e9c3ff9076374987e6cdc823794d97792e86f2801ff5c3a70e348e7b8c9120e4

Analysis

max time kernel
114s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 04:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e9c3ff9076374987e6cdc823794d97792e86f2801ff5c3a70e348e7b8c9120e4.exe
Size

64KB
MD5

0167cf85db0c06fe9f858a1dd01691d9
SHA1

cdc013d34d7cc1d50ef8b4de4a9da3dd783f9217
SHA256

e9c3ff9076374987e6cdc823794d97792e86f2801ff5c3a70e348e7b8c9120e4
SHA512

3887d15f0b3dc930bc64d8390b56289769a677895dd2753f41a5c8e4955281748e4e882966ce3b945d9c44eb99023b9f25d08ccacd5d7f0fae52fb639e10e886
SSDEEP

1536:HOv5EM5k96wW6Mo6dgIe9FfR28MV1iL+iALMH6:HOv5E79Nzn95MV1iL+9Ma

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbfcmhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeaanjkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoeieolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibafp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkpmdbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofgpikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebgpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipgkjlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbaclegm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnmbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmolepp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmohno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieagmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmgiaig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgccb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiigadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioolkncg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emmkiclm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmechmip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljfhqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bojomm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefgbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipflihfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkeekk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odhifjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkbcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbanbmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnlkfal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kifojnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkgpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iciaqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilafiihp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gljgbllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnkggfkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njinmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojefobm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmmbbejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbjkngo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eppqqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Madjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blielbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllokajf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iehmmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjnifbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kqbdldnq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnlkedai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haoimcgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmmbbejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmoohe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hildmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkhgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkbmqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knhakh32.exe

Executes dropped EXE 64 IoCs

pid	Process
4620	Hpomcp32.exe
444	Hkeaqi32.exe
4708	Haoimcgg.exe
2204	Hjjnae32.exe
4244	Hpdfnolo.exe
4572	Hkjjlhle.exe
2668	Qebhhp32.exe
1532	Akffafgg.exe
3888	Aodogdmn.exe
976	Bmlilh32.exe
2004	Bmabggdm.exe
5044	Bbnkonbd.exe
4928	Cihclh32.exe
1316	Ccmgiaig.exe
4012	Cijpahho.exe
4140	Ccpdoqgd.exe
2904	Ckkiccep.exe
1888	Cfqmpl32.exe
4508	Cfcjfk32.exe
4536	Cmmbbejp.exe
2764	Dfefkkqp.exe
4224	Dmoohe32.exe
5104	Dfgcakon.exe
4016	Dpphjp32.exe
2592	Dlghoa32.exe
4212	Dbqqkkbo.exe
3120	Dmfeidbe.exe
264	Dcpmen32.exe
4104	Djjebh32.exe
2972	Ecbjkngo.exe
4228	Ecefqnel.exe
4332	Emmkiclm.exe
2080	Eplgeokq.exe
4480	Ejalcgkg.exe
4596	Efhlhh32.exe
4164	Eppqqn32.exe
2720	Ejfeng32.exe
1120	Fpbmfn32.exe
3728	Fikbocki.exe
2100	Fpejlmcf.exe
1744	Fjjnifbl.exe
4856	Fpggamqc.exe
3084	Fbfcmhpg.exe
5064	Flngfn32.exe
4816	Fbhpch32.exe
4752	Fibhpbea.exe
4584	Fffhifdk.exe
4136	Gpnmbl32.exe
4976	Gigaka32.exe
880	Gfkbde32.exe
1576	Giinpa32.exe
4888	Gbabigfj.exe
3572	Gljgbllj.exe
3808	Gkkgpc32.exe
1152	Glldgljg.exe
4204	Gbfldf32.exe
1588	Hmlpaoaj.exe
4380	Hbhijepa.exe
4944	Hibafp32.exe
4908	Hplicjok.exe
3856	Hckeoeno.exe
2340	Hkbmqb32.exe
224	Hlcjhkdp.exe
3384	Hcmbee32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mlkpophj.dll	Hlglidlo.exe
File opened for modification	C:\Windows\SysWOW64\Hlkfbocp.exe	Gngeik32.exe
File created	C:\Windows\SysWOW64\Kolabf32.exe	Khbiello.exe
File created	C:\Windows\SysWOW64\Jgbchj32.exe	Jokkgl32.exe
File created	C:\Windows\SysWOW64\Falmlm32.dll	Joekag32.exe
File created	C:\Windows\SysWOW64\Cqglioac.dll	Nghekkmn.exe
File opened for modification	C:\Windows\SysWOW64\Ojgjndno.exe	Oejbfmpg.exe
File created	C:\Windows\SysWOW64\Iogkekkb.dll	Cbbnpg32.exe
File created	C:\Windows\SysWOW64\Imnocf32.exe	Iefgbh32.exe
File opened for modification	C:\Windows\SysWOW64\Jahqiaeb.exe	Jojdlfeo.exe
File created	C:\Windows\SysWOW64\Pbekii32.exe	Padnaq32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnnimak.exe	Bbhildae.exe
File created	C:\Windows\SysWOW64\Haoimcgg.exe	Hkeaqi32.exe
File created	C:\Windows\SysWOW64\Cijpahho.exe	Ccmgiaig.exe
File opened for modification	C:\Windows\SysWOW64\Efhlhh32.exe	Ejalcgkg.exe
File created	C:\Windows\SysWOW64\Cdkifmjq.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Oejbfmpg.exe	Olanmgig.exe
File opened for modification	C:\Windows\SysWOW64\Ddgplado.exe	Dbicpfdk.exe
File opened for modification	C:\Windows\SysWOW64\Imnocf32.exe	Iefgbh32.exe
File created	C:\Windows\SysWOW64\Bdmmeo32.exe	Amcehdod.exe
File opened for modification	C:\Windows\SysWOW64\Hkeaqi32.exe	Hpomcp32.exe
File created	C:\Windows\SysWOW64\Knknhqjn.dll	Dcpmen32.exe
File opened for modification	C:\Windows\SysWOW64\Bkjiao32.exe	Baadiiif.exe
File opened for modification	C:\Windows\SysWOW64\Ehlhih32.exe	Ebaplnie.exe
File opened for modification	C:\Windows\SysWOW64\Iiopca32.exe	Ibegfglj.exe
File opened for modification	C:\Windows\SysWOW64\Bbhildae.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Fdnnlj32.dll	Ckjbhmad.exe
File created	C:\Windows\SysWOW64\Gkgmdnki.dll	Dmohno32.exe
File created	C:\Windows\SysWOW64\Kcndbp32.exe	Kmdlffhj.exe
File created	C:\Windows\SysWOW64\Bdpkjpdi.dll	Lkalplel.exe
File created	C:\Windows\SysWOW64\Jebiel32.dll	Nmigoagp.exe
File opened for modification	C:\Windows\SysWOW64\Knalji32.exe	Jjafok32.exe
File created	C:\Windows\SysWOW64\Gdencf32.dll	Napjdpcn.exe
File created	C:\Windows\SysWOW64\Fnadil32.dll	Ebgpad32.exe
File created	C:\Windows\SysWOW64\Hhjhdagb.dll	Hblkjo32.exe
File created	C:\Windows\SysWOW64\Bkamodje.dll	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Blnlefae.dll	Cfqmpl32.exe
File created	C:\Windows\SysWOW64\Jbqaei32.dll	Dlghoa32.exe
File created	C:\Windows\SysWOW64\Gjimmmpe.dll	Fffhifdk.exe
File opened for modification	C:\Windows\SysWOW64\Malpia32.exe	Mjahlgpf.exe
File opened for modification	C:\Windows\SysWOW64\Jmbhoeid.exe	Joahqn32.exe
File created	C:\Windows\SysWOW64\Lahoec32.dll	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Fpggamqc.exe	Fjjnifbl.exe
File created	C:\Windows\SysWOW64\Iaghgm32.dll	Ldgccb32.exe
File created	C:\Windows\SysWOW64\Lkeekk32.exe	Lgjijmin.exe
File created	C:\Windows\SysWOW64\Dmohno32.exe	Ddgplado.exe
File created	C:\Windows\SysWOW64\Pigbqakg.dll	Epmmqheb.exe
File created	C:\Windows\SysWOW64\Iefgbh32.exe	Ipjoja32.exe
File created	C:\Windows\SysWOW64\Dmcnoekk.dll	Impliekg.exe
File opened for modification	C:\Windows\SysWOW64\Pfojdh32.exe	Obqanjdb.exe
File created	C:\Windows\SysWOW64\Gbabigfj.exe	Giinpa32.exe
File opened for modification	C:\Windows\SysWOW64\Omegjomb.exe	Ojgjndno.exe
File created	C:\Windows\SysWOW64\Kiljgf32.dll	Cohkokgj.exe
File opened for modification	C:\Windows\SysWOW64\Bmdkcnie.exe	Bfkbfd32.exe
File created	C:\Windows\SysWOW64\Memfnodb.dll	Dfefkkqp.exe
File opened for modification	C:\Windows\SysWOW64\Ejalcgkg.exe	Eplgeokq.exe
File created	C:\Windows\SysWOW64\Hnibokbd.exe	Hlkfbocp.exe
File created	C:\Windows\SysWOW64\Jiejjepo.dll	Hmpcbhji.exe
File created	C:\Windows\SysWOW64\Binlfp32.dll	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Ngcglo32.dll	Jemfhacc.exe
File created	C:\Windows\SysWOW64\Ljeffhcd.dll	Hmechmip.exe
File opened for modification	C:\Windows\SysWOW64\Jjafok32.exe	Jcgnbaeo.exe
File created	C:\Windows\SysWOW64\Adkgje32.exe	Akccap32.exe
File opened for modification	C:\Windows\SysWOW64\Nabfjpak.exe	Njinmf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10512	11260	WerFault.exe	536

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcndbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpcodihc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngjep32.dll"	Lmgabcge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aolblopj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chiigadc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hblkjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbqqkkbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oacoqnci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgbchj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iloidijb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abklmb32.dll"	Chnbbqpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clahmb32.dll"	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpolbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iialhaad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbfldf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpdegjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdfqocb.dll"	Hfcnpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkhgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmenm32.dll"	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hildmn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnkggfkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdhbmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eppjfgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oakbehfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klggli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfdjaieh.dll"	Injmcmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmcnn32.dll"	Ljobpiql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adkgje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gigaka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlfpdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhoneioi.dll"	Jgkdbacp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdglf32.dll"	Nlkgmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bojomm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fimhjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaclkia.dll"	Hpqldc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lobjni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmfdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgicnp32.dll"	Dgeenfog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gngeik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcpmen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opkpck32.dll"	Hibafp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnohlgep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbijpeo.dll"	Onnmdcjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfkbfh32.dll"	Aefjii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qejpnh32.dll"	Iialhaad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafhkhce.dll"	Ecefqnel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eppqqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjafok32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 4620	3904	e9c3ff9076374987e6cdc823794d97792e86f2801ff5c3a70e348e7b8c9120e4.exe	91
PID 3904 wrote to memory of 4620	3904	e9c3ff9076374987e6cdc823794d97792e86f2801ff5c3a70e348e7b8c9120e4.exe	91
PID 3904 wrote to memory of 4620	3904	e9c3ff9076374987e6cdc823794d97792e86f2801ff5c3a70e348e7b8c9120e4.exe	91
PID 4620 wrote to memory of 444	4620	Hpomcp32.exe	92
PID 4620 wrote to memory of 444	4620	Hpomcp32.exe	92
PID 4620 wrote to memory of 444	4620	Hpomcp32.exe	92
PID 444 wrote to memory of 4708	444	Hkeaqi32.exe	93
PID 444 wrote to memory of 4708	444	Hkeaqi32.exe	93
PID 444 wrote to memory of 4708	444	Hkeaqi32.exe	93
PID 4708 wrote to memory of 2204	4708	Haoimcgg.exe	94
PID 4708 wrote to memory of 2204	4708	Haoimcgg.exe	94
PID 4708 wrote to memory of 2204	4708	Haoimcgg.exe	94
PID 2204 wrote to memory of 4244	2204	Hjjnae32.exe	95
PID 2204 wrote to memory of 4244	2204	Hjjnae32.exe	95
PID 2204 wrote to memory of 4244	2204	Hjjnae32.exe	95
PID 4244 wrote to memory of 4572	4244	Hpdfnolo.exe	97
PID 4244 wrote to memory of 4572	4244	Hpdfnolo.exe	97
PID 4244 wrote to memory of 4572	4244	Hpdfnolo.exe	97
PID 4572 wrote to memory of 2668	4572	Hkjjlhle.exe	99
PID 4572 wrote to memory of 2668	4572	Hkjjlhle.exe	99
PID 4572 wrote to memory of 2668	4572	Hkjjlhle.exe	99
PID 2668 wrote to memory of 1532	2668	Qebhhp32.exe	100
PID 2668 wrote to memory of 1532	2668	Qebhhp32.exe	100
PID 2668 wrote to memory of 1532	2668	Qebhhp32.exe	100
PID 1532 wrote to memory of 3888	1532	Akffafgg.exe	101
PID 1532 wrote to memory of 3888	1532	Akffafgg.exe	101
PID 1532 wrote to memory of 3888	1532	Akffafgg.exe	101
PID 3888 wrote to memory of 976	3888	Aodogdmn.exe	102
PID 3888 wrote to memory of 976	3888	Aodogdmn.exe	102
PID 3888 wrote to memory of 976	3888	Aodogdmn.exe	102
PID 976 wrote to memory of 2004	976	Bmlilh32.exe	103
PID 976 wrote to memory of 2004	976	Bmlilh32.exe	103
PID 976 wrote to memory of 2004	976	Bmlilh32.exe	103
PID 2004 wrote to memory of 5044	2004	Bmabggdm.exe	104
PID 2004 wrote to memory of 5044	2004	Bmabggdm.exe	104
PID 2004 wrote to memory of 5044	2004	Bmabggdm.exe	104
PID 5044 wrote to memory of 4928	5044	Bbnkonbd.exe	105
PID 5044 wrote to memory of 4928	5044	Bbnkonbd.exe	105
PID 5044 wrote to memory of 4928	5044	Bbnkonbd.exe	105
PID 4928 wrote to memory of 1316	4928	Cihclh32.exe	106
PID 4928 wrote to memory of 1316	4928	Cihclh32.exe	106
PID 4928 wrote to memory of 1316	4928	Cihclh32.exe	106
PID 1316 wrote to memory of 4012	1316	Ccmgiaig.exe	108
PID 1316 wrote to memory of 4012	1316	Ccmgiaig.exe	108
PID 1316 wrote to memory of 4012	1316	Ccmgiaig.exe	108
PID 4012 wrote to memory of 4140	4012	Cijpahho.exe	109
PID 4012 wrote to memory of 4140	4012	Cijpahho.exe	109
PID 4012 wrote to memory of 4140	4012	Cijpahho.exe	109
PID 4140 wrote to memory of 2904	4140	Ccpdoqgd.exe	110
PID 4140 wrote to memory of 2904	4140	Ccpdoqgd.exe	110
PID 4140 wrote to memory of 2904	4140	Ccpdoqgd.exe	110
PID 2904 wrote to memory of 1888	2904	Ckkiccep.exe	111
PID 2904 wrote to memory of 1888	2904	Ckkiccep.exe	111
PID 2904 wrote to memory of 1888	2904	Ckkiccep.exe	111
PID 1888 wrote to memory of 4508	1888	Cfqmpl32.exe	112
PID 1888 wrote to memory of 4508	1888	Cfqmpl32.exe	112
PID 1888 wrote to memory of 4508	1888	Cfqmpl32.exe	112
PID 4508 wrote to memory of 4536	4508	Cfcjfk32.exe	113
PID 4508 wrote to memory of 4536	4508	Cfcjfk32.exe	113
PID 4508 wrote to memory of 4536	4508	Cfcjfk32.exe	113
PID 4536 wrote to memory of 2764	4536	Cmmbbejp.exe	114
PID 4536 wrote to memory of 2764	4536	Cmmbbejp.exe	114
PID 4536 wrote to memory of 2764	4536	Cmmbbejp.exe	114
PID 2764 wrote to memory of 4224	2764	Dfefkkqp.exe	115

C:\Users\Admin\AppData\Local\Temp\e9c3ff9076374987e6cdc823794d97792e86f2801ff5c3a70e348e7b8c9120e4.exe
"C:\Users\Admin\AppData\Local\Temp\e9c3ff9076374987e6cdc823794d97792e86f2801ff5c3a70e348e7b8c9120e4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\SysWOW64\Hpomcp32.exe
  C:\Windows\system32\Hpomcp32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\SysWOW64\Hkeaqi32.exe
    C:\Windows\system32\Hkeaqi32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\Windows\SysWOW64\Haoimcgg.exe
      C:\Windows\system32\Haoimcgg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Windows\SysWOW64\Hjjnae32.exe
        
        C:\Windows\system32\Hjjnae32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\SysWOW64\Hpdfnolo.exe
        
        C:\Windows\system32\Hpdfnolo.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Hkjjlhle.exe
        
        C:\Windows\system32\Hkjjlhle.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Qebhhp32.exe
        
        C:\Windows\system32\Qebhhp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Akffafgg.exe
        
        C:\Windows\system32\Akffafgg.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Aodogdmn.exe
        
        C:\Windows\system32\Aodogdmn.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Bmlilh32.exe
        
        C:\Windows\system32\Bmlilh32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Bmabggdm.exe
        
        C:\Windows\system32\Bmabggdm.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Bbnkonbd.exe
        
        C:\Windows\system32\Bbnkonbd.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Cihclh32.exe
        
        C:\Windows\system32\Cihclh32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Ccmgiaig.exe
        
        C:\Windows\system32\Ccmgiaig.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Cijpahho.exe
        
        C:\Windows\system32\Cijpahho.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Ccpdoqgd.exe
        
        C:\Windows\system32\Ccpdoqgd.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Ckkiccep.exe
        
        C:\Windows\system32\Ckkiccep.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Cfqmpl32.exe
        
        C:\Windows\system32\Cfqmpl32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Cfcjfk32.exe
        
        C:\Windows\system32\Cfcjfk32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Cmmbbejp.exe
        
        C:\Windows\system32\Cmmbbejp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Dfefkkqp.exe
        
        C:\Windows\system32\Dfefkkqp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Dmoohe32.exe
        
        C:\Windows\system32\Dmoohe32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\Dfgcakon.exe
        
        C:\Windows\system32\Dfgcakon.exe
        24⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Dpphjp32.exe
        
        C:\Windows\system32\Dpphjp32.exe
        25⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Dlghoa32.exe
        
        C:\Windows\system32\Dlghoa32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Dbqqkkbo.exe
        
        C:\Windows\system32\Dbqqkkbo.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Dmfeidbe.exe
        
        C:\Windows\system32\Dmfeidbe.exe
        28⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Dcpmen32.exe
        
        C:\Windows\system32\Dcpmen32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Djjebh32.exe
        
        C:\Windows\system32\Djjebh32.exe
        30⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Ecbjkngo.exe
        
        C:\Windows\system32\Ecbjkngo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Ecefqnel.exe
        
        C:\Windows\system32\Ecefqnel.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Emmkiclm.exe
        
        C:\Windows\system32\Emmkiclm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Eplgeokq.exe
        
        C:\Windows\system32\Eplgeokq.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Ejalcgkg.exe
        
        C:\Windows\system32\Ejalcgkg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Efhlhh32.exe
        
        C:\Windows\system32\Efhlhh32.exe
        36⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Eppqqn32.exe
        
        C:\Windows\system32\Eppqqn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Ejfeng32.exe
        
        C:\Windows\system32\Ejfeng32.exe
        38⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\Fpbmfn32.exe
        
        C:\Windows\system32\Fpbmfn32.exe
        39⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\Fikbocki.exe
        
        C:\Windows\system32\Fikbocki.exe
        40⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\Fpejlmcf.exe
        
        C:\Windows\system32\Fpejlmcf.exe
        41⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\Fjjnifbl.exe
        
        C:\Windows\system32\Fjjnifbl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\Fpggamqc.exe
        
        C:\Windows\system32\Fpggamqc.exe
        43⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Fbfcmhpg.exe
        
        C:\Windows\system32\Fbfcmhpg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Flngfn32.exe
        
        C:\Windows\system32\Flngfn32.exe
        45⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Fbhpch32.exe
        
        C:\Windows\system32\Fbhpch32.exe
        46⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Fibhpbea.exe
        
        C:\Windows\system32\Fibhpbea.exe
        47⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Fffhifdk.exe
        
        C:\Windows\system32\Fffhifdk.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Gpnmbl32.exe
        
        C:\Windows\system32\Gpnmbl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4136
        
        C:\Windows\SysWOW64\Gigaka32.exe
        
        C:\Windows\system32\Gigaka32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Gfkbde32.exe
        
        C:\Windows\system32\Gfkbde32.exe
        51⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\Giinpa32.exe
        
        C:\Windows\system32\Giinpa32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Gbabigfj.exe
        
        C:\Windows\system32\Gbabigfj.exe
        53⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Gljgbllj.exe
        
        C:\Windows\system32\Gljgbllj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Gkkgpc32.exe
        
        C:\Windows\system32\Gkkgpc32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\SysWOW64\Glldgljg.exe
        
        C:\Windows\system32\Glldgljg.exe
        56⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Gbfldf32.exe
        
        C:\Windows\system32\Gbfldf32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Hmlpaoaj.exe
        
        C:\Windows\system32\Hmlpaoaj.exe
        58⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\Hbhijepa.exe
        
        C:\Windows\system32\Hbhijepa.exe
        59⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Hibafp32.exe
        
        C:\Windows\system32\Hibafp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Hplicjok.exe
        
        C:\Windows\system32\Hplicjok.exe
        61⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Hckeoeno.exe
        
        C:\Windows\system32\Hckeoeno.exe
        62⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Hkbmqb32.exe
        
        C:\Windows\system32\Hkbmqb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\Hlcjhkdp.exe
        
        C:\Windows\system32\Hlcjhkdp.exe
        64⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Hcmbee32.exe
        
        C:\Windows\system32\Hcmbee32.exe
        65⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Higjaoci.exe
        
        C:\Windows\system32\Higjaoci.exe
        66⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\Hpabni32.exe
        
        C:\Windows\system32\Hpabni32.exe
        67⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\Hgkkkcbc.exe
        
        C:\Windows\system32\Hgkkkcbc.exe
        68⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Hmechmip.exe
        
        C:\Windows\system32\Hmechmip.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Hpcodihc.exe
        
        C:\Windows\system32\Hpcodihc.exe
        70⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Hildmn32.exe
        
        C:\Windows\system32\Hildmn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Ipflihfq.exe
        
        C:\Windows\system32\Ipflihfq.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Ikkpgafg.exe
        
        C:\Windows\system32\Ikkpgafg.exe
        73⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Injmcmej.exe
        
        C:\Windows\system32\Injmcmej.exe
        74⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Idcepgmg.exe
        
        C:\Windows\system32\Idcepgmg.exe
        75⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Iknmla32.exe
        
        C:\Windows\system32\Iknmla32.exe
        76⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Iloidijb.exe
        
        C:\Windows\system32\Iloidijb.exe
        77⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Iciaqc32.exe
        
        C:\Windows\system32\Iciaqc32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Ijcjmmil.exe
        
        C:\Windows\system32\Ijcjmmil.exe
        79⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Ilafiihp.exe
        
        C:\Windows\system32\Ilafiihp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Icknfcol.exe
        
        C:\Windows\system32\Icknfcol.exe
        81⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Inqbclob.exe
        
        C:\Windows\system32\Inqbclob.exe
        82⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Idkkpf32.exe
        
        C:\Windows\system32\Idkkpf32.exe
        83⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Jjgchm32.exe
        
        C:\Windows\system32\Jjgchm32.exe
        84⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Jlfpdh32.exe
        
        C:\Windows\system32\Jlfpdh32.exe
        85⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Jdmgfedl.exe
        
        C:\Windows\system32\Jdmgfedl.exe
        86⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Jgkdbacp.exe
        
        C:\Windows\system32\Jgkdbacp.exe
        87⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Jnelok32.exe
        
        C:\Windows\system32\Jnelok32.exe
        88⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Jdodkebj.exe
        
        C:\Windows\system32\Jdodkebj.exe
        89⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Jkimho32.exe
        
        C:\Windows\system32\Jkimho32.exe
        90⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Jlkipgpe.exe
        
        C:\Windows\system32\Jlkipgpe.exe
        91⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Jdaaaeqg.exe
        
        C:\Windows\system32\Jdaaaeqg.exe
        92⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Jnjejjgh.exe
        
        C:\Windows\system32\Jnjejjgh.exe
        93⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Jcgnbaeo.exe
        
        C:\Windows\system32\Jcgnbaeo.exe
        94⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Jjafok32.exe
        
        C:\Windows\system32\Jjafok32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Knalji32.exe
        
        C:\Windows\system32\Knalji32.exe
        96⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Kmdlffhj.exe
        
        C:\Windows\system32\Kmdlffhj.exe
        97⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Kcndbp32.exe
        
        C:\Windows\system32\Kcndbp32.exe
        98⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Kjhloj32.exe
        
        C:\Windows\system32\Kjhloj32.exe
        99⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Kqbdldnq.exe
        
        C:\Windows\system32\Kqbdldnq.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Kglmio32.exe
        
        C:\Windows\system32\Kglmio32.exe
        101⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Knfeeimj.exe
        
        C:\Windows\system32\Knfeeimj.exe
        102⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Kqdaadln.exe
        
        C:\Windows\system32\Kqdaadln.exe
        103⤵
        
        PID:836
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        104⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Knhakh32.exe
        
        C:\Windows\system32\Knhakh32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Kqfngd32.exe
        
        C:\Windows\system32\Kqfngd32.exe
        106⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        107⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Ljobpiql.exe
        
        C:\Windows\system32\Ljobpiql.exe
        108⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Lmmolepp.exe
        
        C:\Windows\system32\Lmmolepp.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Lknojl32.exe
        
        C:\Windows\system32\Lknojl32.exe
        110⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Lnmkfh32.exe
        
        C:\Windows\system32\Lnmkfh32.exe
        111⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Lkalplel.exe
        
        C:\Windows\system32\Lkalplel.exe
        113⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Lnohlgep.exe
        
        C:\Windows\system32\Lnohlgep.exe
        114⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Ldipha32.exe
        
        C:\Windows\system32\Ldipha32.exe
        115⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Ljfhqh32.exe
        
        C:\Windows\system32\Ljfhqh32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Lmdemd32.exe
        
        C:\Windows\system32\Lmdemd32.exe
        117⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Lgjijmin.exe
        
        C:\Windows\system32\Lgjijmin.exe
        118⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Lkeekk32.exe
        
        C:\Windows\system32\Lkeekk32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Lmgabcge.exe
        
        C:\Windows\system32\Lmgabcge.exe
        120⤵
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Madjhb32.exe
        
        C:\Windows\system32\Madjhb32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Mccfdmmo.exe
        
        C:\Windows\system32\Mccfdmmo.exe
        122⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Mjmoag32.exe
        
        C:\Windows\system32\Mjmoag32.exe
        123⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Maggnali.exe
        
        C:\Windows\system32\Maggnali.exe
        124⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Mkmkkjko.exe
        
        C:\Windows\system32\Mkmkkjko.exe
        125⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Mnkggfkb.exe
        
        C:\Windows\system32\Mnkggfkb.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Meepdp32.exe
        
        C:\Windows\system32\Meepdp32.exe
        127⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Mjahlgpf.exe
        
        C:\Windows\system32\Mjahlgpf.exe
        128⤵
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\Malpia32.exe
        
        C:\Windows\system32\Malpia32.exe
        129⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Mcjmel32.exe
        
        C:\Windows\system32\Mcjmel32.exe
        130⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Mjdebfnd.exe
        
        C:\Windows\system32\Mjdebfnd.exe
        131⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Meiioonj.exe
        
        C:\Windows\system32\Meiioonj.exe
        133⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Nghekkmn.exe
        
        C:\Windows\system32\Nghekkmn.exe
        134⤵
        Drops file in System32 directory
        
        PID:6768
        
        C:\Windows\SysWOW64\Napjdpcn.exe
        
        C:\Windows\system32\Napjdpcn.exe
        135⤵
        Drops file in System32 directory
        
        PID:6812
        
        C:\Windows\SysWOW64\Ncofplba.exe
        
        C:\Windows\system32\Ncofplba.exe
        136⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Njinmf32.exe
        
        C:\Windows\system32\Njinmf32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6896
        
        C:\Windows\SysWOW64\Nabfjpak.exe
        
        C:\Windows\system32\Nabfjpak.exe
        138⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Nhmofj32.exe
        
        C:\Windows\system32\Nhmofj32.exe
        139⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Njkkbehl.exe
        
        C:\Windows\system32\Njkkbehl.exe
        140⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Nmigoagp.exe
        
        C:\Windows\system32\Nmigoagp.exe
        141⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Neqopnhb.exe
        
        C:\Windows\system32\Neqopnhb.exe
        142⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Nlkgmh32.exe
        
        C:\Windows\system32\Nlkgmh32.exe
        143⤵
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Njpdnedf.exe
        
        C:\Windows\system32\Njpdnedf.exe
        144⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Odhifjkg.exe
        
        C:\Windows\system32\Odhifjkg.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6308
        
        C:\Windows\SysWOW64\Onnmdcjm.exe
        
        C:\Windows\system32\Onnmdcjm.exe
        146⤵
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Oeheqm32.exe
        
        C:\Windows\system32\Oeheqm32.exe
        147⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Olanmgig.exe
        
        C:\Windows\system32\Olanmgig.exe
        148⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Oejbfmpg.exe
        
        C:\Windows\system32\Oejbfmpg.exe
        149⤵
        Drops file in System32 directory
        
        PID:6576
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        150⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Omegjomb.exe
        
        C:\Windows\system32\Omegjomb.exe
        151⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Olfghg32.exe
        
        C:\Windows\system32\Olfghg32.exe
        152⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Omgcpokp.exe
        
        C:\Windows\system32\Omgcpokp.exe
        153⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        154⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Ohmhmh32.exe
        
        C:\Windows\system32\Ohmhmh32.exe
        155⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Pmlmkn32.exe
        
        C:\Windows\system32\Pmlmkn32.exe
        156⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Pecellgl.exe
        
        C:\Windows\system32\Pecellgl.exe
        157⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Pkpmdbfd.exe
        
        C:\Windows\system32\Pkpmdbfd.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6220
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        159⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Pdhbmh32.exe
        
        C:\Windows\system32\Pdhbmh32.exe
        160⤵
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Pkbjjbda.exe
        
        C:\Windows\system32\Pkbjjbda.exe
        161⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Qeodhjmo.exe
        
        C:\Windows\system32\Qeodhjmo.exe
        162⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Aeaanjkl.exe
        
        C:\Windows\system32\Aeaanjkl.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Aojefobm.exe
        
        C:\Windows\system32\Aojefobm.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6808
        
        C:\Windows\SysWOW64\Aolblopj.exe
        
        C:\Windows\system32\Aolblopj.exe
        165⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        166⤵
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Ahdged32.exe
        
        C:\Windows\system32\Ahdged32.exe
        167⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Akccap32.exe
        
        C:\Windows\system32\Akccap32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6256
        
        C:\Windows\SysWOW64\Adkgje32.exe
        
        C:\Windows\system32\Adkgje32.exe
        169⤵
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Aekddhcb.exe
        
        C:\Windows\system32\Aekddhcb.exe
        170⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Alelqb32.exe
        
        C:\Windows\system32\Alelqb32.exe
        171⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Baadiiif.exe
        
        C:\Windows\system32\Baadiiif.exe
        172⤵
        Drops file in System32 directory
        
        PID:6904
        
        C:\Windows\SysWOW64\Bkjiao32.exe
        
        C:\Windows\system32\Bkjiao32.exe
        173⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Bepmoh32.exe
        
        C:\Windows\system32\Bepmoh32.exe
        174⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Blielbfi.exe
        
        C:\Windows\system32\Blielbfi.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6528
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6836
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        177⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Bojomm32.exe
        
        C:\Windows\system32\Bojomm32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        179⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        180⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        181⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        182⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        183⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        184⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        185⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        186⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Chiigadc.exe
        
        C:\Windows\system32\Chiigadc.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7444
        
        C:\Windows\SysWOW64\Ckhecmcf.exe
        
        C:\Windows\system32\Ckhecmcf.exe
        188⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        189⤵
        Drops file in System32 directory
        
        PID:7556
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        190⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        191⤵
        Drops file in System32 directory
        
        PID:7660
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        192⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        193⤵
        Modifies registry class
        
        PID:7752
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        194⤵
        Drops file in System32 directory
        
        PID:7796
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        195⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        196⤵
        Drops file in System32 directory
        
        PID:7888
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        197⤵
        Drops file in System32 directory
        
        PID:7936
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7980
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        199⤵
        Modifies registry class
        
        PID:8028
        
        C:\Windows\SysWOW64\Ddjmba32.exe
        
        C:\Windows\system32\Ddjmba32.exe
        200⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        201⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        202⤵
        Modifies registry class
        
        PID:8156
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6688
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        204⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Ebgpad32.exe
        
        C:\Windows\system32\Ebgpad32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7320
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        206⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        207⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        208⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        209⤵
        Drops file in System32 directory
        
        PID:7656
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        210⤵
        Modifies registry class
        
        PID:7696
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        211⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        212⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        213⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        214⤵
        Modifies registry class
        
        PID:8008
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        215⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        216⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        217⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        218⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        219⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        220⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        221⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        222⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        223⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        224⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        225⤵
        Modifies registry class
        
        PID:8052
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        226⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        227⤵
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        228⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7396
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7584
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        230⤵
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        231⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        232⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        233⤵
        Drops file in System32 directory
        
        PID:7340
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7624
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        235⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        236⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        237⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        238⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        239⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        240⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        241⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        242⤵
        Drops file in System32 directory
        
        PID:7324
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7976
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        244⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8248
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        246⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        247⤵
        Drops file in System32 directory
        
        PID:8328
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        248⤵
        Drops file in System32 directory
        
        PID:8376
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        249⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        250⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        251⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        252⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        253⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        254⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8704
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        256⤵
        Drops file in System32 directory
        
        PID:8740
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        257⤵
        Modifies registry class
        
        PID:8788
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8836
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        259⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        260⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        261⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        262⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        263⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        264⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        265⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        266⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        267⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        268⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        269⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        270⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        271⤵
        Modifies registry class
        
        PID:8396
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        272⤵
        Modifies registry class
        
        PID:8516
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        273⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        274⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        275⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8768
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        277⤵
        Modifies registry class
        
        PID:8848
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        278⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        279⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        280⤵
        Modifies registry class
        
        PID:9028
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        281⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        282⤵
        Drops file in System32 directory
        
        PID:7636
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        283⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        284⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        285⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        286⤵
        Modifies registry class
        
        PID:8624
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        287⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8728
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8824
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        289⤵
        Modifies registry class
        
        PID:9176
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        290⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        291⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        292⤵
        Modifies registry class
        
        PID:8216
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        293⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        294⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        295⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        296⤵
        Modifies registry class
        
        PID:8888
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        297⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        298⤵
        Drops file in System32 directory
        
        PID:7968
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        299⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        300⤵
        Drops file in System32 directory
        
        PID:8748
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        301⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        302⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        303⤵
        Modifies registry class
        
        PID:9164
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        304⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        305⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        306⤵
        Drops file in System32 directory
        
        PID:9212
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        307⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        308⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        309⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        310⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        311⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9420
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        312⤵
        Modifies registry class
        
        PID:9460
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        313⤵
        Modifies registry class
        
        PID:9508
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        314⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9548
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        315⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        316⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        317⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        318⤵
        Modifies registry class
        
        PID:9720
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        319⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        320⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        321⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9848
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        322⤵
        Drops file in System32 directory
        
        PID:9892
        
        C:\Windows\SysWOW64\Ehlhih32.exe
        
        C:\Windows\system32\Ehlhih32.exe
        323⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        324⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        325⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        326⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        327⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        328⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        329⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        330⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        331⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        332⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        333⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        334⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\Gegkpf32.exe
        
        C:\Windows\system32\Gegkpf32.exe
        335⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        336⤵
        Modifies registry class
        
        PID:9592
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        337⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        338⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        339⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9808
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        340⤵
        Drops file in System32 directory
        
        PID:9884
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        341⤵
        Modifies registry class
        
        PID:9956
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        342⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        343⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        344⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        345⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        346⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        347⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        348⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        349⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9644
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        350⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9708
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        351⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9860
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        352⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        353⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        354⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        355⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        356⤵
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        357⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        358⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        359⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        360⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9784
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        361⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        362⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        363⤵
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        364⤵
        Drops file in System32 directory
        
        PID:9456
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        365⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        366⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        367⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        368⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        369⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9812
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        370⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9268
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        371⤵
        Drops file in System32 directory
        
        PID:9816
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        372⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        373⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        374⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        375⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3748
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        376⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        377⤵
        Modifies registry class
        
        PID:9704
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        378⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        379⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        380⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        381⤵
        Modifies registry class
        
        PID:10400
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        382⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        383⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        384⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        385⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        386⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        387⤵
        
        PID:10660
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        388⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        389⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10748
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        390⤵
        
        PID:10788
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        391⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        392⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        393⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        394⤵
        Modifies registry class
        
        PID:10956
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        395⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10996
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        396⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        397⤵
        
        PID:11084
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        398⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        399⤵
        Drops file in System32 directory
        
        PID:11172
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        400⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        401⤵
        Drops file in System32 directory
        
        PID:10244
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        402⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        403⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        404⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        405⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        406⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        407⤵
        Drops file in System32 directory
        
        PID:10648
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        408⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        409⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        410⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10844
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        411⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        412⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        413⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        414⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        415⤵
        
        PID:11196
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        416⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        417⤵
        Drops file in System32 directory
        
        PID:10364
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        418⤵
        Drops file in System32 directory
        
        PID:10468
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        419⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        420⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        421⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        422⤵
        Modifies registry class
        
        PID:10808
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        423⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10912
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        424⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        425⤵
        Modifies registry class
        
        PID:11076
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        426⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11156
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        427⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        428⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        429⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        430⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        431⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        432⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        433⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        434⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        435⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        436⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11260 -s 400
        437⤵
        Program crash
        
        PID:10512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 11260 -ip 11260
1⤵
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3364 --field-trial-handle=2276,i,1205556100727695622,5044463180471657307,262144 --variations-seed-version /prefetch:8
1⤵
PID:10348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akffafgg.exe

Filesize
64KB

MD5
64f388b258b66f6ed1bf50bb17af71a4

SHA1
42402e0d4d5a95c67d209cd1c192e6dbb7c5959d

SHA256
c31c3c86b4c8f2db794d8d05f6d077d10ca599c43dc1b672f86a3c82e3333f1e

SHA512
a7bf4b932cc09d558042a7fe6ff65245ab13fc3fcb8c601d7db19b0411aac27d5113750bcfcc56b6fc820bcb439ba29cc4d569d6cce1e7809dbe4ad7f5722bf8

Download Submit
C:\Windows\SysWOW64\Alelqb32.exe

Filesize
64KB

MD5
f9dc69ed45a4faafb0c5dd2535ad8f23

SHA1
bffb6fae9dba97ca83b0b291acb3407cf35450be

SHA256
bd9fd74420e7e0d316c0c138ebde27ef1a3d4b558c6ed6350e5aec882ab1babf

SHA512
9ff6723b50b4501549989bb52c6967a3f8c3f24929d3aa15e4c5d19a3a7070653684f7e9025d33e52f8d61a5deca05786f714e2c69fe5d9842135a346e35e294

Download Submit
C:\Windows\SysWOW64\Aodogdmn.exe

Filesize
64KB

MD5
44d97dc8ab9bad334e570afb29963687

SHA1
598fa8bc8097f75f835cdaf244fca78fcbf7ed79

SHA256
5bd4f7cc3fbaf8d35d214601da0ad8103bab3b44fab8c1730f550b78ac8e5992

SHA512
332eabcc810a5a4be531fc8944fb9de41f4809c0c79420c91ec6538a4c195d018c8e5b46c1010542453a21e0404d0c6e1b3d64b6e84541751d1b5b709b5f755e

Download Submit
C:\Windows\SysWOW64\Bbnkonbd.exe

Filesize
64KB

MD5
654e58aa7c30a8d7f77cff93281612ce

SHA1
f8b0c226d47c62d8feb7ba209d9bc516b8ac5034

SHA256
36dcc9155642e55d0bdcc028cbdab2abe6001a47b7a070d8d4fb87b4fb28e268

SHA512
d6c54be49941931e6883d19c5baa4960d6d9240174353cce78a5b2c358bfd8a386814ddccdb3675218e268144288036284c13d0b76514082216c8356c0503458

Download Submit
C:\Windows\SysWOW64\Bmabggdm.exe

Filesize
64KB

MD5
31f67dfc9538b70994754d5f90d31478

SHA1
fed7a9a17e0755742858ca9f0805b66dbc515086

SHA256
6ee82513439653e8859ee097fc4c128a332c3ee730b27422f95d914a3ef90cd7

SHA512
97d2ba4180a22109e107842bdf226f6a42393d105d87630cc1cfa0baf5f5a8348c5677370b4acc1f1da5ac6fddd58508527877e2325a6fa785060d09a1af8354

Download Submit
C:\Windows\SysWOW64\Bmlilh32.exe

Filesize
64KB

MD5
ceab7ad3e25ed0c7d41243ed7081a1d0

SHA1
3c8c622f47b558e94bbe08949735763ecec30b26

SHA256
7764e50ca4ae4e637672ca558c6b044e3b0c0f35267a1d8de72810c162f1f8dc

SHA512
d229c693fcd7adb3abcdf52cf03ed3e7a1cdaf2e45ef6b6dfc28f517c6fc18e5e513f746a2ac774d07bf82f81c094e42b2021ecf21da720299402d18504df383

Download Submit
C:\Windows\SysWOW64\Ccmgiaig.exe

Filesize
64KB

MD5
9f1d7ff96d5a14cb56273169e15b143f

SHA1
2633094215b398402f9c82857dc0c15f520ee382

SHA256
2504f192b7c83e1dc5a94ed800ae4bc63f493d8fc99584f59e70d96aafb1a36a

SHA512
9acf502f61f10236ff59250174715033617e5abf0460bd42b0fa220b88cb908dde5be1626de87f5ce09f0cce7c5b8b9df74ba0255f6a98ade92abd38f23968ef

Download Submit
C:\Windows\SysWOW64\Ccpdoqgd.exe

Filesize
64KB

MD5
83b5fb2956c2398e53c57221b4a69384

SHA1
0cb94ded60bd6996d34c4624313cf7caeac2d329

SHA256
ff3afc86ad537b0a86104c7ce8c9ea7792287960a8d1b8bade45cd025181ce25

SHA512
975bcbab02c2d15442f9127eb13406edc699cfcb4f3cdade506da1c22776642efb2c6ac3cedaf7e5eea6556f3f2c0c8180239e59aa2bdd3ca1a644eafcccf004

Download Submit
C:\Windows\SysWOW64\Cfcjfk32.exe

Filesize
64KB

MD5
6e3005c365f96c060d81d5c8b350f436

SHA1
2ced573303505867aaf6ae012f7308d06a44cc1f

SHA256
115f7a6ae693da90fdbdb80da7f232635eef6500cd604d42e71ce0e2df599e91

SHA512
297060b1bbc9b799a2f8fd712c57ea5ce53256cbe8707b19cdd43867f20f16cba06d5ab2aebb68a1be2df4082ff52f93573a458fe5d7bbf484c48e069dd1c076

Download Submit
C:\Windows\SysWOW64\Cfqmpl32.exe

Filesize
64KB

MD5
f1bd22b0b022ec3fb98963cfd9ee15b3

SHA1
03f49d377c4fba44b1a229238b459e87da6bc771

SHA256
43b2d192e00eb2243427df7345efc5e530b7ef77aee368d05087a9f2352b5c9d

SHA512
87c48957ba39ccbe5be07177783f9577945d2fe67cb994430260151e1fdf51b3b0e410d79b7e12859ea77d086897c301de9f2c75100ff83a34c49bff89fcbeb6

Download Submit
C:\Windows\SysWOW64\Cihclh32.exe

Filesize
64KB

MD5
eff372478d761f7a50e421572a0a8f4c

SHA1
0fe73a7990494407c91f425a8b6e6669e4df0e13

SHA256
0ea1815979691d01abe58605c149d352ddf0ec33455fcec227eba35dac4fede3

SHA512
6a7a4e2af98789bde0559ca63ac14e7cda804274bad46e137fe47f7155156b264bf3fb8c071572c862ecbcb7d4cd9cddc69d5ced4fe413157305a851d3aba188

Download Submit
C:\Windows\SysWOW64\Cijpahho.exe

Filesize
64KB

MD5
fe5ed5d5cd82fa25c058ca3e5f93c25b

SHA1
7d17c95dbec303464a7f0edcee2b99b2fa13e231

SHA256
35730d67e11fbceaf2de53b5f26e77b954f7a48d9b0733b93046e2b94c84461f

SHA512
5034a5d03c08f9db216dcc187f2bea7b376b51645ba30b11eb05c414db9f4f8fd2ec7eb588f7d14784e5d6117b3f654c02e05b48d01a231af4c87a993f8c005b

Download Submit
C:\Windows\SysWOW64\Ckkiccep.exe

Filesize
64KB

MD5
a331f08a493c1f592f6a600fdb9bc1dc

SHA1
d9360777b850671eaa2b24c95e57c851a184a73a

SHA256
e594932aaddb8827eacba70d35436090cf56c67843a69fae0c5d248944933e93

SHA512
f2f72ad8ec50bd0929d75fca32f6f4bb78373495ad0d5d77367fc1be8a23d7faae940ce9ad25172ddc056b5da0e803bfb84b5f09d2f128ddf773936a91f80d3d

Download Submit
C:\Windows\SysWOW64\Cmmbbejp.exe

Filesize
64KB

MD5
5534c401222f251f721788868b3bb606

SHA1
6a067b2d73b92c7d08e0cb6642c31da66c8f7ba2

SHA256
9af4954ee564cc9606e64bdaaeb788f48e2a99dad1a9fc368f0df4a3d8deda2c

SHA512
f045379e7503ac1c9676d28b907b52430fba9280c774910dc84b76365d9278be9d7e3165c6651a615af0ba18cb2a8301818d07fa9c420fcc74edbf8e40eeba68

Download Submit
C:\Windows\SysWOW64\Dbqqkkbo.exe

Filesize
64KB

MD5
5587ec033f8db0cbbb6d87fa7a19262a

SHA1
1847e1333a1f2c94288d9e96925dd7f0cdd2ab81

SHA256
eb5be7560e96d5c97aa4289fa3bb5590acec2225f22283903486502749868e37

SHA512
0fdd74972ff8678d7d98d90b1c9efbe665673d9c6ec7558f40f4295449b0f0483e8f1391228de1681661251d7fe01e7e0987a5164524615f210023633fcd0400

Download Submit
C:\Windows\SysWOW64\Dcpmen32.exe

Filesize
64KB

MD5
5e0016b966d8a61175eb2aedaf2b8411

SHA1
3ccb01d039407ff3147b0cd65ed65ac6a3985129

SHA256
918fd235fef806148f16ceea1b09eee3403776e72cdd31cbae8e3e2abbbe7d21

SHA512
0c1e274a5fe2c0bc7e9301ea7c0c1972b5ec4342dbf7bf6409815a03d3bd48644263f3e4d8c617c5873ecc66a639ff6686b4587f8ac3ecfc2d55d02607b1c754

Download Submit
C:\Windows\SysWOW64\Ddjmba32.exe

Filesize
64KB

MD5
be11d16682d2faa1c1479e1b0dc9f519

SHA1
6856c1be2ace6e90dbdedc98e39ced0dd14b1b49

SHA256
e6e8ca29fedd75a8294c1f804f43ecb33c714e89907941e24b7f304360fc7dd3

SHA512
23fda9fac76cfdffad21a89ad6875ceca579ea834cd5887894737e859be6472e292269a7a7bdb150bd822a648b21c54e62f473f4a623b3023b15cdde043044cc

Download Submit
C:\Windows\SysWOW64\Dfefkkqp.exe

Filesize
64KB

MD5
84a2b87060c9e4ff279883113a02d4c9

SHA1
b5ade168ef46652d90b9b7efbdde60cf10aee885

SHA256
c5c360da86214d0371459169a4a7a6f8565ee59b025fb4239f420a870abb9f98

SHA512
ae350174492c4e1c74f2f2852c9237509193dc526367e7a741646142a4816155602bbb2f48db54bb4571de72ad5e63079b1a00a9ba80310665408c00c1fa351d

Download Submit
C:\Windows\SysWOW64\Dfgcakon.exe

Filesize
64KB

MD5
00244837abbb12204e9932a1e4b1a0e1

SHA1
25b11c527a247772b77f655497fe27f2b43111c3

SHA256
b3daec73a621724c0e1eb3c448141e037d4996e4e42051d5505a8eff4e9dbbff

SHA512
c48df45ef65a5d7cd2f472138ba2096f0378f0640f2eaef39a8b911b5813b3ebe301ca36ecaa522654409acce6615c2f8c8b69212cd6b332effc5077ca6b171c

Download Submit
C:\Windows\SysWOW64\Djjebh32.exe

Filesize
64KB

MD5
11adcea637dcb974b618f2a110ef01fc

SHA1
95118862e0d9c631e19d5eae0cc5504471136ecb

SHA256
24ddd4b1ebda9a39495f26d30e98f7e63a7e790354c4afdbc9798ccca62b2435

SHA512
8740f26994a139465890a9d195564144be9f33968d8931b025a3cacc5a2c57923e89fd4117d003a2325740f662c9c441d2c0c170c230dc052986bc30313ee296

Download Submit
C:\Windows\SysWOW64\Dlghoa32.exe

Filesize
64KB

MD5
34c73801b9267886b1dd4c4ef8677ae1

SHA1
cee8f9b5ffaf37341d45c228e1371ebd91a257af

SHA256
f6126165195181647883b995c904c9ece8b1bf3c4137161b60ca54e274b5adf6

SHA512
263e5e113b11056da66acc01828a8e8ae1e1f0d7864762e2062ed1f8fee6477192cc2ba7380b4e41ab0339824042267b2677b1c429889e646ca7f8e7a733c5db

Download Submit
C:\Windows\SysWOW64\Dmcain32.exe

Filesize
64KB

MD5
53b45e5553404aa47d447978a198f877

SHA1
2f0c832bd77740229e4d463d7425b81bf5242e4f

SHA256
2f2241798fd1d5f2f0853829b8240ce65e71228a1290099d4867c8b84775503a

SHA512
877a9d3440d670a84c790a9993269647ee4447037bb5bcf79b0076b3cd77c076ddefde576cdc48153b6bc2eb713e4b968d2d4b9c775662ab862233eb9fbd07c6

Download Submit
C:\Windows\SysWOW64\Dmfeidbe.exe

Filesize
64KB

MD5
f4ec71d5e736d5ffefffbccb857c460b

SHA1
0970e58c97ec8e240bc3890ee5ffc561af8636a3

SHA256
e5bb0ad8e5cbc8a3a15b9d129108da431b73c12cc28c440c593fdf049e44a09b

SHA512
89662fcd187821aeb63f5868701559602f3175660b6dfe92ce090e7dc1b02ee6ae1b2d21b5f8f6e266d58be9301f41c5a90cc61a6776bd800dc18a48dcc83333

Download Submit
C:\Windows\SysWOW64\Dmoohe32.exe

Filesize
64KB

MD5
53c4e578cb9ecccdb336a676b7b2a70b

SHA1
1641d2a3fe54721fde5c211a554b5f470f703507

SHA256
4c9aac90a656d0806482f3f276f1c664ec6ea518426d41ffb5074a84bb4937cf

SHA512
ac15a507c41151ff3223b264f9f8c746b8def9845cf2af11ce54c017285aa30f7100e2a08e78c1d57e96a962d34b3013e5e747446782146c8a3bcc1cdc5057a7

Download Submit
C:\Windows\SysWOW64\Dpphjp32.exe

Filesize
64KB

MD5
ec28409c46d22fd5c7179df22c89a08e

SHA1
f9a7e64b98de7fc75aefccae57b431ead96a8674

SHA256
885169ea72435e69d4264344b2d7bd20acf62f0ae5c05f79615a4a5b8b38b2ce

SHA512
81b17f592f03eef1f72bc2e118dc6b557cab5d4f6ab05a6271c88d35cad43900a95178b6bb16fb7f3157e22351328d6f9d86d2e2ed59fd24a7ad1c1c3e5ece0a

Download Submit
C:\Windows\SysWOW64\Ecbjkngo.exe

Filesize
64KB

MD5
ad8025afee957d07a18d9dabba629410

SHA1
e2e4ca6bbdcf61cfb7f65e3a7cf9e5b8bf0eb175

SHA256
c1b7e89f785362ed27973d306990f5e2989ecda844306073385a914c27647ce2

SHA512
a896d1e26b6452530a0ef135745fd4aa80a486cb9ab2a23dcbaf85222820a82ea2f46b5f5bc2fc7eafc5409f1ae711e7af068a26a54710945a777670e525c6d0

Download Submit
C:\Windows\SysWOW64\Ecefqnel.exe

Filesize
64KB

MD5
7007a6aa105cd64a45ff6946601645fd

SHA1
6aedd2db4f5bc44c68e72cdc8c4d5435878dc1c5

SHA256
f24e9358f86509b78811d45d5688f33d946c213d3590b1fbc6e69602484973a7

SHA512
851188091ad9934c2112cc98c42f604c340e1a1af3478c3087bd95fd26b3258f8f26afa31e19b1310d6171f141b06a7c671daadc19e32b6c948561bd1931ed4e

Download Submit
C:\Windows\SysWOW64\Emmkiclm.exe

Filesize
64KB

MD5
b26af1644aee861e0bf24bc60d56591c

SHA1
14417c3169896b3329877671aaa02adc1206a437

SHA256
93f314f946a5b83c42dde57a92639c1c37db9817781667d831e9e0f38675e09f

SHA512
7316b51a4a123e7de9e8d44ab100f1c91e547005ba4c86a37edf64ce9ac4cd32aa99fa6641eeeda100783a7f01313ca1ecd660779898ad86e1d008112dfe6d8d

Download Submit
C:\Windows\SysWOW64\Fefedmil.exe

Filesize
64KB

MD5
cbbbf876dc5e6bff32ac764cd3fa1091

SHA1
7f5bd09912ff4f3a4fc2eee3bcd0088e8605f000

SHA256
b5e5683490339f4541fb629df54cf8328a5730096c7f94dd808299503ae70c17

SHA512
e884f898ac17a2779de4f5b0fba9ff639c2dadf05ce8bc7fe8d7d957fda2a74ba05267ffd58745b155ba30780e44933b6cb1166a4798719d8c589441afecd701

Download Submit
C:\Windows\SysWOW64\Fffhifdk.exe

Filesize
64KB

MD5
638bbb3185f083539a4a8f4eefab4ded

SHA1
728356ac72e66f092fdec4f5260216822b82fdea

SHA256
953d0872a7fc305166aa98bede70854f5eef801b4fa2f69c8237fdc25f9f7357

SHA512
f6b36d47721d54f4fddc1acd122471d5a912d05dacca47b186e18b1c9f03886cc97499837feaa28ad32717e4766c180722b69f0410850ecfcbf3a4c0c05c5fca

Download Submit
C:\Windows\SysWOW64\Gfkbde32.exe

Filesize
64KB

MD5
bab9d913c1810f0e5928557dc8576937

SHA1
8b344d80d72dba4eefa492b5b4c7171629801a24

SHA256
43d2e887debfeb2f774276a6d80ffc302538cec0fc59e18baa3c597eb8de527e

SHA512
e1f54b583a7926410191a7327839a661c7f37d85bd627058b2610038416636c98b5d445a1a4974930e4118dadfff7f598530b79146e256a06c64d650d5445f3d

Download Submit
C:\Windows\SysWOW64\Gljgbllj.exe

Filesize
64KB

MD5
c3a90751ed1e260767af5dd7b9f475a4

SHA1
bddad2b9349f7b7c4912f5b518b4622aea2a3590

SHA256
80b291b767eda2c734519b42b92bce28b2e934a29f89f71be178b8236bd6cb2b

SHA512
f0d0c8f147cf6bec849f72860f2b60eedd7e29899f92c71ba64de037136abe0f6e3a2f8702dd0fad131dc580b6961d258ed49a7dc2a423e5ede4a6d7ed7dc7a2

Download Submit
C:\Windows\SysWOW64\Haoimcgg.exe

Filesize
64KB

MD5
b0509f8d621fcb067468d8352f0ff2d9

SHA1
ed0b5cdbd7d968ea8d9306fca729bc0285e45746

SHA256
c232f237fedef321537119ec957a60392d0e6de329d53383b570ba6e4ed57447

SHA512
4e44f41bf2ffc481e4939463de01cc29c8d9b9fe66d6411821eeb90351e32123ca52124de4ff1c64c26182889a9913e8d1838a1d9dbf718d288a14b65e8c5ea2

Download Submit
C:\Windows\SysWOW64\Hjjnae32.exe

Filesize
64KB

MD5
b36184e84309d636aab506d71bda741d

SHA1
46c80591a9c78406e2866a37ce6bf3b940a147be

SHA256
63a51476f63c0e324830c971d571fb4135f548e2d9e00dfa102f823386b9d7ee

SHA512
32ef850181575720f6e33c080f1cdba857bdf605da424c9def99f2a424e5966e922ec46dfbe3eef840aec55597717e569496685cb8e2996645f637de903c2399

Download Submit
C:\Windows\SysWOW64\Hkeaqi32.exe

Filesize
64KB

MD5
501e0ba0c768dd9e0fee75cd359aa013

SHA1
fe332bd37db8927ee91ae2846d549d0b025adfe7

SHA256
a9d3c240688a6c035fd1924be4de5524ab8c8c0962ed5bd7b8daeedb830d3adc

SHA512
9c7f5e9c31a9c1b37508bd6ba83de32300b41a27a1ea2263b1c2d236be05c09d31fc2ff7d61b5765b3c8d2aca0a377f8739df88b2c25babd3dbac31153b12e12

Download Submit
C:\Windows\SysWOW64\Hkjjlhle.exe

Filesize
64KB

MD5
f15fb577b6ecc7ccb37d4f6db76ca2b4

SHA1
2e47c3d84cfccee87962366943a96d2b2c582373

SHA256
5b153957b3d9798417642e95218458b17b847331553d4056cf2ed31347e623c4

SHA512
5be5c323be7886169068ee2faaa78f22453db8ddbde5177f55b1aeef5402c447eba3a52f95d714a8fdf3178b6a7422a8ad344711be4f0f10b6be5c07f23aac86

Download Submit
C:\Windows\SysWOW64\Hmpcbhji.exe

Filesize
64KB

MD5
4475c40f3a333642fee31d333018dde2

SHA1
045e8cb356070063bfa0b7f5c86645a12e360a97

SHA256
61ad557b55b20472113a42b2601ea69e6d56de0631412b933a5973a93236e71d

SHA512
fe7e9b47d4619e5bf3b61a552cc47e055d79c8e88c4792ff6511271b145d46d06c7fe2308d8ce901f60b6f540930ef384e2b7cd9dee9d306823677afe9bad8d2

Download Submit
C:\Windows\SysWOW64\Hpdfnolo.exe

Filesize
64KB

MD5
3b5ec78d4f1b4f5fbcf7a2367e225383

SHA1
e487a22d7907262b2a4f0e08f9c506f9193c0a91

SHA256
6182cee0fa742c3ced78c177287df878589c734fad1170845cc8bf17810694af

SHA512
27b8ecff29b7e373b45e8805bb5824d3d3cf06ae9ad707bb5e361d172f0b444dbba859a9fbaae3ad3c9998defcd0cd55f2248828716025f200bf550a65e13174

Download Submit
C:\Windows\SysWOW64\Hpomcp32.exe

Filesize
64KB

MD5
2ae3d27e3f293990470ae2297f6acf55

SHA1
16768a7f6d4edf6ff27fa01eb5cebebb3721f75a

SHA256
ca80e6ce3740d90278cfe1ec04ff55394d24804b1e3b42208a28931a8bdde2dd

SHA512
7de798651143f822729c963cc8fc5259eb9cc50c650715086a6639e44efc068b22a9114e20ad6599e18a6f30d78582dbcaff8add1f098982eeec2dfeb515ffc4

Download Submit
C:\Windows\SysWOW64\Jepjhg32.exe

Filesize
64KB

MD5
b90f16ce43476a85c7c14378ec39dd33

SHA1
3e4a6d710e519576cf9bc65315edff97b772a36b

SHA256
11e47cc5689165f9cebeb334cd759cc638a5be35c472b84541bb547673bf597d

SHA512
ddb1235e66644dc28924a0a2f4493344e0197b4d4ae016362be1706d01f078ab364c96b31dbc4b4a6311aef02f0d4b3c5ff4dad88b1486a842a03ec627572e99

Download Submit
C:\Windows\SysWOW64\Klbnajqc.exe

Filesize
64KB

MD5
90507334e64e62583d56e4e78da00109

SHA1
4d5110d696e8f8455017496bc6998127aafc5105

SHA256
82b6de17168e86cdcce6140eed5fbb0307f673371876a33f5f7f9179fb7c9518

SHA512
909934fd720e63843e7f8a41ee2d674aaf9c0922a85951777e682687bced17bfc235fa16412f2fd79e549186e345c952cdc3a98fced6cd552eacad3cd8d51700

Download Submit
C:\Windows\SysWOW64\Mfnoqc32.exe

Filesize
64KB

MD5
57fdc2a48aee91f2747b1e7a9c87dba8

SHA1
18665ed649fc72c7fe364186da410700cf3cca88

SHA256
2d5365f9faf9340d8cc736535f31ba9139d01cfdca743b60931624389620e33d

SHA512
a1cc093d69ac79c963adf4c35867cd6b041eaa856b1bc4abdac82d5b5caac88d35c00c3a19cc208e37436a9569e10737ba3ab87cf6c8f4f140f7b542dfe49e0c

Download Submit
C:\Windows\SysWOW64\Ncbafoge.exe

Filesize
64KB

MD5
80f555df99dfe14ad545d5a6d4270f0b

SHA1
e094a77d48eb57022e2863bf8e3057aab5800f2b

SHA256
8ad5fc061fa09b9e79069a1a7d47d9f2c9eb224344c7e6d79daa94f74ee6b290

SHA512
5b05f6176701b0dc1c44cec117f7919b5a9014440fac31330cc0861662665294adefc1de0da593887f57e55d1342b522bc49010dd19c7d2484873b71046f5aec

Download Submit
C:\Windows\SysWOW64\Nckkfp32.exe

Filesize
64KB

MD5
7e63dd20c7901099eda458e0dfe2ae27

SHA1
3f9f9eda670bf049d24dca31c66a623e8878133c

SHA256
b248d32eae21bfca9db7a3f34f65ebd5965252c8bb24239f0a777ec6cf7a0f5e

SHA512
58eea28660e40d041f627b9b5d8e5b69c54065e5e49793826d9b25f1bc17c785e1ce0878449b26493957b703d916c8d9d102252474a579ae233f559258d1602d

Download Submit
C:\Windows\SysWOW64\Ocdnln32.exe

Filesize
64KB

MD5
aa6c880ddcf3fc7e00416ad5f3ccc3e4

SHA1
281ae83afd27148ad3ded416a31ea6495d433dbd

SHA256
ba519b699f5ea2595e84104d1f29f5feb9ec06daf501fb531913ebf3518ead25

SHA512
9111b788a6c1bbeaaf423c996423fdde8b1b6c2da5a7d1711a341b526c8c89a8ed70445e425c49160d16f4f84917ae529006123d5e5b3034d5c88d74b1ab162f

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
64KB

MD5
2aeb27e701043bff297692473eb81fa2

SHA1
1c7c99e033aa16439bcfb7f0a783e65ee510c7f8

SHA256
107eeb4c036cbc2e5297836e60462fa706a1ae8d32b8239bef81f2bb7f933b2c

SHA512
5acac13353bba362ff327b254bd042669c032387caa46e20902ecb30a02fce1cd462543c202564e1434595dcdbdc208e378a830fe365f53c13974742a9bd4e7f

Download Submit
C:\Windows\SysWOW64\Qebhhp32.exe

Filesize
64KB

MD5
b22375ad19a3ed06a2cc881f5737d71d

SHA1
5d682623aa74a14a172e04378878c4f837a5b95a

SHA256
b20cfc011d5ec1d0a66d3ec86436e6ba9a0ae4c1b018fcba08071c287ca6b750

SHA512
ba3b3698b871494a210376343dfda437a8b2f5c93c60cd0e837733e159d57c1a180fbadf1661741f44326e0de9ff10b27854380953b4fe836c48fcd9215bf7c6

Download Submit
memory/264-225-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/444-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/880-365-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/976-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1120-293-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1152-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1316-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1532-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1576-372-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1588-407-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1744-311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1888-149-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2004-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2080-263-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2100-305-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-437-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2592-201-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2668-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-287-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2764-174-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2904-137-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2972-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3084-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3120-217-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3572-383-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3728-299-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3808-393-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3856-432-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3888-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3904-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3904-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4012-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4016-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4104-233-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4136-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4140-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4164-281-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4204-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4212-214-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4224-181-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4228-248-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4244-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4332-261-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4380-413-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4480-269-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4508-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4536-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4572-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4584-347-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4596-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4620-12-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4708-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-341-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4816-339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4856-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4908-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4928-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4944-419-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4976-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5044-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5064-329-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5104-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads