf91e90b2f66df684d0a0489b83

SHA512
29ed3249149baebb682155fc43ca1b8d27f1be0e786bb288e59bb9e23e5476eae436fb207d71d5d39ccf4dd930dee0c6cf489f661789c8e1d1732545d70f03d5

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
483KB

MD5
900f572e742735eeeef7b72b94c42e2d

SHA1
65cc234fb8953022dcbce7c31fb8a20084532f8f

SHA256
945e235f57045c3cefed25acd9760e75c91703f55296db42a0ca6b192b23e297

SHA512
ae27bf67cee3235d0ff34d9c498709aacd5f4f43fee1bd9b1ec36033b29e1e6e6e65d523ee88bedd45a9e515086b9bd113e1cec4414a74f91b060876473bc60e

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
483KB

MD5
8e13c51138e980828d3babe9d0bf85ff

SHA1
b00eab21db1e5f9cdd13889b93ab8e994718218b

SHA256
5d5f0b49690431dbc8d09763af8b13beba1c916483ba066c1f141584f7524d91

SHA512
0c16ddba8b5fadbeffb94f98e4222f9619647621a2464861bf606d4a287c6f28dbeecc1b1e7bccfd5ae7412381d61fd9ef5b13cdb637598fa20507b6a785a8d0

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
483KB

MD5
52367319c5c5d342f6d32ee31bffc520

SHA1
99d7b534be3a61fd641a0d620cc8cc072744d564

SHA256
58a1f7bb537c12e05f388a7848924686da6a0a91dd091e144e18bfe4af8fceda

SHA512
c698524383e15f03780a5b8f967ae56b246bf18c96c63ec30acb7d42d7cd563642264c7cc7c8d4a4d5e466ef7e94c56b04dd2e40deaf7c9458fed88e579c3e86

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
483KB

MD5
388a898436e0e9f70ce51828100e4237

SHA1
bd21ed2a6c7a1ac6256a33400cf98504fa7ae09f

SHA256
a8fd6d89d30eb6929211abc4742e28e96fa185aa4122654637c9d4b34efc04f4

SHA512
6fa522c348d5eab54afcbdfb95e92706deab81058b37558a470603d7bd356a413bc2f1ff2fde737804160d61a972fa76c6090173c2a7c4e465363899efa7d43f

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
64KB

MD5
b1c5b9dba83d810dbf3111a597a621be

SHA1
5b2d80f208c782bf145ae850583bfecc1f1a6818

SHA256
116fa10f6cca4c05fd3fc7fa6eb1ac3a29fe7e343f84e46ea02d00d30eb6b988

SHA512
fd7fa129bb86bbd644dc426f575a5b264dbd7bc89b7aa355966df22a3aacc3ec1f0f6d631c129eef3f3b19c51e5d7ec3275673dd186882f442d4c435ac293c34

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
483KB

MD5
6d24fe42c7dc16570ef8557bd788c1b7

SHA1
764447c9cef59c76fe0d002961e728efdb654100

SHA256
51cf8383a4836e00978008954ac03d5cb03f3563c28348df9cdd392c77d28aab

SHA512
63e11bc5e7506f513b1406e30e107cc595924acc420d73e275a173542657d9015834ce17fa3a86d1bef27021d98bf87acaf5695c25eb1c3f7fd31fd92f3a33b6

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
483KB

MD5
f55f33c0188e3606c6dd687d8f7b99d1

SHA1
4391b922ddc59bc86eb3fad917cc82b4b600c830

SHA256
6a34abde833ea01037e2a68f6f7d6b407b94453b0a975d45b982c301de3c94f9

SHA512
7e8c0619580493df4d393befed24cb5f4519c562304114c63a4eb78e29ce5aef83d81032c12d7634b0ba51f00cc6d43d33dafc23da79bad63acc69c9e0d5fb7e

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
483KB

MD5
cd2170c320700cda818de5ab7db1d57e

SHA1
f305c037848e409ef216d41a99cf4e962b808c70

SHA256
c6319ba13fffe3351d97b06faa634b36fdcd199e8d0c231f1a019fcf5083a544

SHA512
feb1ed35d80eff7031f53bf62f5ff217d79befca23741eb8f0940bdfb2ec4d9fe14a4cb1477f0256be2868b28e460e8130a6caa8f0b7330415c44f6d99583125

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
483KB

MD5
3d898502ddd71962a60523b86b226a61

SHA1
1b7eef80a27c9721d4c9e20b2f75ed3ad18d11fb

SHA256
8cd768c48c5650991bb0713c73feb5d56378ca1dc089945f939eab8db39d4b11

SHA512
4b0bb7c3f2937dfa3fbbe06670aec970f79c93075c5c38fc5a71b535bd5a2b3de9270387f794e0880676e4bda3d9e7e7cdd0a3c8da57084d606c2686e87b6621

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
483KB

MD5
b1e4572be6f96f5d9a9de0830255ead1

SHA1
654d75982860b9d81937222267d0541fa1321a14

SHA256
cbb15b48cdff70c59542eccc65e46ec3e54260b6eb963a2002e04385c9e47236

SHA512
c96828a246ae94e98f202d71dfc26f9de7d62713cbfcef1111e9688216d29572793361fa0bf3030de3e7fbe31c8cdd74c654b2baa5c3dfef1dfc297ede8053a5

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
483KB

MD5
d83dfcebb0239c47c47ab11ad6ea1960

SHA1
b0e364059e99410ec445c440d931ccec60873621

SHA256
24a489dc6d1650b2561e59191b9638bd30164a92c79d7013ec1af4582edc95e7

SHA512
12e170fdc078c0da2292d59f34d9a38df363bb8ecc7ea86f16145f7943514690da9c453b91373012532d71f0c77f12740fbc4e693ce1bdb5b5a9900cfc16490e

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
483KB

MD5
8e01285c3496b67f74bec245ad914a78

SHA1
ce5344902f6828fd078b95863991fd70ebc4026d

SHA256
e1a2b7a9ca76268aee1e7d3d8843faa13f9ba629b1acc13f7b8c34df25582993

SHA512
6a0014f7444e398aae1df84fb73996f9bfb430e8b6dac7571e257b776782b7550e2f500222af66ecc99bc2219472d426c49d98a857f6347e0938435aa5772ed7

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
483KB

MD5
6c99f6bf5b20c398b4f26aad644081c2

SHA1
2b9916a65301bd17d44b45a8c74bbc6cc57dec20

SHA256
46fe72870e6df80925141a3350131f9dc3391a86abdc37394608fe9da5c1a665

SHA512
0f3a85041737b50ae56206f57b95ecfd4b99719ec6fb19eae14316060e06802c45d340dc0d2eb57dc811e6131aebda0ec8e9dd10ec536759093684d95f4cdc0e

Download Submit
memory/60-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/116-318-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/412-282-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/440-426-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/468-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/512-258-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/556-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/796-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/816-225-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/848-181-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/904-194-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1396-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1436-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1536-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1540-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1620-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1820-105-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1936-294-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1976-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2424-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2748-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2824-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-408-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3140-330-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3152-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3572-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3572-1-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3572-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3604-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3632-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3712-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3808-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3832-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3992-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4032-384-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4148-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4156-154-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4212-113-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4244-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4340-122-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4396-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4420-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4584-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4636-264-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4644-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4648-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4692-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4712-41-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4740-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4748-432-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4824-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4828-35-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4844-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4860-217-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4892-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-420-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4924-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4972-366-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5020-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5092-414-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads