7e41bb8daee6065eb041e817244e0f6b898465c45aade5e023f0ce528db66389

Analysis

max time kernel
163s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cc62184fe2db524bb99c51aab0ff267.exe
Size

55KB
MD5

8cc62184fe2db524bb99c51aab0ff267
SHA1

3664e4d8f8a2f54b094417f2bc450d5b5c5a87a6
SHA256

7e41bb8daee6065eb041e817244e0f6b898465c45aade5e023f0ce528db66389
SHA512

eeb51bd3787ea6b1f55e43acb5d4b527b1d3fca3385e61a7b44b1d86f9c9856e1aaa4536e7b4bcb0bf20d6045550e6300ae768860860903b8eeb3a7a28463854
SSDEEP

768:APeFMQGZ4P5gmMZ6gZ1aZnUterzTRtDg/gA+OOkeOTMVelvZqMqf/1H5cXdnhK:AWeQGZg3Q6W8UterZtDGKmRUvlI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcphkhad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkpjnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omqeobjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfcelml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apfhajjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oicccj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piapehkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epfflj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okjcdq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Malnklgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdgjlgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnkggld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmongoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcffggkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdjgbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnddb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daeioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpjdiadb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onneeceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oceepj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcolcgmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpnidgk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8cc62184fe2db524bb99c51aab0ff267.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgodjiio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enigek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldpijknm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnopjfgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alfcflfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfhne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhpopb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaokdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icdhojka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcnhfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmpido32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfacai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fafkoiji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfcbcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkpjnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khmoionj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kedcml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebiffc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiimejap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hapancai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdjilphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hagodlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckfggf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbnlbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdiamnpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicgjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpapgknd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljjicl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jogeia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Negoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmoclg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goabhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnfafpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffnkggld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lndaaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loemgdmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgmnooom.exe

Executes dropped EXE 64 IoCs

pid	Process
1300	Icgbob32.exe
4548	Kmbmdeoj.exe
2016	Mkicjgnn.exe
3676	Maehlqch.exe
3376	Oahnhncc.exe
3556	Qoocnpag.exe
4120	Akmjdpac.exe
2944	Bnppkj32.exe
2220	Bgmnooom.exe
5036	Bpfcelml.exe
4516	Cfjnhe32.exe
3592	Dlicflic.exe
5044	Dpnbmi32.exe
2792	Ehifak32.exe
3952	Eojeodga.exe
2168	Fplnogmb.exe
1656	Fhiphi32.exe
1944	Hhckeeam.exe
1900	Hjbhph32.exe
776	Ihheqd32.exe
1432	Ijjnpg32.exe
3112	Ijngkf32.exe
3976	Jmffnq32.exe
4876	Kpilekqj.exe
4004	Kmpido32.exe
4200	Kfhnme32.exe
4284	Kfjjbd32.exe
3176	Lglcag32.exe
4524	Malnklgg.exe
1156	Mfmpob32.exe
3304	Mhoind32.exe
3536	Nhcbidcd.exe
3104	Pjjaci32.exe
1856	Pjlnhi32.exe
4064	Qnopjfgi.exe
2644	Ahinbo32.exe
3440	Abflfc32.exe
324	Bdiamnpc.exe
2916	Bgodjiio.exe
3164	Dijppjfd.exe
2872	Dajnol32.exe
1056	Eihlahjd.exe
4992	Eacaej32.exe
3704	Facjlhil.exe
1752	Gbecljnl.exe
4328	Hkodak32.exe
2900	Jbnopbdl.exe
4988	Kokbpe32.exe
2000	Ljjicl32.exe
1820	Lcbmlbig.exe
2440	Liofdigo.exe
4928	Llpofd32.exe
4836	Mmfaafej.exe
3152	Njmopj32.exe
3296	Npighq32.exe
3836	Npqmipjq.exe
4268	Nfjeej32.exe
4968	Odnfonag.exe
4352	Ollgiplp.exe
4772	Okaabg32.exe
4108	Pbmffi32.exe
3248	Pgmkbg32.exe
2856	Alfcflfb.exe
4348	Apfhajjf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Akoqjl32.exe	Qocfjlan.exe
File opened for modification	C:\Windows\SysWOW64\Dojqcjgi.exe	Dqipeboj.exe
File created	C:\Windows\SysWOW64\Dkpjnd32.exe	Dpjfqljl.exe
File created	C:\Windows\SysWOW64\Ldmldk32.exe	Kopcld32.exe
File opened for modification	C:\Windows\SysWOW64\Icgbob32.exe	8cc62184fe2db524bb99c51aab0ff267.exe
File created	C:\Windows\SysWOW64\Bgmnooom.exe	Bnppkj32.exe
File opened for modification	C:\Windows\SysWOW64\Afelal32.exe	Qcpieamc.exe
File created	C:\Windows\SysWOW64\Ndblob32.dll	Pmgcidqm.exe
File created	C:\Windows\SysWOW64\Pdfeandd.exe	Poimigfm.exe
File opened for modification	C:\Windows\SysWOW64\Dnhgcgbi.exe	Cgnogmkl.exe
File created	C:\Windows\SysWOW64\Cckfkiep.exe	Ckpagg32.exe
File created	C:\Windows\SysWOW64\Lglcag32.exe	Kfjjbd32.exe
File created	C:\Windows\SysWOW64\Efjbne32.exe	Eopjakkg.exe
File created	C:\Windows\SysWOW64\Pnbifmla.exe	Palkgi32.exe
File created	C:\Windows\SysWOW64\Dapnokng.dll	Bmomecoi.exe
File created	C:\Windows\SysWOW64\Kddhjo32.dll	Hlldaape.exe
File opened for modification	C:\Windows\SysWOW64\Lcocmi32.exe	Kifodcej.exe
File opened for modification	C:\Windows\SysWOW64\Ldpijknm.exe	Lbnlbc32.exe
File created	C:\Windows\SysWOW64\Gmejknqp.dll	Nhbfpl32.exe
File created	C:\Windows\SysWOW64\Ingpgcmj.exe	Igmgji32.exe
File created	C:\Windows\SysWOW64\Ompmie32.exe	Ohahkojp.exe
File opened for modification	C:\Windows\SysWOW64\Oendaipn.exe	Negoaj32.exe
File created	C:\Windows\SysWOW64\Mjalkblo.dll	Cikkga32.exe
File opened for modification	C:\Windows\SysWOW64\Abkjnd32.exe	Qebpipij.exe
File created	C:\Windows\SysWOW64\Kmpido32.exe	Kpilekqj.exe
File created	C:\Windows\SysWOW64\Qniogl32.exe	Qimfoe32.exe
File created	C:\Windows\SysWOW64\Ohfddi32.dll	Ahmlaj32.exe
File opened for modification	C:\Windows\SysWOW64\Gbgibgpf.exe	Fmjqjqao.exe
File created	C:\Windows\SysWOW64\Ilnbch32.exe	Icfnjcec.exe
File opened for modification	C:\Windows\SysWOW64\Apeabg32.exe	Akiijq32.exe
File created	C:\Windows\SysWOW64\Eojeodga.exe	Ehifak32.exe
File created	C:\Windows\SysWOW64\Imdgjlgb.exe	Ilpaei32.exe
File opened for modification	C:\Windows\SysWOW64\Kkelmc32.exe	Jcphkhad.exe
File created	C:\Windows\SysWOW64\Bfqjhj32.dll	Indkih32.exe
File created	C:\Windows\SysWOW64\Eocfgq32.dll	Hjbhph32.exe
File created	C:\Windows\SysWOW64\Elighial.dll	Coojpg32.exe
File created	C:\Windows\SysWOW64\Jpihke32.dll	Mpapgknd.exe
File created	C:\Windows\SysWOW64\Amcmie32.exe	Afelal32.exe
File created	C:\Windows\SysWOW64\Ecpmod32.exe	Dihllkal.exe
File opened for modification	C:\Windows\SysWOW64\Kehocokh.exe	Kkbkffka.exe
File created	C:\Windows\SysWOW64\Qoocnpag.exe	Oahnhncc.exe
File created	C:\Windows\SysWOW64\Gpaqbf32.dll	Ngnnbq32.exe
File opened for modification	C:\Windows\SysWOW64\Fkalmn32.exe	Fafkoiji.exe
File created	C:\Windows\SysWOW64\Fcdpakhk.dll	Bnppkj32.exe
File opened for modification	C:\Windows\SysWOW64\Jlphnbfe.exe	Jbgdelpe.exe
File created	C:\Windows\SysWOW64\Oicccj32.exe	Obgoaq32.exe
File created	C:\Windows\SysWOW64\Jdahga32.dll	Bcddlhgo.exe
File created	C:\Windows\SysWOW64\Gmmmoppl.exe	Gbgibgpf.exe
File opened for modification	C:\Windows\SysWOW64\Eghimo32.exe	Dqdnjfpc.exe
File created	C:\Windows\SysWOW64\Lcacmeaa.dll	Aaanif32.exe
File created	C:\Windows\SysWOW64\Gjiipife.dll	Qjmeaafi.exe
File created	C:\Windows\SysWOW64\Hdicbkci.exe	Hgcfcg32.exe
File created	C:\Windows\SysWOW64\Poickc32.dll	Ecgone32.exe
File created	C:\Windows\SysWOW64\Ijjnpg32.exe	Ihheqd32.exe
File created	C:\Windows\SysWOW64\Cikkga32.exe	Chlomnfl.exe
File created	C:\Windows\SysWOW64\Kbebdpca.exe	Kpgfhddn.exe
File created	C:\Windows\SysWOW64\Ibjanpje.dll	Apeabg32.exe
File created	C:\Windows\SysWOW64\Amloakki.exe	Agbgda32.exe
File created	C:\Windows\SysWOW64\Eihlahjd.exe	Dajnol32.exe
File opened for modification	C:\Windows\SysWOW64\Lndaaj32.exe	Kbfjljhf.exe
File created	C:\Windows\SysWOW64\Bqkcgq32.dll	Mmmqbb32.exe
File created	C:\Windows\SysWOW64\Iikmlnae.exe	Himqjpme.exe
File created	C:\Windows\SysWOW64\Fflngpbn.dll	Bgnfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Foapkfco.exe	Felkmnci.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akmjdpac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjeej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocmjcjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poeink32.dll"	Bpkllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpalomaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfchehla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giqjdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8cc62184fe2db524bb99c51aab0ff267.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlldaape.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkckcj32.dll"	Olfgbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bonhqnpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiphfa32.dll"	Dnondf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maplgcdk.dll"	Dcffggkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofmjlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbfmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piapehkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhglhbni.dll"	Eacaej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjccl32.dll"	Kbebdpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nimioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qocfjlan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoed32.dll"	Imieblgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bffhme32.dll"	Aeoppbge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qimfoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enigek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjbofkpn.dll"	Ehifak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akiijq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmokljp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdhcdlco.dll"	Djhiglji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phioej32.dll"	Llpofd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jieiif32.dll"	Njmopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cempebgi.dll"	Kfjjbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odepecoi.dll"	Kchmljab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fokbbcmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaqbf32.dll"	Ngnnbq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odmbkolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbkbkm32.dll"	Adfgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcacmeaa.dll"	Aaanif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihjionb.dll"	Gdjilphb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebiffc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klbgpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejhkdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmffnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnmqegle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmaimd32.dll"	Lnanadfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibgmldnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nggddfag.dll"	Iomcqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjkpif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekoofiod.dll"	Iikmlnae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijjnpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfdpm32.dll"	Mfchehla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmgenjm.dll"	Npqmipjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjgple32.dll"	Ldkfno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcojkgea.dll"	Piphaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfqppold.dll"	Baephacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknmfekb.dll"	Dajbjoao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdegaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkfal32.dll"	Kmbmdeoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoljhi32.dll"	Mmfaafej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffpjihee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbebdpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgcfcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjlnhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afelal32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1300	1120	8cc62184fe2db524bb99c51aab0ff267.exe	94
PID 1120 wrote to memory of 1300	1120	8cc62184fe2db524bb99c51aab0ff267.exe	94
PID 1120 wrote to memory of 1300	1120	8cc62184fe2db524bb99c51aab0ff267.exe	94
PID 1300 wrote to memory of 4548	1300	Icgbob32.exe	95
PID 1300 wrote to memory of 4548	1300	Icgbob32.exe	95
PID 1300 wrote to memory of 4548	1300	Icgbob32.exe	95
PID 4548 wrote to memory of 2016	4548	Kmbmdeoj.exe	96
PID 4548 wrote to memory of 2016	4548	Kmbmdeoj.exe	96
PID 4548 wrote to memory of 2016	4548	Kmbmdeoj.exe	96
PID 2016 wrote to memory of 3676	2016	Mkicjgnn.exe	98
PID 2016 wrote to memory of 3676	2016	Mkicjgnn.exe	98
PID 2016 wrote to memory of 3676	2016	Mkicjgnn.exe	98
PID 3676 wrote to memory of 3376	3676	Maehlqch.exe	100
PID 3676 wrote to memory of 3376	3676	Maehlqch.exe	100
PID 3676 wrote to memory of 3376	3676	Maehlqch.exe	100
PID 3376 wrote to memory of 3556	3376	Oahnhncc.exe	101
PID 3376 wrote to memory of 3556	3376	Oahnhncc.exe	101
PID 3376 wrote to memory of 3556	3376	Oahnhncc.exe	101
PID 3556 wrote to memory of 4120	3556	Qoocnpag.exe	102
PID 3556 wrote to memory of 4120	3556	Qoocnpag.exe	102
PID 3556 wrote to memory of 4120	3556	Qoocnpag.exe	102
PID 4120 wrote to memory of 2944	4120	Akmjdpac.exe	103
PID 4120 wrote to memory of 2944	4120	Akmjdpac.exe	103
PID 4120 wrote to memory of 2944	4120	Akmjdpac.exe	103
PID 2944 wrote to memory of 2220	2944	Bnppkj32.exe	104
PID 2944 wrote to memory of 2220	2944	Bnppkj32.exe	104
PID 2944 wrote to memory of 2220	2944	Bnppkj32.exe	104
PID 2220 wrote to memory of 5036	2220	Bgmnooom.exe	106
PID 2220 wrote to memory of 5036	2220	Bgmnooom.exe	106
PID 2220 wrote to memory of 5036	2220	Bgmnooom.exe	106
PID 5036 wrote to memory of 4516	5036	Bpfcelml.exe	107
PID 5036 wrote to memory of 4516	5036	Bpfcelml.exe	107
PID 5036 wrote to memory of 4516	5036	Bpfcelml.exe	107
PID 4516 wrote to memory of 3592	4516	Cfjnhe32.exe	108
PID 4516 wrote to memory of 3592	4516	Cfjnhe32.exe	108
PID 4516 wrote to memory of 3592	4516	Cfjnhe32.exe	108
PID 3592 wrote to memory of 5044	3592	Dlicflic.exe	109
PID 3592 wrote to memory of 5044	3592	Dlicflic.exe	109
PID 3592 wrote to memory of 5044	3592	Dlicflic.exe	109
PID 5044 wrote to memory of 2792	5044	Dpnbmi32.exe	110
PID 5044 wrote to memory of 2792	5044	Dpnbmi32.exe	110
PID 5044 wrote to memory of 2792	5044	Dpnbmi32.exe	110
PID 2792 wrote to memory of 3952	2792	Ehifak32.exe	111
PID 2792 wrote to memory of 3952	2792	Ehifak32.exe	111
PID 2792 wrote to memory of 3952	2792	Ehifak32.exe	111
PID 3952 wrote to memory of 2168	3952	Eojeodga.exe	112
PID 3952 wrote to memory of 2168	3952	Eojeodga.exe	112
PID 3952 wrote to memory of 2168	3952	Eojeodga.exe	112
PID 2168 wrote to memory of 1656	2168	Fplnogmb.exe	113
PID 2168 wrote to memory of 1656	2168	Fplnogmb.exe	113
PID 2168 wrote to memory of 1656	2168	Fplnogmb.exe	113
PID 1656 wrote to memory of 1944	1656	Fhiphi32.exe	114
PID 1656 wrote to memory of 1944	1656	Fhiphi32.exe	114
PID 1656 wrote to memory of 1944	1656	Fhiphi32.exe	114
PID 1944 wrote to memory of 1900	1944	Hhckeeam.exe	115
PID 1944 wrote to memory of 1900	1944	Hhckeeam.exe	115
PID 1944 wrote to memory of 1900	1944	Hhckeeam.exe	115
PID 1900 wrote to memory of 776	1900	Hjbhph32.exe	116
PID 1900 wrote to memory of 776	1900	Hjbhph32.exe	116
PID 1900 wrote to memory of 776	1900	Hjbhph32.exe	116
PID 776 wrote to memory of 1432	776	Ihheqd32.exe	117
PID 776 wrote to memory of 1432	776	Ihheqd32.exe	117
PID 776 wrote to memory of 1432	776	Ihheqd32.exe	117
PID 1432 wrote to memory of 3112	1432	Ijjnpg32.exe	118

C:\Users\Admin\AppData\Local\Temp\8cc62184fe2db524bb99c51aab0ff267.exe
"C:\Users\Admin\AppData\Local\Temp\8cc62184fe2db524bb99c51aab0ff267.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\Icgbob32.exe
  C:\Windows\system32\Icgbob32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\Kmbmdeoj.exe
    C:\Windows\system32\Kmbmdeoj.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\SysWOW64\Mkicjgnn.exe
      C:\Windows\system32\Mkicjgnn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\SysWOW64\Maehlqch.exe
        
        C:\Windows\system32\Maehlqch.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3676
      - C:\Windows\SysWOW64\Oahnhncc.exe
        
        C:\Windows\system32\Oahnhncc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Qoocnpag.exe
        
        C:\Windows\system32\Qoocnpag.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Akmjdpac.exe
        
        C:\Windows\system32\Akmjdpac.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Bnppkj32.exe
        
        C:\Windows\system32\Bnppkj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Bgmnooom.exe
        
        C:\Windows\system32\Bgmnooom.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Bpfcelml.exe
        
        C:\Windows\system32\Bpfcelml.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Cfjnhe32.exe
        
        C:\Windows\system32\Cfjnhe32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Dlicflic.exe
        
        C:\Windows\system32\Dlicflic.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Dpnbmi32.exe
        
        C:\Windows\system32\Dpnbmi32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Ehifak32.exe
        
        C:\Windows\system32\Ehifak32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Eojeodga.exe
        
        C:\Windows\system32\Eojeodga.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Fplnogmb.exe
        
        C:\Windows\system32\Fplnogmb.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Fhiphi32.exe
        
        C:\Windows\system32\Fhiphi32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Hhckeeam.exe
        
        C:\Windows\system32\Hhckeeam.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Hjbhph32.exe
        
        C:\Windows\system32\Hjbhph32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Ihheqd32.exe
        
        C:\Windows\system32\Ihheqd32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Ijjnpg32.exe
        
        C:\Windows\system32\Ijjnpg32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Ijngkf32.exe
        
        C:\Windows\system32\Ijngkf32.exe
        23⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Jmffnq32.exe
        
        C:\Windows\system32\Jmffnq32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Kpilekqj.exe
        
        C:\Windows\system32\Kpilekqj.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Kmpido32.exe
        
        C:\Windows\system32\Kmpido32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Kfhnme32.exe
        
        C:\Windows\system32\Kfhnme32.exe
        27⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\Kfjjbd32.exe
        
        C:\Windows\system32\Kfjjbd32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Lglcag32.exe
        
        C:\Windows\system32\Lglcag32.exe
        29⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Malnklgg.exe
        
        C:\Windows\system32\Malnklgg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Mfmpob32.exe
        
        C:\Windows\system32\Mfmpob32.exe
        31⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\Mhoind32.exe
        
        C:\Windows\system32\Mhoind32.exe
        32⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\Nhcbidcd.exe
        
        C:\Windows\system32\Nhcbidcd.exe
        33⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Pjjaci32.exe
        
        C:\Windows\system32\Pjjaci32.exe
        34⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Pjlnhi32.exe
        
        C:\Windows\system32\Pjlnhi32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Qnopjfgi.exe
        
        C:\Windows\system32\Qnopjfgi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Ahinbo32.exe
        
        C:\Windows\system32\Ahinbo32.exe
        37⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Abflfc32.exe
        
        C:\Windows\system32\Abflfc32.exe
        38⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Bdiamnpc.exe
        
        C:\Windows\system32\Bdiamnpc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:324
        
        C:\Windows\SysWOW64\Bgodjiio.exe
        
        C:\Windows\system32\Bgodjiio.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Dijppjfd.exe
        
        C:\Windows\system32\Dijppjfd.exe
        41⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Dajnol32.exe
        
        C:\Windows\system32\Dajnol32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\Eihlahjd.exe
        
        C:\Windows\system32\Eihlahjd.exe
        43⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\Eacaej32.exe
        
        C:\Windows\system32\Eacaej32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Facjlhil.exe
        
        C:\Windows\system32\Facjlhil.exe
        45⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Gbecljnl.exe
        
        C:\Windows\system32\Gbecljnl.exe
        46⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Hkodak32.exe
        
        C:\Windows\system32\Hkodak32.exe
        47⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Jbnopbdl.exe
        
        C:\Windows\system32\Jbnopbdl.exe
        48⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Kokbpe32.exe
        
        C:\Windows\system32\Kokbpe32.exe
        49⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Ljjicl32.exe
        
        C:\Windows\system32\Ljjicl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\Lcbmlbig.exe
        
        C:\Windows\system32\Lcbmlbig.exe
        51⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\Liofdigo.exe
        
        C:\Windows\system32\Liofdigo.exe
        52⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Llpofd32.exe
        
        C:\Windows\system32\Llpofd32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Mmfaafej.exe
        
        C:\Windows\system32\Mmfaafej.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Njmopj32.exe
        
        C:\Windows\system32\Njmopj32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Npighq32.exe
        
        C:\Windows\system32\Npighq32.exe
        56⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\Npqmipjq.exe
        
        C:\Windows\system32\Npqmipjq.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Nfjeej32.exe
        
        C:\Windows\system32\Nfjeej32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Odnfonag.exe
        
        C:\Windows\system32\Odnfonag.exe
        59⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Ollgiplp.exe
        
        C:\Windows\system32\Ollgiplp.exe
        60⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Okaabg32.exe
        
        C:\Windows\system32\Okaabg32.exe
        61⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Pbmffi32.exe
        
        C:\Windows\system32\Pbmffi32.exe
        62⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\Pgmkbg32.exe
        
        C:\Windows\system32\Pgmkbg32.exe
        63⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\SysWOW64\Alfcflfb.exe
        
        C:\Windows\system32\Alfcflfb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Apfhajjf.exe
        
        C:\Windows\system32\Apfhajjf.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Cgnmpbec.exe
        
        C:\Windows\system32\Cgnmpbec.exe
        66⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\Djhiglji.exe
        
        C:\Windows\system32\Djhiglji.exe
        67⤵
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Dqbadf32.exe
        
        C:\Windows\system32\Dqbadf32.exe
        68⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Dqdnjfpc.exe
        
        C:\Windows\system32\Dqdnjfpc.exe
        69⤵
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Eghimo32.exe
        
        C:\Windows\system32\Eghimo32.exe
        70⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\Fnmqegle.exe
        
        C:\Windows\system32\Fnmqegle.exe
        71⤵
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Fegiba32.exe
        
        C:\Windows\system32\Fegiba32.exe
        72⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Galfhpmf.exe
        
        C:\Windows\system32\Galfhpmf.exe
        73⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Helkdnaj.exe
        
        C:\Windows\system32\Helkdnaj.exe
        74⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Iaokdn32.exe
        
        C:\Windows\system32\Iaokdn32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4960
        
        C:\Windows\SysWOW64\Jogeia32.exe
        
        C:\Windows\system32\Jogeia32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5052
        
        C:\Windows\SysWOW64\Khimhefk.exe
        
        C:\Windows\system32\Khimhefk.exe
        77⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Klibdcjo.exe
        
        C:\Windows\system32\Klibdcjo.exe
        78⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\Kbfjljhf.exe
        
        C:\Windows\system32\Kbfjljhf.exe
        79⤵
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Lndaaj32.exe
        
        C:\Windows\system32\Lndaaj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2432
        
        C:\Windows\SysWOW64\Moomgl32.exe
        
        C:\Windows\system32\Moomgl32.exe
        81⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\Nfpled32.exe
        
        C:\Windows\system32\Nfpled32.exe
        82⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Aiimejap.exe
        
        C:\Windows\system32\Aiimejap.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Blqlgdhi.exe
        
        C:\Windows\system32\Blqlgdhi.exe
        84⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Cfpfqiha.exe
        
        C:\Windows\system32\Cfpfqiha.exe
        85⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Cpjdiadb.exe
        
        C:\Windows\system32\Cpjdiadb.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Cfglahbj.exe
        
        C:\Windows\system32\Cfglahbj.exe
        87⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Claenb32.exe
        
        C:\Windows\system32\Claenb32.exe
        88⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Ejcaidlp.exe
        
        C:\Windows\system32\Ejcaidlp.exe
        89⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Eopjakkg.exe
        
        C:\Windows\system32\Eopjakkg.exe
        90⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Efjbne32.exe
        
        C:\Windows\system32\Efjbne32.exe
        91⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Ejhkdc32.exe
        
        C:\Windows\system32\Ejhkdc32.exe
        92⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Gmimll32.exe
        
        C:\Windows\system32\Gmimll32.exe
        93⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Hfmqapcl.exe
        
        C:\Windows\system32\Hfmqapcl.exe
        94⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Ihcclb32.exe
        
        C:\Windows\system32\Ihcclb32.exe
        95⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Jopaejlo.exe
        
        C:\Windows\system32\Jopaejlo.exe
        96⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Kpanmb32.exe
        
        C:\Windows\system32\Kpanmb32.exe
        97⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\Knhkkfod.exe
        
        C:\Windows\system32\Knhkkfod.exe
        98⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Khmoionj.exe
        
        C:\Windows\system32\Khmoionj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3676
        
        C:\Windows\SysWOW64\Lnanadfi.exe
        
        C:\Windows\system32\Lnanadfi.exe
        100⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Ldkfno32.exe
        
        C:\Windows\system32\Ldkfno32.exe
        101⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Mbfmha32.exe
        
        C:\Windows\system32\Mbfmha32.exe
        102⤵
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Nnmfdpni.exe
        
        C:\Windows\system32\Nnmfdpni.exe
        103⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Negoaj32.exe
        
        C:\Windows\system32\Negoaj32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Oendaipn.exe
        
        C:\Windows\system32\Oendaipn.exe
        105⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Palkgi32.exe
        
        C:\Windows\system32\Palkgi32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Pnbifmla.exe
        
        C:\Windows\system32\Pnbifmla.exe
        107⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\Qimfoe32.exe
        
        C:\Windows\system32\Qimfoe32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Qniogl32.exe
        
        C:\Windows\system32\Qniogl32.exe
        109⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\Qecgcfmf.exe
        
        C:\Windows\system32\Qecgcfmf.exe
        110⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Aaanif32.exe
        
        C:\Windows\system32\Aaanif32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Bhppap32.exe
        
        C:\Windows\system32\Bhppap32.exe
        112⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Chlomnfl.exe
        
        C:\Windows\system32\Chlomnfl.exe
        113⤵
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Cikkga32.exe
        
        C:\Windows\system32\Cikkga32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Cafpkc32.exe
        
        C:\Windows\system32\Cafpkc32.exe
        115⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Coojpg32.exe
        
        C:\Windows\system32\Coojpg32.exe
        116⤵
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Dllmoj32.exe
        
        C:\Windows\system32\Dllmoj32.exe
        117⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Ehcndkaa.exe
        
        C:\Windows\system32\Ehcndkaa.exe
        118⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Eoapldei.exe
        
        C:\Windows\system32\Eoapldei.exe
        119⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\Fbeeco32.exe
        
        C:\Windows\system32\Fbeeco32.exe
        120⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Fokbbcmo.exe
        
        C:\Windows\system32\Fokbbcmo.exe
        121⤵
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Fmoclg32.exe
        
        C:\Windows\system32\Fmoclg32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Gbqeonfj.exe
        
        C:\Windows\system32\Gbqeonfj.exe
        123⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Gqaeme32.exe
        
        C:\Windows\system32\Gqaeme32.exe
        124⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Gcggjp32.exe
        
        C:\Windows\system32\Gcggjp32.exe
        125⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\Hapancai.exe
        
        C:\Windows\system32\Hapancai.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2412
        
        C:\Windows\SysWOW64\Hfacai32.exe
        
        C:\Windows\system32\Hfacai32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Ipqnknld.exe
        
        C:\Windows\system32\Ipqnknld.exe
        128⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Iiibdc32.exe
        
        C:\Windows\system32\Iiibdc32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Jjoeoedo.exe
        
        C:\Windows\system32\Jjoeoedo.exe
        130⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Kfhbifgq.exe
        
        C:\Windows\system32\Kfhbifgq.exe
        131⤵
        
        PID:396
        
        C:\Windows\SysWOW64\Kcfiof32.exe
        
        C:\Windows\system32\Kcfiof32.exe
        132⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\Lgdbedmc.exe
        
        C:\Windows\system32\Lgdbedmc.exe
        133⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Ligglo32.exe
        
        C:\Windows\system32\Ligglo32.exe
        134⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\Mgbnfb32.exe
        
        C:\Windows\system32\Mgbnfb32.exe
        135⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\Mkepgp32.exe
        
        C:\Windows\system32\Mkepgp32.exe
        136⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Ngnnbq32.exe
        
        C:\Windows\system32\Ngnnbq32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Onfbpi32.exe
        
        C:\Windows\system32\Onfbpi32.exe
        138⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Pnmhqh32.exe
        
        C:\Windows\system32\Pnmhqh32.exe
        139⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\Pnoefg32.exe
        
        C:\Windows\system32\Pnoefg32.exe
        140⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Pglcjl32.exe
        
        C:\Windows\system32\Pglcjl32.exe
        141⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Qjmllgjd.exe
        
        C:\Windows\system32\Qjmllgjd.exe
        142⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\Qebpipij.exe
        
        C:\Windows\system32\Qebpipij.exe
        143⤵
        Drops file in System32 directory
        
        PID:560
        
        C:\Windows\SysWOW64\Abkjnd32.exe
        
        C:\Windows\system32\Abkjnd32.exe
        144⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\Abpcicpi.exe
        
        C:\Windows\system32\Abpcicpi.exe
        145⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Ahmlaj32.exe
        
        C:\Windows\system32\Ahmlaj32.exe
        146⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Bbemdb32.exe
        
        C:\Windows\system32\Bbemdb32.exe
        147⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Chpangnk.exe
        
        C:\Windows\system32\Chpangnk.exe
        148⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Fkjfloeo.exe
        
        C:\Windows\system32\Fkjfloeo.exe
        149⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Ffpjihee.exe
        
        C:\Windows\system32\Ffpjihee.exe
        150⤵
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Fklcbocl.exe
        
        C:\Windows\system32\Fklcbocl.exe
        151⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\Fafkoiji.exe
        
        C:\Windows\system32\Fafkoiji.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Fkalmn32.exe
        
        C:\Windows\system32\Fkalmn32.exe
        153⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Fbkdjh32.exe
        
        C:\Windows\system32\Fbkdjh32.exe
        154⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Goabhl32.exe
        
        C:\Windows\system32\Goabhl32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Gbpnegbo.exe
        
        C:\Windows\system32\Gbpnegbo.exe
        156⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Hdgmga32.exe
        
        C:\Windows\system32\Hdgmga32.exe
        157⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Hijohoki.exe
        
        C:\Windows\system32\Hijohoki.exe
        158⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Hcpcehko.exe
        
        C:\Windows\system32\Hcpcehko.exe
        159⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Ibgmldnd.exe
        
        C:\Windows\system32\Ibgmldnd.exe
        160⤵
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Ilpaei32.exe
        
        C:\Windows\system32\Ilpaei32.exe
        161⤵
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Imdgjlgb.exe
        
        C:\Windows\system32\Imdgjlgb.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4480
        
        C:\Windows\SysWOW64\Jfcbcp32.exe
        
        C:\Windows\system32\Jfcbcp32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3272
        
        C:\Windows\SysWOW64\Kdnincal.exe
        
        C:\Windows\system32\Kdnincal.exe
        164⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Kmfmfigl.exe
        
        C:\Windows\system32\Kmfmfigl.exe
        165⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\Kbceoped.exe
        
        C:\Windows\system32\Kbceoped.exe
        166⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Kpgfhddn.exe
        
        C:\Windows\system32\Kpgfhddn.exe
        167⤵
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Kbebdpca.exe
        
        C:\Windows\system32\Kbebdpca.exe
        168⤵
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Kipkaj32.exe
        
        C:\Windows\system32\Kipkaj32.exe
        169⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Lbhojo32.exe
        
        C:\Windows\system32\Lbhojo32.exe
        170⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Mpebjb32.exe
        
        C:\Windows\system32\Mpebjb32.exe
        171⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Mipchg32.exe
        
        C:\Windows\system32\Mipchg32.exe
        172⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Nneboemj.exe
        
        C:\Windows\system32\Nneboemj.exe
        173⤵
        
        PID:220
        
        C:\Windows\SysWOW64\Onneeceo.exe
        
        C:\Windows\system32\Onneeceo.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5040
        
        C:\Windows\SysWOW64\Ocmjcjad.exe
        
        C:\Windows\system32\Ocmjcjad.exe
        175⤵
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Pgefogop.exe
        
        C:\Windows\system32\Pgefogop.exe
        176⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\Qmhdhm32.exe
        
        C:\Windows\system32\Qmhdhm32.exe
        177⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Qjmeaafi.exe
        
        C:\Windows\system32\Qjmeaafi.exe
        178⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Bepeph32.exe
        
        C:\Windows\system32\Bepeph32.exe
        179⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Bjokno32.exe
        
        C:\Windows\system32\Bjokno32.exe
        180⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\Bgckgcem.exe
        
        C:\Windows\system32\Bgckgcem.exe
        181⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Cjindm32.exe
        
        C:\Windows\system32\Cjindm32.exe
        182⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\Hgcfcg32.exe
        
        C:\Windows\system32\Hgcfcg32.exe
        183⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Hdicbkci.exe
        
        C:\Windows\system32\Hdicbkci.exe
        184⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Hkckoe32.exe
        
        C:\Windows\system32\Hkckoe32.exe
        185⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\Hhglhi32.exe
        
        C:\Windows\system32\Hhglhi32.exe
        186⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Hnddqp32.exe
        
        C:\Windows\system32\Hnddqp32.exe
        187⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Hhihnihm.exe
        
        C:\Windows\system32\Hhihnihm.exe
        188⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Hnfafpfd.exe
        
        C:\Windows\system32\Hnfafpfd.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:576
        
        C:\Windows\SysWOW64\Iickdgpb.exe
        
        C:\Windows\system32\Iickdgpb.exe
        190⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\Iomcqa32.exe
        
        C:\Windows\system32\Iomcqa32.exe
        191⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Jgjekc32.exe
        
        C:\Windows\system32\Jgjekc32.exe
        192⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\Jbilnkjc.exe
        
        C:\Windows\system32\Jbilnkjc.exe
        193⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Kflnpild.exe
        
        C:\Windows\system32\Kflnpild.exe
        194⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\Lnlloj32.exe
        
        C:\Windows\system32\Lnlloj32.exe
        195⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Lefdld32.exe
        
        C:\Windows\system32\Lefdld32.exe
        196⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Miomnaip.exe
        
        C:\Windows\system32\Miomnaip.exe
        197⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Noaoagca.exe
        
        C:\Windows\system32\Noaoagca.exe
        198⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Nekgna32.exe
        
        C:\Windows\system32\Nekgna32.exe
        199⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Nohdaf32.exe
        
        C:\Windows\system32\Nohdaf32.exe
        200⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Nimioo32.exe
        
        C:\Windows\system32\Nimioo32.exe
        201⤵
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Nojagf32.exe
        
        C:\Windows\system32\Nojagf32.exe
        202⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Nhbfpl32.exe
        
        C:\Windows\system32\Nhbfpl32.exe
        203⤵
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Ocopncke.exe
        
        C:\Windows\system32\Ocopncke.exe
        204⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\Qleahgff.exe
        
        C:\Windows\system32\Qleahgff.exe
        205⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\Qcpieamc.exe
        
        C:\Windows\system32\Qcpieamc.exe
        206⤵
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\Afelal32.exe
        
        C:\Windows\system32\Afelal32.exe
        207⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Amcmie32.exe
        
        C:\Windows\system32\Amcmie32.exe
        208⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Bcboan32.exe
        
        C:\Windows\system32\Bcboan32.exe
        209⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\Bpkllo32.exe
        
        C:\Windows\system32\Bpkllo32.exe
        210⤵
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Bmomecoi.exe
        
        C:\Windows\system32\Bmomecoi.exe
        211⤵
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Bgeabloo.exe
        
        C:\Windows\system32\Bgeabloo.exe
        212⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\Ccpkblqn.exe
        
        C:\Windows\system32\Ccpkblqn.exe
        213⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Dffmogji.exe
        
        C:\Windows\system32\Dffmogji.exe
        214⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Iqklhd32.exe
        
        C:\Windows\system32\Iqklhd32.exe
        215⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Jnhphg32.exe
        
        C:\Windows\system32\Jnhphg32.exe
        216⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Jhndepbi.exe
        
        C:\Windows\system32\Jhndepbi.exe
        217⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\Jklpakam.exe
        
        C:\Windows\system32\Jklpakam.exe
        218⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Jbfhne32.exe
        
        C:\Windows\system32\Jbfhne32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Kjkpif32.exe
        
        C:\Windows\system32\Kjkpif32.exe
        220⤵
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Kepdfo32.exe
        
        C:\Windows\system32\Kepdfo32.exe
        221⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Laqhao32.exe
        
        C:\Windows\system32\Laqhao32.exe
        222⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Mbenfq32.exe
        
        C:\Windows\system32\Mbenfq32.exe
        223⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Nlbkjf32.exe
        
        C:\Windows\system32\Nlbkjf32.exe
        224⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Ohboeenl.exe
        
        C:\Windows\system32\Ohboeenl.exe
        225⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Phpkgc32.exe
        
        C:\Windows\system32\Phpkgc32.exe
        226⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\Piphaf32.exe
        
        C:\Windows\system32\Piphaf32.exe
        227⤵
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Qocfjlan.exe
        
        C:\Windows\system32\Qocfjlan.exe
        228⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Akoqjl32.exe
        
        C:\Windows\system32\Akoqjl32.exe
        229⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Bbpoge32.exe
        
        C:\Windows\system32\Bbpoge32.exe
        230⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Bfpdcc32.exe
        
        C:\Windows\system32\Bfpdcc32.exe
        231⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Bcddlhgo.exe
        
        C:\Windows\system32\Bcddlhgo.exe
        232⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Cooolhin.exe
        
        C:\Windows\system32\Cooolhin.exe
        233⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Doiabgqc.exe
        
        C:\Windows\system32\Doiabgqc.exe
        234⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Dihllkal.exe
        
        C:\Windows\system32\Dihllkal.exe
        235⤵
        Drops file in System32 directory
        
        PID:552
        
        C:\Windows\SysWOW64\Ecpmod32.exe
        
        C:\Windows\system32\Ecpmod32.exe
        236⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\Elbhde32.exe
        
        C:\Windows\system32\Elbhde32.exe
        237⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Ffjignde.exe
        
        C:\Windows\system32\Ffjignde.exe
        238⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Gdjilphb.exe
        
        C:\Windows\system32\Gdjilphb.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Hlldaape.exe
        
        C:\Windows\system32\Hlldaape.exe
        240⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Inecac32.exe
        
        C:\Windows\system32\Inecac32.exe
        241⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Igmgji32.exe
        
        C:\Windows\system32\Igmgji32.exe
        242⤵
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Ingpgcmj.exe
        
        C:\Windows\system32\Ingpgcmj.exe
        243⤵
        
        PID:776
        
        C:\Windows\SysWOW64\Icdhojka.exe
        
        C:\Windows\system32\Icdhojka.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Jdkkjl32.exe
        
        C:\Windows\system32\Jdkkjl32.exe
        245⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Jkdcffci.exe
        
        C:\Windows\system32\Jkdcffci.exe
        246⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Jpalomaq.exe
        
        C:\Windows\system32\Jpalomaq.exe
        247⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Jcphkhad.exe
        
        C:\Windows\system32\Jcphkhad.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Kkelmc32.exe
        
        C:\Windows\system32\Kkelmc32.exe
        249⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\Kglmbd32.exe
        
        C:\Windows\system32\Kglmbd32.exe
        250⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\Lkchoaif.exe
        
        C:\Windows\system32\Lkchoaif.exe
        251⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Menimfnd.exe
        
        C:\Windows\system32\Menimfnd.exe
        252⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\Mkhajq32.exe
        
        C:\Windows\system32\Mkhajq32.exe
        253⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Mnhkklbb.exe
        
        C:\Windows\system32\Mnhkklbb.exe
        254⤵
        
        PID:384
        
        C:\Windows\SysWOW64\Mlohjpoi.exe
        
        C:\Windows\system32\Mlohjpoi.exe
        255⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Nhjbjp32.exe
        
        C:\Windows\system32\Nhjbjp32.exe
        256⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\Ohahkojp.exe
        
        C:\Windows\system32\Ohahkojp.exe
        257⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Ompmie32.exe
        
        C:\Windows\system32\Ompmie32.exe
        258⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Ojdnbj32.exe
        
        C:\Windows\system32\Ojdnbj32.exe
        259⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Odmbkolo.exe
        
        C:\Windows\system32\Odmbkolo.exe
        260⤵
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Olfgbl32.exe
        
        C:\Windows\system32\Olfgbl32.exe
        261⤵
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Pmgcidqm.exe
        
        C:\Windows\system32\Pmgcidqm.exe
        262⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Pdalfo32.exe
        
        C:\Windows\system32\Pdalfo32.exe
        263⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Poimigfm.exe
        
        C:\Windows\system32\Poimigfm.exe
        264⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Pdfeandd.exe
        
        C:\Windows\system32\Pdfeandd.exe
        265⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Qkegiggl.exe
        
        C:\Windows\system32\Qkegiggl.exe
        266⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Aehghn32.exe
        
        C:\Windows\system32\Aehghn32.exe
        267⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\Bekdmnio.exe
        
        C:\Windows\system32\Bekdmnio.exe
        268⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Beomhm32.exe
        
        C:\Windows\system32\Beomhm32.exe
        269⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Cleeafbi.exe
        
        C:\Windows\system32\Cleeafbi.exe
        270⤵
        
        PID:376
        
        C:\Windows\SysWOW64\Domdcpib.exe
        
        C:\Windows\system32\Domdcpib.exe
        271⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Eilomd32.exe
        
        C:\Windows\system32\Eilomd32.exe
        272⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\Enigek32.exe
        
        C:\Windows\system32\Enigek32.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Fnegqjne.exe
        
        C:\Windows\system32\Fnegqjne.exe
        274⤵
        
        PID:368
        
        C:\Windows\SysWOW64\Feoomd32.exe
        
        C:\Windows\system32\Feoomd32.exe
        275⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\Fngcfikb.exe
        
        C:\Windows\system32\Fngcfikb.exe
        276⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\Ffnkggld.exe
        
        C:\Windows\system32\Ffnkggld.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3248
        
        C:\Windows\SysWOW64\Flkdpnjl.exe
        
        C:\Windows\system32\Flkdpnjl.exe
        278⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\Fmjqjqao.exe
        
        C:\Windows\system32\Fmjqjqao.exe
        279⤵
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Gbgibgpf.exe
        
        C:\Windows\system32\Gbgibgpf.exe
        280⤵
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Gmmmoppl.exe
        
        C:\Windows\system32\Gmmmoppl.exe
        281⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Gnnjgh32.exe
        
        C:\Windows\system32\Gnnjgh32.exe
        282⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\Himqjpme.exe
        
        C:\Windows\system32\Himqjpme.exe
        283⤵
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Iikmlnae.exe
        
        C:\Windows\system32\Iikmlnae.exe
        284⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Imieblgl.exe
        
        C:\Windows\system32\Imieblgl.exe
        285⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Icfnjcec.exe
        
        C:\Windows\system32\Icfnjcec.exe
        286⤵
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\Ilnbch32.exe
        
        C:\Windows\system32\Ilnbch32.exe
        287⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Jookdcie.exe
        
        C:\Windows\system32\Jookdcie.exe
        288⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Jgoflpal.exe
        
        C:\Windows\system32\Jgoflpal.exe
        289⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Kedcml32.exe
        
        C:\Windows\system32\Kedcml32.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2932
        
        C:\Windows\SysWOW64\Lomqmoob.exe
        
        C:\Windows\system32\Lomqmoob.exe
        291⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Mfchehla.exe
        
        C:\Windows\system32\Mfchehla.exe
        292⤵
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Mmmqbb32.exe
        
        C:\Windows\system32\Mmmqbb32.exe
        293⤵
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Ncnook32.exe
        
        C:\Windows\system32\Ncnook32.exe
        294⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Njhglelp.exe
        
        C:\Windows\system32\Njhglelp.exe
        295⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\Ocbhjjqn.exe
        
        C:\Windows\system32\Ocbhjjqn.exe
        296⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Oceepj32.exe
        
        C:\Windows\system32\Oceepj32.exe
        297⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4940
        
        C:\Windows\SysWOW64\Pcnhfi32.exe
        
        C:\Windows\system32\Pcnhfi32.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3044
        
        C:\Windows\SysWOW64\Pfmdbd32.exe
        
        C:\Windows\system32\Pfmdbd32.exe
        299⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Pdenghpi.exe
        
        C:\Windows\system32\Pdenghpi.exe
        300⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Pnkbdqpo.exe
        
        C:\Windows\system32\Pnkbdqpo.exe
        301⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\Pploli32.exe
        
        C:\Windows\system32\Pploli32.exe
        302⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Pffghc32.exe
        
        C:\Windows\system32\Pffghc32.exe
        303⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Pmpoemef.exe
        
        C:\Windows\system32\Pmpoemef.exe
        304⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\Qdjgbg32.exe
        
        C:\Windows\system32\Qdjgbg32.exe
        305⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1836
        
        C:\Windows\SysWOW64\Qpahghbg.exe
        
        C:\Windows\system32\Qpahghbg.exe
        306⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Qfkqcb32.exe
        
        C:\Windows\system32\Qfkqcb32.exe
        307⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Aapeakij.exe
        
        C:\Windows\system32\Aapeakij.exe
        308⤵
        
        PID:676
        
        C:\Windows\SysWOW64\Akiijq32.exe
        
        C:\Windows\system32\Akiijq32.exe
        309⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Apeabg32.exe
        
        C:\Windows\system32\Apeabg32.exe
        310⤵
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Agbgda32.exe
        
        C:\Windows\system32\Agbgda32.exe
        311⤵
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Amloakki.exe
        
        C:\Windows\system32\Amloakki.exe
        312⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\Adfgne32.exe
        
        C:\Windows\system32\Adfgne32.exe
        313⤵
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Amnlfk32.exe
        
        C:\Windows\system32\Amnlfk32.exe
        314⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Adhdcepc.exe
        
        C:\Windows\system32\Adhdcepc.exe
        315⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Bonhqnpi.exe
        
        C:\Windows\system32\Bonhqnpi.exe
        316⤵
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Bdjqienq.exe
        
        C:\Windows\system32\Bdjqienq.exe
        317⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Bpaanfce.exe
        
        C:\Windows\system32\Bpaanfce.exe
        318⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Bgkijp32.exe
        
        C:\Windows\system32\Bgkijp32.exe
        319⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\Bmeagjbo.exe
        
        C:\Windows\system32\Bmeagjbo.exe
        320⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Bdojdd32.exe
        
        C:\Windows\system32\Bdojdd32.exe
        321⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Bgnfpp32.exe
        
        C:\Windows\system32\Bgnfpp32.exe
        322⤵
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\Bdagidhi.exe
        
        C:\Windows\system32\Bdagidhi.exe
        323⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Baegchgb.exe
        
        C:\Windows\system32\Baegchgb.exe
        324⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Bhpopb32.exe
        
        C:\Windows\system32\Bhpopb32.exe
        325⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1300
        
        C:\Windows\SysWOW64\Cponodge.exe
        
        C:\Windows\system32\Cponodge.exe
        326⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\Ckealm32.exe
        
        C:\Windows\system32\Ckealm32.exe
        327⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Cglbanmo.exe
        
        C:\Windows\system32\Cglbanmo.exe
        328⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Cpdgjc32.exe
        
        C:\Windows\system32\Cpdgjc32.exe
        329⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Cgnogmkl.exe
        
        C:\Windows\system32\Cgnogmkl.exe
        330⤵
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\Dnhgcgbi.exe
        
        C:\Windows\system32\Dnhgcgbi.exe
        331⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\Ddbppa32.exe
        
        C:\Windows\system32\Ddbppa32.exe
        332⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Dklhmlac.exe
        
        C:\Windows\system32\Dklhmlac.exe
        333⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\Dqipeboj.exe
        
        C:\Windows\system32\Dqipeboj.exe
        334⤵
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Dojqcjgi.exe
        
        C:\Windows\system32\Dojqcjgi.exe
        335⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Dqkmkb32.exe
        
        C:\Windows\system32\Dqkmkb32.exe
        336⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Dgeegled.exe
        
        C:\Windows\system32\Dgeegled.exe
        337⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Dnondf32.exe
        
        C:\Windows\system32\Dnondf32.exe
        338⤵
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Ddifaqcn.exe
        
        C:\Windows\system32\Ddifaqcn.exe
        339⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Doojni32.exe
        
        C:\Windows\system32\Doojni32.exe
        340⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Egjobl32.exe
        
        C:\Windows\system32\Egjobl32.exe
        341⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Ebocpd32.exe
        
        C:\Windows\system32\Ebocpd32.exe
        342⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Ebiffc32.exe
        
        C:\Windows\system32\Ebiffc32.exe
        343⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Fomfpg32.exe
        
        C:\Windows\system32\Fomfpg32.exe
        344⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Fdiohnek.exe
        
        C:\Windows\system32\Fdiohnek.exe
        345⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Foocegea.exe
        
        C:\Windows\system32\Foocegea.exe
        346⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Felkmnci.exe
        
        C:\Windows\system32\Felkmnci.exe
        347⤵
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Foapkfco.exe
        
        C:\Windows\system32\Foapkfco.exe
        348⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Giqjdk32.exe
        
        C:\Windows\system32\Giqjdk32.exe
        349⤵
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Gicgjk32.exe
        
        C:\Windows\system32\Gicgjk32.exe
        350⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6392
        
        C:\Windows\SysWOW64\Gpmofe32.exe
        
        C:\Windows\system32\Gpmofe32.exe
        351⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Ganlnmop.exe
        
        C:\Windows\system32\Ganlnmop.exe
        352⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Hngebq32.exe
        
        C:\Windows\system32\Hngebq32.exe
        353⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Hiljpi32.exe
        
        C:\Windows\system32\Hiljpi32.exe
        354⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Hagodlge.exe
        
        C:\Windows\system32\Hagodlge.exe
        355⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6612
        
        C:\Windows\SysWOW64\Ieagfh32.exe
        
        C:\Windows\system32\Ieagfh32.exe
        356⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Ipgkcabd.exe
        
        C:\Windows\system32\Ipgkcabd.exe
        357⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Iahgki32.exe
        
        C:\Windows\system32\Iahgki32.exe
        358⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Ihbphcpo.exe
        
        C:\Windows\system32\Ihbphcpo.exe
        359⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Jbgdelpe.exe
        
        C:\Windows\system32\Jbgdelpe.exe
        360⤵
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Jlphnbfe.exe
        
        C:\Windows\system32\Jlphnbfe.exe
        361⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Jemfbgiq.exe
        
        C:\Windows\system32\Jemfbgiq.exe
        362⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Jpbjophf.exe
        
        C:\Windows\system32\Jpbjophf.exe
        363⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Jacggh32.exe
        
        C:\Windows\system32\Jacggh32.exe
        364⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Kedlbf32.exe
        
        C:\Windows\system32\Kedlbf32.exe
        365⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Klndopje.exe
        
        C:\Windows\system32\Klndopje.exe
        366⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Kchmljab.exe
        
        C:\Windows\system32\Kchmljab.exe
        367⤵
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Klpaep32.exe
        
        C:\Windows\system32\Klpaep32.exe
        368⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Keifneoc.exe
        
        C:\Windows\system32\Keifneoc.exe
        369⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Kpnjknni.exe
        
        C:\Windows\system32\Kpnjknni.exe
        370⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Kifodcej.exe
        
        C:\Windows\system32\Kifodcej.exe
        371⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Lcocmi32.exe
        
        C:\Windows\system32\Lcocmi32.exe
        372⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Lhnhkpgo.exe
        
        C:\Windows\system32\Lhnhkpgo.exe
        373⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Lcclhhge.exe
        
        C:\Windows\system32\Lcclhhge.exe
        374⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Ljnddb32.exe
        
        C:\Windows\system32\Ljnddb32.exe
        375⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6688
        
        C:\Windows\SysWOW64\Lcfimheb.exe
        
        C:\Windows\system32\Lcfimheb.exe
        376⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Lchfch32.exe
        
        C:\Windows\system32\Lchfch32.exe
        377⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Lhenko32.exe
        
        C:\Windows\system32\Lhenko32.exe
        378⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Mjdkeaij.exe
        
        C:\Windows\system32\Mjdkeaij.exe
        379⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Mcmongoj.exe
        
        C:\Windows\system32\Mcmongoj.exe
        380⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Mjggka32.exe
        
        C:\Windows\system32\Mjggka32.exe
        381⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Mpapgknd.exe
        
        C:\Windows\system32\Mpapgknd.exe
        382⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Mcolcgmh.exe
        
        C:\Windows\system32\Mcolcgmh.exe
        383⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Nbkoeb32.exe
        
        C:\Windows\system32\Nbkoeb32.exe
        384⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Nfihkq32.exe
        
        C:\Windows\system32\Nfihkq32.exe
        385⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Nmcphkik.exe
        
        C:\Windows\system32\Nmcphkik.exe
        386⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Obgoaq32.exe
        
        C:\Windows\system32\Obgoaq32.exe
        387⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Oicccj32.exe
        
        C:\Windows\system32\Oicccj32.exe
        388⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6656
        
        C:\Windows\SysWOW64\Pflmhnbi.exe
        
        C:\Windows\system32\Pflmhnbi.exe
        389⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Piapehkd.exe
        
        C:\Windows\system32\Piapehkd.exe
        390⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Qfepnmjn.exe
        
        C:\Windows\system32\Qfepnmjn.exe
        391⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Qblacnob.exe
        
        C:\Windows\system32\Qblacnob.exe
        392⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Aplahpdo.exe
        
        C:\Windows\system32\Aplahpdo.exe
        393⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Babccb32.exe
        
        C:\Windows\system32\Babccb32.exe
        394⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Baephacf.exe
        
        C:\Windows\system32\Baephacf.exe
        395⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Cmlamb32.exe
        
        C:\Windows\system32\Cmlamb32.exe
        396⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Ckpagg32.exe
        
        C:\Windows\system32\Ckpagg32.exe
        397⤵
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\Cckfkiep.exe
        
        C:\Windows\system32\Cckfkiep.exe
        398⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Ccmcaicm.exe
        
        C:\Windows\system32\Ccmcaicm.exe
        399⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Cdmokljp.exe
        
        C:\Windows\system32\Cdmokljp.exe
        400⤵
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Ckfggf32.exe
        
        C:\Windows\system32\Ckfggf32.exe
        401⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Dkkabeng.exe
        
        C:\Windows\system32\Dkkabeng.exe
        402⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Daeioo32.exe
        
        C:\Windows\system32\Daeioo32.exe
        403⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Dcffggkb.exe
        
        C:\Windows\system32\Dcffggkb.exe
        404⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Diqnda32.exe
        
        C:\Windows\system32\Diqnda32.exe
        405⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Dpjfqljl.exe
        
        C:\Windows\system32\Dpjfqljl.exe
        406⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Dkpjnd32.exe
        
        C:\Windows\system32\Dkpjnd32.exe
        407⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Dajbjoao.exe
        
        C:\Windows\system32\Dajbjoao.exe
        408⤵
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Dggkbeof.exe
        
        C:\Windows\system32\Dggkbeof.exe
        409⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Djegoanj.exe
        
        C:\Windows\system32\Djegoanj.exe
        410⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\Ealopnol.exe
        
        C:\Windows\system32\Ealopnol.exe
        411⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\Ekddidel.exe
        
        C:\Windows\system32\Ekddidel.exe
        412⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Egkdne32.exe
        
        C:\Windows\system32\Egkdne32.exe
        413⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Enemjobn.exe
        
        C:\Windows\system32\Enemjobn.exe
        414⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Egnacd32.exe
        
        C:\Windows\system32\Egnacd32.exe
        415⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Enhipo32.exe
        
        C:\Windows\system32\Enhipo32.exe
        416⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Epfflj32.exe
        
        C:\Windows\system32\Epfflj32.exe
        417⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Egpnidgk.exe
        
        C:\Windows\system32\Egpnidgk.exe
        418⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6876
        
        C:\Windows\SysWOW64\Enjfen32.exe
        
        C:\Windows\system32\Enjfen32.exe
        419⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2368
        
        C:\Windows\SysWOW64\Ecgone32.exe
        
        C:\Windows\system32\Ecgone32.exe
        420⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Faholm32.exe
        
        C:\Windows\system32\Faholm32.exe
        421⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Hebcjdkb.exe
        
        C:\Windows\system32\Hebcjdkb.exe
        422⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Hjolck32.exe
        
        C:\Windows\system32\Hjolck32.exe
        423⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2964
        
        C:\Windows\SysWOW64\Indkih32.exe
        
        C:\Windows\system32\Indkih32.exe
        424⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Jldkokod.exe
        
        C:\Windows\system32\Jldkokod.exe
        425⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\Jelogq32.exe
        
        C:\Windows\system32\Jelogq32.exe
        426⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Jlfhdk32.exe
        
        C:\Windows\system32\Jlfhdk32.exe
        427⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\Kkkdegaj.exe
        
        C:\Windows\system32\Kkkdegaj.exe
        428⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Klkaojhl.exe
        
        C:\Windows\system32\Klkaojhl.exe
        429⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Kkpnqf32.exe
        
        C:\Windows\system32\Kkpnqf32.exe
        430⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3556
        
        C:\Windows\SysWOW64\Kbgfad32.exe
        
        C:\Windows\system32\Kbgfad32.exe
        431⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Kdhbilde.exe
        
        C:\Windows\system32\Kdhbilde.exe
        432⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Kkbkffka.exe
        
        C:\Windows\system32\Kkbkffka.exe
        433⤵
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Kehocokh.exe
        
        C:\Windows\system32\Kehocokh.exe
        434⤵
        
        PID:396
        
        C:\Windows\SysWOW64\Klbgpi32.exe
        
        C:\Windows\system32\Klbgpi32.exe
        435⤵
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Kopcld32.exe
        
        C:\Windows\system32\Kopcld32.exe
        436⤵
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Ldmldk32.exe
        
        C:\Windows\system32\Ldmldk32.exe
        437⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Llddei32.exe
        
        C:\Windows\system32\Llddei32.exe
        438⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Lbnlbc32.exe
        
        C:\Windows\system32\Lbnlbc32.exe
        439⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3832
        
        C:\Windows\SysWOW64\Ldpijknm.exe
        
        C:\Windows\system32\Ldpijknm.exe
        440⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6252
        
        C:\Windows\SysWOW64\Loemgdmc.exe
        
        C:\Windows\system32\Loemgdmc.exe
        441⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Llimqhll.exe
        
        C:\Windows\system32\Llimqhll.exe
        442⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Lojfbc32.exe
        
        C:\Windows\system32\Lojfbc32.exe
        443⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\Ofmjlj32.exe
        
        C:\Windows\system32\Ofmjlj32.exe
        444⤵
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Okjcdq32.exe
        
        C:\Windows\system32\Okjcdq32.exe
        445⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4292
        
        C:\Windows\SysWOW64\Ofgmbh32.exe
        
        C:\Windows\system32\Ofgmbh32.exe
        446⤵
        
        PID:872
        
        C:\Windows\SysWOW64\Omqeobjo.exe
        
        C:\Windows\system32\Omqeobjo.exe
        447⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1884
        
        C:\Windows\SysWOW64\Pcknlmal.exe
        
        C:\Windows\system32\Pcknlmal.exe
        448⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Pfbmnf32.exe
        
        C:\Windows\system32\Pfbmnf32.exe
        449⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\Qcijmjel.exe
        
        C:\Windows\system32\Qcijmjel.exe
        450⤵
        
        PID:568
        
        C:\Windows\SysWOW64\Aeoppbge.exe
        
        C:\Windows\system32\Aeoppbge.exe
        451⤵
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Bldghjdd.exe
        
        C:\Windows\system32\Bldghjdd.exe
        452⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Bbnped32.exe
        
        C:\Windows\system32\Bbnped32.exe
        453⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Bpbpoi32.exe
        
        C:\Windows\system32\Bpbpoi32.exe
        454⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\Beoigphb.exe
        
        C:\Windows\system32\Beoigphb.exe
        455⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Bliacj32.exe
        
        C:\Windows\system32\Bliacj32.exe
        456⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Bfoeqb32.exe
        
        C:\Windows\system32\Bfoeqb32.exe
        457⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\Cmhmmmgb.exe
        
        C:\Windows\system32\Cmhmmmgb.exe
        458⤵
        
        PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aiimejap.exe

Filesize
55KB

MD5
73667636fa893e6f0b11c9b2cad8ef79

SHA1
59efd1705ac4a95b504853f55eb1507c13da7e35

SHA256
a40f7d1e791a25728f26d6919b770f34bf978a2ca0a8792fbfcf3ddf01637f32

SHA512
f756d6d06c6b48a9f83da1059337308e9e4077f44f3a72c6722bb1b4e44980dbc22b0154085cc2de23b568c70a45504aa86fdee628e6e6ed851d521c4de28039

Download Submit
C:\Windows\SysWOW64\Akmjdpac.exe

Filesize
55KB

MD5
9e2eff12ad8b02f4340e9c18b2977d97

SHA1
08ec59834be643bdec4286844bd44d146894fd96

SHA256
fe19c0a7dabb560e41ef3bfaa9365f824e75739ed3ad136eaecaa2d31120b796

SHA512
48988bdf66d152c9a9cfa6f40d40962dc828cf56f21be534b8905ed18d34256dbb37ecaee836d72b995d38ca1c01e4285ce52abbd1a61b712c360ccc6c892786

Download Submit
C:\Windows\SysWOW64\Bgmnooom.exe

Filesize
55KB

MD5
1962e5f6f7fad5ecf9eada91e8c6bec8

SHA1
448331ffe1896d9fabfb9a35e86966abce4e92c8

SHA256
1963ed9e42cf17c8756cc6a1964cd78fce58e8dbd9f5ae64b028bce854928e8f

SHA512
868390010ac425ecd73fb1f2d9ff3e636b33b50282a168e61ccaa6e8e297c47ca07acf82f4c2fd9ba8b4f584f5e535b8cca32f24004c8404eee90ba850c1453d

Download Submit
C:\Windows\SysWOW64\Bnppkj32.exe

Filesize
55KB

MD5
dd3bf28981135310dadee1828e11f808

SHA1
ff17e3efb6b09220902df6cd027d13de348ea9c7

SHA256
396550566d547ebb1e7f33c108cb6a9ee738b3ca35afa705b8bd87e7ae91ba97

SHA512
4a84cadb82d686952ac6ed1958855a54d7c33cf973e6f4b2213bc2af7b15e3693f893fde73e309fca3c616cfba86c1d2f09bb59988d883f97c7ea4584b071a4c

Download Submit
C:\Windows\SysWOW64\Bpfcelml.exe

Filesize
55KB

MD5
708d8255273fa26299d905c77500c60a

SHA1
ccc227b03b5783224f2df782fcf3aaa84a76b873

SHA256
c3e548d2f74135eed1eb317959d1a37a09346ae83f491eee2874bec2e6063a93

SHA512
989577c31c5339a7509cf7814611b5eb4400eb5d3959ba6ad41ac00ee9775f6da595622bfef60ed04c3448cdefa0faf0e15a560a4c0f560cd2148580453724bf

Download Submit
C:\Windows\SysWOW64\Cfjnhe32.exe

Filesize
55KB

MD5
7a7dac3899b58106c7ae927fa94d9256

SHA1
2b3b7e25ad7ffcab7ac7bdddc9b44bade8eace5f

SHA256
b1dee95d8265611238d37c2c8205a2de5288c1a60ba7d53e59b4d582dc374730

SHA512
1f042a7fd599fd17c77fb3dda609ad2b3d8b1851b1ffe62d5044454427232d4a6e392478c06be576db5ecb91f4f54ba3628b0e2795c1069e461a9e3bd8317691

Download Submit
C:\Windows\SysWOW64\Dlicflic.exe

Filesize
55KB

MD5
ff6f958ef438b1fc4fdabe03bad7a302

SHA1
7ebec97be0cb15e6aa933defe827e2ce7eefa754

SHA256
099a78cf547a79e3a63620bf06fb91035c440a87beaedae4b5ed9c20754536bc

SHA512
9f64e2667f6cbe5ec7c2503802b4d7a54a1d61e574ed8714994c7bf4fd37713618ec7e5a37cd1cc0caeb9a83af6ebb2a83f1a45f01b8397bc39016b4d827f7b8

Download Submit
C:\Windows\SysWOW64\Dpnbmi32.exe

Filesize
55KB

MD5
641daaccbf00052c91e286916103543f

SHA1
c5f4c613b7ba2820ef46e7b963fabace2a008d35

SHA256
5f86dc0bb472f341a7e093886fe6ed23182bac287c251e29773c9be9b5b66430

SHA512
a16e3a8d91d25f170e0a203773110300560d266efc6b9796bf8d4d7d46036b8220435d6eb8f3f9b0605c8dc8c1987b3362f7b614271f7d9224316391a22ac8a1

Download Submit
C:\Windows\SysWOW64\Ehifak32.exe

Filesize
55KB

MD5
a81334f9f378818144e8cd35317acbac

SHA1
51734f114c6428dc5cc5da42e3fd7d9bbbbc908e

SHA256
f299333577fc57b2ea4e226e28f69557d41f4f5449f27afa84ad48210bef0233

SHA512
1fb7c0926271329bb5c16838eed921cad39021dfa36eb3603ec2b7214e0648e3f21e402953672fe7bee1b08380d43c35ae886293dfe8fc8bd3edbd84b18bf7b2

Download Submit
C:\Windows\SysWOW64\Eilomd32.exe

Filesize
55KB

MD5
1bf2024ee0d06a61b108e65a3c5735d7

SHA1
1de3793a73d4cbd31fdfc1d4a19151c58c06644f

SHA256
eddc88466e5e2e25f432c346b57ad4b43fb9173aa963716bde769806226fb389

SHA512
5dacafa4e104ae71a3107187d8a1b35dd4c5280066079bcbce571d9b1bc8327dbaedda772e7e7231e1f7e34b539e205987abb0d477dac955f4e604f031f40465

Download Submit
C:\Windows\SysWOW64\Eojeodga.exe

Filesize
55KB

MD5
ed3453cb2799689206da89f492e4d083

SHA1
6d08ae538421a4ce3e1689d0cef95deb69d5aa30

SHA256
b16f31a8f3388035f8521b8be39f40baa49317fa190a723933b8eddf9abb8e72

SHA512
e1d3f7ff67408bfc5457035742f39a696ae65c86e74a8af074ce0db29f904b1138fadbc188e02b6fc67cd3ac459f6f794335f517579b3133810eaca0e3d15557

Download Submit
C:\Windows\SysWOW64\Felkmnci.exe

Filesize
55KB

MD5
ae6ad151de02e34b8693019d2f2cca35

SHA1
d4e527930b16280c5a5399ffd7499f305f9b3567

SHA256
0a16418fab746760f971b90b256ee65cf8a47b09223129db5461784e929ef5e1

SHA512
ced1468caffb2e66528b1d934bebefe6579748a152fb274be300dcaaacb31d15a8b7f831f8bc24a03d748e33f8b1603f08ef13b6aba9c0a28c4a85bd3f51caac

Download Submit
C:\Windows\SysWOW64\Fhiphi32.exe

Filesize
55KB

MD5
fdeb2cd6242d69bebc2ec0c877c0268f

SHA1
3551cefe790baa0ea80459e81c6a4e7f6cb926c2

SHA256
a08cdc0fff78785eea25bdc7481ac2111495615cbb61df1ec081bd02c6e69345

SHA512
a9caea74f7756eb8d36e9cb8ae1caf0761bfdd74e82dff0e3659d88027883baa091f4277a2c0f10e6975b649b6d4e288c0a0938f999dada9c3889c7611ba14c0

Download Submit
C:\Windows\SysWOW64\Fplnogmb.exe

Filesize
55KB

MD5
84529262e0adc2ad58ef48f29c918551

SHA1
fd2dc521b93305bfd1b1a0824818f8a560cb1b43

SHA256
d4481c6606756616d6a662f6be3be3b3a22623965f16d6efb9cd08f844cf2fb5

SHA512
ec25c366d86082a31bc271fd2859ec74b3c6e21ee932c2dba33724aa79b1d8c128245d81d0e43d124c57dcc12933ebaf8cd24377ece0eb140cfd7bc2f067757f

Download Submit
C:\Windows\SysWOW64\Galfhpmf.exe

Filesize
55KB

MD5
bef152e2c5ee59c93cafad5fe32cd638

SHA1
3597abae60d85d5c8c106ff79ebda6c403fdd113

SHA256
7645d8507984869c21be401e635be1f3e08897761d4c9a835e9a0a0633a6ecab

SHA512
b274328eaf3e427e6e1aeb2ca4643b196bc1210418f02167b2be933b848abf949b9306f7c8cff6fb662cc1c4849c0aefbaf6c54d4f15b56abe418b4ffa9270d3

Download Submit
C:\Windows\SysWOW64\Gicgjk32.exe

Filesize
55KB

MD5
2a278ca687ce6e95a0ac24b701835d18

SHA1
794057e8057c78c3d009d3d330dc4ed4c0dd5f0e

SHA256
147d5f2bf88f251b74e04229652b7c50c1282a7d80e7dd535edc87c44d4934db

SHA512
65e58eb4c22b50ceaf7d124820995f2700d5f562d3d05d3e381e58b879f1763b75402e62af909c21508b33be8e41aa04118bf6b98d4da15b2c448a898eb00503

Download Submit
C:\Windows\SysWOW64\Hhckeeam.exe

Filesize
55KB

MD5
d0b5eeddc96aa4e15f3cb13d4b83e818

SHA1
5e21f4bcb5bd2ff161af8eb701b567dbde3e5c9e

SHA256
a3d9b0619d2377b340842122f2afaa4fc2975169c7ee586cd697a9a5253fa790

SHA512
f0e97020ee7e83b87180ecf8682ae1cdc4b52445d5e42a5adb9307244c7a2c2d6a1002c5946f056c67e7be267fdfe6529bffb9e32d370ed6ac08aee07cb7a349

Download Submit
C:\Windows\SysWOW64\Hjbhph32.exe

Filesize
55KB

MD5
8033d55a5ef1a7368042575638498371

SHA1
0e33d4a8583744cf24412c744840c2e8f20efcb0

SHA256
cc5a0d502f829364339015248e595ca06081a26807c63cba881ab50d3972d96a

SHA512
aab8e1cdc92f3cd0ac0344c63715dbc13236a32cff96744e54b71d57724d22d09eeb1068d916aa77d6b6e96101fe5181cedaf13981e17a18cd8309accf890d8c

Download Submit
C:\Windows\SysWOW64\Hkodak32.exe

Filesize
55KB

MD5
586a303d111deebbf4f4e9546fcdccf1

SHA1
ddc41f8064c7f92a77d7fa5f2eef3a3fe286006f

SHA256
e711e30d4bb48819bf15065aa94402a9333b33dd09f7a6f9036355d8eef101cf

SHA512
20dd0db909d3fe2b320567cf2575aee5b2e1b295b8c67d3b06023065e15ef231e25705cf690df0019bb4a68355f364a159809ee9337d0884eb2946023b7d1f83

Download Submit
C:\Windows\SysWOW64\Icgbob32.exe

Filesize
55KB

MD5
5540e05d0fcb3cadd85741c7ee9b3d0d

SHA1
07157e483ccbe67cf5173a347727c2bc3f768938

SHA256
2f9088de4da62834f64c128fc1d0c887f7286389bccb832b8caae211a0ccae9a

SHA512
325dfa334df2727522cc4ca8590b59aace8e95444b9b9d11c25fe1a8c04e58d87455a78808bffae5a06a6eb3e7194716d33c6804cdd40eda63b8ba71927a6e56

Download Submit
C:\Windows\SysWOW64\Ihheqd32.exe

Filesize
55KB

MD5
b49236722bd23574fb67e96c6f538acf

SHA1
234fa82ba75a001b996f25d0c95528d2c765f745

SHA256
2d512fe27d667439e38da2a21373a9976fb75c4319af025b874eae65ae791f85

SHA512
a90631704e0c26c3481a42c0562eccdc1ec9d9b7f796c4bce38bb954d504f14c7c999ef5229e7ee4de1292df8ed9e671ed47350d9d772a46b2ab3a432522fced

Download Submit
C:\Windows\SysWOW64\Ijjnpg32.exe

Filesize
55KB

MD5
5ea827920024579a8b5a7ddd5e6eef34

SHA1
f176df1f3e4fb12e446ce527da8cb9f3815a8698

SHA256
342f4cb9836e43fba6b7f6ffe829acafe509222df78964c1dcd31565029187c9

SHA512
43202c711ae49306da7b58a86b039d20f9da4c9224c27bd75e5d62daa8cf3375c8cc227588e1001c966e8651459427d6f6c49712517af02d07f7a0f79f04b078

Download Submit
C:\Windows\SysWOW64\Ijngkf32.exe

Filesize
55KB

MD5
460f1b8df8f34b5b7c3f0d47ed40c451

SHA1
3bfc346706c9d0251e4df2d9be339ec5926f023e

SHA256
fef7eb26a1ff22d822671fee3f539eae39f8b5c455a447dc2441c2bc01c5a51c

SHA512
d2caedb352e727abb7a7dbc48e8fbe25088f22641e6689f5c116ce4a2f0f7b86f89436cf0efbd567dc36a5d2860a87dafbda61a00e249010ab8de345063f091d

Download Submit
C:\Windows\SysWOW64\Jmffnq32.exe

Filesize
55KB

MD5
777d9162c028eb75e9d07c3c4bec7001

SHA1
3f6c3ef39f036a59a2462771c0106e2af9d18e57

SHA256
e10e9273b0f707350dd0e567a944bb3a3d987b9e3cf0b8ceb7b9e0e5380968fd

SHA512
8ea28092a9f3943490c386d1e22d6b719a0245324f2a480d39f3e4fbd1ffae42c29940048e4b9800e133dcc2cca5432219d74b0a557a97c32847f75e8ac46df2

Download Submit
C:\Windows\SysWOW64\Jogeia32.exe

Filesize
55KB

MD5
fad67d07438436125f308626cd9245bf

SHA1
5ddf7b09236e8809fbe3d90b955c0a0ef37252df

SHA256
856739f9868bb98519075984fc3e0cda4c45f87ede686361ff4988e7ba38ddc8

SHA512
45c410d825765a58aac5022e752bcd37b4f8948930d47b15f8e559cb6cd26d2d16b0d033705f908178e0a68cc3399b8c9447409ef19d3bce404e2302cb810f43

Download Submit
C:\Windows\SysWOW64\Kcfiof32.exe

Filesize
55KB

MD5
34d385281fbefad865bc58886a1e6f21

SHA1
f76b5659d82c2e3e27107c68f69f2b31c0ec6c67

SHA256
60af42c64905fbcc14a456b9fa2787eb0bbba708102b4f611e6f022b7efb96b6

SHA512
af3eae67b0b644f34295ae6d44d89ed2f006f02689953c4431bc08ef50cb180d031c303580fc6f17b90bccda2d7e2852ce0cb0671d4dfdeb9b541dabc64ff47b

Download Submit
C:\Windows\SysWOW64\Kfhnme32.exe

Filesize
55KB

MD5
5c85f4886bebd723477c8dabce67ac0d

SHA1
68f404cea14124e91ab15fe7e0a34b151ba28494

SHA256
1db2c2a8a3e4a03166109cddb0c06e09270231743de44ff048657aac43413789

SHA512
665b1239e0ecd0139787b1e3a0df5b22d2a67b9818fe5479b9942245a8a42e94195882f96a1a47197bb7106981da0d99a9282a5d77bb1f76a67cced693f910cf

Download Submit
C:\Windows\SysWOW64\Kfjjbd32.exe

Filesize
55KB

MD5
b155705f1b0515e8594b30186177c518

SHA1
cf35b7dba3eb5b75231a291c736dd543705c1f79

SHA256
70c08f481b2a925c8e8493b2d95a40392732b6030eca39d0cc4c3da0821d5cc0

SHA512
5dac7d839211e630ab3c1533182e2059f62ace48a85d01ca2d75bd3bd9cd5e406b3c31544028efb82763c24299dec68ae5f38bf0e78a5d43c5dd6d78bd40cefd

Download Submit
C:\Windows\SysWOW64\Kmbmdeoj.exe

Filesize
55KB

MD5
cb9e3bf79c6c0c337b3665f31141a226

SHA1
d725c546b4595dc17770128e6c6882958cfcb024

SHA256
de6d5adc1706d02020b1b9a907ea277632bc2440fa3fbdf327b946d42637cc62

SHA512
cf7571da1191d97fc0857b81eaeedf19e987fde38c3a20762d3996fdff2081947893554f5ae6fe6188e281d7639fee2cc3b058960e2e8d4d5b418dd5adfcc542

Download Submit
C:\Windows\SysWOW64\Kmpido32.exe

Filesize
55KB

MD5
efd3b22248f666a025d33dbf55753acc

SHA1
26e394dd10b61c6369603cf9e1dda1aed96d3219

SHA256
0b67a4906b5f084d8d7ec0ee70febb157b55952c87ef7cb23904088c8f729870

SHA512
880b876a609237ad527d5a5fe4bf8c4f431896be8ba639c99beae051ddf8603dbad1791bf30d3ef43f1eec11e435938ecda87e92ed60e72180cc9cca6eeb8b08

Download Submit
C:\Windows\SysWOW64\Kpilekqj.exe

Filesize
55KB

MD5
3d65edaf510ff7ee8045b3f3543fde54

SHA1
37b48ae992d071633dbd19405bd154915c2cdabb

SHA256
6bb93521212bc967ee75d219c062620c24b848aa9c7a69215addd3fb6d940faa

SHA512
a5dbe2bc459544cb8c69703ae5ec43c0714856388d42cf2dbd2691f1beae448d8825d65da03008c3dd345421e28f16d4cb821dd10197d100c4692e8e43906982

Download Submit
C:\Windows\SysWOW64\Lglcag32.exe

Filesize
55KB

MD5
2d08c53ed5c48f784201b1be91c3e51b

SHA1
1d2285b21e9f639885cb5ad5fe9cff034f371e6f

SHA256
bdeb684d06976990203607d1b642025b5bccad3203541a8702af0b884eccec50

SHA512
e15eb2693319a08d6437d720a77912ecfb2b1a21f5b41c0a57abd393e2f9411406c45674b0dfea3b4afd54cac90d11d16e0a7de77e2969b42922241141cd224d

Download Submit
C:\Windows\SysWOW64\Llpofd32.exe

Filesize
55KB

MD5
1dfc75936428341c8e024770deca5599

SHA1
2e126d3f67b37eb645ad0d9dd91e78d56bf760be

SHA256
1ea0cca4cf3fe66720027d7c43dc11b02b13ebff87f94763a473239ebf62057f

SHA512
272eff31581cd159883bb608ffe8938cdbea8d840498ad5d6089c630f9f22b2493cb35017e9cc90c5015207a788c8909af1406a7f7677b041517028af75f8d5c

Download Submit
C:\Windows\SysWOW64\Maehlqch.exe

Filesize
55KB

MD5
2969407df547917bcafc11558a512180

SHA1
115181305f43bcede948bfcf41a600527ffee829

SHA256
21e35a7a5685f22441ef4e40183579b0c085d02c47aa106e6604eb19595f10df

SHA512
ff225d26dac0a25cc906fd03867e764ec9222b0bfd2225d6c73ee1e6a5d05486073b61479fc20ff351df00cc4f1f2d0a4b03032bfe143c95c048eec9e9d1a706

Download Submit
C:\Windows\SysWOW64\Malnklgg.exe

Filesize
55KB

MD5
46e22b1aeb038b5fcb686cae1f136b36

SHA1
815358e36330332dbdc5e9d748e4e8647ebf0ada

SHA256
08e0191e3f50e8878432deca92ddc7b9344f80d75dd547c0610d342cf1dde23d

SHA512
209a26fb07c30f8283df19339d11fe80b199e06935c3a180b74e5ff3a61bd5bd9602c03eb5af442fc863081b405bf5567b20c83c654e1d64de1d6b794c8e3619

Download Submit
C:\Windows\SysWOW64\Mfmpob32.exe

Filesize
55KB

MD5
1004c0ad4298bf3563a2cb6a1842cfdc

SHA1
59661f107125a2e6d872029888b6fe3fce40fae0

SHA256
3451dd643459480c266205bb7819b01b9744dd1af99cc0f54ae0b99623f66c96

SHA512
1a14517e93561ac36cec7d7c22c21bd4f10750fec4a3366c2911156cd3f20988c6c24b3929841fdb0454bc05ca530ca84cd6f993d0bbde01aa9ceb87dfd72132

Download Submit
C:\Windows\SysWOW64\Mhoind32.exe

Filesize
55KB

MD5
6eda5a8b0260297e849620a60ba9f76f

SHA1
02e8bc5e34b40f2064c0c134c8a566e4fe68f9d6

SHA256
3e5e042bb5746d4eea3778acfd1837ff319d555a726fd0252fbb9516373da1e1

SHA512
bb2c921e3d0fdec36bc876dce370faa857ecca9d2dfebaef2fad862902de3bf7dc8ce432d67734bb2720d0d296cf9d7961f731dd73235875ca43000144ad3eff

Download Submit
C:\Windows\SysWOW64\Mkicjgnn.exe

Filesize
55KB

MD5
c98b12586aba44e82fe76d2d4a1e1511

SHA1
e7439cf944ce6b7e5511e22ba824343ee9e7a637

SHA256
800dccc989d72cdb42fb660cb606e1f6e036a162a0117915cd3e1e16e88428c4

SHA512
7375d2c9bc684ec7d224eb58c1931e85f1b4f6c2e13e684b7ea9d1414c10ada1649aff822e457ba31b6553f68ace9fca834c0d597976ec29738d9f297ea9e76e

Download Submit
C:\Windows\SysWOW64\Nhcbidcd.exe

Filesize
55KB

MD5
a0b2c4c684713435ff6bb29faa8ac386

SHA1
0131c8b6d065d745c1077c1c72d69e5f88a8b4fd

SHA256
5de0b366e9646ae6d4de649396370e40a8c93cde2c7f3ec128b3634f68b6f446

SHA512
d11c926f8c266efe9b7645756894f91bc00e01b5f6633f1b21eb68eaddcff09e79412639765ef79d4cec4d2d4ca78855684861516649d2e94980a83ee33bf8c7

Download Submit
C:\Windows\SysWOW64\Njmopj32.exe

Filesize
55KB

MD5
30f9878c084a3b7d6dbf0b22c27a659c

SHA1
8d69346e77f05b8137329e52ba69ebe44be14815

SHA256
f143986ce47a48311d07906932aea74aa864659cd2e8a964beb1c0df7c313ca9

SHA512
aee7a11908ff7c01bdc0089997a0db05ddcd73581b2eea2b51e560cec149068f9abe1bc7d5f6dc9612167e55807e87a53f1abdf222f2a40feff0a27b49a80f7f

Download Submit
C:\Windows\SysWOW64\Oahnhncc.exe

Filesize
55KB

MD5
722f38d02a2cebef9d5b2f857d92c52a

SHA1
abe2c3a55a8ae3db6263a2c00f7b4fec60b90d5d

SHA256
988f0365435f1a6c2e9624d1efde34523ba311b0707a9344cbcfdbf4a9583cfe

SHA512
aff655fe71b3f8400e90f384b85de9a57ee6ddace87af469d7fa099f5685a5e18756b9d5c986b1cf01020a7307592f6fde16d26de94d2f01e348fda26871df7f

Download Submit
C:\Windows\SysWOW64\Odnfonag.exe

Filesize
55KB

MD5
b5d0c39eeb69e862e20abaf945fb7b65

SHA1
e63203b77cb3882a40c1aaae68103e2fddb10fa8

SHA256
9a54eafa02c30e9f352f19d2573ce8e8c6bfac558ff9be661b7904b10c982ef1

SHA512
9da99bd66ff9ba4c6ffd9525930795db26aaf871cc3226825c59709736a793a31ee544dcc5a218e325828af426bc0ce96d50ddc21785ef82e3ce3032c943c7b1

Download Submit
C:\Windows\SysWOW64\Ojdnbj32.exe

Filesize
55KB

MD5
048bc28b5b5e2a585bfb245fa0e24343

SHA1
a03eb81ef67fa1e3fa90a9eec23bef302a33faa2

SHA256
a1ecffb0aea47e41460e53ac637b0760c4d08170deb3e1dffbc5d04e8687abc3

SHA512
72e3d9f334cee1a04d288dedf29fd72feca698ea47741edc17fd2d418f3e98f356080e823171fca00c50da4df413cc1283c16da6d6ae98144d7508ac725e35b8

Download Submit
C:\Windows\SysWOW64\Pbmffi32.exe

Filesize
55KB

MD5
e8fe1de525afca8761f6180fbeb29631

SHA1
2e16ba00643020b454f87e54f19140d546ecd914

SHA256
5942678f1cac7f429913ec3b959be3870cc665b673470486a04acb732a09463d

SHA512
a99c61802e3ce7fb53a0cf0b7ab5ebe8941e9be19a55cf39355360bb37fa02d55516ba341eb79077900597e2f33231fd6046a92b2c5b803c6d23f21f88129b27

Download Submit
C:\Windows\SysWOW64\Piapehkd.exe

Filesize
55KB

MD5
b52a1333e22e39c81a051fdee90c4d25

SHA1
a828f0043e19179e2b80d7b2f9f8b33cdfc62620

SHA256
302fdb05515081cce93445b974b902160217f93a5a6551a0da8d7e310a66bcb2

SHA512
e199d14a71c9d671cd571e50bb83a028b6d865e6a89a34bc66ee7963d148288128968f507fb58d1c5bf86999fe137d97d7149ceded2c8630136423fdeb6dbae4

Download Submit
C:\Windows\SysWOW64\Pjlnhi32.exe

Filesize
55KB

MD5
291d2815ff747bc6f6774e797ca8eb29

SHA1
920e1d20d9f696dc5c6a5973a16203fc71828c06

SHA256
9320799bd03cd262074ec99bd9fc3c1946b552118425d1d79edfba3cd1bd200b

SHA512
b7f89267c7c95349cf786e6b704a2fae244cbad18ce643e67a7623df66941ce3febbed8bad6bebb1a7d72bfd8d7e641c515130e672d6f47c298f4f91af315b71

Download Submit
C:\Windows\SysWOW64\Qdjgbg32.exe

Filesize
55KB

MD5
f71962d166a7cd73c49cd1a4e534ce4c

SHA1
707e059813824cf898859887500657b8d3d813f7

SHA256
abac608c4851a1e4264efe91fb245e3868d86ea05d1f2b11ddc5a5a775bba38f

SHA512
31a32258c587343aa6cdeba86e5d8616d98ccb09262cb0fb714f4b4008dac538b6e57d479fd173d6fb7e1c9bad24ca925179e4cb68ad73fee76cb092d6ec0792

Download Submit
C:\Windows\SysWOW64\Qoocnpag.exe

Filesize
55KB

MD5
9cb2a04b3c6a3eeb096434eef1ee6b12

SHA1
0862e5e628e54e327a7756fc1e296165e8f9aedc

SHA256
5f4fa7b5b30c231044b54e4b29ae344cd295a4e1b145fc2aa32fd9463c149cf1

SHA512
829ca935629a06baa69955bce56b9981d2263946d7f3493889976b0319ece7217bda3e3d2a400559e9029e291065aadef963ab04b2c44872cda5e63a17d15546

Download Submit
memory/324-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads