8ed542a23e94c3de5a9a98effb28d89474657fde9b5d0c36a801de122c7aca0a

Analysis

max time kernel
92s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed34b2d3d5d14f2e2b9f3d3669956cfa.exe
Size

42KB
MD5

ed34b2d3d5d14f2e2b9f3d3669956cfa
SHA1

a13d2e5e4168c50579e35bb9b7ad547f9682e11e
SHA256

8ed542a23e94c3de5a9a98effb28d89474657fde9b5d0c36a801de122c7aca0a
SHA512

621325316f3aa74cbb977bb8fe1bb3dcfd0b3d8e23de61d097ff69b836b447828bf14f1d262f2ea4536a15e8ebbef6aedc22b3177ead80978747325de6f9ed33
SSDEEP

768:bk2GbH/4rRfpJkruknilv8uDucGbyK7Nle9xG/W7acVQoGcS8LBWXx/1H5f:bhSH/MForuknQNGPN9vwmcS8LBW7p

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehljfnpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmjdjgjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elgfgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajcbgml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdialn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elppfmoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jioaqfcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kikame32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balfaiil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gomakdcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himldi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckedalaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imoneg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcojed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcbpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdbhcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elppfmoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmnpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehokgge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkalchij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdqgmmjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmhja32.exe

Executes dropped EXE 64 IoCs

pid	Process
2480	Beeflhdh.exe
244	Bhdbhcck.exe
820	Bnnjen32.exe
3504	Balfaiil.exe
1704	Bdkcmdhp.exe
2920	Bjdkjo32.exe
5024	Baocghgi.exe
1804	Bhikcb32.exe
3340	Bjghpn32.exe
4668	Bbnpqk32.exe
1576	Bdolhc32.exe
392	Blfdia32.exe
2104	Cacmah32.exe
3108	Cdainc32.exe
1152	Cliaoq32.exe
984	Chpada32.exe
2172	Cknnpm32.exe
1920	Cahfmgoo.exe
1472	Cdfbibnb.exe
2712	Clnjjpod.exe
3044	Cajcbgml.exe
860	Cdiooblp.exe
3640	Clpgpp32.exe
4988	Cbjoljdo.exe
3476	Chghdqbf.exe
3288	Ckedalaj.exe
3512	Daolnf32.exe
116	Ddmhja32.exe
404	Dldpkoil.exe
224	Daaicfgd.exe
1088	Dhkapp32.exe
1332	Dkjmlk32.exe
1584	Deoaid32.exe
4196	Ddbbeade.exe
1824	Dkljak32.exe
1928	Dccbbhld.exe
1456	Dafbne32.exe
4444	Dddojq32.exe
4588	Dkoggkjo.exe
3760	Dojcgi32.exe
2948	Dahode32.exe
2212	Ddgkpp32.exe
1992	Eolpmi32.exe
592	Eaklidoi.exe
3572	Edihepnm.exe
4584	Elppfmoo.exe
3696	Eoolbinc.exe
4904	Eamhodmf.exe
1488	Edkdkplj.exe
3672	Elbmlmml.exe
1740	Eoaihhlp.exe
3448	Eapedd32.exe
2396	Ehimanbq.exe
1372	Ekhjmiad.exe
3436	Ecoangbg.exe
540	Eemnjbaj.exe
3028	Ehljfnpn.exe
1100	Elgfgl32.exe
4080	Eofbch32.exe
4132	Eadopc32.exe
1656	Edbklofb.exe
1232	Fkmchi32.exe
5016	Fcckif32.exe
452	Febgea32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jpppnp32.exe	Jlednamo.exe
File created	C:\Windows\SysWOW64\Kboljk32.exe	Jpppnp32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Icplcpgo.exe	Ipdqba32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dkoggkjo.exe	Dddojq32.exe
File created	C:\Windows\SysWOW64\Icfpbq32.dll	Fooeif32.exe
File created	C:\Windows\SysWOW64\Gfembo32.exe	Gcfqfc32.exe
File created	C:\Windows\SysWOW64\Jbjcolha.exe	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Clnjjpod.exe	Cdfbibnb.exe
File created	C:\Windows\SysWOW64\Gfbploob.exe	Gcddpdpo.exe
File created	C:\Windows\SysWOW64\Gomakdcp.exe	Gmoeoidl.exe
File opened for modification	C:\Windows\SysWOW64\Cdfbibnb.exe	Cahfmgoo.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Icplcpgo.exe	Ipdqba32.exe
File opened for modification	C:\Windows\SysWOW64\Flqimk32.exe	Fdialn32.exe
File opened for modification	C:\Windows\SysWOW64\Gfembo32.exe	Gcfqfc32.exe
File created	C:\Windows\SysWOW64\Kdqejn32.exe	Klimip32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Ddbbeade.exe	Deoaid32.exe
File opened for modification	C:\Windows\SysWOW64\Fllpbldb.exe	Febgea32.exe
File created	C:\Windows\SysWOW64\Qghlmgij.dll	Gmlhii32.exe
File created	C:\Windows\SysWOW64\Laffdj32.dll	Hkkhqd32.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Lboeaifi.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjo32.exe	Bdkcmdhp.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Pkbbae32.dll	Hcbpab32.exe
File created	C:\Windows\SysWOW64\Kdcbom32.exe	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ffddka32.exe	Fllpbldb.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Jioaqfcc.exe	Jedeph32.exe
File created	C:\Windows\SysWOW64\Naqcfnjk.dll	Ffddka32.exe
File created	C:\Windows\SysWOW64\Gbdgfa32.exe	Gcagkdba.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Jcpfco32.dll	Ckedalaj.exe
File created	C:\Windows\SysWOW64\Lcgdbi32.dll	Gcagkdba.exe
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	Kefkme32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Cdiooblp.exe	Cajcbgml.exe
File opened for modification	C:\Windows\SysWOW64\Gmjlcj32.exe	Gdcdbl32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjcdn32.exe	Klngdpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mmlpoqpg.exe	Medgncoe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10232	10068	WerFault.exe	463

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjdgcbkb.dll"	ed34b2d3d5d14f2e2b9f3d3669956cfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfnhlp32.dll"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Febgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgkmfoj.dll"	Glhonj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klqcioba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoakjca.dll"	Chpada32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdeqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adopjh32.dll"	Ifjodl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddgkpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoaihhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgdbi32.dll"	Gcagkdba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifefimom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicplccq.dll"	Bdolhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbnjmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkhbdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabqkgan.dll"	Ifllil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdkjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjghpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmjdjgjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkahqga.dll"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cahfmgoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmanlfp.dll"	Fkmchi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggacefk.dll"	Fdialn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikdngcl.dll"	Kikame32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ippggbck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ed34b2d3d5d14f2e2b9f3d3669956cfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clnjjpod.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 2480	4808	ed34b2d3d5d14f2e2b9f3d3669956cfa.exe	86
PID 4808 wrote to memory of 2480	4808	ed34b2d3d5d14f2e2b9f3d3669956cfa.exe	86
PID 4808 wrote to memory of 2480	4808	ed34b2d3d5d14f2e2b9f3d3669956cfa.exe	86
PID 2480 wrote to memory of 244	2480	Beeflhdh.exe	87
PID 2480 wrote to memory of 244	2480	Beeflhdh.exe	87
PID 2480 wrote to memory of 244	2480	Beeflhdh.exe	87
PID 244 wrote to memory of 820	244	Bhdbhcck.exe	88
PID 244 wrote to memory of 820	244	Bhdbhcck.exe	88
PID 244 wrote to memory of 820	244	Bhdbhcck.exe	88
PID 820 wrote to memory of 3504	820	Bnnjen32.exe	89
PID 820 wrote to memory of 3504	820	Bnnjen32.exe	89
PID 820 wrote to memory of 3504	820	Bnnjen32.exe	89
PID 3504 wrote to memory of 1704	3504	Balfaiil.exe	90
PID 3504 wrote to memory of 1704	3504	Balfaiil.exe	90
PID 3504 wrote to memory of 1704	3504	Balfaiil.exe	90
PID 1704 wrote to memory of 2920	1704	Bdkcmdhp.exe	91
PID 1704 wrote to memory of 2920	1704	Bdkcmdhp.exe	91
PID 1704 wrote to memory of 2920	1704	Bdkcmdhp.exe	91
PID 2920 wrote to memory of 5024	2920	Bjdkjo32.exe	92
PID 2920 wrote to memory of 5024	2920	Bjdkjo32.exe	92
PID 2920 wrote to memory of 5024	2920	Bjdkjo32.exe	92
PID 5024 wrote to memory of 1804	5024	Baocghgi.exe	93
PID 5024 wrote to memory of 1804	5024	Baocghgi.exe	93
PID 5024 wrote to memory of 1804	5024	Baocghgi.exe	93
PID 1804 wrote to memory of 3340	1804	Bhikcb32.exe	94
PID 1804 wrote to memory of 3340	1804	Bhikcb32.exe	94
PID 1804 wrote to memory of 3340	1804	Bhikcb32.exe	94
PID 3340 wrote to memory of 4668	3340	Bjghpn32.exe	95
PID 3340 wrote to memory of 4668	3340	Bjghpn32.exe	95
PID 3340 wrote to memory of 4668	3340	Bjghpn32.exe	95
PID 4668 wrote to memory of 1576	4668	Bbnpqk32.exe	97
PID 4668 wrote to memory of 1576	4668	Bbnpqk32.exe	97
PID 4668 wrote to memory of 1576	4668	Bbnpqk32.exe	97
PID 1576 wrote to memory of 392	1576	Bdolhc32.exe	98
PID 1576 wrote to memory of 392	1576	Bdolhc32.exe	98
PID 1576 wrote to memory of 392	1576	Bdolhc32.exe	98
PID 392 wrote to memory of 2104	392	Blfdia32.exe	99
PID 392 wrote to memory of 2104	392	Blfdia32.exe	99
PID 392 wrote to memory of 2104	392	Blfdia32.exe	99
PID 2104 wrote to memory of 3108	2104	Cacmah32.exe	100
PID 2104 wrote to memory of 3108	2104	Cacmah32.exe	100
PID 2104 wrote to memory of 3108	2104	Cacmah32.exe	100
PID 3108 wrote to memory of 1152	3108	Cdainc32.exe	101
PID 3108 wrote to memory of 1152	3108	Cdainc32.exe	101
PID 3108 wrote to memory of 1152	3108	Cdainc32.exe	101
PID 1152 wrote to memory of 984	1152	Cliaoq32.exe	103
PID 1152 wrote to memory of 984	1152	Cliaoq32.exe	103
PID 1152 wrote to memory of 984	1152	Cliaoq32.exe	103
PID 984 wrote to memory of 2172	984	Chpada32.exe	104
PID 984 wrote to memory of 2172	984	Chpada32.exe	104
PID 984 wrote to memory of 2172	984	Chpada32.exe	104
PID 2172 wrote to memory of 1920	2172	Cknnpm32.exe	105
PID 2172 wrote to memory of 1920	2172	Cknnpm32.exe	105
PID 2172 wrote to memory of 1920	2172	Cknnpm32.exe	105
PID 1920 wrote to memory of 1472	1920	Cahfmgoo.exe	106
PID 1920 wrote to memory of 1472	1920	Cahfmgoo.exe	106
PID 1920 wrote to memory of 1472	1920	Cahfmgoo.exe	106
PID 1472 wrote to memory of 2712	1472	Cdfbibnb.exe	107
PID 1472 wrote to memory of 2712	1472	Cdfbibnb.exe	107
PID 1472 wrote to memory of 2712	1472	Cdfbibnb.exe	107
PID 2712 wrote to memory of 3044	2712	Clnjjpod.exe	109
PID 2712 wrote to memory of 3044	2712	Clnjjpod.exe	109
PID 2712 wrote to memory of 3044	2712	Clnjjpod.exe	109
PID 3044 wrote to memory of 860	3044	Cajcbgml.exe	110

C:\Users\Admin\AppData\Local\Temp\ed34b2d3d5d14f2e2b9f3d3669956cfa.exe
"C:\Users\Admin\AppData\Local\Temp\ed34b2d3d5d14f2e2b9f3d3669956cfa.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\Beeflhdh.exe
  C:\Windows\system32\Beeflhdh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\Bhdbhcck.exe
    C:\Windows\system32\Bhdbhcck.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:244
  - - C:\Windows\SysWOW64\Bnnjen32.exe
      C:\Windows\system32\Bnnjen32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:820
    - - C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Bjdkjo32.exe
        
        C:\Windows\system32\Bjdkjo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Bhikcb32.exe
        
        C:\Windows\system32\Bhikcb32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Bjghpn32.exe
        
        C:\Windows\system32\Bjghpn32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Bdolhc32.exe
        
        C:\Windows\system32\Bdolhc32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Cacmah32.exe
        
        C:\Windows\system32\Cacmah32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Chpada32.exe
        
        C:\Windows\system32\Chpada32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Cknnpm32.exe
        
        C:\Windows\system32\Cknnpm32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Cahfmgoo.exe
        
        C:\Windows\system32\Cahfmgoo.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        23⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        24⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Cbjoljdo.exe
        
        C:\Windows\system32\Cbjoljdo.exe
        25⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        26⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        28⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        30⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        31⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        32⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        33⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        35⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        36⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        37⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        38⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        40⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        41⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        44⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        45⤵
        Executes dropped EXE
        
        PID:592
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        46⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        48⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        49⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        50⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        51⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        53⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        54⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        55⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        56⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        57⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        60⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        61⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        62⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        64⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        66⤵
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        67⤵
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        68⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        69⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1612
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        71⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        73⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        75⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        76⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        77⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        78⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5080
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        80⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        81⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        82⤵
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1136
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1908
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        85⤵
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        87⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        88⤵
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        89⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        90⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        91⤵
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        92⤵
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        93⤵
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        94⤵
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        95⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        97⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        98⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        99⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        101⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        102⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        103⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        104⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        105⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5612
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        107⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        108⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        109⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        110⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        114⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        116⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        117⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        119⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        120⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        121⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        122⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        123⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        124⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        125⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        126⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        127⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        129⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        130⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        131⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        132⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        133⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        134⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        135⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        136⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        137⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        138⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        139⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        140⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        141⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        142⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        144⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        145⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        146⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1104
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        148⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        149⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        150⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        152⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        153⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        154⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        155⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        158⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        159⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        160⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        161⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        162⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        163⤵
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        165⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        167⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        168⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        170⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        171⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        173⤵
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        175⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        176⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        177⤵
        Drops file in System32 directory
        
        PID:6956
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        178⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        179⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        180⤵
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        181⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        182⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        183⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        184⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6328
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        186⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6488
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        189⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        190⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        191⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        192⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        193⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        194⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        195⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        196⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        197⤵
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        198⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        199⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        200⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        201⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        202⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        203⤵
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        204⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        205⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        206⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        207⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        208⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        209⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        210⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        211⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        212⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        213⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6596
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        215⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        216⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        217⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        218⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        219⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        220⤵
        Modifies registry class
        
        PID:7272
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        221⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7348
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        223⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        224⤵
        Modifies registry class
        
        PID:7428
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7476
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        226⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        227⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        228⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        229⤵
        Modifies registry class
        
        PID:7660
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        230⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        231⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        232⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        233⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        234⤵
        Modifies registry class
        
        PID:7908
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        235⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        236⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        237⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        238⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        239⤵
        Drops file in System32 directory
        
        PID:8136
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        240⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7212
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        242⤵
        Drops file in System32 directory
        
        PID:7304
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        243⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        244⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        245⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        246⤵
        Modifies registry class
        
        PID:7644
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        247⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7848
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        249⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        250⤵
        Drops file in System32 directory
        
        PID:7992
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        251⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        252⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7256
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7420
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        255⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7556
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        256⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        257⤵
        Drops file in System32 directory
        
        PID:7832
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        258⤵
        Modifies registry class
        
        PID:7972
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        259⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        260⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        261⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        262⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        263⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        264⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        265⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7648
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        267⤵
        Drops file in System32 directory
        
        PID:8164
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        268⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        269⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        270⤵
        Drops file in System32 directory
        
        PID:7300
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        271⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        272⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        273⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8364
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        275⤵
        Drops file in System32 directory
        
        PID:8416
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        276⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        277⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8536
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        279⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        280⤵
        Modifies registry class
        
        PID:8628
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        281⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        282⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        283⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        284⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        285⤵
        Modifies registry class
        
        PID:8832
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        286⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        287⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8932
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        288⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        289⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        290⤵
        Drops file in System32 directory
        
        PID:9048
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        291⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        292⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        293⤵
        Modifies registry class
        
        PID:9176
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        294⤵
        Modifies registry class
        
        PID:7204
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        295⤵
        Modifies registry class
        
        PID:8244
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        296⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8316
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        297⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        298⤵
        Drops file in System32 directory
        
        PID:8484
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        299⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        300⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        301⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8740
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        303⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        304⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8892
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        305⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        306⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        307⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        308⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        309⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        310⤵
        Drops file in System32 directory
        
        PID:8312
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        311⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        312⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        313⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        314⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        315⤵
        Modifies registry class
        
        PID:8720
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        316⤵
        Drops file in System32 directory
        
        PID:8828
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        317⤵
        Drops file in System32 directory
        
        PID:8908
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        318⤵
        Modifies registry class
        
        PID:9036
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        319⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        320⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        321⤵
        Modifies registry class
        
        PID:8340
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        322⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        323⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8640
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        324⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        325⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        326⤵
        Drops file in System32 directory
        
        PID:9124
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        327⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8308
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        328⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5056
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        329⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        330⤵
        Modifies registry class
        
        PID:9000
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        331⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        332⤵
        Modifies registry class
        
        PID:8612
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        333⤵
        Drops file in System32 directory
        
        PID:9088
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        334⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        335⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        336⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9192
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        337⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        338⤵
        Drops file in System32 directory
        
        PID:9332
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        339⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        340⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        341⤵
        Drops file in System32 directory
        
        PID:9480
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        342⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        343⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9568
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        344⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        345⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        346⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        347⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        348⤵
        Drops file in System32 directory
        
        PID:9784
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        349⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        350⤵
        Modifies registry class
        
        PID:9872
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        351⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        352⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9956
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        353⤵
        Modifies registry class
        
        PID:10000
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        354⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10048
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        355⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        356⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        357⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        358⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        359⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7180
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        360⤵
        Drops file in System32 directory
        
        PID:9288
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        361⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9404
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        362⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        363⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9536
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        364⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        365⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:9664
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        366⤵
        Drops file in System32 directory
        
        PID:9736
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        367⤵
        Drops file in System32 directory
        
        PID:9808
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        368⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9868
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        369⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        370⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        371⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10068 -s 396
        372⤵
        Program crash
        
        PID:10232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 10068 -ip 10068
1⤵
PID:10164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Balfaiil.exe

Filesize
42KB

MD5
d64990c185c6a7259ea8f611a6b078c0

SHA1
4a7d3a19b527ae6e22d1e2cc59de14f98abe7c48

SHA256
2f4a8060978d7f319b308c1df44162d2c97dd83934ed4bf95f4990ee13ba3567

SHA512
ca684119078154842dc781b168156fc7955e1b1ed703603d6668ffc6067f82ba1349247f24a236a03e5317fba8dcbce5a33df3dec977794f37f4a9f3219a0a32

Download Submit
C:\Windows\SysWOW64\Baocghgi.exe

Filesize
42KB

MD5
0c6b5934249385cdab5be53e917a2226

SHA1
9d701fd1f602281b77d7d6b2e2928eeba6f76cda

SHA256
500dacfcf4b14d4f49654160159ffb7d1008c5f5167cde32c8ce7c37264da29b

SHA512
0b92877055937e1080a99702dd6bddbfce94e61758233bdd908da0228e8134200c5d6dbf724a6f48c0dcffb9346c7d659eaa2635822cf5cd8fe244a5be9d9951

Download Submit
C:\Windows\SysWOW64\Bbnpqk32.exe

Filesize
42KB

MD5
2920ddad990a5a25b5ebeafe06f2df90

SHA1
a2296fb93da09220550fd12fe85fc341afd1da5c

SHA256
d39784cdac3e2374b50b0299ba96b6eb6f2e38d32eceb2b630788fb20d84b261

SHA512
7a4374e00934d306290840f190dab55143cb6bca8f90d5857e7de9bf5f58a4e16263a265ac317544ba0811a5086ceefa7110e565f877c081502be0a61f066270

Download Submit
C:\Windows\SysWOW64\Bdkcmdhp.exe

Filesize
42KB

MD5
184aa73557b59abd54d5761f836d2b10

SHA1
0840624bbf4246ccf22fbeb0470d450d3f0a8170

SHA256
3ba61378c610bf167477e06af13190e1a7b2f0476b196858fc3570e2f7d11454

SHA512
ad7a94dbad526663c0718baa04997f0647a637f66c36a972971c733eeb0eae763984e672166d618c11f278ad064ed2318d92166b8b8467b1981780ce08525a60

Download Submit
C:\Windows\SysWOW64\Bdolhc32.exe

Filesize
42KB

MD5
3b7aea65e6fcc49241cf8dcb64651352

SHA1
11175b0ddb229605ecb97e0b4e470d142c95d15e

SHA256
0f9e151e768058619e3f6f411a0fef519900f755a575869bf742b845cc2cfbe5

SHA512
4d6d28142c6b3348d85fa94f49d74066e9bdce719c7fa8438d57fa01ff4654f0d4ca541dc3753c52a9697bb3e1c48529a30e0a2782bfedfc553a65290eeb572f

Download Submit
C:\Windows\SysWOW64\Beeflhdh.exe

Filesize
42KB

MD5
e5f3f5aedeff16db177ae9315dd0cce5

SHA1
a16c8144bac5726a0f1bdfed3f14a3d0a8102de9

SHA256
9b76e452e8ceac2e19ce7a9ce7713223c4ee9fdf47c5689ad50e202ef7e47514

SHA512
8ae2f9c4469df7414842cd14e109877a6cc2ae3c1cc6eb6d277dfc611b6984965617aeabc013b3b85e8992126142ce29e2c93fc55ebed714de2997185fc9aa5e

Download Submit
C:\Windows\SysWOW64\Bhdbhcck.exe

Filesize
42KB

MD5
2bd123045eda2b499aa10c19547b457f

SHA1
10f4480808877815a9c0b2a19f1b2accd092e1e5

SHA256
aa0cace14abb35a93c9839632c767422d6b55fd22f6a1942b8a8639bb44f9b56

SHA512
da6f3b72dd158b63b86c57dcbfff2f06a59a3dfec0d09a37db8ab34a6f1f4f928759f79de78b545d1b4e8c757a209782d3957df2db17d40fc38991d0749e3e9d

Download Submit
C:\Windows\SysWOW64\Bhikcb32.exe

Filesize
42KB

MD5
ad88e2af901646144572a3058c5bb5d9

SHA1
9de1100464879163334f89e76e74e7c5a30213b2

SHA256
654dc598793fde2077df5e8927e8fcba310647c628bef431600178878d88bed2

SHA512
f25849cc548cd923a656db06f9ed44f70f13cf046e953ce2337ea541f0db90222d35fe159cefd44a72c2114f5277a27a9ca42d106a2d81a6c8e18dbbf92509db

Download Submit
C:\Windows\SysWOW64\Bjdkjo32.exe

Filesize
42KB

MD5
011e9adb93b52607d98927d8ad31bfb2

SHA1
9ee0abe0106954fb4c95279348ba82d1d1f3c1d3

SHA256
5fcd43b2e0b62771d679a0a44a70893f6b6ba1f9cacfa15c6fe775bfb9f2f3cb

SHA512
1afe816d8a407e796f4861dee2ca14a98961675b7a3a12ce83401fa4042aa0bc40a877e0c7199e836d09c54ada6591a7c0c518354a9f4b4944fc7ae1e0e8c972

Download Submit
C:\Windows\SysWOW64\Bjghpn32.exe

Filesize
42KB

MD5
e9fbcb59128b0b13bd166da81c455ad8

SHA1
331fbdcf01ea67afa8537a79896ba3108e49fa5d

SHA256
01b68370d7ed3c25c3355ad121019c9acbce09f14d1a014540b03df84a8eaeb7

SHA512
5ce5a9f494500bfe9c2f3fbcf6524f28fa416c70029ce3e629634719fd65ee25b33eeb8b7d9350d4f819f90562d844bcb73194214c7dad8d888fefa4e1c08063

Download Submit
C:\Windows\SysWOW64\Blfdia32.exe

Filesize
42KB

MD5
e4011d055f216afeff24cb2ebd94ba99

SHA1
1100637cb3845a92dcc6d25b479722a9d41d2c51

SHA256
e2c3b6be4d3fe85d23ed18f646cee21221f824d765a14910c26c4597aa01827f

SHA512
d460172c066fe34cd83cb2c88bba0547539123772e2ae0dff9f8f5ab1b8b1bf804d1ec64e870bc307bf4b123762c4a6104861da8dbeff0745f7a94d9e76cafc8

Download Submit
C:\Windows\SysWOW64\Bnnjen32.exe

Filesize
42KB

MD5
0713191811bcd79f7bafe27587f63cbd

SHA1
10dd637a10b2d9b3d6fc0660e76d8216aa529e6e

SHA256
ac4f96179213e0aaceae501c7fd1f8644c2824fbebf6f66d754dcb1ea4e5d2d3

SHA512
afda62aaccf8fa8f575cf825af9bbc1febef9f458593e26f39e9356569995000f0d4d950ff8551daccc0dd5b82cf9102b053b7aa5bc80a190d2ca9a9b37cde44

Download Submit
C:\Windows\SysWOW64\Cacmah32.exe

Filesize
42KB

MD5
cc9eb4019a48173fdea6b4481a3016f2

SHA1
3b346caeef0ae788f502b3549d4e516f1cc4d87a

SHA256
cd1ed793ff7f5762d368ec5ad9108f56d718824a4c24465acacf38a171b5066b

SHA512
22cb0d44019d5ea20d620b36c5ac5a6606237db622963fb7696166bf16b2199111bf8bd4674ccabac4118447657dcc90864361c9e5a821192e5d74c72e885655

Download Submit
C:\Windows\SysWOW64\Cahfmgoo.exe

Filesize
42KB

MD5
d97412392c70d1773bd90cbe2cc424ac

SHA1
9434d25dc4f390dff4bad56d23e7e5407a7d6bbe

SHA256
b970d94612abac8fe66a00cd9abaa37e6e9d11e35969eec34c5ff8ab5d27b9e0

SHA512
d32ce402f13d99538d276dd22529d945ae8afc575de2c6e3f080e510de694712314f3b11e5cd411f5768b08883a99eaf24e85b3b811dcf3e8a2d9af95f7a1ae4

Download Submit
C:\Windows\SysWOW64\Cajcbgml.exe

Filesize
42KB

MD5
bf5435cfe9c557784564022908ffd85f

SHA1
e1e0e0b940b8edd4cb75e9645e2d27f739dcd5f0

SHA256
9cc872742121af112080ed6f5e6b413b6954cb4883d7d142bd9c8fd6ce44043b

SHA512
46a7836d50f4f30b590f9ddb83700f54ec0efc64c01bce0c03e617e23ed02cb3c0254023d60caa0ea5a757af35f92ea2999e9e6a9acfbf03e0366c4e87db54f3

Download Submit
C:\Windows\SysWOW64\Cbjoljdo.exe

Filesize
42KB

MD5
9ee5d2f2cab452231059ae1d93628629

SHA1
5677248a621bb0e3895c37483fbb01403814eab3

SHA256
c2a980228c48787ca820cbb2d43abb5bb04bbbbfb3ac78e09a85bbe8ff8ea8d5

SHA512
cf7b313c5bef8f9a7c3d1bbf557e48e791268dc5f9b5269f9ad26d4daac589b9fcaf3f352e5e49b4c4174da56b5e14b2db3a4d491f623c8d2914f68425dc2b1b

Download Submit
C:\Windows\SysWOW64\Cdainc32.exe

Filesize
42KB

MD5
319f894a9b3009b2ef62f00729dba3e2

SHA1
02949171a2d147adbeeefdcd21d5e2bfd8b7e5d0

SHA256
3057d21b67e8cda4f482cae7741f85016f46b1c7c863197ef414ca3207b11072

SHA512
05d20cbb53d39f7099d479c5170833d7e7f11c6130482acf4576041340777270786e4def2eaaa5dc31478e0cc174894c699eb564f6a3123f623cd7968c3d3226

Download Submit
C:\Windows\SysWOW64\Cdfbibnb.exe

Filesize
42KB

MD5
b3197e658be430841057ba4b7a77d91c

SHA1
59b872d3b951d187acd944c0603cf786380fc4f4

SHA256
730c18765f9e18aad4321af007fd198c31e91e2fbbd3f8187eef6952afeae623

SHA512
d5f63dd4340ebdccab94d8c8b737bd1d910ec0615bc396ca41196e5a2a33591a0d08942eff429aadaaf4834855e5a3ba9a2fccdcd0c01e622c62a4c341d661d0

Download Submit
C:\Windows\SysWOW64\Cdiooblp.exe

Filesize
42KB

MD5
0cf523487c26de2f68d9337966b02543

SHA1
8fe072dff90f5fe02f23a99ab6e9f87eea894325

SHA256
cc96d46a48d7aefc49d312878c06b00f1b7ee1647c594b537c4a2211df8fb50e

SHA512
76935532d50a5af8fc5bb1b5c3046c715cdf8eb13d0214b0052872755e58dd6704ee93ba99eb1d385adb275c9623e0775f3822ee9495c6565febb61c7baa355e

Download Submit
C:\Windows\SysWOW64\Chghdqbf.exe

Filesize
42KB

MD5
b67aaf8644aaf571379cd11e777ca7a4

SHA1
e9e1899fb2f3979609eabe8cdcd967280491a6d4

SHA256
0d9286510928525193f447d2131ac43a545071775e38c1c8c9f9bd6a324d422d

SHA512
6ca5924b93494a1a3a281f89792048ad74a69bb2a4249469124b95153760c86ef01dd1112fe6575bd93f772ed37ffeb08bec683418ea03152f853b83f6b9aba2

Download Submit
C:\Windows\SysWOW64\Chpada32.exe

Filesize
42KB

MD5
54c4b7b8e1a24db6b65edeaead2aa478

SHA1
64d37a5c5ad0af1608ba2fccafeeed02f9e6ebb0

SHA256
9782717f3e430add0f30f237dae9686e0c44e323a4de39da21d467b43fb9fbc1

SHA512
935f9eaaeeeda23f753d6025536ac5889d61f49a5f3424a84abe8da71c930cc4492ba17d15955074545d578dc711e97746fbb849fa60344dc4ef35643b40f06b

Download Submit
C:\Windows\SysWOW64\Ckedalaj.exe

Filesize
42KB

MD5
bbb518c51315e559e11f2334b055e726

SHA1
6e30da41be986e9883399b013ac41c7f171f4efe

SHA256
7598d0027cbadde98b02ae9259c4b58745272d26dae8e2e04b865a492e933cd5

SHA512
b9efd36c12e756b19a105ec91d908b78fe08d82fbdc4400e97fd4648c62f3566bd4fe1e764bbb47abb526129908e94493d0c3ca37866cf150f935f7a4bf0a04d

Download Submit
C:\Windows\SysWOW64\Cknnpm32.exe

Filesize
42KB

MD5
16b1d636d4b551457f27492609096519

SHA1
2bc2f070ea778639b011dc14152b5fa051395273

SHA256
9903d3f3c0ab1a9fb3fd2cd77faeb52c77a9da6d6d591648fc246dfd73806f02

SHA512
a3b2ae56e663cc9b19cfa8d4cdf78a68d94e0e808417c0c130e651045515ad380bceee9c375f07353ec619cabede4fd710fdd2ca3dc3edba2f47c0cddb0c102f

Download Submit
C:\Windows\SysWOW64\Cliaoq32.exe

Filesize
42KB

MD5
ad9173d65dcb94be6366c2e4f10caab6

SHA1
872e7d50922bb9b60fc704a53b85611137e08d73

SHA256
da0041bff5d545afe9742b9ce4ccf53f2f2b94cdbb7a76b230f651bfd381dbc5

SHA512
75eb49605e0b3caeb725cfd140f5f97d5d57df58a8b908927d7b384e1ab91157ffaa036417da61840efcf89af6d6a6d22127076222e2f0b53877a397523dfa6b

Download Submit
C:\Windows\SysWOW64\Clnjjpod.exe

Filesize
42KB

MD5
4a26dbfaf03383ca9aedef6329d92c94

SHA1
3cd826330539adca6b0e957d5d6d1a33bde0117b

SHA256
0fbb10b963920c2dfd506c36649f4fca8d311175e27842c460bdc111e58a68d3

SHA512
9412d7ef77e132eee978c25c235ecc57e2b6542fe80135e8c573935069a0f4d7ab1a703e1171990c7fb4de37c30896e0f18237ce16198c50a7a649ae44c957a7

Download Submit
C:\Windows\SysWOW64\Clpgpp32.exe

Filesize
42KB

MD5
f1ccbe721201b59ba36958b65772d4a2

SHA1
1b3267cc741836a03e73d35e4c11f92eb0b22489

SHA256
c17a02f96ec344e8524ef6dfa0dee23c80917e273f64204156e99b8e87a98ba0

SHA512
af1b4852da6460459f79939b89326f125b73f4572d09c9cf115c7ca409ad16faedc9b4ec852e0f25539ed8f9ca3d505d6d54c7295bd7fe36a018c401a81f35cc

Download Submit
C:\Windows\SysWOW64\Daaicfgd.exe

Filesize
42KB

MD5
8abc9c26c401fe01397390df58a25956

SHA1
20ff974976440cd9143b66f4115ea6249c1f613b

SHA256
c5ffa11fec49510498e725e80aea1fa539d10840972f2764ddf09e27d5d69e43

SHA512
7cf37d935d40061803cabfe16aaa91b62799f572792d9546b03f2934bf9b0ee98507bf2209f11d510664bf2f3dfb21c02b0507a925467d53822c670dbbc11299

Download Submit
C:\Windows\SysWOW64\Daolnf32.exe

Filesize
42KB

MD5
bff75252bec60e055439bdd5d5868db4

SHA1
86293bc1613ceb61b54b69401e1ce99ee4c30113

SHA256
437baed845d40c258f1884035b7a4b462ae45f8ca257e631041fd9b8ff145a18

SHA512
7dd1ac5d47c49104a58272f7c7cde8ea9b2100a6c309f8eee2cb75f2ede6e2794d98b206eccfe829f029760e97e526d021c26c3d6c146556d5c2fa3d538d0f56

Download Submit
C:\Windows\SysWOW64\Ddmhja32.exe

Filesize
42KB

MD5
ffc98bc79c08a28f984842ab4159bc37

SHA1
bd2f4e93241060219a28c36d7c70c57c6eb6a5c3

SHA256
e682a42d34115be8311503950d01c2e06818fe35ab89cc2db736fa2235ae0090

SHA512
addf9e793ebff47c456789fae1ebd9751763a50a39532798bd37902be972df99da819efe58071a77be97d04d2c8bd3b0ab5ed40327ded2fe482f35b5a5e9fa63

Download Submit
C:\Windows\SysWOW64\Dhkapp32.exe

Filesize
42KB

MD5
df77e78c6d5b4cf8826eded55bd7a7bf

SHA1
50bb0f52ad11d994217ecb4d76303fe8b31c41ca

SHA256
6e21ef7788575e9fa50d198037b76b4dca454a6d80dd40dbcae22718ea0a3f00

SHA512
d57332605d28f36cbc2c42ddf9a5649c95d28ea23c3db26ee14af61d4a35da24c493cac215eddba36093b2eb5d079adebeb8d42e853052473095b52a24f03d01

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
42KB

MD5
56f5e8c74afba2f89139f1e0b64b4e30

SHA1
df689fc93d9964d6723673e0ecde9fd9941c16e8

SHA256
3b6d4f42bf5ade83208677f4140ab5007e0ff4437ccb077892acab392bacfb01

SHA512
0c2559980eca06bb0e70956d4c083ddd6771391d022d33fd42a998fab983fd0f17340f46d30e588eef46bc15a20ceba9b27ae5e370cb383b0c47f7ff5662c942

Download Submit
C:\Windows\SysWOW64\Dkjmlk32.exe

Filesize
42KB

MD5
d0bd795a1b070a4dc7bab53dc5af18cf

SHA1
07e3fd8e2020328f0f10ab66828db252082f1efb

SHA256
048d4517c28ea14351c41c308ff8f570c72c0e36daf94bcbe210862de5962f58

SHA512
7ae80a46614f8fa299b085392b15664bcce0297781fdc4cd4a0ac2b3dcb7f17b6cfb784e0935c29e086c9dcaf0c7123d82d0c6f2bf4f14606af250722734a17e

Download Submit
C:\Windows\SysWOW64\Dldpkoil.exe

Filesize
42KB

MD5
ef78fe25e69f9cd27fdff3a0595ef598

SHA1
4dd73f4277e5f963a466ad0f3151be3cb5946b1c

SHA256
4b060adea4c5d5ab001109919f355c6b5a768f0474b5d850d84592deb3109568

SHA512
fcd9e05aa3394f5b1484dcfc12b50cf40ff0f144e2696bdea9b04d806fbee64359ed3b77ab93e580e538705482efa1b9373162cae90d1ad7db3e37c76828d48c

Download Submit
C:\Windows\SysWOW64\Flqimk32.exe

Filesize
42KB

MD5
665c050637583a68dbe957b393ab7f7f

SHA1
4a41436b964c7ca4629c11846f1ac106b8cd34c5

SHA256
b50f3c96f84a410f799dae74a7a95803a21b19925b670412b0ab1849f293fa11

SHA512
759576afbb627162eed6102556056d4a9412321485e6234deb8e15ebccf69429b3d9d6989f80e013e4f537b93b822c2cc502b0cd6ef9a4c58f18065a57753048

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
42KB

MD5
8936d17fd6e23cd156f7ffcbb98c6cf5

SHA1
3c18eb399c4a515d98bb5e2d31afa0ae4d25fdc3

SHA256
e3160025efe2fa4d4386613c4f16529395eeaaedfa82bd52364f8dfe52f01253

SHA512
edffcb6187ed52d68a55ef13f53410e57099214df1d18a661bddb5c58eb0e2dd691e96e221aec17a81c28c830905578bd1a9da9ceb33718eabcd1875b130e15f

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
42KB

MD5
4aafd167e2c315360b4666c426467abb

SHA1
d78fded8d1199fbe1a23c1181c3f2ce9ab9c06a8

SHA256
135f96f3d9158d922b1905ebec6af63c460f148c010d9f7f191c24e176522a11

SHA512
ac87445bd9d37a54f89a37d2c7a3192e25dd5b1e8d6a15f187bd13fcbd137ac77369a31690dffd2ff364d66480b2a10526cd255ec9f27360b97392aed21c1861

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
42KB

MD5
57e59d52df794a68128e62da90eadd4e

SHA1
e33c890f422a2c60bfd3b3201b44f9ccd2326e41

SHA256
25e1886ae9ba65d6670e4d3ec76127c999da2d21a1a3795f76f1c27bedd2f669

SHA512
ec997d5bfbd1a70b0416a42ef7234bf0c7282a72f7195eb3ccfef47cdfb34bab50ba9826b359c407a3acc947c4d5b46766b4544a3be4d591a1cb4697d9ecebb6

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
42KB

MD5
69e9b7d15590039ebc8a08e9ccc9f137

SHA1
ea24d9978ac9eb6efd4ebaa16b0235d85c1d7c20

SHA256
f3f209df77523872df4bff943dea05eb1ee141ce913a7982826cc7182c0fcbd8

SHA512
3020660053cfb9f9c2737b3f4799456aaaef43f9d5bcad573c6839a91f1b82801f6274af1d87fbd08287d94035fdc00429777760aaa181ae81c50561029e9ced

Download Submit
memory/116-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/224-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/244-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/392-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-405-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/592-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/820-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/860-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/984-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1100-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1332-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1488-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1576-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2396-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3108-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3436-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3448-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3476-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3504-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3512-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3572-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3672-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3696-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3760-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4132-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4668-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5024-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9404-2483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9584-2480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9664-2479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9736-2478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9808-2477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9868-2476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9924-2475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/9992-2474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10048-2490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/10172-2487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads