5d36e024079b34f5f5ab43381ec3e7beae83bc799142d1c968b061d77383e6fc

Analysis

max time kernel
138s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d36e024079b34f5f5ab43381ec3e7beae83bc799142d1c968b061d77383e6fc.exe
Size

412KB
MD5

713a6da42ac040a23f18459a5f78631a
SHA1

6457b000ca3493ddae029db793e812a702829bb4
SHA256

5d36e024079b34f5f5ab43381ec3e7beae83bc799142d1c968b061d77383e6fc
SHA512

3ae5cabe07bd14d84a24d739172403634cfd43efcb8ce8ee71268f80b3318648f4ae2104f7883314185c4e55f021a5d23dee39ecbb3be9c18dbf53fe7c185ccf
SSDEEP

6144:tJ7qvCdmyoBB5CMHP7RQmfMishe4Zgufq+cREyR/yfjoshaphaiB00:f7qvbCMHieikLB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akhaipei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioqohb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehcfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlgddkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agojdnng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddble32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oeamcmmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gojgkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geflne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akdfndpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhkgpjqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olpjii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkcdfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcabhido.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npgjbabk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kleiid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpjdiadb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqnfon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoapcood.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjcqffkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogmiepcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpmmfbfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbbjhini.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkqnjhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfeplh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbibeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bimoecio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcmcfeke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5d36e024079b34f5f5ab43381ec3e7beae83bc799142d1c968b061d77383e6fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gggfme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eohhie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieknpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpemjifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqpeaeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihicah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opiidhoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeofoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfhqkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okqbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mapgfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgbkgmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiajck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cohkinob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepmkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eennefib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cehdib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcaie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fceihh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmncif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfpidk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbklli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqbohocd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejnbdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hedhoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egnhcgeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpmmfbfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Facjlhil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oihkgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgdphm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picchg32.exe

Executes dropped EXE 64 IoCs

pid	Process
3516	Hgcmbj32.exe
708	Llimgb32.exe
2448	Lddble32.exe
4964	Ldfoad32.exe
3100	Mcabej32.exe
3396	Mkocol32.exe
2820	Ncjdki32.exe
3256	Nconfh32.exe
4772	Ohcmpn32.exe
4960	Omcbkl32.exe
4728	Pbbgicnd.exe
2348	Pfbmdabh.exe
5060	Aeffgkkp.exe
4456	Albkieqj.exe
4560	Bclppboi.exe
728	Cefoni32.exe
3688	Ciiaogon.exe
1964	Debnjgcp.exe
2944	Dbhlikpf.exe
1628	Eennefib.exe
4392	Emioab32.exe
2236	Egdqph32.exe
1216	Fdadpk32.exe
1096	Gggfme32.exe
5008	Hjoeoo32.exe
4412	Kmncif32.exe
568	Ldckan32.exe
3676	Mdokmm32.exe
3224	Nkgoke32.exe
1368	Naaghoik.exe
4672	Oeamcmmo.exe
1008	Okqbac32.exe
3800	Pfkpiled.exe
4892	Pfmlok32.exe
4368	Pfpidk32.exe
1436	Pgcbbc32.exe
1236	Qfilkj32.exe
4416	Aoapcood.exe
660	Akhaipei.exe
2516	Aohfdnil.exe
1948	Abipfifn.exe
3532	Bbklli32.exe
4220	Biedhclh.exe
4592	Bpdfpmoo.exe
4640	Bpfcelml.exe
3924	Cfbhhfbg.exe
5084	Cehdib32.exe
3776	Cihjeq32.exe
4784	Dlicflic.exe
3232	Dhdmfljb.exe
4800	Dpnbmi32.exe
4520	Eppobi32.exe
1020	Eohhie32.exe
4924	Epiaig32.exe
2640	Fgcjea32.exe
3180	Feifgnki.exe
1664	Igkadlcd.exe
4992	Jjcqffkm.exe
1516	Kaflio32.exe
752	Kfcdaehf.exe
1476	Kmbfiokn.exe
2980	Liifnp32.exe
1112	Lpbokjho.exe
1544	Lpelqj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eflmkg32.dll	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Jojgkahb.dll	Facjlhil.exe
File created	C:\Windows\SysWOW64\Jlcdjfpl.dll	Jgdphm32.exe
File created	C:\Windows\SysWOW64\Ocligb32.dll	Qnlkllcf.exe
File created	C:\Windows\SysWOW64\Ciipme32.dll	Kapclned.exe
File created	C:\Windows\SysWOW64\Bqbohocd.exe	Bqpbboeg.exe
File created	C:\Windows\SysWOW64\Mjehok32.exe	Mclpbqal.exe
File created	C:\Windows\SysWOW64\Kdbjbfjl.exe	Koeajo32.exe
File created	C:\Windows\SysWOW64\Pipqcn32.dll	Npkmcj32.exe
File created	C:\Windows\SysWOW64\Qlnfkgho.exe	Qfanbpjg.exe
File created	C:\Windows\SysWOW64\Dlfniafa.exe	Cpjdiadb.exe
File opened for modification	C:\Windows\SysWOW64\Pbbgicnd.exe	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Eihijk32.dll	Fbeeco32.exe
File opened for modification	C:\Windows\SysWOW64\Jibejb32.exe	Jbhmnhcm.exe
File opened for modification	C:\Windows\SysWOW64\Ncpelbap.exe	Mgdklb32.exe
File opened for modification	C:\Windows\SysWOW64\Lfodmdni.exe	Lpelqj32.exe
File created	C:\Windows\SysWOW64\Npcaie32.exe	Ndmpddfe.exe
File opened for modification	C:\Windows\SysWOW64\Fgcjea32.exe	Epiaig32.exe
File opened for modification	C:\Windows\SysWOW64\Bjeckojo.exe	Bnlfqngm.exe
File created	C:\Windows\SysWOW64\Eqlbnh32.dll	Ialhdh32.exe
File opened for modification	C:\Windows\SysWOW64\Fqjolfda.exe	Fbiooolb.exe
File created	C:\Windows\SysWOW64\Cjokai32.dll	Pbbgicnd.exe
File created	C:\Windows\SysWOW64\Ejglcq32.exe	Eejcki32.exe
File created	C:\Windows\SysWOW64\Jaodkk32.exe	Jlblcdpf.exe
File created	C:\Windows\SysWOW64\Agobcjka.dll	Pijiif32.exe
File created	C:\Windows\SysWOW64\Oennph32.dll	Qfilkj32.exe
File created	C:\Windows\SysWOW64\Bpfcelml.exe	Bpdfpmoo.exe
File created	C:\Windows\SysWOW64\Nqdfipld.dll	Egnhcgeb.exe
File created	C:\Windows\SysWOW64\Jiepaa32.dll	Lngmhm32.exe
File created	C:\Windows\SysWOW64\Pqagcpkg.dll	Flmonbbp.exe
File created	C:\Windows\SysWOW64\Dcknnglh.dll	Ikjcmi32.exe
File created	C:\Windows\SysWOW64\Jnjjekeo.dll	Kjqfmn32.exe
File created	C:\Windows\SysWOW64\Nmbamdkm.exe	Nfhipj32.exe
File opened for modification	C:\Windows\SysWOW64\Qlpcpffl.exe	Qlnfkgho.exe
File created	C:\Windows\SysWOW64\Ialhdh32.exe	Ihagfb32.exe
File opened for modification	C:\Windows\SysWOW64\Mgdklb32.exe	Lngmhm32.exe
File created	C:\Windows\SysWOW64\Ipmpcock.dll	Bdkghg32.exe
File created	C:\Windows\SysWOW64\Lbbjhini.exe	Lmeapbpa.exe
File created	C:\Windows\SysWOW64\Focgfi32.dll	Fbnhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Eejcki32.exe	Elaobdmm.exe
File created	C:\Windows\SysWOW64\Pamgnckh.dll	Enlqdc32.exe
File created	C:\Windows\SysWOW64\Kcheaong.dll	Gjmmfq32.exe
File created	C:\Windows\SysWOW64\Lajmmc32.exe	Kolaqh32.exe
File created	C:\Windows\SysWOW64\Ncpelbap.exe	Mgdklb32.exe
File created	C:\Windows\SysWOW64\Hakhcd32.exe	Gqhknd32.exe
File created	C:\Windows\SysWOW64\Pgcbbc32.exe	Pfpidk32.exe
File created	C:\Windows\SysWOW64\Eejcki32.exe	Elaobdmm.exe
File created	C:\Windows\SysWOW64\Mmfgjcqc.dll	Mclpbqal.exe
File opened for modification	C:\Windows\SysWOW64\Ihnmlg32.exe	Ioeicajh.exe
File created	C:\Windows\SysWOW64\Qlpcpffl.exe	Qlnfkgho.exe
File created	C:\Windows\SysWOW64\Bbjmih32.exe	Biolkc32.exe
File created	C:\Windows\SysWOW64\Angfompn.dll	Cediab32.exe
File opened for modification	C:\Windows\SysWOW64\Hgcmbj32.exe	5d36e024079b34f5f5ab43381ec3e7beae83bc799142d1c968b061d77383e6fc.exe
File created	C:\Windows\SysWOW64\Dcmcfeke.exe	Didnmp32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmoglij.exe	Ckiipa32.exe
File opened for modification	C:\Windows\SysWOW64\Bpgnmcdh.exe	Agojdnng.exe
File created	C:\Windows\SysWOW64\Bidlqhgc.exe	Bpgnmcdh.exe
File opened for modification	C:\Windows\SysWOW64\Albikp32.exe	Abjdbj32.exe
File opened for modification	C:\Windows\SysWOW64\Kcdakd32.exe	Kiomnk32.exe
File opened for modification	C:\Windows\SysWOW64\Llpofd32.exe	Ljoboloa.exe
File created	C:\Windows\SysWOW64\Epagjcpl.dll	Agfnhf32.exe
File created	C:\Windows\SysWOW64\Nbibeo32.exe	Mnaghb32.exe
File created	C:\Windows\SysWOW64\Jhnhajoo.dll	Albikp32.exe
File created	C:\Windows\SysWOW64\Ejbknnid.exe	Elojej32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6392	5760	WerFault.exe	428
6664	5760	WerFault.exe	428

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndajcnag.dll"	Giofggia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jogeia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijnlgcd.dll"	Nbibeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnhajoo.dll"	Albikp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhndb32.dll"	Dpemjifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbobjbh.dll"	5d36e024079b34f5f5ab43381ec3e7beae83bc799142d1c968b061d77383e6fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfanbpjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpbkiog.dll"	Bbecnipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giofggia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Algiaepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaonaekb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Naaghoik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqpbboeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekliod32.dll"	Llpofd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegoch32.dll"	Nbgljf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eennefib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccbqeg32.dll"	Akdfndpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gadimkpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafmke32.dll"	Appaangd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglcqmml.dll"	Jgiiclkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdokmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eppobi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pamgnckh.dll"	Enlqdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjmmfq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejglcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agojdnng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqnfigal.dll"	Iiffoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejglcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkehdnee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkqccbkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kloaob32.dll"	Jkqccbkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lqbgcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphebml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkggplm.dll"	Ncpelbap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koeajo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bonkjk32.dll"	Caagpdop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nconfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmkqknci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdhiigok.dll"	Ppdbfpaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eppobi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lqbgcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcnfpfp.dll"	Admkgifd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npkmcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pihdnloc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hakhcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Debnjgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbklli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcealh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lonnfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahgamo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nboiekjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnjdncio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifckmnbd.dll"	Abodhpic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cohkinob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafccj32.dll"	Iodaikfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjklcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5d36e024079b34f5f5ab43381ec3e7beae83bc799142d1c968b061d77383e6fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbjlpga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbamdkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaodkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Appaangd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcpaiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkehdnee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 3516	4624	5d36e024079b34f5f5ab43381ec3e7beae83bc799142d1c968b061d77383e6fc.exe	96
PID 4624 wrote to memory of 3516	4624	5d36e024079b34f5f5ab43381ec3e7beae83bc799142d1c968b061d77383e6fc.exe	96
PID 4624 wrote to memory of 3516	4624	5d36e024079b34f5f5ab43381ec3e7beae83bc799142d1c968b061d77383e6fc.exe	96
PID 3516 wrote to memory of 708	3516	Hgcmbj32.exe	97
PID 3516 wrote to memory of 708	3516	Hgcmbj32.exe	97
PID 3516 wrote to memory of 708	3516	Hgcmbj32.exe	97
PID 708 wrote to memory of 2448	708	Llimgb32.exe	98
PID 708 wrote to memory of 2448	708	Llimgb32.exe	98
PID 708 wrote to memory of 2448	708	Llimgb32.exe	98
PID 2448 wrote to memory of 4964	2448	Lddble32.exe	99
PID 2448 wrote to memory of 4964	2448	Lddble32.exe	99
PID 2448 wrote to memory of 4964	2448	Lddble32.exe	99
PID 4964 wrote to memory of 3100	4964	Ldfoad32.exe	100
PID 4964 wrote to memory of 3100	4964	Ldfoad32.exe	100
PID 4964 wrote to memory of 3100	4964	Ldfoad32.exe	100
PID 3100 wrote to memory of 3396	3100	Mcabej32.exe	101
PID 3100 wrote to memory of 3396	3100	Mcabej32.exe	101
PID 3100 wrote to memory of 3396	3100	Mcabej32.exe	101
PID 3396 wrote to memory of 2820	3396	Mkocol32.exe	102
PID 3396 wrote to memory of 2820	3396	Mkocol32.exe	102
PID 3396 wrote to memory of 2820	3396	Mkocol32.exe	102
PID 2820 wrote to memory of 3256	2820	Ncjdki32.exe	103
PID 2820 wrote to memory of 3256	2820	Ncjdki32.exe	103
PID 2820 wrote to memory of 3256	2820	Ncjdki32.exe	103
PID 3256 wrote to memory of 4772	3256	Nconfh32.exe	104
PID 3256 wrote to memory of 4772	3256	Nconfh32.exe	104
PID 3256 wrote to memory of 4772	3256	Nconfh32.exe	104
PID 4772 wrote to memory of 4960	4772	Ohcmpn32.exe	105
PID 4772 wrote to memory of 4960	4772	Ohcmpn32.exe	105
PID 4772 wrote to memory of 4960	4772	Ohcmpn32.exe	105
PID 4960 wrote to memory of 4728	4960	Omcbkl32.exe	106
PID 4960 wrote to memory of 4728	4960	Omcbkl32.exe	106
PID 4960 wrote to memory of 4728	4960	Omcbkl32.exe	106
PID 4728 wrote to memory of 2348	4728	Pbbgicnd.exe	108
PID 4728 wrote to memory of 2348	4728	Pbbgicnd.exe	108
PID 4728 wrote to memory of 2348	4728	Pbbgicnd.exe	108
PID 2348 wrote to memory of 5060	2348	Pfbmdabh.exe	109
PID 2348 wrote to memory of 5060	2348	Pfbmdabh.exe	109
PID 2348 wrote to memory of 5060	2348	Pfbmdabh.exe	109
PID 5060 wrote to memory of 4456	5060	Aeffgkkp.exe	110
PID 5060 wrote to memory of 4456	5060	Aeffgkkp.exe	110
PID 5060 wrote to memory of 4456	5060	Aeffgkkp.exe	110
PID 4456 wrote to memory of 4560	4456	Albkieqj.exe	112
PID 4456 wrote to memory of 4560	4456	Albkieqj.exe	112
PID 4456 wrote to memory of 4560	4456	Albkieqj.exe	112
PID 4560 wrote to memory of 728	4560	Bclppboi.exe	113
PID 4560 wrote to memory of 728	4560	Bclppboi.exe	113
PID 4560 wrote to memory of 728	4560	Bclppboi.exe	113
PID 728 wrote to memory of 3688	728	Cefoni32.exe	114
PID 728 wrote to memory of 3688	728	Cefoni32.exe	114
PID 728 wrote to memory of 3688	728	Cefoni32.exe	114
PID 3688 wrote to memory of 1964	3688	Ciiaogon.exe	115
PID 3688 wrote to memory of 1964	3688	Ciiaogon.exe	115
PID 3688 wrote to memory of 1964	3688	Ciiaogon.exe	115
PID 1964 wrote to memory of 2944	1964	Debnjgcp.exe	116
PID 1964 wrote to memory of 2944	1964	Debnjgcp.exe	116
PID 1964 wrote to memory of 2944	1964	Debnjgcp.exe	116
PID 2944 wrote to memory of 1628	2944	Dbhlikpf.exe	117
PID 2944 wrote to memory of 1628	2944	Dbhlikpf.exe	117
PID 2944 wrote to memory of 1628	2944	Dbhlikpf.exe	117
PID 1628 wrote to memory of 4392	1628	Eennefib.exe	118
PID 1628 wrote to memory of 4392	1628	Eennefib.exe	118
PID 1628 wrote to memory of 4392	1628	Eennefib.exe	118
PID 4392 wrote to memory of 2236	4392	Emioab32.exe	119

C:\Users\Admin\AppData\Local\Temp\5d36e024079b34f5f5ab43381ec3e7beae83bc799142d1c968b061d77383e6fc.exe
"C:\Users\Admin\AppData\Local\Temp\5d36e024079b34f5f5ab43381ec3e7beae83bc799142d1c968b061d77383e6fc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\SysWOW64\Hgcmbj32.exe
  C:\Windows\system32\Hgcmbj32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\Llimgb32.exe
    C:\Windows\system32\Llimgb32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Windows\SysWOW64\Lddble32.exe
      C:\Windows\system32\Lddble32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Aeffgkkp.exe
        
        C:\Windows\system32\Aeffgkkp.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Eennefib.exe
        
        C:\Windows\system32\Eennefib.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Emioab32.exe
        
        C:\Windows\system32\Emioab32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Egdqph32.exe
        
        C:\Windows\system32\Egdqph32.exe
        23⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Fdadpk32.exe
        
        C:\Windows\system32\Fdadpk32.exe
        24⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\Gggfme32.exe
        
        C:\Windows\system32\Gggfme32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\Hjoeoo32.exe
        
        C:\Windows\system32\Hjoeoo32.exe
        26⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Kmncif32.exe
        
        C:\Windows\system32\Kmncif32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Ldckan32.exe
        
        C:\Windows\system32\Ldckan32.exe
        28⤵
        Executes dropped EXE
        
        PID:568
        
        C:\Windows\SysWOW64\Mdokmm32.exe
        
        C:\Windows\system32\Mdokmm32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Nkgoke32.exe
        
        C:\Windows\system32\Nkgoke32.exe
        30⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Naaghoik.exe
        
        C:\Windows\system32\Naaghoik.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Oeamcmmo.exe
        
        C:\Windows\system32\Oeamcmmo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Okqbac32.exe
        
        C:\Windows\system32\Okqbac32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\Pfkpiled.exe
        
        C:\Windows\system32\Pfkpiled.exe
        34⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Pfmlok32.exe
        
        C:\Windows\system32\Pfmlok32.exe
        35⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Pfpidk32.exe
        
        C:\Windows\system32\Pfpidk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Pgcbbc32.exe
        
        C:\Windows\system32\Pgcbbc32.exe
        37⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\Qfilkj32.exe
        
        C:\Windows\system32\Qfilkj32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\Aoapcood.exe
        
        C:\Windows\system32\Aoapcood.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Akhaipei.exe
        
        C:\Windows\system32\Akhaipei.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:660
        
        C:\Windows\SysWOW64\Aohfdnil.exe
        
        C:\Windows\system32\Aohfdnil.exe
        41⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\Abipfifn.exe
        
        C:\Windows\system32\Abipfifn.exe
        42⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Bbklli32.exe
        
        C:\Windows\system32\Bbklli32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Biedhclh.exe
        
        C:\Windows\system32\Biedhclh.exe
        44⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\Bpdfpmoo.exe
        
        C:\Windows\system32\Bpdfpmoo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Bpfcelml.exe
        
        C:\Windows\system32\Bpfcelml.exe
        46⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\Cfbhhfbg.exe
        
        C:\Windows\system32\Cfbhhfbg.exe
        47⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Cehdib32.exe
        
        C:\Windows\system32\Cehdib32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Cihjeq32.exe
        
        C:\Windows\system32\Cihjeq32.exe
        49⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Dlicflic.exe
        
        C:\Windows\system32\Dlicflic.exe
        50⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Dhdmfljb.exe
        
        C:\Windows\system32\Dhdmfljb.exe
        51⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\Dpnbmi32.exe
        
        C:\Windows\system32\Dpnbmi32.exe
        52⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Eppobi32.exe
        
        C:\Windows\system32\Eppobi32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Eohhie32.exe
        
        C:\Windows\system32\Eohhie32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Epiaig32.exe
        
        C:\Windows\system32\Epiaig32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Fgcjea32.exe
        
        C:\Windows\system32\Fgcjea32.exe
        56⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Feifgnki.exe
        
        C:\Windows\system32\Feifgnki.exe
        57⤵
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\Igkadlcd.exe
        
        C:\Windows\system32\Igkadlcd.exe
        58⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Jjcqffkm.exe
        
        C:\Windows\system32\Jjcqffkm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Kaflio32.exe
        
        C:\Windows\system32\Kaflio32.exe
        60⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Kfcdaehf.exe
        
        C:\Windows\system32\Kfcdaehf.exe
        61⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SysWOW64\Kmbfiokn.exe
        
        C:\Windows\system32\Kmbfiokn.exe
        62⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Liifnp32.exe
        
        C:\Windows\system32\Liifnp32.exe
        63⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Lpbokjho.exe
        
        C:\Windows\system32\Lpbokjho.exe
        64⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Lpelqj32.exe
        
        C:\Windows\system32\Lpelqj32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\Lfodmdni.exe
        
        C:\Windows\system32\Lfodmdni.exe
        66⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Lcealh32.exe
        
        C:\Windows\system32\Lcealh32.exe
        67⤵
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Mdjjgggk.exe
        
        C:\Windows\system32\Mdjjgggk.exe
        68⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Mapgfk32.exe
        
        C:\Windows\system32\Mapgfk32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Mhjpceko.exe
        
        C:\Windows\system32\Mhjpceko.exe
        70⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Njmejp32.exe
        
        C:\Windows\system32\Njmejp32.exe
        71⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Npjnbg32.exe
        
        C:\Windows\system32\Npjnbg32.exe
        72⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Ndmpddfe.exe
        
        C:\Windows\system32\Ndmpddfe.exe
        73⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Npcaie32.exe
        
        C:\Windows\system32\Npcaie32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Ogmiepcf.exe
        
        C:\Windows\system32\Ogmiepcf.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Pgkegn32.exe
        
        C:\Windows\system32\Pgkegn32.exe
        76⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Pphckb32.exe
        
        C:\Windows\system32\Pphckb32.exe
        77⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Pgbkgmao.exe
        
        C:\Windows\system32\Pgbkgmao.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Qpmmfbfl.exe
        
        C:\Windows\system32\Qpmmfbfl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Qnamofdf.exe
        
        C:\Windows\system32\Qnamofdf.exe
        80⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Ahgamo32.exe
        
        C:\Windows\system32\Ahgamo32.exe
        81⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Agnkck32.exe
        
        C:\Windows\system32\Agnkck32.exe
        82⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Aqfolqna.exe
        
        C:\Windows\system32\Aqfolqna.exe
        83⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Bqpbboeg.exe
        
        C:\Windows\system32\Bqpbboeg.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Bqbohocd.exe
        
        C:\Windows\system32\Bqbohocd.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Bglgdi32.exe
        
        C:\Windows\system32\Bglgdi32.exe
        86⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Dnnoip32.exe
        
        C:\Windows\system32\Dnnoip32.exe
        87⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Elaobdmm.exe
        
        C:\Windows\system32\Elaobdmm.exe
        88⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Eejcki32.exe
        
        C:\Windows\system32\Eejcki32.exe
        89⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Ejglcq32.exe
        
        C:\Windows\system32\Ejglcq32.exe
        90⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Eelpqi32.exe
        
        C:\Windows\system32\Eelpqi32.exe
        91⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Ebpqjmpd.exe
        
        C:\Windows\system32\Ebpqjmpd.exe
        92⤵
        
        PID:536
        
        C:\Windows\SysWOW64\Eeailhme.exe
        
        C:\Windows\system32\Eeailhme.exe
        93⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Ejnbdp32.exe
        
        C:\Windows\system32\Ejnbdp32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Eecfah32.exe
        
        C:\Windows\system32\Eecfah32.exe
        95⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Flmonbbp.exe
        
        C:\Windows\system32\Flmonbbp.exe
        96⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Fkehdnee.exe
        
        C:\Windows\system32\Fkehdnee.exe
        97⤵
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Fejlbgek.exe
        
        C:\Windows\system32\Fejlbgek.exe
        98⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Facjlhil.exe
        
        C:\Windows\system32\Facjlhil.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Gojgkl32.exe
        
        C:\Windows\system32\Gojgkl32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Ghbkdald.exe
        
        C:\Windows\system32\Ghbkdald.exe
        101⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Geflne32.exe
        
        C:\Windows\system32\Geflne32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Gkcdfl32.exe
        
        C:\Windows\system32\Gkcdfl32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Hcabhido.exe
        
        C:\Windows\system32\Hcabhido.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Hohcmjic.exe
        
        C:\Windows\system32\Hohcmjic.exe
        105⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Hedhoc32.exe
        
        C:\Windows\system32\Hedhoc32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Ilqmam32.exe
        
        C:\Windows\system32\Ilqmam32.exe
        107⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Ieiajckh.exe
        
        C:\Windows\system32\Ieiajckh.exe
        108⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Ieknpb32.exe
        
        C:\Windows\system32\Ieknpb32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Iocchhof.exe
        
        C:\Windows\system32\Iocchhof.exe
        110⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Ikjcmi32.exe
        
        C:\Windows\system32\Ikjcmi32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Jomeoggk.exe
        
        C:\Windows\system32\Jomeoggk.exe
        112⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\Jjbjlpga.exe
        
        C:\Windows\system32\Jjbjlpga.exe
        113⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Kjipmoai.exe
        
        C:\Windows\system32\Kjipmoai.exe
        114⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Kofheeoq.exe
        
        C:\Windows\system32\Kofheeoq.exe
        115⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Kiomnk32.exe
        
        C:\Windows\system32\Kiomnk32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Kcdakd32.exe
        
        C:\Windows\system32\Kcdakd32.exe
        117⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Kiajck32.exe
        
        C:\Windows\system32\Kiajck32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Kjqfmn32.exe
        
        C:\Windows\system32\Kjqfmn32.exe
        119⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Kkabefqp.exe
        
        C:\Windows\system32\Kkabefqp.exe
        120⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Kfggbope.exe
        
        C:\Windows\system32\Kfggbope.exe
        121⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Lcndab32.exe
        
        C:\Windows\system32\Lcndab32.exe
        122⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\Lmfhjhdm.exe
        
        C:\Windows\system32\Lmfhjhdm.exe
        123⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Lpgalc32.exe
        
        C:\Windows\system32\Lpgalc32.exe
        124⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Lfqjhmhk.exe
        
        C:\Windows\system32\Lfqjhmhk.exe
        125⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Ljoboloa.exe
        
        C:\Windows\system32\Ljoboloa.exe
        126⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Llpofd32.exe
        
        C:\Windows\system32\Llpofd32.exe
        127⤵
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Mjcljk32.exe
        
        C:\Windows\system32\Mjcljk32.exe
        128⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Mclpbqal.exe
        
        C:\Windows\system32\Mclpbqal.exe
        129⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Mjehok32.exe
        
        C:\Windows\system32\Mjehok32.exe
        130⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Mpbaga32.exe
        
        C:\Windows\system32\Mpbaga32.exe
        131⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Npgjbabk.exe
        
        C:\Windows\system32\Npgjbabk.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:708
        
        C:\Windows\SysWOW64\Nipokfil.exe
        
        C:\Windows\system32\Nipokfil.exe
        133⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\Ncecioib.exe
        
        C:\Windows\system32\Ncecioib.exe
        134⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Nfhipj32.exe
        
        C:\Windows\system32\Nfhipj32.exe
        135⤵
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Nmbamdkm.exe
        
        C:\Windows\system32\Nmbamdkm.exe
        136⤵
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Nboiekjd.exe
        
        C:\Windows\system32\Nboiekjd.exe
        137⤵
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Obafjk32.exe
        
        C:\Windows\system32\Obafjk32.exe
        138⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Opefdo32.exe
        
        C:\Windows\system32\Opefdo32.exe
        139⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Ollgiplp.exe
        
        C:\Windows\system32\Ollgiplp.exe
        140⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Oiphbd32.exe
        
        C:\Windows\system32\Oiphbd32.exe
        141⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\Ofdhlh32.exe
        
        C:\Windows\system32\Ofdhlh32.exe
        142⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Plcmiofg.exe
        
        C:\Windows\system32\Plcmiofg.exe
        143⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Qkpmcddi.exe
        
        C:\Windows\system32\Qkpmcddi.exe
        144⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Agfnhf32.exe
        
        C:\Windows\system32\Agfnhf32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Akdfndpd.exe
        
        C:\Windows\system32\Akdfndpd.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Admkgifd.exe
        
        C:\Windows\system32\Admkgifd.exe
        147⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Bnlfqngm.exe
        
        C:\Windows\system32\Bnlfqngm.exe
        148⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Bjeckojo.exe
        
        C:\Windows\system32\Bjeckojo.exe
        149⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Bdkghg32.exe
        
        C:\Windows\system32\Bdkghg32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Ckiipa32.exe
        
        C:\Windows\system32\Ckiipa32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Cnmoglij.exe
        
        C:\Windows\system32\Cnmoglij.exe
        152⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Hhkgpjqn.exe
        
        C:\Windows\system32\Hhkgpjqn.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7040
        
        C:\Windows\SysWOW64\Idkkki32.exe
        
        C:\Windows\system32\Idkkki32.exe
        154⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Ioqohb32.exe
        
        C:\Windows\system32\Ioqohb32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Ihicah32.exe
        
        C:\Windows\system32\Ihicah32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4988
        
        C:\Windows\SysWOW64\Idpdfija.exe
        
        C:\Windows\system32\Idpdfija.exe
        157⤵
        
        PID:892
        
        C:\Windows\SysWOW64\Ioeicajh.exe
        
        C:\Windows\system32\Ioeicajh.exe
        158⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Ihnmlg32.exe
        
        C:\Windows\system32\Ihnmlg32.exe
        159⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Jogeia32.exe
        
        C:\Windows\system32\Jogeia32.exe
        160⤵
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Jddnah32.exe
        
        C:\Windows\system32\Jddnah32.exe
        161⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Jedjkkmo.exe
        
        C:\Windows\system32\Jedjkkmo.exe
        162⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Jkqccbkf.exe
        
        C:\Windows\system32\Jkqccbkf.exe
        163⤵
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Jlponebi.exe
        
        C:\Windows\system32\Jlponebi.exe
        164⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\Jehcfj32.exe
        
        C:\Windows\system32\Jehcfj32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6544
        
        C:\Windows\SysWOW64\Jlblcdpf.exe
        
        C:\Windows\system32\Jlblcdpf.exe
        166⤵
        Drops file in System32 directory
        
        PID:6576
        
        C:\Windows\SysWOW64\Jaodkk32.exe
        
        C:\Windows\system32\Jaodkk32.exe
        167⤵
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Kleiid32.exe
        
        C:\Windows\system32\Kleiid32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6688
        
        C:\Windows\SysWOW64\Kfmmajed.exe
        
        C:\Windows\system32\Kfmmajed.exe
        169⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Koeajo32.exe
        
        C:\Windows\system32\Koeajo32.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Kdbjbfjl.exe
        
        C:\Windows\system32\Kdbjbfjl.exe
        171⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Lmeapbpa.exe
        
        C:\Windows\system32\Lmeapbpa.exe
        172⤵
        Drops file in System32 directory
        
        PID:728
        
        C:\Windows\SysWOW64\Lbbjhini.exe
        
        C:\Windows\system32\Lbbjhini.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4840
        
        C:\Windows\SysWOW64\Mkhkblii.exe
        
        C:\Windows\system32\Mkhkblii.exe
        174⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Nbgljf32.exe
        
        C:\Windows\system32\Nbgljf32.exe
        175⤵
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Npkmcj32.exe
        
        C:\Windows\system32\Npkmcj32.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Npmjij32.exe
        
        C:\Windows\system32\Npmjij32.exe
        177⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Oihkgo32.exe
        
        C:\Windows\system32\Oihkgo32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7060
        
        C:\Windows\SysWOW64\Onecof32.exe
        
        C:\Windows\system32\Onecof32.exe
        179⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Oeahap32.exe
        
        C:\Windows\system32\Oeahap32.exe
        180⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Olkqnjhd.exe
        
        C:\Windows\system32\Olkqnjhd.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4960
        
        C:\Windows\SysWOW64\Opiidhoj.exe
        
        C:\Windows\system32\Opiidhoj.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6380
        
        C:\Windows\SysWOW64\Oefamoma.exe
        
        C:\Windows\system32\Oefamoma.exe
        183⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Olpjii32.exe
        
        C:\Windows\system32\Olpjii32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6504
        
        C:\Windows\SysWOW64\Plbfohbl.exe
        
        C:\Windows\system32\Plbfohbl.exe
        185⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Pekkhn32.exe
        
        C:\Windows\system32\Pekkhn32.exe
        186⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\Pldcdhpi.exe
        
        C:\Windows\system32\Pldcdhpi.exe
        187⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Pihdnloc.exe
        
        C:\Windows\system32\Pihdnloc.exe
        188⤵
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Ppblkffp.exe
        
        C:\Windows\system32\Ppblkffp.exe
        189⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Peodcmeg.exe
        
        C:\Windows\system32\Peodcmeg.exe
        190⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Pimmil32.exe
        
        C:\Windows\system32\Pimmil32.exe
        191⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Qfanbpjg.exe
        
        C:\Windows\system32\Qfanbpjg.exe
        192⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Qlnfkgho.exe
        
        C:\Windows\system32\Qlnfkgho.exe
        193⤵
        Drops file in System32 directory
        
        PID:6972
        
        C:\Windows\SysWOW64\Qlpcpffl.exe
        
        C:\Windows\system32\Qlpcpffl.exe
        194⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Ampojimo.exe
        
        C:\Windows\system32\Ampojimo.exe
        195⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Amblpikl.exe
        
        C:\Windows\system32\Amblpikl.exe
        196⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Abodhpic.exe
        
        C:\Windows\system32\Abodhpic.exe
        197⤵
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Algiaepd.exe
        
        C:\Windows\system32\Algiaepd.exe
        198⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Aljefena.exe
        
        C:\Windows\system32\Aljefena.exe
        199⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Agojdnng.exe
        
        C:\Windows\system32\Agojdnng.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Bpgnmcdh.exe
        
        C:\Windows\system32\Bpgnmcdh.exe
        201⤵
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Bidlqhgc.exe
        
        C:\Windows\system32\Bidlqhgc.exe
        202⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Benjkijd.exe
        
        C:\Windows\system32\Benjkijd.exe
        203⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Cohkinob.exe
        
        C:\Windows\system32\Cohkinob.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Cfeplh32.exe
        
        C:\Windows\system32\Cfeplh32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
        
        C:\Windows\SysWOW64\Cpjdiadb.exe
        
        C:\Windows\system32\Cpjdiadb.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Dlfniafa.exe
        
        C:\Windows\system32\Dlfniafa.exe
        207⤵
        
        PID:532
        
        C:\Windows\SysWOW64\Dgkbfjeg.exe
        
        C:\Windows\system32\Dgkbfjeg.exe
        208⤵
        
        PID:764
        
        C:\Windows\SysWOW64\Dnjdncio.exe
        
        C:\Windows\system32\Dnjdncio.exe
        209⤵
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Enlqdc32.exe
        
        C:\Windows\system32\Enlqdc32.exe
        210⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Eonmkkmj.exe
        
        C:\Windows\system32\Eonmkkmj.exe
        211⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Enomic32.exe
        
        C:\Windows\system32\Enomic32.exe
        212⤵
        
        PID:568
        
        C:\Windows\SysWOW64\Eqpfknbj.exe
        
        C:\Windows\system32\Eqpfknbj.exe
        213⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Eflocepa.exe
        
        C:\Windows\system32\Eflocepa.exe
        214⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Eodclj32.exe
        
        C:\Windows\system32\Eodclj32.exe
        215⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Egnhcgeb.exe
        
        C:\Windows\system32\Egnhcgeb.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6712
        
        C:\Windows\SysWOW64\Fmkqknci.exe
        
        C:\Windows\system32\Fmkqknci.exe
        217⤵
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Fceihh32.exe
        
        C:\Windows\system32\Fceihh32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2652
        
        C:\Windows\SysWOW64\Ffhnocfd.exe
        
        C:\Windows\system32\Ffhnocfd.exe
        219⤵
        
        PID:720
        
        C:\Windows\SysWOW64\Fclohg32.exe
        
        C:\Windows\system32\Fclohg32.exe
        220⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Fmdcamko.exe
        
        C:\Windows\system32\Fmdcamko.exe
        221⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Gcqhcgqi.exe
        
        C:\Windows\system32\Gcqhcgqi.exe
        222⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Gadimkpb.exe
        
        C:\Windows\system32\Gadimkpb.exe
        223⤵
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Gjmmfq32.exe
        
        C:\Windows\system32\Gjmmfq32.exe
        224⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Ihagfb32.exe
        
        C:\Windows\system32\Ihagfb32.exe
        225⤵
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Ialhdh32.exe
        
        C:\Windows\system32\Ialhdh32.exe
        226⤵
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Iodaikfl.exe
        
        C:\Windows\system32\Iodaikfl.exe
        227⤵
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Jgdphm32.exe
        
        C:\Windows\system32\Jgdphm32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Jmnheggo.exe
        
        C:\Windows\system32\Jmnheggo.exe
        229⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\Jgiiclkl.exe
        
        C:\Windows\system32\Jgiiclkl.exe
        230⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Kaonaekb.exe
        
        C:\Windows\system32\Kaonaekb.exe
        231⤵
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Kphdma32.exe
        
        C:\Windows\system32\Kphdma32.exe
        232⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Kolaqh32.exe
        
        C:\Windows\system32\Kolaqh32.exe
        233⤵
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\Lajmmc32.exe
        
        C:\Windows\system32\Lajmmc32.exe
        234⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Lonnfg32.exe
        
        C:\Windows\system32\Lonnfg32.exe
        235⤵
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Loqjlg32.exe
        
        C:\Windows\system32\Loqjlg32.exe
        236⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Lqbgcp32.exe
        
        C:\Windows\system32\Lqbgcp32.exe
        237⤵
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Mbhina32.exe
        
        C:\Windows\system32\Mbhina32.exe
        238⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\Mqnfon32.exe
        
        C:\Windows\system32\Mqnfon32.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4428
        
        C:\Windows\SysWOW64\Mnaghb32.exe
        
        C:\Windows\system32\Mnaghb32.exe
        240⤵
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Nbibeo32.exe
        
        C:\Windows\system32\Nbibeo32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Picchg32.exe
        
        C:\Windows\system32\Picchg32.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2664
        
        C:\Windows\SysWOW64\Pejdmh32.exe
        
        C:\Windows\system32\Pejdmh32.exe
        243⤵
        
        PID:860
        
        C:\Windows\SysWOW64\Pldljbmn.exe
        
        C:\Windows\system32\Pldljbmn.exe
        244⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Paqebike.exe
        
        C:\Windows\system32\Paqebike.exe
        245⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\Ppbepp32.exe
        
        C:\Windows\system32\Ppbepp32.exe
        246⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Pijiif32.exe
        
        C:\Windows\system32\Pijiif32.exe
        247⤵
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\Ppdbfpaa.exe
        
        C:\Windows\system32\Ppdbfpaa.exe
        248⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Qniogl32.exe
        
        C:\Windows\system32\Qniogl32.exe
        249⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Qnlkllcf.exe
        
        C:\Windows\system32\Qnlkllcf.exe
        250⤵
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\Abjdbj32.exe
        
        C:\Windows\system32\Abjdbj32.exe
        251⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Albikp32.exe
        
        C:\Windows\system32\Albikp32.exe
        252⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Aejmdegn.exe
        
        C:\Windows\system32\Aejmdegn.exe
        253⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Appaangd.exe
        
        C:\Windows\system32\Appaangd.exe
        254⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Aemjjeek.exe
        
        C:\Windows\system32\Aemjjeek.exe
        255⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\Aeofoe32.exe
        
        C:\Windows\system32\Aeofoe32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2032
        
        C:\Windows\SysWOW64\Bimoecio.exe
        
        C:\Windows\system32\Bimoecio.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Bbecnipp.exe
        
        C:\Windows\system32\Bbecnipp.exe
        258⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Biolkc32.exe
        
        C:\Windows\system32\Biolkc32.exe
        259⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Bbjmih32.exe
        
        C:\Windows\system32\Bbjmih32.exe
        260⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Bpnncl32.exe
        
        C:\Windows\system32\Bpnncl32.exe
        261⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Bifblbad.exe
        
        C:\Windows\system32\Bifblbad.exe
        262⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Bppjhl32.exe
        
        C:\Windows\system32\Bppjhl32.exe
        263⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Caagpdop.exe
        
        C:\Windows\system32\Caagpdop.exe
        264⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Cadcfd32.exe
        
        C:\Windows\system32\Cadcfd32.exe
        265⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Cebllbcc.exe
        
        C:\Windows\system32\Cebllbcc.exe
        266⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Cediab32.exe
        
        C:\Windows\system32\Cediab32.exe
        267⤵
        Drops file in System32 directory
        
        PID:6852
        
        C:\Windows\SysWOW64\Cpjmok32.exe
        
        C:\Windows\system32\Cpjmok32.exe
        268⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Cefega32.exe
        
        C:\Windows\system32\Cefega32.exe
        269⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Coojpg32.exe
        
        C:\Windows\system32\Coojpg32.exe
        270⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Didnmp32.exe
        
        C:\Windows\system32\Didnmp32.exe
        271⤵
        Drops file in System32 directory
        
        PID:7292
        
        C:\Windows\SysWOW64\Dcmcfeke.exe
        
        C:\Windows\system32\Dcmcfeke.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7332
        
        C:\Windows\SysWOW64\Docckfai.exe
        
        C:\Windows\system32\Docckfai.exe
        273⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Denlgq32.exe
        
        C:\Windows\system32\Denlgq32.exe
        274⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Dlgddkpc.exe
        
        C:\Windows\system32\Dlgddkpc.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7444
        
        C:\Windows\SysWOW64\Dfphmp32.exe
        
        C:\Windows\system32\Dfphmp32.exe
        276⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Dpemjifi.exe
        
        C:\Windows\system32\Dpemjifi.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7524
        
        C:\Windows\SysWOW64\Ecfeldcj.exe
        
        C:\Windows\system32\Ecfeldcj.exe
        278⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Elojej32.exe
        
        C:\Windows\system32\Elojej32.exe
        279⤵
        Drops file in System32 directory
        
        PID:7624
        
        C:\Windows\SysWOW64\Ejbknnid.exe
        
        C:\Windows\system32\Ejbknnid.exe
        280⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Eplckh32.exe
        
        C:\Windows\system32\Eplckh32.exe
        281⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Ebnocpfp.exe
        
        C:\Windows\system32\Ebnocpfp.exe
        282⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Fbeeco32.exe
        
        C:\Windows\system32\Fbeeco32.exe
        283⤵
        Drops file in System32 directory
        
        PID:7848
        
        C:\Windows\SysWOW64\Fjnjjlog.exe
        
        C:\Windows\system32\Fjnjjlog.exe
        284⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Fbiooolb.exe
        
        C:\Windows\system32\Fbiooolb.exe
        285⤵
        Drops file in System32 directory
        
        PID:7960
        
        C:\Windows\SysWOW64\Fqjolfda.exe
        
        C:\Windows\system32\Fqjolfda.exe
        286⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Fjccel32.exe
        
        C:\Windows\system32\Fjccel32.exe
        287⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Fbnhjn32.exe
        
        C:\Windows\system32\Fbnhjn32.exe
        288⤵
        Drops file in System32 directory
        
        PID:8108
        
        C:\Windows\SysWOW64\Gflapl32.exe
        
        C:\Windows\system32\Gflapl32.exe
        289⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Gcpaiq32.exe
        
        C:\Windows\system32\Gcpaiq32.exe
        290⤵
        Modifies registry class
        
        PID:7172
        
        C:\Windows\SysWOW64\Giofggia.exe
        
        C:\Windows\system32\Giofggia.exe
        291⤵
        Modifies registry class
        
        PID:7244
        
        C:\Windows\SysWOW64\Gqhknd32.exe
        
        C:\Windows\system32\Gqhknd32.exe
        292⤵
        Drops file in System32 directory
        
        PID:7340
        
        C:\Windows\SysWOW64\Hakhcd32.exe
        
        C:\Windows\system32\Hakhcd32.exe
        293⤵
        Modifies registry class
        
        PID:7432
        
        C:\Windows\SysWOW64\Hfhqkk32.exe
        
        C:\Windows\system32\Hfhqkk32.exe
        294⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7480
        
        C:\Windows\SysWOW64\Hmdend32.exe
        
        C:\Windows\system32\Hmdend32.exe
        295⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Hbanfk32.exe
        
        C:\Windows\system32\Hbanfk32.exe
        296⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Idjmfmgp.exe
        
        C:\Windows\system32\Idjmfmgp.exe
        297⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Iiffoc32.exe
        
        C:\Windows\system32\Iiffoc32.exe
        298⤵
        Modifies registry class
        
        PID:7872
        
        C:\Windows\SysWOW64\Ifjfhh32.exe
        
        C:\Windows\system32\Ifjfhh32.exe
        299⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Ibagmiie.exe
        
        C:\Windows\system32\Ibagmiie.exe
        300⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Jjklcf32.exe
        
        C:\Windows\system32\Jjklcf32.exe
        301⤵
        Modifies registry class
        
        PID:8000
        
        C:\Windows\SysWOW64\Jdcplkoe.exe
        
        C:\Windows\system32\Jdcplkoe.exe
        302⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Jiphebml.exe
        
        C:\Windows\system32\Jiphebml.exe
        303⤵
        Modifies registry class
        
        PID:8092
        
        C:\Windows\SysWOW64\Jbhmnhcm.exe
        
        C:\Windows\system32\Jbhmnhcm.exe
        304⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Jibejb32.exe
        
        C:\Windows\system32\Jibejb32.exe
        305⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Jkaadebl.exe
        
        C:\Windows\system32\Jkaadebl.exe
        306⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Jbmfig32.exe
        
        C:\Windows\system32\Jbmfig32.exe
        307⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Kgkooeen.exe
        
        C:\Windows\system32\Kgkooeen.exe
        308⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Kapclned.exe
        
        C:\Windows\system32\Kapclned.exe
        309⤵
        Drops file in System32 directory
        
        PID:7468
        
        C:\Windows\SysWOW64\Kkihedld.exe
        
        C:\Windows\system32\Kkihedld.exe
        310⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Kpepmkjl.exe
        
        C:\Windows\system32\Kpepmkjl.exe
        311⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Kkkdjcjb.exe
        
        C:\Windows\system32\Kkkdjcjb.exe
        312⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Kaemgn32.exe
        
        C:\Windows\system32\Kaemgn32.exe
        313⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Kagimmol.exe
        
        C:\Windows\system32\Kagimmol.exe
        314⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Lnccmnak.exe
        
        C:\Windows\system32\Lnccmnak.exe
        315⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Lijdbofo.exe
        
        C:\Windows\system32\Lijdbofo.exe
        316⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Lngmhm32.exe
        
        C:\Windows\system32\Lngmhm32.exe
        317⤵
        Drops file in System32 directory
        
        PID:7904
        
        C:\Windows\SysWOW64\Mgdklb32.exe
        
        C:\Windows\system32\Mgdklb32.exe
        318⤵
        Drops file in System32 directory
        
        PID:8028
        
        C:\Windows\SysWOW64\Ncpelbap.exe
        
        C:\Windows\system32\Ncpelbap.exe
        319⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Naaejj32.exe
        
        C:\Windows\system32\Naaejj32.exe
        320⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Oqpeaeel.exe
        
        C:\Windows\system32\Oqpeaeel.exe
        321⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1364
        
        C:\Windows\SysWOW64\Oboakhmo.exe
        
        C:\Windows\system32\Oboakhmo.exe
        322⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Ogljcokf.exe
        
        C:\Windows\system32\Ogljcokf.exe
        323⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Pqkdmc32.exe
        
        C:\Windows\system32\Pqkdmc32.exe
        324⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5760 -s 400
        325⤵
        Program crash
        
        PID:6392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5760 -s 400
        325⤵
        Program crash
        
        PID:6664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5760 -ip 5760
1⤵
PID:5456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeffgkkp.exe

Filesize
412KB

MD5
12fd8cd6b140d878128b8bd5afaca2de

SHA1
88bbb23c3d79b709f057fb89b0438d76d4a0a03d

SHA256
c6b02f26ab25f9ca61687177cf1bf0415269f8bb00c7aa46caa6a8446e1fedc6

SHA512
a95e4d5f124ffc093b324b17f10be74060321dcb4f00eef46ab6d39a2b7d68771498d94e7abd167438eb11ee5c7edc481f672b150b3c8ea2481f818e2d565b95

Download Submit
C:\Windows\SysWOW64\Albkieqj.exe

Filesize
412KB

MD5
dc0075e3fc426219ba1acb5f3648b9a3

SHA1
5bea169c3dfbcb638dd1913a43e30f9c23eef7ce

SHA256
34b60fc6b81ece88cc6003f9496b5f6e391dbfc73469ac4f5eff5978792a41ba

SHA512
32161119fc6905804859b23b8fa739bacd7faaf652ad6f0fbccdc91d051acfe3081a383937220526f6e10156a72b25a6d3d86eb250e0354297f24b8d6518c979

Download Submit
C:\Windows\SysWOW64\Bclppboi.exe

Filesize
412KB

MD5
9dd7343e64a0a78f2eea8ed77d8e479b

SHA1
287efab4df35dc8065f922fca6183f007347a159

SHA256
aee5fe096bbf21082256c413d7cec7077aaf6c84f07409bd611ac4deef2a8a74

SHA512
321d0a6500ad9d41001b22b14643ac3aa5bfa695b54234fc2a3e9c35b39ad89e5898cd462a4afa67aaa446b3c00708f90e84d55ebf460fd3184410bbafa20f54

Download Submit
C:\Windows\SysWOW64\Bpdfpmoo.exe

Filesize
412KB

MD5
67c0747799d2eee0acfc55286b24070d

SHA1
d1abf86e2b718760d03e8cb3fe60e4a8bb29e796

SHA256
0d8687571103d60c991d9371a82620f02125828ed8ee4fbdbd61a9e2791dba10

SHA512
e31037812fcb46dff30d3b733ab69496580cfa77323b2c9dc2a145b8b40cf1ac9581022df7632e80fed5748fc4ab00586e9ed49cdc0c63a0d5e3f6780f116e20

Download Submit
C:\Windows\SysWOW64\Cefoni32.exe

Filesize
412KB

MD5
8d8eb903587b11db4c1bba1a2a89440e

SHA1
e359c5cbe44bb77216dd48988a7cf1dee2abf88d

SHA256
9c203a11e713cc09658299faa3bc57504b899d044c09c8cbd1024433d110c8af

SHA512
25ed110370d9e7c384661e2241f306f986df8f8c4d1a55a2124060e1d215feb80c8a12678c7aeb8287ffec36b2ca25479ca3932cda68789bfea5e718573e79ac

Download Submit
C:\Windows\SysWOW64\Cehdib32.exe

Filesize
412KB

MD5
e6071c2645fd3281b07ad1c268dfd28f

SHA1
646b2083cf1400c2bb937a7fbd564ba85d1bcbec

SHA256
8977d4be847cc19ad8943e001fb3f101d658b21dd16225c9e1c6f5e5401bf240

SHA512
c0515526679401a589554bf7da6a360dfbc57bd517be2c67e7825f10649a7cdb65a1469867d06f2cf1e7f1595b7d10dc1f0abd0422fd4ab782f62f1f87856a21

Download Submit
C:\Windows\SysWOW64\Ciiaogon.exe

Filesize
412KB

MD5
a4ae24bf34a750d02987c41a9ad352a2

SHA1
b6b445d7ab2f7390584a993ec4cd963e0d3a93c2

SHA256
5075e7dd6e94b2dbc1bc6fecc957b732b461ab1fb87d45e4d7c1b1189d2fe75e

SHA512
cc291d8868f4f2c59c7486ac25b86ed2ec527e9433e12292a70009361500bcc89e3132c0d0e218fde098dd762b581cd5b57d14e4471c4172876f395985576412

Download Submit
C:\Windows\SysWOW64\Dbhlikpf.exe

Filesize
412KB

MD5
615f3e9257f650aa216cba34d9904b53

SHA1
e60ce9e4536d19bfa830bfb24e3ef16dc19239f5

SHA256
13848493b6b4cbe8fd7e0e9925ed78a11e4122727b4d3b907bc12fc01d695fa1

SHA512
c768c5db5b5fe730d2b04b19fe341da1de28537c3d56af59534c50c201db595efa120238f8b850cbe22fd06ef0a358e3fa145e6b0e754fb6b5826d4e8aa1f186

Download Submit
C:\Windows\SysWOW64\Debnjgcp.exe

Filesize
412KB

MD5
49f4d85c0c3503aad19d8d2d71270b2d

SHA1
d24a74646706ed53d75ff471f5e5a26184c15ea2

SHA256
23a9aabac58ecd8afc4733f389835ca86316eb2d524fe402082f8bf9567357de

SHA512
782642ddee0a0589fc98a53067aa4686315e94de10b9c7382d98ee0c33d4b76d6ab393a19dc4be399c73f615dcf801ce471b6a357f122b76cf30e58627752a84

Download Submit
C:\Windows\SysWOW64\Dlicflic.exe

Filesize
412KB

MD5
1b953aa66314a7af9c22ffb760f8abeb

SHA1
3941c409d0887bc62063aa5a76a07fafec465169

SHA256
187ba7f2a72b4ab92feba30a4780e91e4678f1fa885c098a24b4211339b5dddb

SHA512
3f4ca0f1e9ba216ef0a7786759491cdb025960bd3a21a6935921599e394e75d727e27ab8d72198a011a4107b39d63c2636cc8996cb641c0aa037ebd580b75482

Download Submit
C:\Windows\SysWOW64\Dpnbmi32.exe

Filesize
412KB

MD5
b8e793127542670f6ca8fe9f6d94005a

SHA1
ca1ab3888ea700be586e4eb0340fb4a2a943fb7f

SHA256
19c60e0a6184ffd6fabc240ea2ea26f480c09f6d01b1d2b4e2c22819ca58a8da

SHA512
276d19f6d0de17b89cc12dd12438c19919b03a48fd7f8f3f76df757100dcf51fa87ac4ba79324431f273377be7dcc37556e85a2bda6d495f9a2d260651d762d5

Download Submit
C:\Windows\SysWOW64\Eennefib.exe

Filesize
412KB

MD5
38889ebe93ec8a196d799257fb9e1193

SHA1
0dd8f94264281e805ad913ea0b4c93906a6aee53

SHA256
bcddaa064a22d055985357461d648ded8976d194edcbf7b8c20516813013ce1e

SHA512
ff3bf3571a60d4274f419334301ae3bf6752189f3663684dee5c5ebbe3e21aec9d4a9be3ec27c74556d0645fce4f8eb2997ea03bd48a22d83519e49414d8f3b7

Download Submit
C:\Windows\SysWOW64\Egdqph32.exe

Filesize
412KB

MD5
c1811d35d0a2c7738f94d7ad01226002

SHA1
82afb9f9168749fcdc29c016832fc82377b63b0e

SHA256
4c7042fcdf09543d251bb883e83cc8ff94bebeb5db21a31c398957c797254dd2

SHA512
ea512ff223896875127e7f8d8c72fa1281d53241fbff2b3738b4cb7c83716621bf16682db475aa016ecbff0abf5547000939a0e860ff0dbcc789ad95aac633b7

Download Submit
C:\Windows\SysWOW64\Emioab32.exe

Filesize
412KB

MD5
77c621c5d8f97a366b1e0b10c9e7eb9b

SHA1
89252bbf62a1a23b94fa6b2321f29c9792629725

SHA256
32c5ddfa325dfed2facf3c648a7ebc1f7cf83a7766e4e4c776f1e1a63ed7787e

SHA512
bcb231a5a8fdfc6708dcaa0919b118f2585ac0b701191541d4b98588db74f2f1c9b746a3e3671f6276addd4cbf49324597a15b3a3239d63e5634a745d792614b

Download Submit
C:\Windows\SysWOW64\Fdadpk32.exe

Filesize
412KB

MD5
4c8a7d10725968b29292a1030aaeba26

SHA1
f1c7432c1fb96b19aaf437a3dfafb341725da319

SHA256
710e61bedd062ade6f6ce76613aeffad75d2fd0be34a9a81e0fdb8b4ed19fcb9

SHA512
a0ec365ef465e812c285793a311b73ecc76b5cace9a415f176a6eaeca2b9d52835e3dc72942aee361aeb25e0974c5e3a9e581e9b4184c766341c2fe1111aa32c

Download Submit
C:\Windows\SysWOW64\Gggfme32.exe

Filesize
412KB

MD5
3b40968647e70a215a33ed80d838b2dd

SHA1
3c2f67275d80a8319d66ca9cea4454554ef52add

SHA256
d56b72761f1ff4b9eac02c35c9a534e3d40be62e093cb4dfa988bf5d9aae4d99

SHA512
34ce7d6d6c51dbf0f0f265451c8cb04a824bda96df4a2bb791342577ab48ae32e3cf76ce4394eb0b0b8de5d56e58e1cfcef213ae8383c0757c0da27d841142d2

Download Submit
C:\Windows\SysWOW64\Hgcmbj32.exe

Filesize
412KB

MD5
114ae342939cd97360b6bc8f66e48336

SHA1
530a738c2948cceabfd2e0aadfe3931d64227a8c

SHA256
0cba30257deebe1ebb2667c97282bd35dddd6d362eeca1f1abc08244c1bf0fb6

SHA512
b7c22b8a8cfe876bd8cdb4fd64e32224de52fb16c396f5e560f218e2aa2c3b40dc9325b38b42ab11f42b6afc42d2f60c01ad9a2f31b89cf0dcd8cb91a7c0e29c

Download Submit
C:\Windows\SysWOW64\Hjoeoo32.exe

Filesize
412KB

MD5
697454c5fd34722a6595c028429ed3f1

SHA1
1c77b00e3c6c6d004c87c1d6e8433459a8661a5d

SHA256
1eae3f59e3429eb0a10fd9fad92547d71510a7e856220c17dc4802c508d79a37

SHA512
2169f1b30ac3d92d9e93917d089d056cc9d84dc1bdf598101feb9ee72fef0dfd4c4bbafbc455e9373f9dacfabb8848cf22f605a0406284301cbd771222d34468

Download Submit
C:\Windows\SysWOW64\Iocchhof.exe

Filesize
412KB

MD5
d1264ed4f2f900bb55ae2badaba0be11

SHA1
c1de791e4bf450d083fe7b2139d431b4d6fd17b4

SHA256
61797e75b38690c4ecd933aaf59afe737ac1b16d2f7b69a686f65f041c0813be

SHA512
adf530c8d5b8c1e8795d5df2b1d07a987105754ba4371001aded2ac34f8e03ba15c57f3d1d944f5b581c0129340ca0f4360920945a5c39c7d210478212dc1ee5

Download Submit
C:\Windows\SysWOW64\Jjcqffkm.exe

Filesize
412KB

MD5
ea3cbf77a16519b4d46eecd1b4d8ea92

SHA1
aaaf3e5ce17df8d7331a019d49debd2ca960283f

SHA256
f5b76b43b036129f477015418e231fbc9b5cd882b7b7dc3eb6c14f881e5b7a63

SHA512
a71fb7157e77e90ff1dd02d39c092e4db0c3821c4ca791a92919587345ed854540563b0d16a870e3ee52da13aeacd3b75f2f3a70ccd96efda7806040c7d01feb

Download Submit
C:\Windows\SysWOW64\Kmncif32.exe

Filesize
412KB

MD5
b12f7883f9365b51f0345a81187e0888

SHA1
20370c3baae767e7526b13eb003b24587b9abece

SHA256
012bcefc1b36ca652aaac73185ab779498292816d93f3cae1fd34feda2c82b66

SHA512
e072cf6165d1dd6e623c00128b6e26de67fd304a4a697a6399dd22ce556d77afdea9ff511e06ffc6dfa67daee1dd2e4bfe885ab9a52b31af2ba7988f5944017e

Download Submit
C:\Windows\SysWOW64\Lcealh32.exe

Filesize
412KB

MD5
c21c3674a74b269c61d6d488ec11ef5b

SHA1
c084dd5f11b94ae6d242f88b04fd7e46fe8df6b5

SHA256
6147b90241d6145085fa40c78fda9011af603f1fd75f8722e3cfc07799f13a3d

SHA512
4d71448eaa84e8bad33405b4f52a9e3eeb83ecba82768335b138a0c76ef026c4cc5f72b8130a4c21428519d016361569af74ee1ae294c8eaea7c0ee0ad24e408

Download Submit
C:\Windows\SysWOW64\Ldckan32.exe

Filesize
412KB

MD5
5eaa15295af3819876cd0cfdb393bd7c

SHA1
472759ab03c843f53f686a89f279c690c7f8544a

SHA256
20e7d5f10d160e6693931dd9318b1b6344b8548138639bf5b7386175f2b0d3fb

SHA512
ec6d1393d8b08a837b0cfe6e2cad62046417cc38849ebd49f833a84a386c125c931d4598d7c35ad5f8d80f1e953ef6cd8a3d8d317522ae38c46d3f70674a55a8

Download Submit
C:\Windows\SysWOW64\Lddble32.exe

Filesize
412KB

MD5
36ec8601ccf94eb994014cf240afe8fd

SHA1
a6900c6720d439ac8ca22faea9997304e4786739

SHA256
5844f721fce8603b98f8b2f5b515ae305ae8937cf7c4a908127c8c3f4cac3e32

SHA512
1616129d2f3893f76090e6415a3c6f94b9b10fda339f554a1b0dab9c68ab0a8c1a2a97f8e382b21e335a14b4df0ab2b6ee0980b85643175984bde5889f7078bd

Download Submit
C:\Windows\SysWOW64\Ldfoad32.exe

Filesize
412KB

MD5
8cbd8cfd8f23d2fa5c57e69c2b75d7cd

SHA1
73b4bee6793a0e3d1f568683b8f03f51519bbe07

SHA256
67806305b6cfabe3677ea11e087b2e735d32faf90b11ea13f7d6de3dd48fbfbe

SHA512
ed158d189e2a5e106d606107aff55d8b1784e7f99daa527850357c312ac57526281869073c7cde027d18d35c7034cac4f3ecf6e426da74121dfab76ab020a13f

Download Submit
C:\Windows\SysWOW64\Llimgb32.exe

Filesize
412KB

MD5
62329a5599b02ac4a192c0357f305d1b

SHA1
acb09201380efe0bf29df4cd97b3537db159d134

SHA256
a633af274088ab7ec25b6ae78e56b9b31e8ed97f0a5dbb7d0c6af54babcdf09a

SHA512
7820f306e4664bf41c65c396f2bed3ac102cdd1ed5fe2bf52888d4584d301849ab41b86e33c7def9ba6460dae742bdda4f180843a7b0a26472f0360077ca03ab

Download Submit
C:\Windows\SysWOW64\Mcabej32.exe

Filesize
412KB

MD5
3022a526bd049d688ea45af57a4cde37

SHA1
def094c0612f77e75b2957b4d7a3a850ecc64d6b

SHA256
5fec9288485d186002135fe3d80d6a30cc48a5b53d7242197011b7b2f96e131a

SHA512
44d76762cf038fb2e38db5d2980526b8cc92758275e7b38cc8615c2158c5752a6a777fd7080ad1f8943c652375d3b2c5f71a9f1119a7cf73f16b424c8cf58f52

Download Submit
C:\Windows\SysWOW64\Mdokmm32.exe

Filesize
412KB

MD5
8b185078aa13bd2c4dcf0785f0a2d30e

SHA1
d67bbf8c5aca180fb1ac4d0211c1e859b62159ae

SHA256
e92e5a1be53ccd5edd0bf2e90bb4cd4fdc181f942db703c4de65e259c994de0d

SHA512
433ea1dd47ce4a256c1e9cec94c33267183a41681cd772cc7f70d3e6ca96f7356719e8d5cd591c7b95dbbe1ca51ea7dd2cb298d9e248053eb697beaa6f4fefff

Download Submit
C:\Windows\SysWOW64\Mkocol32.exe

Filesize
412KB

MD5
7da7e790dd2e72f9af6f65ef3dc1160e

SHA1
6869aefcd009f3a8c5e50286f1270215b5625b53

SHA256
6127e3ed8c08b90346e3c560dbe46104a01b100ab1e434ecd31634d1df22b2a4

SHA512
a6a600c1ab9b73d12a090ea3b353da0065ee3bb31b8666bf79aab0f2d310e7489cd9fe562850ab2274b364f260acda63bf83ba87df854c945782789c310b428f

Download Submit
C:\Windows\SysWOW64\Naaghoik.exe

Filesize
412KB

MD5
14f63da44d37de4be40b76b4335ea27a

SHA1
be7884fd7a82ad89827aebf468eb4450ec461c66

SHA256
bdb352ee1ff2ff9422194fe8e872d8e19a250a9d32a93ff7115c401961332a9a

SHA512
ae41ef5e31d66f5d7d692b3774acca980854f06198aa8f0a8e993820a17b75e4a9efafb17af530b5a63f9070371bdfc8f059aec410a65375348ba859fb91a360

Download Submit
C:\Windows\SysWOW64\Ncjdki32.exe

Filesize
412KB

MD5
dc1f44443385113d2638a7c797413188

SHA1
40289bda9efefdbe6caa837bc41abc160bc8ade4

SHA256
e3e4e808ea82f3678fc5a31ea8ba1570f56b5d19d3bfbd629329d81b492360be

SHA512
c8b3e725c1b8c67157f465726b6dd3ac8a690fc8aa5f9d28ae6851ca32482690fa959ca7d6d6847cfb45053b6bbb7994751f453294c4d2b56a2688e02b0195fb

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
412KB

MD5
e396b979f691d3261fddbae27e7fd4e9

SHA1
409cc33b3de10158753d6a83614ff81e6e7b2bde

SHA256
812ee577e32120071d0185d7e528896443774c784c480338aeee98b69482d7d9

SHA512
88251d375c4eda4c3fca64bcd5fbc043585e4e318b520674033d45373733996df547a8685949b2af2026fbea42397f70867ed7f874720c7864811278b62c9803

Download Submit
C:\Windows\SysWOW64\Nkgoke32.exe

Filesize
412KB

MD5
8667401e02d483cd1521f862b7bcfbb1

SHA1
75421feece054383af86a39d910ee5f7f5c069c3

SHA256
76474768e625273631649929df428e2c5f0587c8135e2bca81a09acf61405913

SHA512
2b3d491788b7dbcb2d4c9aacbce954eb72846128174df3f40c41f6efbf845a93522be19b4c6a573f93f824635d36e68a649775f4f2c50f51d5783d1f0c0f9186

Download Submit
C:\Windows\SysWOW64\Oeamcmmo.exe

Filesize
412KB

MD5
684aca9a19bc247081dcd1e518f08711

SHA1
0acd32f357f4b8271b70e2a4a768cdb46afc2748

SHA256
b976659971aa573d80cab7dd7fb16769a60a35390d08f3a505141864c5a341f2

SHA512
b95647dec2b17fb684dfca15bd30a009387c94ea5c26ab914d70d9e208a6e7d8dc72f9620267935370ef38bb136c936a0a15a5ee0232e33078c5b61e98ff6904

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe

Filesize
412KB

MD5
4985382ce86d655fcd605750e7d1e6b1

SHA1
f206742729f8f0b7073fec4acc5cab12167446bf

SHA256
efc3ed50b4fe3378ea343cf2c331c4faaad3f4adbd11da2472cdda5adccf48f1

SHA512
bb2cb813ef464cc3f6d12a499069d35ce1742e63045e30b1b7e371a44f34e7ca887958716b02674a1ed33f2798702f88a1d4c8a16f80015e72da3e95e82ba0e7

Download Submit
C:\Windows\SysWOW64\Okqbac32.exe

Filesize
412KB

MD5
33ef12a93427040af5b4924daf6937ac

SHA1
8134a77cd20f11f9df27158cdd6428b38cc5db63

SHA256
e856037aa87a36a5eaa6da65be83f63e6b94728e86c121977adfd0f409656805

SHA512
c7825f5eda398a6c1a2e87a1b91f957bfbf1fd001c49a5aff3db4d5eaf6811f0fc38ffe869c176dabcf53d3025dd3bb0a0cc0f631200c7bc7029cc6c411059ed

Download Submit
C:\Windows\SysWOW64\Omcbkl32.exe

Filesize
412KB

MD5
926c1bfd3c2f11996a1de4544a181000

SHA1
fbf452379d47b68495fcc7d4349557e6f74daaed

SHA256
c8d4e2c59bce76a0567cd4da7396b55ae888dc4c586d9e86fdaa503a48e4d877

SHA512
846c1c69efa095bf60dffe0bb0af0ce36d829301ce35b14777bb1e17c46a3214728449ad6f9b2868a02bc29675ac80f1d72d60c6bd91e6ae86720323bf90aaf2

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
412KB

MD5
552aa32e34bad2c485b85ea493bb0099

SHA1
64405c7fb8f57615f58e1b41c12e96e3cbaa0b89

SHA256
85fe120ac553388c41f1450677fbe0079faf52a781622d829d0db71742bba29b

SHA512
9de482b5599ffc36aefc84581aa662d13d35d45fec0c0a4947dbdcf9b89cf00c0d4b5b12cd69480de1246cffd5d395f44b59f21f7c9a772a35270788457f1996

Download Submit
C:\Windows\SysWOW64\Pfbmdabh.exe

Filesize
412KB

MD5
b53b2d4c21473e4e401785f689e1b3a5

SHA1
71c17c526006a65815326d963a778f0279fa8b22

SHA256
df677a1939ca496619e87d8f052b17f4bff7dfc29ae2253bfcf6af77169b53c0

SHA512
e73d490c329fa1e5e0b8749743efda03c5cdd333c33c1f7de68d2bd1e22ce36d425861da9b6f1886023483f8530d1aca010a0b0fc503aaaf4bac53372e64abe5

Download Submit
memory/568-224-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/660-312-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/708-22-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/728-130-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/752-449-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1008-273-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1020-404-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1096-194-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1112-475-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1216-187-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1236-299-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1368-250-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1436-293-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1476-462-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1516-448-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1544-483-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1628-163-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1664-430-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1948-331-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1964-147-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2236-179-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2348-98-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2448-26-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2516-320-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2640-415-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2820-57-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2944-155-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2980-468-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3100-41-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3180-424-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3256-65-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3396-50-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3468-484-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3516-8-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3532-336-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3676-246-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3688-139-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3776-370-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3800-276-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3924-357-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4220-338-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4368-287-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4392-171-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4412-219-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4416-310-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4456-114-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4520-402-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4560-122-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4592-347-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4624-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4624-82-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4624-1-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4640-351-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4672-259-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4728-90-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4772-73-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4784-379-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4800-390-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4960-83-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4964-33-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4992-445-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5008-202-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5060-106-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5084-369-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads