7aa1c2c2f0ef3f36f68319f007bb8cdc08f8cf97ca3c7ab097611911d529257d

Analysis

max time kernel
14s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7aa1c2c2f0ef3f36f68319f007bb8cdc08f8cf97ca3c7ab097611911d529257d.exe
Size

136KB
MD5

af11390f2ebf77e31d5bcbf2a107f5b6
SHA1

4dcade6512830658117709bd51bdb887f611260e
SHA256

7aa1c2c2f0ef3f36f68319f007bb8cdc08f8cf97ca3c7ab097611911d529257d
SHA512

8e8580fea04bc7bd100e3d050493039b377fd85039e90b6c953286fb05c54167dbf8f2d75d4082b9b2349983b9d66b8913e79c29a86ef12ffda74f459b654b78
SSDEEP

3072:b6T9ez1VsqyUfMtsohLwdNbw+Y92xQuohLwdNbw5bxH0zVWccA:Aez1Vitsohxd2Quohdbd0zscj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddpeoafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ippggbck.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffddka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deoaid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eefhjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlgmpogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkopnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echknh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecjhcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fohoigfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiefcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmcojh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dekhneap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicinj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cahfmgoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdhmnlcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icifbang.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkdbpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heocnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdeqhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekacmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifefimom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imakkfdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hioiji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifefimom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmhhehlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiaephpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkalchij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hckjacjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hofdacke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhemmlhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbnjmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfoiokfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomhdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doeiljfn.exe

Executes dropped EXE 64 IoCs

pid	Process
4804	Cahfmgoo.exe
4712	Chbnia32.exe
720	Colffknh.exe
3504	Cefoce32.exe
1768	Clpgpp32.exe
1816	Conclk32.exe
1168	Clbceo32.exe
1748	Dbllbibl.exe
316	Dekhneap.exe
1308	Ddmhja32.exe
4952	Dldpkoil.exe
5112	Docmgjhp.exe
4632	Dboigi32.exe
1620	Demecd32.exe
4308	Ddpeoafg.exe
2004	Dlgmpogj.exe
2692	Doeiljfn.exe
3748	Dadeieea.exe
1680	Deoaid32.exe
3868	Dccbbhld.exe
1676	Deanodkh.exe
5028	Dllfkn32.exe
396	Dceohhja.exe
1568	Dedkdcie.exe
4092	Dhbgqohi.exe
1428	Dlncan32.exe
1100	Ekacmjgl.exe
1272	Eolpmi32.exe
3128	Echknh32.exe
1096	Eefhjc32.exe
2768	Edihepnm.exe
1220	Ehedfo32.exe
4880	Elppfmoo.exe
1008	Ekcpbj32.exe
1828	Ecjhcg32.exe
4376	Eamhodmf.exe
2308	Fohoigfh.exe
416	Fafkecel.exe
1716	Fdegandp.exe
2368	Fkopnh32.exe
4652	Fojlngce.exe
2164	Ffddka32.exe
1328	Fdgdgnbm.exe
1436	Fkalchij.exe
760	Fomhdg32.exe
4944	Fakdpb32.exe
4688	Fhemmlhc.exe
1432	Fkciihgg.exe
60	Fckajehi.exe
2800	Ffimfqgm.exe
380	Fdlnbm32.exe
2576	Flceckoj.exe
2896	Fbpnkama.exe
1360	Fdnjgmle.exe
3240	Glebhjlg.exe
4920	Gododflk.exe
1572	Gfngap32.exe
2256	Ghlcnk32.exe
4900	Gkkojgao.exe
2592	Gcagkdba.exe
4320	Gcddpdpo.exe
5076	Gbgdlq32.exe
1488	Gdeqhl32.exe
2424	Ghaliknf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Afomjffg.dll	Ifllil32.exe
File created	C:\Windows\SysWOW64\Jeaikh32.exe	Jfoiokfb.exe
File opened for modification	C:\Windows\SysWOW64\Ldjhpl32.exe	Lmppcbjd.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmhja32.exe	Dekhneap.exe
File created	C:\Windows\SysWOW64\Gjihje32.dll	Dhbgqohi.exe
File created	C:\Windows\SysWOW64\Mjegoo32.dll	Hcmgfbhd.exe
File created	C:\Windows\SysWOW64\Gnchkk32.dll	Iihkpg32.exe
File created	C:\Windows\SysWOW64\Eolpmi32.exe	Ekacmjgl.exe
File created	C:\Windows\SysWOW64\Lfkgaokd.dll	Fdegandp.exe
File opened for modification	C:\Windows\SysWOW64\Hiefcj32.exe	Gdjjckag.exe
File created	C:\Windows\SysWOW64\Hjakkfbf.dll	Iejcji32.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Lhclbphg.dll	Fckajehi.exe
File created	C:\Windows\SysWOW64\Qegnoi32.dll	Iefioj32.exe
File created	C:\Windows\SysWOW64\Ceacpg32.dll	Immapg32.exe
File created	C:\Windows\SysWOW64\Jjhijoaa.dll	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Kmdqgd32.exe	Kemhff32.exe
File created	C:\Windows\SysWOW64\Pniggbmk.dll	Ekacmjgl.exe
File created	C:\Windows\SysWOW64\Flnakb32.dll	Echknh32.exe
File created	C:\Windows\SysWOW64\Ajgblabf.dll	Heocnk32.exe
File created	C:\Windows\SysWOW64\Fpeohm32.dll	Hfqlnm32.exe
File created	C:\Windows\SysWOW64\Icnpmp32.exe	Ipbdmaah.exe
File created	C:\Windows\SysWOW64\Klngdpdd.exe	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Kdihjfbe.dll	Fohoigfh.exe
File opened for modification	C:\Windows\SysWOW64\Fhemmlhc.exe	Fakdpb32.exe
File created	C:\Windows\SysWOW64\Gdhmnlcj.exe	Gbiaapdf.exe
File opened for modification	C:\Windows\SysWOW64\Iiaephpc.exe	Iefioj32.exe
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kikame32.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Hflheb32.dll	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Dllfkn32.exe	Deanodkh.exe
File created	C:\Windows\SysWOW64\Hfqlnm32.exe	Hofdacke.exe
File created	C:\Windows\SysWOW64\Ipbdmaah.exe	Imdgqfbd.exe
File opened for modification	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Pejjde32.dll	Elppfmoo.exe
File opened for modification	C:\Windows\SysWOW64\Gkkojgao.exe	Ghlcnk32.exe
File created	C:\Windows\SysWOW64\Kefkme32.exe	Kdeoemeg.exe
File opened for modification	C:\Windows\SysWOW64\Kefkme32.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Iicbehnq.exe	Iehfdi32.exe
File created	C:\Windows\SysWOW64\Npibja32.dll	Ipdqba32.exe
File opened for modification	C:\Windows\SysWOW64\Jcbihpel.exe	Jpgmha32.exe
File created	C:\Windows\SysWOW64\Jlednamo.exe	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Jinpgcmg.dll	Dbllbibl.exe
File created	C:\Windows\SysWOW64\Fakdpb32.exe	Fomhdg32.exe
File opened for modification	C:\Windows\SysWOW64\Hkfoeega.exe	Hmcojh32.exe
File created	C:\Windows\SysWOW64\Ijlbqboa.dll	Hmcojh32.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Mibpda32.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Jmhale32.exe	Jeaikh32.exe
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Ifefimom.exe	Icgjmapi.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Clbceo32.exe	Conclk32.exe
File opened for modification	C:\Windows\SysWOW64\Ekcpbj32.exe	Elppfmoo.exe
File opened for modification	C:\Windows\SysWOW64\Hckjacjg.exe	Hkdbpe32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hmcojh32.exe	Helfik32.exe
File created	C:\Windows\SysWOW64\Jcinbcgc.dll	Iehfdi32.exe
File created	C:\Windows\SysWOW64\Hledan32.dll	Kemhff32.exe
File created	C:\Windows\SysWOW64\Laffdj32.dll	Hmhhehlb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9192	8880	WerFault.exe	409

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deoaid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkaejf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afomjffg.dll"	Ifllil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll"	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfhbbpk.dll"	Ddmhja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpppj32.dll"	Hckjacjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddpeoafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhclmi.dll"	Gkaejf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqhimici.dll"	Eamhodmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Colffknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckgieoo.dll"	Dllfkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocalcppo.dll"	Ecjhcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdhmnlcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicinj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Helfik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ippggbck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dllfkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkciihgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifgbnlmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiopcppf.dll"	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hledan32.dll"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glebhjlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcdmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifefimom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jioaqfcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7aa1c2c2f0ef3f36f68319f007bb8cdc08f8cf97ca3c7ab097611911d529257d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Echknh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbcdnbb.dll"	Gdhmnlcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcimkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linjpeof.dll"	Eefhjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbiaapdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkaejf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laapnj32.dll"	Ibnccmbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hofdacke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagcnd32.dll"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgifdn32.dll"	Conclk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkkdmeko.dll"	Fkalchij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieakglmn.dll"	Hmjdjgjo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 4804	1912	7aa1c2c2f0ef3f36f68319f007bb8cdc08f8cf97ca3c7ab097611911d529257d.exe	84
PID 1912 wrote to memory of 4804	1912	7aa1c2c2f0ef3f36f68319f007bb8cdc08f8cf97ca3c7ab097611911d529257d.exe	84
PID 1912 wrote to memory of 4804	1912	7aa1c2c2f0ef3f36f68319f007bb8cdc08f8cf97ca3c7ab097611911d529257d.exe	84
PID 4804 wrote to memory of 4712	4804	Cahfmgoo.exe	85
PID 4804 wrote to memory of 4712	4804	Cahfmgoo.exe	85
PID 4804 wrote to memory of 4712	4804	Cahfmgoo.exe	85
PID 4712 wrote to memory of 720	4712	Chbnia32.exe	86
PID 4712 wrote to memory of 720	4712	Chbnia32.exe	86
PID 4712 wrote to memory of 720	4712	Chbnia32.exe	86
PID 720 wrote to memory of 3504	720	Colffknh.exe	87
PID 720 wrote to memory of 3504	720	Colffknh.exe	87
PID 720 wrote to memory of 3504	720	Colffknh.exe	87
PID 3504 wrote to memory of 1768	3504	Cefoce32.exe	88
PID 3504 wrote to memory of 1768	3504	Cefoce32.exe	88
PID 3504 wrote to memory of 1768	3504	Cefoce32.exe	88
PID 1768 wrote to memory of 1816	1768	Clpgpp32.exe	89
PID 1768 wrote to memory of 1816	1768	Clpgpp32.exe	89
PID 1768 wrote to memory of 1816	1768	Clpgpp32.exe	89
PID 1816 wrote to memory of 1168	1816	Conclk32.exe	90
PID 1816 wrote to memory of 1168	1816	Conclk32.exe	90
PID 1816 wrote to memory of 1168	1816	Conclk32.exe	90
PID 1168 wrote to memory of 1748	1168	Clbceo32.exe	91
PID 1168 wrote to memory of 1748	1168	Clbceo32.exe	91
PID 1168 wrote to memory of 1748	1168	Clbceo32.exe	91
PID 1748 wrote to memory of 316	1748	Dbllbibl.exe	93
PID 1748 wrote to memory of 316	1748	Dbllbibl.exe	93
PID 1748 wrote to memory of 316	1748	Dbllbibl.exe	93
PID 316 wrote to memory of 1308	316	Dekhneap.exe	94
PID 316 wrote to memory of 1308	316	Dekhneap.exe	94
PID 316 wrote to memory of 1308	316	Dekhneap.exe	94
PID 1308 wrote to memory of 4952	1308	Ddmhja32.exe	95
PID 1308 wrote to memory of 4952	1308	Ddmhja32.exe	95
PID 1308 wrote to memory of 4952	1308	Ddmhja32.exe	95
PID 4952 wrote to memory of 5112	4952	Dldpkoil.exe	96
PID 4952 wrote to memory of 5112	4952	Dldpkoil.exe	96
PID 4952 wrote to memory of 5112	4952	Dldpkoil.exe	96
PID 5112 wrote to memory of 4632	5112	Docmgjhp.exe	97
PID 5112 wrote to memory of 4632	5112	Docmgjhp.exe	97
PID 5112 wrote to memory of 4632	5112	Docmgjhp.exe	97
PID 4632 wrote to memory of 1620	4632	Dboigi32.exe	98
PID 4632 wrote to memory of 1620	4632	Dboigi32.exe	98
PID 4632 wrote to memory of 1620	4632	Dboigi32.exe	98
PID 1620 wrote to memory of 4308	1620	Demecd32.exe	99
PID 1620 wrote to memory of 4308	1620	Demecd32.exe	99
PID 1620 wrote to memory of 4308	1620	Demecd32.exe	99
PID 4308 wrote to memory of 2004	4308	Ddpeoafg.exe	100
PID 4308 wrote to memory of 2004	4308	Ddpeoafg.exe	100
PID 4308 wrote to memory of 2004	4308	Ddpeoafg.exe	100
PID 2004 wrote to memory of 2692	2004	Dlgmpogj.exe	101
PID 2004 wrote to memory of 2692	2004	Dlgmpogj.exe	101
PID 2004 wrote to memory of 2692	2004	Dlgmpogj.exe	101
PID 2692 wrote to memory of 3748	2692	Doeiljfn.exe	102
PID 2692 wrote to memory of 3748	2692	Doeiljfn.exe	102
PID 2692 wrote to memory of 3748	2692	Doeiljfn.exe	102
PID 3748 wrote to memory of 1680	3748	Dadeieea.exe	103
PID 3748 wrote to memory of 1680	3748	Dadeieea.exe	103
PID 3748 wrote to memory of 1680	3748	Dadeieea.exe	103
PID 1680 wrote to memory of 3868	1680	Deoaid32.exe	104
PID 1680 wrote to memory of 3868	1680	Deoaid32.exe	104
PID 1680 wrote to memory of 3868	1680	Deoaid32.exe	104
PID 3868 wrote to memory of 1676	3868	Dccbbhld.exe	106
PID 3868 wrote to memory of 1676	3868	Dccbbhld.exe	106
PID 3868 wrote to memory of 1676	3868	Dccbbhld.exe	106
PID 1676 wrote to memory of 5028	1676	Deanodkh.exe	107

C:\Users\Admin\AppData\Local\Temp\7aa1c2c2f0ef3f36f68319f007bb8cdc08f8cf97ca3c7ab097611911d529257d.exe
"C:\Users\Admin\AppData\Local\Temp\7aa1c2c2f0ef3f36f68319f007bb8cdc08f8cf97ca3c7ab097611911d529257d.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\Cahfmgoo.exe
  C:\Windows\system32\Cahfmgoo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\SysWOW64\Chbnia32.exe
    C:\Windows\system32\Chbnia32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\SysWOW64\Colffknh.exe
      C:\Windows\system32\Colffknh.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        24⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        25⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Dlncan32.exe
        
        C:\Windows\system32\Dlncan32.exe
        27⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1100
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        29⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        32⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        33⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        35⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        39⤵
        Executes dropped EXE
        
        PID:416
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        42⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        44⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:760
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        51⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        52⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        53⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        54⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        55⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        57⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        58⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        60⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        61⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        62⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        63⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        65⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4136
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        70⤵
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        71⤵
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        72⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        73⤵
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4676
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4432
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:488
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        80⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        83⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        84⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        85⤵
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        86⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        89⤵
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4056
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        91⤵
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        93⤵
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2540
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        95⤵
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1420
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        97⤵
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        98⤵
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        101⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        104⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        108⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        109⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        113⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        116⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        119⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        121⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        122⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        123⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        124⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        125⤵
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        126⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        127⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        129⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        130⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        131⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        132⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        133⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        134⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        135⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        137⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        139⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        143⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        144⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        145⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        146⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        147⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        149⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        150⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        151⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        152⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        153⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        156⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        159⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        160⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        161⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        162⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        164⤵
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6308
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        167⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        168⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        169⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6536
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        172⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        173⤵
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6704
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        176⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6844
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6884
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6928
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        180⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        181⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7080
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        183⤵
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        184⤵
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6240
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        186⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        188⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        189⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        190⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        191⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        192⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        193⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        194⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        195⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        196⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        197⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        198⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        199⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        200⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        201⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        202⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        203⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        204⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        205⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        206⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        207⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        208⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        209⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        210⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        211⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        212⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        213⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        214⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        215⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        216⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        217⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        218⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        219⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        220⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        221⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        222⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        223⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        224⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        225⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        226⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        227⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        228⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        229⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        230⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        231⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        232⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        233⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        234⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        235⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        236⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        237⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        238⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        239⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        240⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        241⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        242⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        243⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        244⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        245⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        246⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        247⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        248⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        249⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        250⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        251⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        252⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        253⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        254⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        255⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        256⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        257⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        258⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        259⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        260⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        261⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        262⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        263⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        264⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        265⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        266⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        267⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        268⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        269⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        270⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        271⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        272⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        273⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        274⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        275⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        276⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        277⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        278⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        279⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        280⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        281⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        282⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        283⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        284⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        285⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        286⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        287⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        288⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        289⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        290⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        291⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        292⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        293⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        294⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        295⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        296⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        297⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        298⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        299⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        300⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        301⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        302⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        303⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        304⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        305⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        306⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        307⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        308⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        309⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        310⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        311⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        312⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        313⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        314⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        315⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        316⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        317⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        318⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        319⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8880 -s 404
        320⤵
        Program crash
        
        PID:9192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8880 -ip 8880
1⤵
PID:9084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cahfmgoo.exe

Filesize
136KB

MD5
32e0df9d8720c3fc47fc9ef91d6c3bcd

SHA1
879f66a7e7bebb7bbdea900a9a69dce1aa09bafd

SHA256
1833bf775d460369a468e6bf98538dbba849c58ee226fc3101fbd0e4b56ff8b3

SHA512
cd02daff17bf43a5b46974ad3c0819fb1b35743d6ae7ac8965dabc33fffd1f2cbb95d59126c2612f8ebc2026e6e834fd5f62b7b9c6dddfc1982701b2d248689d

Download Submit
C:\Windows\SysWOW64\Cefoce32.exe

Filesize
136KB

MD5
551c034b8a2c5f47a28146ffc70e3256

SHA1
566c4747cb222ade2797eb48dc9e493f1648dd6f

SHA256
d2b6b41371dc755b21f98048aeaf78558fb437c0b9ef477f9a1b5bdbfe7d8098

SHA512
38fbc80b2d6c6b97b8e8760aa1bf67597f71ddfaf14c4572983bdce8ab16691425975ec4fdbb2363ff7155d906be5f0cff38bd46304add5a651c8b07ffb87b18

Download Submit
C:\Windows\SysWOW64\Chbnia32.exe

Filesize
136KB

MD5
0c3e557c0635cefc36f59b71c475cbf3

SHA1
4332cebfc5ef66c8c2854d8cbc5e871eee0e7284

SHA256
d8b67689d8540a6acf6d3ef46ecca7899cc0f60fbe98fc1a72572618a959861e

SHA512
ad87210cf58a99effe83865521b385c90f5e66d4cf201a61a19d3faf5ab51b749ccae065191b864339061e770081fba8f495cd7f231367736b8dd9eece0d56de

Download Submit
C:\Windows\SysWOW64\Clbceo32.exe

Filesize
136KB

MD5
47f1344c27be08cb72586aebe0b79e13

SHA1
b911ad87ace24da9f575ab0f0c23a1cfba99a845

SHA256
77c289f2d00147e812abe2cdd0b8473624f42a4df0f202acf57d16a6292cf410

SHA512
91139705ff5f0a95830c8bb445f0a550e294c934e985d51eaf4c61d31e934e9b111c14a2c87a8577670031f934107c5d73c10b888e718158ac0610012c6f2025

Download Submit
C:\Windows\SysWOW64\Clpgpp32.exe

Filesize
136KB

MD5
80c12ab226d10b0efba33a12380e276c

SHA1
e7a431bfbfb3c3572f63681916fef0bae78c10df

SHA256
4dc3e64e10a0e3ebebff1575b06e583130cb6fe837dcca3baff3d141f9b8e137

SHA512
1ca039b3cb2bac8a8d468ff355ea94be187f1c4fc8244c1e83c47bde832871bec859999f5067fd0da750912555f8ad3edb20214444077107610952aa069ef01e

Download Submit
C:\Windows\SysWOW64\Colffknh.exe

Filesize
136KB

MD5
24c08765bf122be08e23c2fb546c7fd2

SHA1
df968fc4776edfde8cacb294d1a61ac78933dce9

SHA256
bfb4c2e7067adffc21958fe32d22c47fd0c092583f089689091b580945c1c307

SHA512
14004d04327cfa6dbc3371125fbbbe1fee7925fc3a49d87b23cfd7de62f3f02f726c8c71e536825f1cd82a88faa57f411dca48a78febea750118c653d937ff04

Download Submit
C:\Windows\SysWOW64\Conclk32.exe

Filesize
136KB

MD5
7514b5a2e5076daa5fdba295f79df638

SHA1
3fa2f5a49559384767917fe69ab6d832888ecb64

SHA256
6cab6eb10053814def967621ecd44508974045c5ad9fb40e043843b24effcb47

SHA512
ce952f947cd9625c62ac5f90abc089dc8019d988a7927c00816f57a4be884ef1cb317d6258bbcbfb21dbbd0a63318fff72b333f2c6659ffff14dfe129fcd21ef

Download Submit
C:\Windows\SysWOW64\Dadeieea.exe

Filesize
136KB

MD5
bce86bc1fec2b3a0bcb6f24c9e2d8cae

SHA1
19ca12cb1628aee99117653387ca98c526ca6267

SHA256
748f106737376e3d70924eed989f3c5d588ed0b87d2cb4663c274dddb5993d42

SHA512
c01f8d31dee7440ed67ef2d0961ffb69b49c700e39edecb52ca677a99ab4fe487cc9efaf5a64fb9bb2adcf030c2829977d609e1b145d4f0045b5c0007f254284

Download Submit
C:\Windows\SysWOW64\Dbllbibl.exe

Filesize
136KB

MD5
6c7c2de29d52f2fdf12e01d998cb1c7d

SHA1
6b290cae7fffb668561e9e0d52f983c1d528b7cf

SHA256
6cd92b4c7d14273599d53a90b37f12811811822b6830373b9f9b368981c49ebd

SHA512
7457711f7eafedb188471546cb339e9276151fd681f586d4fb02e585d4983ac507e6d2e078d7136fa8fc65cba11df103dd4660823ab3f7154448010f83569a03

Download Submit
C:\Windows\SysWOW64\Dboigi32.exe

Filesize
136KB

MD5
8abafa9ff5936224043e1d0a18475e72

SHA1
cff1f5657191232fa1e659f0a0f87aa1b721ee20

SHA256
86243bab3f920671166240fff07b1c69789eb80825c687bfeb109c39d500cf02

SHA512
ad50b8ddaf84c5bd33758cbe78a60065efadce474a48720a7955d6b9d237593eeb83d2384aced59678b83058d712d6dc5a3a72a4880d2fd343107d2635d783cf

Download Submit
C:\Windows\SysWOW64\Dccbbhld.exe

Filesize
136KB

MD5
194ad7c73ac5c311a560a230d58a25de

SHA1
8b8256d7d228e2a6703c2a8e84c0cdc4da66300a

SHA256
23f1d630f6f8d1c29fda1ae70b433fca81debdf010621942b0a1b8674ffe1550

SHA512
d1f57ca2848632ab228239f817d835b43a013f8bbee53ebecf1c05b53c329dacecdc190894493416782b9d784d9f4f336c023be893b32970463e35b51e8c825b

Download Submit
C:\Windows\SysWOW64\Dceohhja.exe

Filesize
136KB

MD5
1fea764e0f2a456f9a429612c920f120

SHA1
e631a7c1d09ec4e126726e79a27b45428f3498fc

SHA256
7fcc4ea7764aa59ac2162d2215ec1311a3ef7a838fe78f5c6e5231846b9d3f09

SHA512
3b75f55139bb12dc1e7b46240bd31f927a66d5d230bbb33a349c6ec1c1ea9dd3a7b761f57f2d0f3babdbc69b34959a427ce6b5fb284b57767b43533806eaf250

Download Submit
C:\Windows\SysWOW64\Ddmhja32.exe

Filesize
136KB

MD5
af5dabbe1e84e705d866a09556712346

SHA1
19d5ee6e49378584a2cabee9649cb28cd61a6fe9

SHA256
6721851efb51e8a92082d8d4478ddf905329279a82c0641cbc2c55e14296724d

SHA512
5b26a56e019065a46e4e687de49071467c23021679bab7f93cdd29f03a2856a8ddb8119d940d431e5720fb869f5a68b5241d067a8b495903836cc16c5d54c31b

Download Submit
C:\Windows\SysWOW64\Ddpeoafg.exe

Filesize
136KB

MD5
ca0246f5cc5c9a9a1d5e87fdc5a918bd

SHA1
d19457c86be7dddfae3d0b6911153b8837e46ca1

SHA256
55ab33ca9278bd04f07c5f32d105b89227b83171c33112e1beadc447ad190d32

SHA512
fae5caa4815f3f40a6f94380f30085b7cb0b7032bc38118ef1a0e84f5fd7e1509700f283435f4e995672d727a22fc615758f92a93bc23edba2a849a843365c14

Download Submit
C:\Windows\SysWOW64\Deanodkh.exe

Filesize
136KB

MD5
e668c54791d40023f1d7d84935b660b2

SHA1
a510a66ec44c421d5a1f3f615febcf61961b8d2e

SHA256
72658130e3b742a17a6336395d7bb4d494e52b7750a6584f8015a258992d96a9

SHA512
c77accd0420a11de51251159c2bcd611f5d80c7c009dc5df8467148f2def3bafb5b57fd4145b49919dd2a9361524b02bfb5592a535c429d5b2a71be69f219977

Download Submit
C:\Windows\SysWOW64\Dedkdcie.exe

Filesize
136KB

MD5
b69bcfb82580ff0d3ce146446d57e1f6

SHA1
534e3f34e2c1094f1619c15bc73295e63b04c1e4

SHA256
2845e1e80af76378556daaaccc983a5a80ba40122595acd2e13f5f067701bd2f

SHA512
c6d57838c26edd9665ffc03630e65c7475b528b952bf68317a36df769c322ee9ed83b97bf495ddaf2ca2b3721dae0b0ec4e72823b86f4fdd7d4fce5b9e2fcc6c

Download Submit
C:\Windows\SysWOW64\Dekhneap.exe

Filesize
136KB

MD5
bd7b4cf133db4acca7d84fbd96b08f44

SHA1
2f6275beb89c5f49304b111d1d883aa3ff9de9af

SHA256
18926804bdd6f2f90fa16fc10d6589c846bc40c03d71a016b320bd45dc9326de

SHA512
acf724ab8f659a113d128e898f6ef9981880aa9391df545a6399dd22537e2db2be0a522285ad3bc2b37cd45fafc8b4a96d8a718ec6e0bd8399e466eccd272318

Download Submit
C:\Windows\SysWOW64\Demecd32.exe

Filesize
136KB

MD5
70f4080409f92bf34676e8cc8efd2ea4

SHA1
d9ce4c01663244a435c9185384977680b2b9ba50

SHA256
0307483ce4f982620c5394994d9fa2a265666a823a96d554fd180302bf9f867a

SHA512
0fdde7d2decddea77221080524f1bf338b3c15a11e225c8cc8bf440ea4496db569d76eecc46396586c92bd34e593c72ac12cdde8ed42103c840a97ea95aebe84

Download Submit
C:\Windows\SysWOW64\Deoaid32.exe

Filesize
136KB

MD5
47f15daf36d5014e966b4e2f644a0e86

SHA1
a822a2266277ccdb3ea46fcba9c22f0426feaf17

SHA256
0567a8a1922649f4a93a3c1c2261ee57a6d9afe7684882fa10cf00dc429fb305

SHA512
3d26d80f3399430842e4651b4b45ee3a3a98d72403d16978872615459279ec14e45fbed602ef413e398923fbf34ba4bcbea6f69091b1dd1959f70529ec5e2788

Download Submit
C:\Windows\SysWOW64\Dhbgqohi.exe

Filesize
136KB

MD5
9def7e6831a6564312681aa9a8a3a782

SHA1
f0bded12ac62ae729ef96809c9450da4602bfaa6

SHA256
87345ac2e82909431f7f789fc45b51790d1afbf44c027364ee4ff98ef60f1dbc

SHA512
5e6d73dc70b3ce3eef631827f990bbe77aeb5f920365bd7639cf08d2a507aa2c620f60a2565d54c9b054a26297f7e17738eab733e5c911c914c456b2dad9ee1e

Download Submit
C:\Windows\SysWOW64\Dldpkoil.exe

Filesize
136KB

MD5
d22162635afe30df57b089ead13066b8

SHA1
2a2a69e9d2dbec6bea4925a5724c94939e011245

SHA256
69f13f188257dc5b1569ccf1e995b3e9732535a0627fbffdf7eae6659b2a4e78

SHA512
7653fad5ae81f105a40c8a95c58d104a5ad14c42686206e1a759af21aa7ca4091f74045d3d94aad21d52ae02358ced2b78051bfabd36409d8f291bbebaeee18d

Download Submit
C:\Windows\SysWOW64\Dlgmpogj.exe

Filesize
136KB

MD5
f606762495a5508310fcce861771edfe

SHA1
d8cdab4f9c3b4bc41db0bdc50bf1d880ab26f849

SHA256
f3a52a594199ff5d718bfe1308d96208ff089f5b60801da3425a3a1e90ec8089

SHA512
88c4c61eb1157d92a659603054dad20a07e1ee149e6a6982c5ca5f5385f92fff2c287d01d14e1b1ad8f071a6fd9960385e7a47a2601e336627243fb49cc65c9e

Download Submit
C:\Windows\SysWOW64\Dllfkn32.exe

Filesize
136KB

MD5
befdc3724d03304a8f54fe4fd567d2b1

SHA1
0526d51d2ca2886e3027f206ed9e4c72393288a8

SHA256
f5afe30fa165aa798c045763b6fb2036e6f79ba332941e5c8ef61ece65f55486

SHA512
58217ad8be98eceb4785b2918174788fdf3121bbd8f12643050b1837afc9ed12c95c2c64ddbf64b8cafce6ef6429b3f4620db06128f7a7a19457ecd50ee3efc4

Download Submit
C:\Windows\SysWOW64\Dlncan32.exe

Filesize
136KB

MD5
4c7de81c5aafa991848b9449d9210627

SHA1
90a2f3a61436d697ab2633a929e97c2ca0a8cdb0

SHA256
0f42fd8b1219cf42f2f1967692cdffaa3644fbe3dc9f9b5f483f5368672f8acc

SHA512
6a6031490181936dab74192375ec952d52ca1ec750f3bbdb0cae6d1a79072ca05fcc69a33ae70651b56afbdddf910dbfbc9b99abeb77ec40b2334f5fbb5dcfbd

Download Submit
C:\Windows\SysWOW64\Dlncan32.exe

Filesize
128KB

MD5
517b974425f7ae846d774894a3037123

SHA1
7645554d7c65f6f921338b1c1e2d4d8836b6960a

SHA256
f53a71cc17a9f2bdd8820ff7269bfa290e1473390fe22456688c91d3d450346d

SHA512
c7cb8e8a29627e123c2f056e1983f84c70afedcde2f8a5cf9c24d77854c30c16804b18f42a8f1b8e52ead814bc8e24e9bb9a231c44bd7c9aea59c9754162d5a0

Download Submit
C:\Windows\SysWOW64\Docmgjhp.exe

Filesize
136KB

MD5
f4c91f68ebb435237d8755078d0af949

SHA1
2779adbf36da47dd2947d10db0343acb4be12b7a

SHA256
b8daa780a0c13a1dd499d86a7e3acc958637250bfd609a0eeabea1ea623da1bf

SHA512
bcf36154a1bdde07b9f000aa0a4cac2374bd5b664cbd7866619be162178e9d1d79dc1038c3950472709f2f0d38703fa24a1d9cf2d24d064710550df0f7a783fd

Download Submit
C:\Windows\SysWOW64\Doeiljfn.exe

Filesize
136KB

MD5
58c3994b65292264de90047561eccc30

SHA1
46959269497d03befedb322157e2fa1f75daae88

SHA256
46d9cc36d379d9fea65b0608197e306db87c5ce507c20ca418ba01212bfbe5bb

SHA512
05aadd91c5f7e8df8b5cc39d24a72b0070dda92487e3993bd105f086d4c9f40083deb300ba2d0ea6dd19a6001852c49cd580698edceb0a7efeda9e363edffdb5

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
136KB

MD5
7f80f2fe96c84890ef3e575934e356c6

SHA1
c5d95c7379edc8e50521772252dca04234205906

SHA256
f97ba24dd723e4f35edcada4ebb9dc129564047ec08702848ffd14e5fff64e85

SHA512
9ba93656f140c8c580696c62fbb93aa653cfd0fa506427fe43a440af698ae6fe11f1456a92b184c9c947be01e582f343d31a34a2d62425ed73c038bd49772637

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
14KB

MD5
6c628e888e50b8c2b2270276cf1758a3

SHA1
8b607f3597e3ef70a711e3e8e09765adb117448c

SHA256
3eb5ee80a0d93d49ba83dc9b21efdeefaa0727fd2711dcca3ffc22cf7b2dc0bc

SHA512
501515e63e3843a63f0b30fc5ce13323f171e62eef5c6cc3ff6ea50fea4166e3197a50ffea2db27f455b237746a3bff2370c3d2635dedabd5d7f2d6e44886dbd

Download Submit
C:\Windows\SysWOW64\Edihepnm.exe

Filesize
136KB

MD5
265ae31fd109452999598a6d9fef4805

SHA1
339b227f03b77e1d3b70c5759936e5531eacf3c9

SHA256
37aed993955fc9265aae83883115daafa6f69ce454e5764b77b7e84c4790d8e2

SHA512
6f3297807c9d9211a0a7a2440c2647f7af1634d8c7cc9d42a1edcfb8f06e0395dd5ecc46459271f671b0522c00796827e284c42e551ac8e67719b659c9f19628

Download Submit
C:\Windows\SysWOW64\Eefhjc32.exe

Filesize
136KB

MD5
837263f1f89b1059f940fa535b3b5d1e

SHA1
8f53c46f945c6f73ce3b5042b2a0f9b4af38e8c3

SHA256
c69d82b4f873a4592c699a23f9c0c6264229c91ee005c8d44bc64772a379c201

SHA512
98ed0de9d5b252af7118088477ce3b8a2b68e8a3fdfd19d823a35e3442846b41e3786f724cb3e97648c8b0e28f0660a86d57058628849f982a45974e873d4243

Download Submit
C:\Windows\SysWOW64\Ehedfo32.exe

Filesize
136KB

MD5
01401f4a5dafc8387b12cabe2b74e12b

SHA1
1b3313d5d9d9be54cbb9a732e22668c405c46aae

SHA256
2fdd5e05d878c9e9f8c9fedd87a1412b26334c1ea6bc06f36bc79e6a4a166e9a

SHA512
fbac881222cb7e65f49fccbb3469fe532010aa82643f7f0c7d676dcc4f74a644d40ad712bbb3a3f74399924185f92e85a302dbf33e20e7a00d9b586fdccf82d8

Download Submit
C:\Windows\SysWOW64\Ekacmjgl.exe

Filesize
136KB

MD5
6581d1cd4c2b1d5895821d43ee8242c2

SHA1
da3fe22f1eba103bd52effabe9151517e2bca399

SHA256
e5bbb881638dcd5064a8acf83c93d492509012118927fece5d0302e45c0a42ba

SHA512
7d4e20318963e99c4f344ada914fc07f332f6f9dface903e36ca844ed0afa88bbc9aa1c507d64fbb9838f471a681374b96f04ba278827cb47804380e3c2a3b50

Download Submit
C:\Windows\SysWOW64\Ekacmjgl.exe

Filesize
64KB

MD5
0e4e5f52ca5339c29d968687ea4d1c32

SHA1
6117729b77a8173b79c8b103b8524316374dac19

SHA256
8943fd196c81b538f9ac32f04ff2a07e5debc61065d99f815d162f991b7e17de

SHA512
62f66d14c2db74e79ecd61b3707b89ab02dc95d573bbbd37863ed72c2bc5f561fcb4fe9eb48d7c3093be2ec30d1e30068b642b0487b0a1f05deb4fb5e5beb616

Download Submit
C:\Windows\SysWOW64\Eolpmi32.exe

Filesize
136KB

MD5
ff168f8e0f6ec22596174a7bb1092fea

SHA1
729cbc7e11643b722bde5a28ea7ec5961c102089

SHA256
dca0c14c64cb76880d318fbc4aa20641ab951ce89c8886668ba0e3d1af3b9f45

SHA512
7514fbd5bd8c0c959b821acdcd951000257a0403345fb7bef8409ebf58d8ff4f2e3c334acd4a96bcddce9c6d9d20c3426f3029a4ea5ae6f19f7f36699462905a

Download Submit
C:\Windows\SysWOW64\Eolpmi32.exe

Filesize
48KB

MD5
921fba0239dda1b32fce7105414fd22e

SHA1
d74180b30de248e6634ad1aa9355a3bbdce6ba5b

SHA256
5e04584cf8e9d0bcade337814f9c0b0327f660df40fadbeb074dab306d84ecb5

SHA512
7aa2e431b67869dbe57da8a2897f56cfa0ae078348e58cf20f905c2f7d62d008c4662b8de731c5e7630d4b258d0a7d090ac7766ce1bc422da46970d76e4cb194

Download Submit
C:\Windows\SysWOW64\Hiefcj32.exe

Filesize
136KB

MD5
8d77acbdc351c8aca1838914c8b54329

SHA1
2ce2c8ba4f6d1e2d082123afa4cd0934de6b6bfb

SHA256
f36f9270b1fa523b724894b701190b639c188a53fa3acedf586ded4d9399c919

SHA512
1ded2ec72e6bbbaf6173a6e2efc2841012c1e84e5a962133c4bceb8fa94c0ce05023beb50d403b2e8caf6b7c452e8775224719e9cd956ae4cb0df2391f42f97b

Download Submit
memory/60-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/316-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8764-2118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8872-2098-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8932-2114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9140-2109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9196-2108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads