5e5466272eea445087ef794368cc469eef6efee4f2b74e9d0ef47a77e9a69a8a

Analysis

max time kernel
97s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e5466272eea445087ef794368cc469eef6efee4f2b74e9d0ef47a77e9a69a8a.exe
Size

64KB
MD5

e3e7fe93e02d2bf40555a7bfc1cbaa4c
SHA1

75281f73c366c62e462f053df2b1d047d7307308
SHA256

5e5466272eea445087ef794368cc469eef6efee4f2b74e9d0ef47a77e9a69a8a
SHA512

99ef5058325a5d851081bc6920ed0ff8b2e73dd60cd1e60d5f3cb9d5bcff289f383b44ba8e0049dc52d3639b8af78119d80af3010c51146dc627637fe2e2c2c0
SSDEEP

1536:GWAAZeMPkmqY7SemSiDlrR4PXaqt0PaXUwXfzwv:GWLZew3qYtLMlrRMNYuPzwv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbofkbbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Denlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpnohej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Denlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debeijoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcopbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biiohl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcdimopp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgodj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5e5466272eea445087ef794368cc469eef6efee4f2b74e9d0ef47a77e9a69a8a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibank32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlegeemh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpjmee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cibank32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpacfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djnaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhibni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cedihl32.exe

Executes dropped EXE 64 IoCs

pid	Process
5096	Bammlomg.exe
3472	Bidemmnj.exe
1528	Blbaihmn.exe
4980	Boanecla.exe
440	Bifbbllg.exe
216	Bhibni32.exe
5076	Bockjc32.exe
3768	Bbofkbbh.exe
4348	Bemcgmak.exe
3536	Biiohl32.exe
3084	Blgkdg32.exe
2500	Boegpc32.exe
4568	Bbacqape.exe
2616	Beppmmoi.exe
4028	Bikkml32.exe
4172	Clihig32.exe
1892	Cpedjf32.exe
1204	Cohdebfi.exe
4204	Cafpanem.exe
3132	Cimhckeo.exe
3180	Chphoh32.exe
3556	Clldogdc.exe
3320	Cpgqpe32.exe
5044	Ccfmla32.exe
2840	Caimgncj.exe
2344	Cedihl32.exe
1328	Chbedh32.exe
3048	Cpjmee32.exe
4684	Commqb32.exe
4652	Cakjmm32.exe
3112	Cibank32.exe
760	Chebighd.exe
1872	Clqnjf32.exe
3408	Coojfa32.exe
4860	Ccjfgphj.exe
4056	Camfbm32.exe
1568	Ceibclgn.exe
64	Cidncj32.exe
4404	Chgoogfa.exe
1852	Clckpf32.exe
4176	Cpofpdgd.exe
3736	Ccmclp32.exe
2208	Capchmmb.exe
4872	Digkijmd.exe
1708	Dhjkdg32.exe
2888	Dlegeemh.exe
4036	Dpacfd32.exe
4548	Dcopbp32.exe
4984	Dabpnlkp.exe
5000	Denlnk32.exe
5064	Diihojkb.exe
4776	Dhlhjf32.exe
3272	Dpcpkc32.exe
3660	Dofpgqji.exe
4592	Dcalgo32.exe
4852	Dadlclim.exe
1472	Dephckaf.exe
4276	Djlddi32.exe
4564	Dhnepfpj.exe
1536	Dljqpd32.exe
4976	Dohmlp32.exe
5084	Dcdimopp.exe
4224	Dagiil32.exe
4900	Debeijoc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Chgoogfa.exe	Cidncj32.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Fmmfmbhn.exe	Fhajlc32.exe
File opened for modification	C:\Windows\SysWOW64\Gfedle32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Bammlomg.exe	5e5466272eea445087ef794368cc469eef6efee4f2b74e9d0ef47a77e9a69a8a.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Gmkbnp32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Fjepaecb.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Cafpanem.exe	Cohdebfi.exe
File opened for modification	C:\Windows\SysWOW64\Camfbm32.exe	Ccjfgphj.exe
File created	C:\Windows\SysWOW64\Bofjdo32.dll	Fjnjqfij.exe
File opened for modification	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Bademghm.dll	Fmocba32.exe
File created	C:\Windows\SysWOW64\Cibank32.exe	Cakjmm32.exe
File created	C:\Windows\SysWOW64\Omlami32.dll	Dpcpkc32.exe
File opened for modification	C:\Windows\SysWOW64\Ehjdldfl.exe	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Gimjhafg.exe	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ebeejijj.exe	Elhmablc.exe
File created	C:\Windows\SysWOW64\Fqaeco32.exe	Fqaeco32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Dhqaefng.exe	Djnaji32.exe
File created	C:\Windows\SysWOW64\Elhmablc.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Blbaihmn.exe	Bidemmnj.exe
File opened for modification	C:\Windows\SysWOW64\Dhjkdg32.exe	Digkijmd.exe
File opened for modification	C:\Windows\SysWOW64\Dljqpd32.exe	Dhnepfpj.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Gcekkjcj.exe	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Ccfmla32.exe	Cpgqpe32.exe
File created	C:\Windows\SysWOW64\Gagaaq32.dll	Ejegjh32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Denlnk32.exe	Dabpnlkp.exe
File created	C:\Windows\SysWOW64\Jdmaid32.dll	Ehlaaddj.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jfifijhb.dll	Ccmclp32.exe
File created	C:\Windows\SysWOW64\Dhnepfpj.exe	Djlddi32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hadkpm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8712	8548	WerFault.exe	396

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eceakm32.dll"	Dephckaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibgla32.dll"	Capchmmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfifijhb.dll"	Ccmclp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djlddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boanecla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoodnhmi.dll"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inccjgbc.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cimhckeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bidemmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jingckla.dll"	Coojfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdcbdnc.dll"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmocba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Camfbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chgoogfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobgoedj.dll"	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bockjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efneehef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhnepfpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kgbefoji.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 5096	5056	5e5466272eea445087ef794368cc469eef6efee4f2b74e9d0ef47a77e9a69a8a.exe	85
PID 5056 wrote to memory of 5096	5056	5e5466272eea445087ef794368cc469eef6efee4f2b74e9d0ef47a77e9a69a8a.exe	85
PID 5056 wrote to memory of 5096	5056	5e5466272eea445087ef794368cc469eef6efee4f2b74e9d0ef47a77e9a69a8a.exe	85
PID 5096 wrote to memory of 3472	5096	Bammlomg.exe	86
PID 5096 wrote to memory of 3472	5096	Bammlomg.exe	86
PID 5096 wrote to memory of 3472	5096	Bammlomg.exe	86
PID 3472 wrote to memory of 1528	3472	Bidemmnj.exe	87
PID 3472 wrote to memory of 1528	3472	Bidemmnj.exe	87
PID 3472 wrote to memory of 1528	3472	Bidemmnj.exe	87
PID 1528 wrote to memory of 4980	1528	Blbaihmn.exe	88
PID 1528 wrote to memory of 4980	1528	Blbaihmn.exe	88
PID 1528 wrote to memory of 4980	1528	Blbaihmn.exe	88
PID 4980 wrote to memory of 440	4980	Boanecla.exe	90
PID 4980 wrote to memory of 440	4980	Boanecla.exe	90
PID 4980 wrote to memory of 440	4980	Boanecla.exe	90
PID 440 wrote to memory of 216	440	Bifbbllg.exe	91
PID 440 wrote to memory of 216	440	Bifbbllg.exe	91
PID 440 wrote to memory of 216	440	Bifbbllg.exe	91
PID 216 wrote to memory of 5076	216	Bhibni32.exe	92
PID 216 wrote to memory of 5076	216	Bhibni32.exe	92
PID 216 wrote to memory of 5076	216	Bhibni32.exe	92
PID 5076 wrote to memory of 3768	5076	Bockjc32.exe	93
PID 5076 wrote to memory of 3768	5076	Bockjc32.exe	93
PID 5076 wrote to memory of 3768	5076	Bockjc32.exe	93
PID 3768 wrote to memory of 4348	3768	Bbofkbbh.exe	94
PID 3768 wrote to memory of 4348	3768	Bbofkbbh.exe	94
PID 3768 wrote to memory of 4348	3768	Bbofkbbh.exe	94
PID 4348 wrote to memory of 3536	4348	Bemcgmak.exe	95
PID 4348 wrote to memory of 3536	4348	Bemcgmak.exe	95
PID 4348 wrote to memory of 3536	4348	Bemcgmak.exe	95
PID 3536 wrote to memory of 3084	3536	Biiohl32.exe	96
PID 3536 wrote to memory of 3084	3536	Biiohl32.exe	96
PID 3536 wrote to memory of 3084	3536	Biiohl32.exe	96
PID 3084 wrote to memory of 2500	3084	Blgkdg32.exe	97
PID 3084 wrote to memory of 2500	3084	Blgkdg32.exe	97
PID 3084 wrote to memory of 2500	3084	Blgkdg32.exe	97
PID 2500 wrote to memory of 4568	2500	Boegpc32.exe	99
PID 2500 wrote to memory of 4568	2500	Boegpc32.exe	99
PID 2500 wrote to memory of 4568	2500	Boegpc32.exe	99
PID 4568 wrote to memory of 2616	4568	Bbacqape.exe	100
PID 4568 wrote to memory of 2616	4568	Bbacqape.exe	100
PID 4568 wrote to memory of 2616	4568	Bbacqape.exe	100
PID 2616 wrote to memory of 4028	2616	Beppmmoi.exe	101
PID 2616 wrote to memory of 4028	2616	Beppmmoi.exe	101
PID 2616 wrote to memory of 4028	2616	Beppmmoi.exe	101
PID 4028 wrote to memory of 4172	4028	Bikkml32.exe	102
PID 4028 wrote to memory of 4172	4028	Bikkml32.exe	102
PID 4028 wrote to memory of 4172	4028	Bikkml32.exe	102
PID 4172 wrote to memory of 1892	4172	Clihig32.exe	103
PID 4172 wrote to memory of 1892	4172	Clihig32.exe	103
PID 4172 wrote to memory of 1892	4172	Clihig32.exe	103
PID 1892 wrote to memory of 1204	1892	Cpedjf32.exe	104
PID 1892 wrote to memory of 1204	1892	Cpedjf32.exe	104
PID 1892 wrote to memory of 1204	1892	Cpedjf32.exe	104
PID 1204 wrote to memory of 4204	1204	Cohdebfi.exe	106
PID 1204 wrote to memory of 4204	1204	Cohdebfi.exe	106
PID 1204 wrote to memory of 4204	1204	Cohdebfi.exe	106
PID 4204 wrote to memory of 3132	4204	Cafpanem.exe	107
PID 4204 wrote to memory of 3132	4204	Cafpanem.exe	107
PID 4204 wrote to memory of 3132	4204	Cafpanem.exe	107
PID 3132 wrote to memory of 3180	3132	Cimhckeo.exe	108
PID 3132 wrote to memory of 3180	3132	Cimhckeo.exe	108
PID 3132 wrote to memory of 3180	3132	Cimhckeo.exe	108
PID 3180 wrote to memory of 3556	3180	Chphoh32.exe	109

C:\Users\Admin\AppData\Local\Temp\5e5466272eea445087ef794368cc469eef6efee4f2b74e9d0ef47a77e9a69a8a.exe
"C:\Users\Admin\AppData\Local\Temp\5e5466272eea445087ef794368cc469eef6efee4f2b74e9d0ef47a77e9a69a8a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\SysWOW64\Bammlomg.exe
  C:\Windows\system32\Bammlomg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\Bidemmnj.exe
    C:\Windows\system32\Bidemmnj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\SysWOW64\Blbaihmn.exe
      C:\Windows\system32\Blbaihmn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Windows\SysWOW64\Boanecla.exe
        
        C:\Windows\system32\Boanecla.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Windows\SysWOW64\Bifbbllg.exe
        
        C:\Windows\system32\Bifbbllg.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Bockjc32.exe
        
        C:\Windows\system32\Bockjc32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Biiohl32.exe
        
        C:\Windows\system32\Biiohl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Blgkdg32.exe
        
        C:\Windows\system32\Blgkdg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Beppmmoi.exe
        
        C:\Windows\system32\Beppmmoi.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Clihig32.exe
        
        C:\Windows\system32\Clihig32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Cohdebfi.exe
        
        C:\Windows\system32\Cohdebfi.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Cafpanem.exe
        
        C:\Windows\system32\Cafpanem.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Chphoh32.exe
        
        C:\Windows\system32\Chphoh32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Clldogdc.exe
        
        C:\Windows\system32\Clldogdc.exe
        23⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Cpgqpe32.exe
        
        C:\Windows\system32\Cpgqpe32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        25⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Caimgncj.exe
        
        C:\Windows\system32\Caimgncj.exe
        26⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Chbedh32.exe
        
        C:\Windows\system32\Chbedh32.exe
        28⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        30⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        33⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        34⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        38⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        41⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        42⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        46⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        52⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        53⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        56⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        57⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        61⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        62⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        64⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        67⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        68⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        69⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        70⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4920
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        72⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        73⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1380
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1248
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        76⤵
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        77⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        78⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        79⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        80⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        81⤵
        
        PID:828
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        83⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        84⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        85⤵
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        86⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        87⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        88⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        91⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        92⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        93⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        94⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        96⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        97⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        99⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        100⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        101⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        102⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        103⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        104⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        105⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        106⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        107⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        109⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        111⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        113⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        115⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        117⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        119⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        120⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        121⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        122⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        124⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        125⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        126⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        127⤵
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        128⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        129⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        132⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        134⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        135⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        137⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        138⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        140⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        143⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        144⤵
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        145⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        146⤵
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        147⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        148⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        149⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        151⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        152⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        153⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4400
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        155⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        156⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        157⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        158⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        159⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        160⤵
        Drops file in System32 directory
        
        PID:6220
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        163⤵
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        164⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6444
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        166⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        167⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        168⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        169⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        171⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6784
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        174⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        175⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        176⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        177⤵
        Modifies registry class
        
        PID:6948
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        178⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        180⤵
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7160
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        183⤵
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        185⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        186⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        187⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        188⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        189⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        190⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        191⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6804
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        193⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        194⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        195⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        196⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        197⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        198⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        199⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        200⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        201⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        202⤵
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        203⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        204⤵
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        205⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        206⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        207⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        208⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        209⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        210⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        211⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        212⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        213⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        214⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        216⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        217⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:208
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        220⤵
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        221⤵
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        222⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        223⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        224⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        225⤵
        Modifies registry class
        
        PID:7292
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        226⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7392
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7452
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        229⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        230⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7632
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        232⤵
        Modifies registry class
        
        PID:7672
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7716
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7760
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        235⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7800
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7848
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        237⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7888
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        238⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        239⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        240⤵
        Drops file in System32 directory
        
        PID:8016
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        241⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        242⤵
        Modifies registry class
        
        PID:8096
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        243⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        244⤵
        Modifies registry class
        
        PID:8180
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        245⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        246⤵
        Modifies registry class
        
        PID:7320
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        247⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        248⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        249⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        250⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        251⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        252⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        253⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        254⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        255⤵
        Modifies registry class
        
        PID:8040
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        256⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        257⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        258⤵
        Modifies registry class
        
        PID:7336
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        259⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        260⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        261⤵
        Modifies registry class
        
        PID:7744
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7836
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        263⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        264⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        265⤵
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        266⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7648
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        268⤵
        Drops file in System32 directory
        
        PID:7772
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        269⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8080
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        271⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7704
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        272⤵
        Drops file in System32 directory
        
        PID:7856
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        273⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7832
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        275⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        276⤵
        Drops file in System32 directory
        
        PID:8204
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        277⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        278⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        279⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8332
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8372
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8412
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        282⤵
        Modifies registry class
        
        PID:8452
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        283⤵
        Modifies registry class
        
        PID:8496
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        284⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        285⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        286⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        287⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        288⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        289⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        290⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        291⤵
        Drops file in System32 directory
        
        PID:8836
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        292⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8880
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        293⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        294⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        295⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9004
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        296⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        297⤵
        Drops file in System32 directory
        
        PID:9084
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        298⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        299⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        300⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        301⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8212
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8272
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        303⤵
        Drops file in System32 directory
        
        PID:8352
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        304⤵
        Modifies registry class
        
        PID:8408
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        305⤵
        Drops file in System32 directory
        
        PID:8480
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        306⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8548 -s 400
        307⤵
        Program crash
        
        PID:8712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 8548 -ip 8548
1⤵
PID:8664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bammlomg.exe

Filesize
64KB

MD5
fd1fb1cd3f27c11e9c36f774fc2eb38c

SHA1
232347a888e51c8a149432eed0194b2534364e2f

SHA256
9a70ae6f2f753e45e6c29188fa508a70645267863123eb8e11afab80f03fb37b

SHA512
39dee28b41fd40733638a2e67598603ecad0b69a992e57f865c08202a9aa5cf5f169f34fd2e229789ab64dbb34c34599c80e0dfd4e9eb58af6cdbb53f18fa7f0

Download Submit
C:\Windows\SysWOW64\Bbacqape.exe

Filesize
64KB

MD5
eaca70856ee4de1c5f22293ffd3d968c

SHA1
f2a88c08f504a2d7c9437bfcbe5e2d4fb74fa705

SHA256
c1f4485079dda3affb022f038666d0ee260e25111dd893612198972533511a09

SHA512
fcc3a743ef536b883c7d79af7808fd5679a5cde6dc346e3aac8cfd1e4dd9bd13f003dacdff87f9bd5c036bc39acb1b1741ce3a2383c8324c38266d3cbe6fde12

Download Submit
C:\Windows\SysWOW64\Bbofkbbh.exe

Filesize
64KB

MD5
5ff291b1bafebd54d7657df0376fd4b1

SHA1
71a1e263d0ad87f9c8822075c7ab6439aff4fdc7

SHA256
6681d2995152b12982337fe0c8fb7c581f82adfbebc923c34a9938e79b22a223

SHA512
ee5199ec8445c37ba6dea55f8cc771a7f2704c7bb23c65469a13c1380a7a0eb3844d18c4657af2baf400d184e2aa19aede2fa7a518ab7bbd7ef29b9cc944a1cb

Download Submit
C:\Windows\SysWOW64\Bemcgmak.exe

Filesize
64KB

MD5
ed5b76754d580ecab29de5a3da77fdfa

SHA1
b8f51934e78f509b01ef0bde55a61e63557ded59

SHA256
dfb7b33eeb16aa65a0b732a64566e80513af66165bec650bb55a20212bd12b6a

SHA512
ebad0857a548b3e985bb4e824dfa387723be9ab04d7dd4b17f2130620e75b5dd04e134f3e8537f716aeb5fedeba385407950d0043553ab508d316e7975a38186

Download Submit
C:\Windows\SysWOW64\Beppmmoi.exe

Filesize
64KB

MD5
673df6061c7233a86ed3444be656858a

SHA1
63bdcd50d6cd40cf5770097d76f0881e2f93157b

SHA256
5efbd7e21131c42e6d54908edb841c686ed2ea08d0a24d9228c4c537edadcb8f

SHA512
2b95278b16bb9fed4b0186af46cf2555641fd90797a4990865e7634a92461d90c940b3f8912b4212b5dee07c65d230306e75b30b8503f1f891fbe0ffbef220eb

Download Submit
C:\Windows\SysWOW64\Bhibni32.exe

Filesize
64KB

MD5
524aa84c070191a8d8e9ef6842a92776

SHA1
45bddfe2bd215c22e4b45f6ce70fd61751ff39a5

SHA256
c3192d86d1f31d08e73fd49880c57356bf06af0a26d073a3496f568115f3c4d6

SHA512
ecbb2f2fbe4b0ab772da63fb8c7cd7ac4b568f362913597c1201a732744f89cdb1f8dec2765039b436f903da8b03443ec35897b1623fee0bde789e86a9767a5f

Download Submit
C:\Windows\SysWOW64\Bidemmnj.exe

Filesize
64KB

MD5
ea1979c4f8ae4c18654d699483fae6bf

SHA1
6401572b0bd50f103fbab847943aa04d51e58f5e

SHA256
f8295539286101fdd247058366755f8709a618a2b834d7c99485ad43df532db9

SHA512
df791dd905456bebeeafe4758a8e8693de761437c5b49f51b6aac98e36069e4e1ab867957988050b4971257d121716ca91bc667e39c64eb532bfecf5994e9e91

Download Submit
C:\Windows\SysWOW64\Bifbbllg.exe

Filesize
64KB

MD5
79b52ddca65f6f981afe0372696cd7a3

SHA1
5a1e95f56145832284a821f000155b9013c7e97f

SHA256
3a7e8f45e4c7cb8653182a2b8aa45b87b6cf8b8eddc3a1a9ff8385e799e96bba

SHA512
71f7c598bbb2c75557ff17e46f0724e5d2aff9d0173af777cef2fb72e80a7471d93acc68b67944aa23bd04cbd88e4858b39bc3798bec37e11ec94634a0dfdf62

Download Submit
C:\Windows\SysWOW64\Biiohl32.exe

Filesize
64KB

MD5
0813eec09efb8bcf5dda3a1f229f1eae

SHA1
fb2c4c9e2a7bb2eb2ebeaa4dc448fb80a17b1d53

SHA256
9d9a40f533bb8869eb94b2fdea946551053af9854576abe8d04e6936888f4241

SHA512
e85ab69eedfb57fdb9b2daebc1747ae1780e58144e6659412fe7eeed3f7906ea18f0051a56a5e6692baf328ec679b70f65c85c2e7a88add33fd52f4205c78752

Download Submit
C:\Windows\SysWOW64\Bikkml32.exe

Filesize
64KB

MD5
42263a8d2dacd312d262b894b6257de7

SHA1
0655ddbb9ffebcef8d197ce58d427538ae3cc741

SHA256
18549a51e256c0136bfc5cfd86d58f9dc074befa06a5c727876460c976fd2c82

SHA512
33cca8902cf3b0fef1b281096c39401a9d28712c09c5addb993f3910546473cefe93ea15348ff313fbda9fad0d4ccc3d42a92698e8c22c30e203bb765f960941

Download Submit
C:\Windows\SysWOW64\Blbaihmn.exe

Filesize
64KB

MD5
04d564403a507ced902be3c8c84a9dc0

SHA1
20f983775a4f39eb887abc9c76bee6655a36ca36

SHA256
891e4abd7b1eb6bde4c45a6eb80c302802dbf105b72cbc265ac15bd54d87c6b7

SHA512
dde36aef47722182b02660c3bc521387b892b1c2b4ed7ccfd1711dd70f9aa61e6cdacb9bda4cdf5b91ee274f77cd39433e870687de0a6c12cee1e1f424a7ea61

Download Submit
C:\Windows\SysWOW64\Blgkdg32.exe

Filesize
64KB

MD5
a551b194af084d8bdeb33fad7592fe4c

SHA1
67c3a1312a3a2a8f3512337248c2cbb0c21c3391

SHA256
320e3dcdc1296608025abf9a882c1a98a9134dc9052b727ef68a6782d22e05b6

SHA512
dd0df6eab0bb40b2a478ca25aeb11b4c5b0979736e80319c1790690668834b36b4a0bbc3c6d54c753aec59bc0b3a27ef41180e8fd6497af899f851527f71cfb8

Download Submit
C:\Windows\SysWOW64\Boanecla.exe

Filesize
25KB

MD5
37a22d0dcfd8572bbe5258bdfd227dd7

SHA1
bb908057aed301ae4fe10724c428cadb06bd9474

SHA256
bc947c9368a88d58c720fa8715a31b92761cda5eceac93674377758278fe3b37

SHA512
28556b6b41f3c258c86f12dbdd793c7f6a24f4f8ea1d48cd4a89b7159fc18b9a9a009ab524d6994f9f9e566f3528de3ffa83014a7f44ad3d65f33171d26b9e88

Download Submit
C:\Windows\SysWOW64\Boanecla.exe

Filesize
64KB

MD5
28d780e4caa6b49c6479dbc2d1b2cb0b

SHA1
76858957a16e067b7f03ada14bd22a86b9d19869

SHA256
885470791967e0353caed8218d7aa2e0353bea5ce655adf0524d7adb661b3d6e

SHA512
462f702b4e34a858ed856e84a75e3279fdcd6811458886a78defe8f91d8ae0306e6b992d7c72cfa6c495c07110ea262f69846ff6d84d851b372ab667ec0ed09a

Download Submit
C:\Windows\SysWOW64\Bockjc32.exe

Filesize
64KB

MD5
ebd3d66ff54b45d50be50a9bf42432dd

SHA1
93483e1294f9500dd4f3f133541c337578a10aea

SHA256
26523093b1a40caebb3548cf96f1fbb9d408e8f96a4a1a6f524270f4b3ac3f66

SHA512
487a21903d6750eda73aeea93cf67bd8d53a673bfc6f0c32ffb773f8fd8243cb1f6ad21fa256ccd6678cced67a127ae0c8d784f6f6dff173b17de4ec2d63c820

Download Submit
C:\Windows\SysWOW64\Boegpc32.exe

Filesize
64KB

MD5
a500399b43ac8c5c6632adda1908c8c0

SHA1
01949442775acd033a9e742706c9210fe617a4d1

SHA256
d17d1fd728f558ef07daea1f91f8fc9e4350999b3836723008db392f855af584

SHA512
45e4acf562fec9b67d5252559f80846409a9fbb011aca79e899086c5d6d6672d86fb534a96b36f90ddef988a74906fb60fa83e2264dec0c4f495f9a78bdda593

Download Submit
C:\Windows\SysWOW64\Cafpanem.exe

Filesize
64KB

MD5
88994fc74506d8c18031ffb6cbe0c54e

SHA1
49883905881dc0ab644d4b1d07a4988f665d3933

SHA256
eb42ae94e073662974239bdf0ba48c14124d3178a9c6961b7cd197370a57f90b

SHA512
dfa7cf023a606083e091f58e2166af54b3cc6e6e869de496e694a70377226a73f969b765ee4fd82650d6fc64df3ce4ab2f3319d4bdc594490741b9f26a80ee03

Download Submit
C:\Windows\SysWOW64\Caimgncj.exe

Filesize
64KB

MD5
c7a59e62766719e3a55cef8159e6f424

SHA1
7ddb8679b774ca3351c2f0a65e0d08d5f835b944

SHA256
15149dcd06e2f9301927e6e6a6cacad32b15d89fe104467fa34c4c2809f9f67c

SHA512
e22954a75cf2282f7f1102706080a94a55d2e15972dbdd9eb5c7c562b82428d65044db4e1cb64384328e84cfc26d112808e47b61440bef7833a2995b96e880f2

Download Submit
C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
64KB

MD5
85095f9cab667f1a699778c8234ddd15

SHA1
a48f6a6a0bcdcd5655e76c3352dce41e1a681ccc

SHA256
e42478dc83c01650ef16aab9c637d8006d7ec86e14ad6907c745223289268752

SHA512
f59a0887eafb0da04b57f68c3d48c2078e28fcaa614172cf02d25a93215a96555ab3fad00bf38d114d87905decffef4f9309adcc6bb39212d9d7eea4036b81d2

Download Submit
C:\Windows\SysWOW64\Ccfmla32.exe

Filesize
64KB

MD5
0122455c6e61a34895acbb0b78d1f4cb

SHA1
a6274f81293a9a90277a25d71708f8a3216d7910

SHA256
7edac1b824c73883853b586f20ab2456bcbe6b8eca14ac4c4b38d67a38692f3b

SHA512
4ac5db9744ae4f856f04e2c72ddf9d803be0c8a1a09b9c989e13a016b736ec7a8847ef795bc5a26db221b5a75f7ad7ae966593a90b6f3920fc242295f7611fb3

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
64KB

MD5
9787352fd100b5bf0e731e86bba5d727

SHA1
f032dcd971f3ae3534a1df639a72bdd1a32981f5

SHA256
f1e15ed07f32785dc44efd6743cb55ca92f13b8af96858a9eb3ee7cc23ee9e87

SHA512
331a8ab1be11996fcd063b4086bf0e51d5824d687904fc0689fe00bb8841b7f4f6dce5709a1d15b00f70ad83fe3d2a58748b125b32c27c7e3fc8c0b541e798cc

Download Submit
C:\Windows\SysWOW64\Chbedh32.exe

Filesize
64KB

MD5
3cd0c36276bbd2481662300e9e9d9cb9

SHA1
fdd0d1de2c12ebed5dd94f01d364bd1b2fe98b3c

SHA256
82c6fa317339b74fb632045c12ebf4bdf3cbb2e789b0c71413b093d332c50a87

SHA512
8afc680be2d4d6a4e14b5b77b81a4a994138ab3ae410b123de431263450d8fb68f9afef6e62baf9e185d34ef18df05eca332c1aada234421a683864a0f2c6031

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
64KB

MD5
a3dff7e48b26dcbb12d7e988477ac95b

SHA1
f577387216cf62aa59815ac8563a344b62c49b2d

SHA256
30a8eceae224b8165dc428dbb29a5cf873e5579fe8601794fe65e632dc521c12

SHA512
61ce42dd2dc26e65ba435c48c754e6de56c93b1471140063400df88788c1cffc5000599eac028ba9e2dee6c6f3ab529a72f0e4dd8bc2adcdd212a3c72b6ff4f8

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
64KB

MD5
42e6b5c56173edb4f6214ea73b5c2e8a

SHA1
ff9c27d25520dc8067607a38baf1b274e1dafc3a

SHA256
317b25f12ee0eed174e9d42e3d5cf03fdc972c1c43f9fac336e4a27d15a35749

SHA512
30ac603de85661f8d49c21ef04493dc9390775c739e764e0e697dd916e52e59e0a552069966fe9b6d5bbfe15166515cff44a119f4e0721765249808bf51390a3

Download Submit
C:\Windows\SysWOW64\Cimhckeo.exe

Filesize
64KB

MD5
369dc7f36ab484f2b69657cd2535ca6c

SHA1
32642ba2021efd5bad01d6796b5f16967983f5ac

SHA256
bd4c7b592a385363640283ec25f5104b614e45016eb0ff21e2a23cf9a8adb1a3

SHA512
2b5d879ef2d29d3ccae143c1efeca808f6f2c18d883f2b8bb08f1da4e31fe57f3071e6fedba13075e2835bab33fb762f6ee8c37348008b5c0741509379de11e5

Download Submit
C:\Windows\SysWOW64\Clihig32.exe

Filesize
64KB

MD5
d3f4e40c105d962b618875c2888aa621

SHA1
175a3858b15e866f27b00d35c7d891f6a050ee70

SHA256
c5a371070b01634a389190c96e92035018bb7e9ab1fac18388508a1354165129

SHA512
33d32198082026979c836395743375c4656d0f064832000de0ac2f284b8762397164c1143e57305a31a11afcb96fcb7474e55da75c7cbd72e094761babae1eb3

Download Submit
C:\Windows\SysWOW64\Clldogdc.exe

Filesize
64KB

MD5
99edd7bc38ac64b89ca89bccafc6187b

SHA1
606b0ff5c7fcdfc3359fa53173c89e896e74ee28

SHA256
429548fa8f79e09d62907984073c74761230349ab73bcc7ac0b59fd8d18c58ab

SHA512
db95d197a860f41f59a83a65cdc352423b35b77a8392ecf211d8d6968e3c05d148c88c765d8103500341e0e8a28f0550c9ed9ea9ae7ed381bfa7209f44a12d78

Download Submit
C:\Windows\SysWOW64\Clldogdc.exe

Filesize
64KB

MD5
8eca2dac9a5429d06b6e597b25db6e4b

SHA1
7e848ebe171f150e17d75e322dfabad597eef8d1

SHA256
bc306380dd64b5a864179306c04d945264700bbb4f95ec6b06dfce9519332877

SHA512
dd94fd04c332636171104c58d36178134104972924fe51fcae461a38d20499aaf4e8076e984619a9b54be9ee046f042bf38c11f180110d881361a23c4fbd5ad3

Download Submit
C:\Windows\SysWOW64\Cohdebfi.exe

Filesize
64KB

MD5
7cc930f269aa7ff40e014c65a0f278a2

SHA1
0e032d557d04f7281cb7a781a930b52702aec99c

SHA256
ea8c0dcf0b72e7e61ce2d9af9d53c3c75f4c96c45460550edd055ad7777816cd

SHA512
73b1cccee6ad2453342c0eedb4900e79316a80fdab65f6fde9025c336ca1336d5664b91b9e9f6541939982cfb2c4eaa89eb504fa8b5d98589daf46bad39140d3

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
64KB

MD5
8c6f7598c2bb6d1486534ba81db565e6

SHA1
9186e87664d26aa009a21a5acb8211dc064ead9e

SHA256
030e0cc77b2e57c93a94425be43d2925a56a60e6c83bc5cbc9fb5f96dfc3a8be

SHA512
330e4e14367af2f373ab1719545b756cb6763d4be7bbe72ea86c04258a3954d499e820479ce9ea9bc29ef67bd21e017b01128c80e1dfb0a634bf7adaeb2c0dbb

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
64KB

MD5
917842aaaa68e48c675ffbbbf962afb9

SHA1
798d1855482b81271fe1afcf5455cd85cf27a095

SHA256
31f1c8a07c74419fdf42c1011ec1531137854a04b966d2ca9902b7688b466c9d

SHA512
347873f8342cadd6d57242059810ff96030425aa3a4b5712f120e96083d6f9c837d96f64e440e5be2e3337476517ba6ba8472b4517c2eaf9ea72c06d22627ff7

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
64KB

MD5
90540645db3c631def408ef82fa92ea8

SHA1
ba4a93660e88f566fbdacdbe6f1f7d995ca958e5

SHA256
67780faabdb9c0d105409e512e056922634b9993814071e75b1488feed92d460

SHA512
c4e9a1f75ee15f8b827ded00d11230db5973d829e57baf02617135c0d24cab0fab32532802c5640b1061da89c55ed0394fa7221c60f44e41ba6dd6ee56a35b70

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
64KB

MD5
abd93e048ac25870bff5085efeda8a17

SHA1
9418e721ba9525b454bf6b9dc5e8e90615d55ed3

SHA256
62592d1a7061e2710d31c420f7403a4bd175a32b96bf3ca6ea0fe76a2d5cf5bb

SHA512
79a5709cdfb2bdd057cc980e89e80747782f7ffd42489f7e93b795c36b09ae2a09b66d832c95595df4c1ad9366ef54a32681b4df5a5dd3a74809a91381daa9c0

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
64KB

MD5
4ab64445eb8650f3312fe913fc207bed

SHA1
ab5e48eaa8a1706d8de5e400e4f21586747f0d9a

SHA256
23eb3016355c231be38a931bcd0d77afae071bb81999e678f49b8ce6c03195de

SHA512
438c47226806742fc3c67296d973cff0b0837511208c3a3bee79ac79805f769bb9d219cee847b0c4cc804e71c2fa4ce41a510a5823598d1d140e82882f97052c

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
64KB

MD5
5f609bad996fa8c25b46e2af4af74e7f

SHA1
b9b44864b57851bd82d332947e52627632383b39

SHA256
954fad61722dced74f142adee9fe3d18b3ba0915a4cfbfcc4b7a256054affe13

SHA512
3677ac62bf5581dfbf6e56c5429c8021db18b097a73a1b8f062c8e19d1f2d36c1952160882fea57a0dd91327e93fd33a3a9f36ca19c974ebad8e0212a324f958

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
64KB

MD5
940cb226c78d976cbc3c9decaffa7819

SHA1
8b562608c1107a1d730f0bf67a4847bf7e3513df

SHA256
c1136c54ac5ff864a0eac04bd604de5436882d06c25d39df772af0db43d70b5b

SHA512
614ac05ea6c6a02d30319e7fe14fdf6ed105125e631f6505f90a96b31678fe81bbeacb84ac03f205704fce7bbbfaa11586fe682c5fbb0b584e3edef600741ec3

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
64KB

MD5
aaac34b914ee6b7dff898dc5ace230fa

SHA1
79d94dd0abb2f8f9e787106f8656df0e89533a6e

SHA256
93d0ffb6aff8d6d7d8dcefbfcde0a9ca341ae43ee34111dffc8bf40ef42224d2

SHA512
f0802dba5c402188ca58d669e602a5f0749586851ffbf4a5d115b8c251c10c7f5dbc603474e648feaccc5747be948558016790ca7a128b095e04a0c6f0942ef3

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
64KB

MD5
e6aaaa8a3b2f926f4ecce41c55c0e2bc

SHA1
84c98a7d5791d2b962a9fc88f27e926254323d02

SHA256
9efb4a42df71314a12eb137e94dac9e75e0ac36360b78e06d9e253ca2e9916d0

SHA512
3cfb6a2f88301a65a7a6538a29d5b718b031ef37488510a1f5f7081b67bc0efae8e7fa609c061f4cb20309cf50c7521af74fb2989055920370b19bd7cc02d9cd

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
64KB

MD5
eff24f21486473e78128236d54524443

SHA1
891499fbb0bd03a47a28f8db9f6826b474169ae8

SHA256
cd86c34da0b63eed2a417369c1073ac764dddc63bbcbd7c19fff51acbd30e101

SHA512
f1ac66a7476589e2b81c4f87e779d183580621800b71877028c065ffdd639e33b3648478dbf54b5c982b79bd4afbc03d30b2fdb72fbabf413dab0faa00004cc0

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
64KB

MD5
581cef8ecc825645f7305a1c2345309d

SHA1
1ef90ed2be38bda7ff84bb1907aff457e19e5857

SHA256
9e87aa2da770aebc0efab5548bb8b451e407914d2c2fbdbb52472c92e3374855

SHA512
c158c41167214fe2995a7789e6eafce7cb9d4a9f6ff2607234ff90d416f2dfaed40558d249cb0472f0ecaa983b419b8665a19c47f8f4a8995e76e58dea178ca6

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
64KB

MD5
cd1979514200ac1dca1325cb3d6080ed

SHA1
86cea7f1119aeaa98bc1f6341c30ca6ec4ff38c6

SHA256
10afff92c8b3004e8ed828a7213161351d4f465ac1144105fd03b1b3b09c08bf

SHA512
92d9c4d6d88c075b4249f0a24ac7a447e31c24ec5fef7dd63c2aef392739f2d44bcc90fc8e1c7d2f08795904fac5d442610c10631325e2784bc55faf64ada869

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
64KB

MD5
5dcc280a8a6cb676b7bc5495fb7ca7b9

SHA1
67d3f4de5b17c5440bfa4f2b51e0049e0c522600

SHA256
4b9b31679252a00ef05e68ace7fe7537be512d77d0c11abe190de591ed4fe657

SHA512
d271191e5ecb8aa4e034ee2b97ac9a34cd2bdf9ae9cab1775ba3d6a018b9fd42d65a18f120822a271054e72379f72d806e3d9c89764613c585e501da9f54d14f

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
64KB

MD5
64ea57467f61d3eae637ace66b23f0ab

SHA1
0e606b9c5a4840404579e9d05b2c3682531ef152

SHA256
6b10222a0a36e6902baacf915e5ca1563692d0f5af497ff6b17b751145e54cb9

SHA512
831c9adef96b82b4b16eb8cba92e2440c73ecbd6ce221dd7c82d2b83bbfe9fdcf6c3e9137d3a5fae709c9d9667baf48e02463ad23ca1c6bf7674273b8e4492c7

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
64KB

MD5
ed81e38e94115990670f5fa3d2025947

SHA1
dfba7afb0bbd2a7465fc2dea39a89924ddd6a4c1

SHA256
56743f4f9f2cb832e0420821d778609471d4b681b6f8835e72a2ae8aa6a56bca

SHA512
9e66bd60d4553e329c6815717d59df4b1082196a1479a31441524ceee45ad4058d474edf1bdaaa1f234a19b8ad57b30237e02577b79477a4bfde4f1c923a6a0e

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
64KB

MD5
b6b369d752915fc895b1cc32a5c34ecf

SHA1
6667d1e257aa8303f5247e34212c7b9f690ecb63

SHA256
a1a544f6106c8ee6da6844dcf239028d4123e21a343d3a737d3b54932135ac86

SHA512
9452086a14be759ea688592890e1a54c083f0a33ba57e2062ef2e82a0a33ec59a25d61a91fc3d55fe0d93628f61f70d451a4f47395ec984f41050c516d5132e5

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
64KB

MD5
33bcc0032685b02297ef40fdabaa35e6

SHA1
55ee7619bb9ddfe3b566f261ed7db64997199c4c

SHA256
ea7d65b85c214c711e93c7fd08ef333ca6c221e544c39888bf4e628e25445aa5

SHA512
6337f664d7f05811e754bbbd9c315729f2015558729c3b9c2bf119c65003625710ca315454ccc322d9358eed3bf46be082fd70da8e2af2fb62f6616d9961bd86

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
64KB

MD5
f6082131bd3f8a34656a8de92cf91352

SHA1
4d57e19c6ac74ac919eef5daa51aa54604d97022

SHA256
3116bd36cbaeb9f44a4bf25b9cd793651ec794e6df8a6914ab983dfda25c4ef1

SHA512
293d695d15d211c93d618f3dfe0ed2205e1bbf600894b464a4f6861f794f75d59f3204ff766a42e17a256f1a6d0d53081e1d0548cc5b696e4cd953c481055e50

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
64KB

MD5
045ccda185dd98a20b423a963bbfbfcc

SHA1
41c6a12f9ca4d5409ecae5c030d486f012e838d3

SHA256
03fa30ec284b9bae0c92925f158669afb0ffa646cb7c57718c8172ec2ac854b3

SHA512
4ee8d0f4ce652cc287d5e5ae7803367d290aa2b562beed48a6c22a6d0e6c89142351d9a0e649fa08c97f5094eb83cdd9bccdf5277779152dfbbd909f0819b7d3

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
64KB

MD5
b3845addd18c943a6be85d4f17d53506

SHA1
b29ccaaabcc48e67cbc1d3244b203555be5b3a68

SHA256
638dac74c1c090bc0499aa1a9f9de4739ff635ab95d802ff5ab2bb97a46976de

SHA512
d281072798c366610be89d70f9e6b21559075ace17d26aa9088b3f4e954048ad725e5b9dec27c18a1ccfc7ff34a143b475b218a331a519d39210e16f2d02e3e9

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
64KB

MD5
9bce32c300263597e0952f07f9909c4c

SHA1
932cb843ccf61c5650ca5cc06c3ecd07b401511f

SHA256
95fe5b46ad48579e9acfcfa5fd806578d9b3e712eabcfeb98a656edcb8968f78

SHA512
dcd96a37ce93e1122e80059a7e67743d37d5d2d2f03584ffaf7932a3978b3d3105345c42738d3402685f519c6ccde0d29c7bcb0f2261a547eb9dac72988903d0

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
64KB

MD5
8a344fb8009f22c981e2846198dff139

SHA1
cbd8e859f57f784fcbb0159a9b98f7a65d28e39a

SHA256
a63c07c34e7ce3cbf19c5780593c74dbbf7101c85df0ed13384ecf32d252144b

SHA512
945130d7ad761301dcd263a6d75aca362e5557f08f812c675e8a2485a1f177b955a7be7c6efa2eeed3f0c5c5399668f53ae87afbc24e59a97e8c94024a352a88

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
64KB

MD5
c648a5f61142472572f0a3cbe2390112

SHA1
5d0aedabf0914842722fe6211ab7a33b88f79405

SHA256
91b4c4367685ca82683aa0304dc0b8d7a5e2d19afcd01975de703dec658de619

SHA512
a982cecbc08dd04c89e1b6fed814d4d36a9624482c76eb6e57350bf52972225ce8a9ada4cd429d54d516b254c383a1a25a4d7ff9a596ddce0012f6d3a6fadead

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
64KB

MD5
2f62aa9e751ec7c4b992b8d6c3097aaf

SHA1
55608b1b0934ec467be1cc6f4a632e56dda6eaf9

SHA256
155ea7642ea88d5baf634d964c4cec1280b4bc0330dbb4c021d2f2e7eb9e8c8c

SHA512
bea0ff62252d36526aa0d2da47663ef6b73558d035cf44287bfcc969e2cc29c4ec4fbc789581f58ad2d8dc5a4294b39059a79ce31c59ae33437a3001e5a9a926

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
64KB

MD5
b5a9ca4a704954a588c9d351850cc01d

SHA1
f551a78b077726c049f16dae80b326a689b12456

SHA256
521ce57c66e2b62508c4d6e5b6547827df00cabd3e26892ec94dcd6cd0f93d0e

SHA512
866c467d9b167e1775fe955f3247bf3e733b1a92ef5e5367f57d32b307ae2407b808b53140600c2340a22bbf27f0043d51c95bee65ce4828d1d014098ea4f93e

Download Submit
memory/64-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/216-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/440-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/760-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1568-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1852-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1872-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3084-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3132-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3272-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3408-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3472-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3536-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3736-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3768-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-121-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4056-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4176-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4224-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4276-415-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4652-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4984-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6400-2037-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7212-2027-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7336-2044-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7352-2036-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7376-2055-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7500-2054-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7660-2052-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7704-2031-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7744-2041-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7856-2030-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7896-2049-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7976-2048-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8040-2047-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8072-2038-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8204-2026-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8212-2001-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8272-2000-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8352-1999-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8480-1997-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8536-2018-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8588-2017-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8624-2016-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8752-2013-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8920-2009-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8960-2008-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9004-2007-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads