62c5d6172ef9692b3ff31bf6bc029fc84b8f73bd6ba70235897286c074507a49

Analysis

max time kernel
93s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 22:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

62c5d6172ef9692b3ff31bf6bc029fc84b8f73bd6ba70235897286c074507a49.exe
Size

860KB
MD5

d4b6ea6cf92292c267c648f3817f1301
SHA1

254610f9facaafd0cdffbe36fc99c717ccfbba47
SHA256

62c5d6172ef9692b3ff31bf6bc029fc84b8f73bd6ba70235897286c074507a49
SHA512

813a2689e3e57bf19c54c2db666a4d036643bb48c5f09973ed0808123b7aa07d0ec209b530da420c2c7b4e594fcc548976c0b57cc8200a61861fad3e5beadde5
SSDEEP

24576:OE5hPuh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YS:O7bazR0vD

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dadeieea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdhmnlcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcpclbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icnpmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	62c5d6172ef9692b3ff31bf6bc029fc84b8f73bd6ba70235897286c074507a49.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eolpmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekcpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eeidoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhkhibmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Echknh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajjli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobcpmfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjjhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceaehfjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doqpak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Echknh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eapedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imoneg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibnccmbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blpnib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbaemi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anbkio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfonc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmjdjgjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cecbmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Conclk32.exe

Executes dropped EXE 64 IoCs

pid	Process
1160	Aanjpk32.exe
3684	Anbkio32.exe
892	Aelcfilb.exe
2884	Adapgfqj.exe
4720	Aealah32.exe
3068	Ahoimd32.exe
4784	Bdfibe32.exe
3508	Bajjli32.exe
1376	Blpnib32.exe
1428	Behbag32.exe
3860	Bhfonc32.exe
3516	Bblckl32.exe
4956	Bejogg32.exe
8	Bdmpcdfm.exe
1640	Bldgdago.exe
3000	Bobcpmfc.exe
1624	Bbnpqk32.exe
1820	Bemlmgnp.exe
1488	Bhkhibmc.exe
4656	Cacmah32.exe
2264	Ceoibflm.exe
2352	Cdainc32.exe
4544	Cliaoq32.exe
4904	Cklaknjd.exe
4272	Cbcilkjg.exe
2160	Cafigg32.exe
636	Ceaehfjj.exe
3472	Chpada32.exe
3300	Clkndpag.exe
868	Cojjqlpk.exe
4288	Cbefaj32.exe
3748	Cecbmf32.exe
64	Cdfbibnb.exe
2064	Clnjjpod.exe
3272	Ckpjfm32.exe
3724	Colffknh.exe
4312	Cajcbgml.exe
2144	Cefoce32.exe
2864	Cdiooblp.exe
3520	Chdkoa32.exe
2512	Clpgpp32.exe
1380	Conclk32.exe
1784	Cbjoljdo.exe
4824	Camphf32.exe
2140	Cdkldb32.exe
1520	Chghdqbf.exe
2404	Clbceo32.exe
3488	Doqpak32.exe
1804	Dbllbibl.exe
4396	Daolnf32.exe
4768	Ddmhja32.exe
3816	Dhidjpqc.exe
4760	Dkgqfl32.exe
1064	Docmgjhp.exe
3700	Daaicfgd.exe
3288	Demecd32.exe
1848	Dhkapp32.exe
4820	Dkjmlk32.exe
4892	Dbaemi32.exe
3608	Dadeieea.exe
1256	Dhnnep32.exe
1512	Dlijfneg.exe
4036	Dohfbj32.exe
3304	Dccbbhld.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Edbklofb.exe	Elgfgl32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Bejogg32.exe	Bblckl32.exe
File created	C:\Windows\SysWOW64\Akalojih.dll	Cajcbgml.exe
File created	C:\Windows\SysWOW64\Nekfmb32.dll	Hcmgfbhd.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Ceoibflm.exe	Cacmah32.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Kemhff32.exe	Kboljk32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Ckpjfm32.exe	Clnjjpod.exe
File created	C:\Windows\SysWOW64\Dhpjkojk.exe	Deanodkh.exe
File created	C:\Windows\SysWOW64\Lcgdbi32.dll	Gofkje32.exe
File created	C:\Windows\SysWOW64\Jidklf32.exe	Jehokgge.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cefoce32.exe	Cajcbgml.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cdkldb32.exe	Camphf32.exe
File created	C:\Windows\SysWOW64\Dhidjpqc.exe	Ddmhja32.exe
File created	C:\Windows\SysWOW64\Fkopnh32.exe	Febgea32.exe
File opened for modification	C:\Windows\SysWOW64\Hopnqdan.exe	Gdjjckag.exe
File created	C:\Windows\SysWOW64\Fqplhmkl.dll	Jcefno32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Nconcm32.dll	Bdmpcdfm.exe
File created	C:\Windows\SysWOW64\Docmgjhp.exe	Dkgqfl32.exe
File created	C:\Windows\SysWOW64\Eekaebcm.exe	Eapedd32.exe
File created	C:\Windows\SysWOW64\Gmjlcj32.exe	Gbdgfa32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ijnlbk32.dll	Cecbmf32.exe
File created	C:\Windows\SysWOW64\Lboeaifi.exe	Lpqiemge.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Dedkdcie.exe	Dahode32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Chpada32.exe	Ceaehfjj.exe
File created	C:\Windows\SysWOW64\Eefhjc32.exe	Echknh32.exe
File created	C:\Windows\SysWOW64\Eifbkgjd.dll	Jeaikh32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Jioaqfcc.exe	Jcbihpel.exe
File created	C:\Windows\SysWOW64\Klgqcqkl.exe	Kemhff32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Fpeohm32.dll	Hbeqmoji.exe
File opened for modification	C:\Windows\SysWOW64\Kibgmdcn.exe	Kdeoemeg.exe
File opened for modification	C:\Windows\SysWOW64\Llcpoo32.exe	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Eekaebcm.exe	Eapedd32.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8328	7608	WerFault.exe	377

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cecbmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpihae32.dll"	Gmoeoidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll"	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlijfneg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogiek32.dll"	Eeidoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Conclk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gofkje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnambi32.dll"	Dccbbhld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Camphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckpjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcadgkl.dll"	Docmgjhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhbgqohi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdainc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eabbjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbjoljdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pejjde32.dll"	Elppfmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phaedfje.dll"	Jmhale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgnafam.dll"	Dhidjpqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkopnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cilkoi32.dll"	Cacmah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhbgqohi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Choehhlk.dll"	Hioiji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1160	1732	62c5d6172ef9692b3ff31bf6bc029fc84b8f73bd6ba70235897286c074507a49.exe	85
PID 1732 wrote to memory of 1160	1732	62c5d6172ef9692b3ff31bf6bc029fc84b8f73bd6ba70235897286c074507a49.exe	85
PID 1732 wrote to memory of 1160	1732	62c5d6172ef9692b3ff31bf6bc029fc84b8f73bd6ba70235897286c074507a49.exe	85
PID 1160 wrote to memory of 3684	1160	Aanjpk32.exe	86
PID 1160 wrote to memory of 3684	1160	Aanjpk32.exe	86
PID 1160 wrote to memory of 3684	1160	Aanjpk32.exe	86
PID 3684 wrote to memory of 892	3684	Anbkio32.exe	87
PID 3684 wrote to memory of 892	3684	Anbkio32.exe	87
PID 3684 wrote to memory of 892	3684	Anbkio32.exe	87
PID 892 wrote to memory of 2884	892	Aelcfilb.exe	88
PID 892 wrote to memory of 2884	892	Aelcfilb.exe	88
PID 892 wrote to memory of 2884	892	Aelcfilb.exe	88
PID 2884 wrote to memory of 4720	2884	Adapgfqj.exe	89
PID 2884 wrote to memory of 4720	2884	Adapgfqj.exe	89
PID 2884 wrote to memory of 4720	2884	Adapgfqj.exe	89
PID 4720 wrote to memory of 3068	4720	Aealah32.exe	90
PID 4720 wrote to memory of 3068	4720	Aealah32.exe	90
PID 4720 wrote to memory of 3068	4720	Aealah32.exe	90
PID 3068 wrote to memory of 4784	3068	Ahoimd32.exe	91
PID 3068 wrote to memory of 4784	3068	Ahoimd32.exe	91
PID 3068 wrote to memory of 4784	3068	Ahoimd32.exe	91
PID 4784 wrote to memory of 3508	4784	Bdfibe32.exe	92
PID 4784 wrote to memory of 3508	4784	Bdfibe32.exe	92
PID 4784 wrote to memory of 3508	4784	Bdfibe32.exe	92
PID 3508 wrote to memory of 1376	3508	Bajjli32.exe	93
PID 3508 wrote to memory of 1376	3508	Bajjli32.exe	93
PID 3508 wrote to memory of 1376	3508	Bajjli32.exe	93
PID 1376 wrote to memory of 1428	1376	Blpnib32.exe	94
PID 1376 wrote to memory of 1428	1376	Blpnib32.exe	94
PID 1376 wrote to memory of 1428	1376	Blpnib32.exe	94
PID 1428 wrote to memory of 3860	1428	Behbag32.exe	95
PID 1428 wrote to memory of 3860	1428	Behbag32.exe	95
PID 1428 wrote to memory of 3860	1428	Behbag32.exe	95
PID 3860 wrote to memory of 3516	3860	Bhfonc32.exe	96
PID 3860 wrote to memory of 3516	3860	Bhfonc32.exe	96
PID 3860 wrote to memory of 3516	3860	Bhfonc32.exe	96
PID 3516 wrote to memory of 4956	3516	Bblckl32.exe	97
PID 3516 wrote to memory of 4956	3516	Bblckl32.exe	97
PID 3516 wrote to memory of 4956	3516	Bblckl32.exe	97
PID 4956 wrote to memory of 8	4956	Bejogg32.exe	98
PID 4956 wrote to memory of 8	4956	Bejogg32.exe	98
PID 4956 wrote to memory of 8	4956	Bejogg32.exe	98
PID 8 wrote to memory of 1640	8	Bdmpcdfm.exe	99
PID 8 wrote to memory of 1640	8	Bdmpcdfm.exe	99
PID 8 wrote to memory of 1640	8	Bdmpcdfm.exe	99
PID 1640 wrote to memory of 3000	1640	Bldgdago.exe	100
PID 1640 wrote to memory of 3000	1640	Bldgdago.exe	100
PID 1640 wrote to memory of 3000	1640	Bldgdago.exe	100
PID 3000 wrote to memory of 1624	3000	Bobcpmfc.exe	101
PID 3000 wrote to memory of 1624	3000	Bobcpmfc.exe	101
PID 3000 wrote to memory of 1624	3000	Bobcpmfc.exe	101
PID 1624 wrote to memory of 1820	1624	Bbnpqk32.exe	102
PID 1624 wrote to memory of 1820	1624	Bbnpqk32.exe	102
PID 1624 wrote to memory of 1820	1624	Bbnpqk32.exe	102
PID 1820 wrote to memory of 1488	1820	Bemlmgnp.exe	103
PID 1820 wrote to memory of 1488	1820	Bemlmgnp.exe	103
PID 1820 wrote to memory of 1488	1820	Bemlmgnp.exe	103
PID 1488 wrote to memory of 4656	1488	Bhkhibmc.exe	104
PID 1488 wrote to memory of 4656	1488	Bhkhibmc.exe	104
PID 1488 wrote to memory of 4656	1488	Bhkhibmc.exe	104
PID 4656 wrote to memory of 2264	4656	Cacmah32.exe	105
PID 4656 wrote to memory of 2264	4656	Cacmah32.exe	105
PID 4656 wrote to memory of 2264	4656	Cacmah32.exe	105
PID 2264 wrote to memory of 2352	2264	Ceoibflm.exe	106

C:\Users\Admin\AppData\Local\Temp\62c5d6172ef9692b3ff31bf6bc029fc84b8f73bd6ba70235897286c074507a49.exe
"C:\Users\Admin\AppData\Local\Temp\62c5d6172ef9692b3ff31bf6bc029fc84b8f73bd6ba70235897286c074507a49.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\Aanjpk32.exe
  C:\Windows\system32\Aanjpk32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\Anbkio32.exe
    C:\Windows\system32\Anbkio32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Windows\SysWOW64\Aelcfilb.exe
      C:\Windows\system32\Aelcfilb.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:892
    - - C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\SysWOW64\Aealah32.exe
        
        C:\Windows\system32\Aealah32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Ahoimd32.exe
        
        C:\Windows\system32\Ahoimd32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Bdfibe32.exe
        
        C:\Windows\system32\Bdfibe32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Blpnib32.exe
        
        C:\Windows\system32\Blpnib32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Behbag32.exe
        
        C:\Windows\system32\Behbag32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Bhfonc32.exe
        
        C:\Windows\system32\Bhfonc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Bblckl32.exe
        
        C:\Windows\system32\Bblckl32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Bejogg32.exe
        
        C:\Windows\system32\Bejogg32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Bobcpmfc.exe
        
        C:\Windows\system32\Bobcpmfc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Cacmah32.exe
        
        C:\Windows\system32\Cacmah32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        24⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Cklaknjd.exe
        
        C:\Windows\system32\Cklaknjd.exe
        25⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        26⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Cafigg32.exe
        
        C:\Windows\system32\Cafigg32.exe
        27⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\Chpada32.exe
        
        C:\Windows\system32\Chpada32.exe
        29⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        30⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        31⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        32⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        34⤵
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\Ckpjfm32.exe
        
        C:\Windows\system32\Ckpjfm32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        37⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        39⤵
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        40⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        41⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        42⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Cbjoljdo.exe
        
        C:\Windows\system32\Cbjoljdo.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        46⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        47⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        48⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        50⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        51⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Dhidjpqc.exe
        
        C:\Windows\system32\Dhidjpqc.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        56⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        57⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        58⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        59⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        62⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        64⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        66⤵
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        67⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        68⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        69⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        71⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        72⤵
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        73⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1568
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        76⤵
        
        PID:720
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        77⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        78⤵
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1904
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        80⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        82⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        84⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        85⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        86⤵
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        87⤵
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        88⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        89⤵
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        90⤵
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        91⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        92⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        93⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        94⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        95⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        96⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        98⤵
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        99⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        100⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1880
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        102⤵
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        103⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        104⤵
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        105⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4636
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        107⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        108⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        110⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        111⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        112⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        114⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        117⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        118⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        119⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        121⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        122⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        124⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        125⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        126⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        130⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        131⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        132⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        133⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        134⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        136⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        139⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        140⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        141⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        142⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        143⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        144⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        149⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        150⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        151⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        152⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        154⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        155⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        157⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        160⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        161⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        164⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        167⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        169⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        170⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        171⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        172⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        173⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        174⤵
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6464
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        176⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        177⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        178⤵
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        179⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        180⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6708
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        182⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        183⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        184⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        185⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        186⤵
        Drops file in System32 directory
        
        PID:6908
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        187⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6988
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        189⤵
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        191⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        192⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        193⤵
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        194⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        195⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        197⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        198⤵
        Drops file in System32 directory
        
        PID:6536
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        199⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        200⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        202⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        203⤵
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        204⤵
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        205⤵
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        206⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        207⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        208⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6372
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        210⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        211⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        212⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6780
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        215⤵
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        216⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        217⤵
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        218⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        219⤵
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        220⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        222⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        223⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        224⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        225⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        226⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        227⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        228⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        229⤵
        Modifies registry class
        
        PID:7104
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        230⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        231⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        232⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        233⤵
        Modifies registry class
        
        PID:7288
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        234⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7416
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        237⤵
        Modifies registry class
        
        PID:7460
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        238⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7556
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        240⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        241⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        242⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        243⤵
        Drops file in System32 directory
        
        PID:7732
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        244⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        245⤵
        Modifies registry class
        
        PID:7816
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7864
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        247⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        248⤵
        Drops file in System32 directory
        
        PID:7952
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        249⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        250⤵
        Modifies registry class
        
        PID:8048
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        251⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        252⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8140
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        253⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        254⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7228
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        256⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        257⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7500
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7544
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        260⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        261⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        262⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7848
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        264⤵
        Drops file in System32 directory
        
        PID:7920
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7972
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8032
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        267⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        268⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        269⤵
        Drops file in System32 directory
        
        PID:7264
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        270⤵
        Modifies registry class
        
        PID:7340
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        271⤵
        Drops file in System32 directory
        
        PID:7444
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        272⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        273⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7652
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        274⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        275⤵
        Modifies registry class
        
        PID:7844
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        276⤵
        Modifies registry class
        
        PID:7980
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8056
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        278⤵
        Modifies registry class
        
        PID:8172
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        279⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        280⤵
        Modifies registry class
        
        PID:7432
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        281⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7592
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        282⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        283⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        284⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        285⤵
        Modifies registry class
        
        PID:7388
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        286⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        287⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7684
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        288⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        289⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7728
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        291⤵
        Drops file in System32 directory
        
        PID:7232
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        292⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        293⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        294⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7608 -s 212
        295⤵
        Program crash
        
        PID:8328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 7608 -ip 7608
1⤵
PID:8252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aanjpk32.exe

Filesize
860KB

MD5
ffecddf66a241153941b9fe2515ae05d

SHA1
d0277dd85b34e393358446e2fc52cf28ad8242ec

SHA256
d107b39bb4fbcd1dca5b3328094586b5eac542b4e235e90ef08a073d90f1fa2e

SHA512
44d2e67a039308840a897d5fecead487f0a02c58422ad3d68905f382ab677fb7922f5b5ae7d4caa51790bcba975b4f7bb04ca4bcb2202ea813a5b1ee9833fa82

Download Submit
C:\Windows\SysWOW64\Adapgfqj.exe

Filesize
860KB

MD5
aa63dc3789f0dc09b20d8e3a5f044836

SHA1
8867e10d78cfe0bda8651a886c6eb2ed004d1d79

SHA256
a2e5ed8873906a7beb6981f53cac64b1b40264154f57e293aa42aecf5be198e8

SHA512
8e8adaa4626c2deadd4d847113f5ba5a5df99146321eda4c48b10188b1d1f5225167879f06a2ec2a8f51807b05766c9c404a32a822c9aa2d42fafd300426e30a

Download Submit
C:\Windows\SysWOW64\Aealah32.exe

Filesize
860KB

MD5
6728be6737d375908ec12e1e7a3e507f

SHA1
5cacd525a7e5ef47d129a74d3865c7afc4896b70

SHA256
2825b62fbf8c174d57b724a1da54c297c2bf037f11df2afff1c1efb2e5b55393

SHA512
3559fff8f882b751d951d8d11a837cca376ba4ba9c1dc26a4aaeab8794dab61b2f11ddffa0112bb9eb91de23897bf8067983cf2741b712e332ca9c037de4b0b3

Download Submit
C:\Windows\SysWOW64\Aelcfilb.exe

Filesize
860KB

MD5
e8b78c699d213608c78bfd03c7a3ba98

SHA1
ec8c1a3e33f5794de9660bc6c25e10586d1e0dad

SHA256
b051389a29ca821f34b7ff9c92bc34530eac057c5b6c800f46873b1479c2b6aa

SHA512
4c72d9700ab743b194936679b7bb4406aed7eb0be76ce8d50618f0ebe6f594f2b84b4fb9734fda4fd2e309b87284c3a0453bad44494d33379f5db75a61ea14fe

Download Submit
C:\Windows\SysWOW64\Ahoimd32.exe

Filesize
860KB

MD5
ce44bc1f7765e676270899b9575485eb

SHA1
7cac3c7b04c157e7add61b243d57c2fa0503ee30

SHA256
30e058365172f0fbe7ead9ab761a0d67cf0575ea0d7f2793086fef9697902ea5

SHA512
84ab8692548eed186c9fd81a7dffbe30b6d62d2423baf3bf6cf700e72c7195514b58b334508b85e75294370fd9377d983d6021e99fa27908f0d33f7f3f8123f2

Download Submit
C:\Windows\SysWOW64\Anbkio32.exe

Filesize
860KB

MD5
26fa1b9b9e8f3f033218e8fe1a359a84

SHA1
713b70c45eb79b6833b91f63a35a42f061e6135d

SHA256
4f060c86ba33ae179796af8074854650bd89ab0703ce3a2cc11d4d9829d637af

SHA512
60dbdc7cf6dc7cfc294b77b50a8727df47cd7ef2a046afca19ecd5defa7761a1517f5f17724a4adeeaf1364497c8dfddf0155466d043ad5afddfefe37cc0ef89

Download Submit
C:\Windows\SysWOW64\Bajjli32.exe

Filesize
860KB

MD5
a4336b135aef9f17cc3c6df330f4fab4

SHA1
090f504e2705b14ea84259a9fb5d8649d96fff6b

SHA256
04b8b739a980f8f441eb3edd455b75c74e0d815593754bcf87b99a4a8ef43228

SHA512
17fea910d415c9bed17462bf94d9f12bdfade5a3a8ac9c8c4b0cbfa3a211804aac7ee2eee4130334e47356afc77086b760af07718d899703ba620e9d0560a3bf

Download Submit
C:\Windows\SysWOW64\Bblckl32.exe

Filesize
860KB

MD5
659fe36143b4d60ec0e35b1378677be5

SHA1
d9c60405c35f81980f3a07e01bdb2abc64decb39

SHA256
30abb83dcf5c054577bd5b4255f6a5b91884bc216348789657e8acb4ee76a44c

SHA512
77015b5de6271de327c19c25ed525611380a4b26f2698709b5f2515c0b3ac513084e0e10ab3fdf3afa1a2bf67a857feb45b9f4c2c13e44922f68029f16b910a7

Download Submit
C:\Windows\SysWOW64\Bbnpqk32.exe

Filesize
860KB

MD5
4f587e0a0625953a9375831c5a5dae80

SHA1
93e14bb00e45b5f8a65537df81a7730a296f912b

SHA256
88e4cf3c1c9755924cf9346a9677ad66a6e7233764fa5eb54ef10f1612f1dbd1

SHA512
d90089d15c69d49981545e73cbaee6019705234aaa71feab7a34a4361038e1e9db2226ac1d531f13eefb7d2bf1b8ac290ab10c6563109d08c7e039fdb8aff4c3

Download Submit
C:\Windows\SysWOW64\Bdfibe32.exe

Filesize
860KB

MD5
542c17668ff4b68de6a913ee1785d319

SHA1
590aefdc729b89d69fb06cc945ea88aeb97a7170

SHA256
8e02bc16025991522ddc744e3983d2d97063404516a2b36aafd647b84bc836e5

SHA512
ba693e7749d515df6d09e404b3e7afebe1ee04052116ca9bedc1b426443ff19d53a61b5f081e2ccd954dbd0651bdfd7db2584606cbc0bbc7b70274a6ec7816d3

Download Submit
C:\Windows\SysWOW64\Bdmpcdfm.exe

Filesize
860KB

MD5
0f6d0cf8ff16df7033c00ca25b2f41db

SHA1
7448e8c5c6da5dfb946414a845f15313f7bb2883

SHA256
6d01fc4a2da52d56f7f165633c844213e5151a594d7d3491cb4a14916dca9c31

SHA512
3662c144b86543f0f3f22a7985070a6bb6099d1538492dd0f9bb3a3036738c14ea9b1261ffc1fa33aaff65560efe618492bfcef0012366f68513064f52a267b3

Download Submit
C:\Windows\SysWOW64\Behbag32.exe

Filesize
860KB

MD5
385b38e823ec7cbe50e0cc57cb546ec9

SHA1
addaba602d7ec7ddfea78848e29f304b4257cddc

SHA256
5c736b18e3e91d718dc935230223cadb2d982911be0dbceeab780dd2e8fbb426

SHA512
a1170f8379d72b62d3a7aa49d7a4640aa00b1a0704c85ee8edfbaadc4163d43752bc0568413d7ef8269e7eacce63bcc071a95c8b1ca18350386a6968d23c51e0

Download Submit
C:\Windows\SysWOW64\Bejogg32.exe

Filesize
860KB

MD5
ec147836e9ea3c53e2b89d5fae8af759

SHA1
bba41025f381af93fa9acdb22e51335a656d2e51

SHA256
d86ff86192859f9da17686ca058b8bb4d20c94585bff9061ce864ca382b2e068

SHA512
0955c1b2521a36e9e7384429de97107cd9b510d05fe7020f5a735254447c1aaed1b05942abf714fe017ba69e21d5b74d92249f8250a2078776f43656ec47a5ea

Download Submit
C:\Windows\SysWOW64\Bemlmgnp.exe

Filesize
860KB

MD5
4822e649fedc98d48b4bd0ad0ce72def

SHA1
f087e4de41c3fe2b849b009244ff68a737dd1b7d

SHA256
dd0624ee5db5203abc0a32d5a66b610b261b2a1f38e619b5f5dc708185088e8b

SHA512
bba6122e3a08996f6df64c122d798e5596ca656222d9fb8e6c296b0433c41bddc9d6195410197e9142f3c1c4f1e54b02ffb7a2c4630ba7e6948489e8d9897347

Download Submit
C:\Windows\SysWOW64\Bhfonc32.exe

Filesize
860KB

MD5
ae3ec5f479c69b2c8138ae5207189f4d

SHA1
a59b76a8429bd85d97e5093ad8904f00915e1ee7

SHA256
9f6a6e57555ea7ce3ec64e7b32b9952616c2a2f88f6b73bc33f7346407cd45de

SHA512
3506524c15bd632ddc3a050bc7a9a401ecdd09f80c29bf313ca896e494c42c783141791cde4918239dc08f37c3fe137c9cc28312d55f6d07f82acee23dfda1d9

Download Submit
C:\Windows\SysWOW64\Bhkhibmc.exe

Filesize
860KB

MD5
46e9afb7c45d334954813cec0cc3418a

SHA1
891e3f7b70e250cf8e3575c35d541de653a8f3bd

SHA256
5aad9ba9b30752f3f21d87af9af2a610a05e30482aec3b4d157f7cb8f5e512bf

SHA512
b3db62e7c7a3e5c93bf1b290eef7f643030951fc9284912405271688c6c767f28a08fb92853d759e2fa907226fdff48c203d64dd2372b071e92d39956c82f8fe

Download Submit
C:\Windows\SysWOW64\Bldgdago.exe

Filesize
860KB

MD5
57cdf72e5cac8dc1cfdfcbe3d4f6a0c4

SHA1
665ce2481e4017f0d689918b3e08f1e7a3d5891a

SHA256
b7d18396204a72bcdcbff9c1a39cfb946922f3c82ac55e27a9e17a0b745cf619

SHA512
c447df3fa58ca2e92dc793ecf29aaa63ac92d72ea9b579fd7a1b03baa410b09fe84bec2b9f7e33c8cd7ebe35e2e8998f56d412dc03e3bd457c6892905b7972ab

Download Submit
C:\Windows\SysWOW64\Blpnib32.exe

Filesize
860KB

MD5
1ee34f9b200f8f3f8142bd96b243d08b

SHA1
dbdbc7aea02d66938e51cc8d129a7fa9e48ae470

SHA256
df7bb683f8e7a66c45476c1e61d0a46158a5be0ecb36e2389dc3ece4f7fd94bf

SHA512
28a092906e08c2d510463901427e7f4c306d352c97aa38f9051ac575278dd27d77529ee715c14db82861f9923b209cba4aa8fcfc08c8374be0770546bea6b8c5

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
860KB

MD5
4eea224435773c0a06d11c9a2e407b74

SHA1
6e5217a09d14323e8f74cabc4eaf649aa31633e5

SHA256
ad59396bca67be544977f87fc53626dc0f658796365f7be0777d8caf2a5e3b4f

SHA512
cb1d53ff322c6194eb536f4bea604dac52b1c77caaf90646aba35e93107ba4d2b8f84d37122aa8a02ae6dcf277afa4246af0a6d40af073a1607c3d447b71e5e0

Download Submit
C:\Windows\SysWOW64\Bobcpmfc.exe

Filesize
860KB

MD5
86530dbfd3ff9dd6f7c1d39fa2fa214c

SHA1
abf31fd21748d4c8c513555ea0dc1109180583ac

SHA256
b6d3c6f6e6fbd992eb4c9e38f421b18267af95172f5c7b50bca4167d14a6a32e

SHA512
47bae759e06213cc0fda9aa81b5339d542e4df9e06861ee9add9107aa56fde30545c64db040bffffea430ffbfcd81e81e40ddbcfb5a66232b28fbbc6ed508a09

Download Submit
C:\Windows\SysWOW64\Cacmah32.exe

Filesize
860KB

MD5
8ce3e1087dcbd195e35fb0a29afcf4ae

SHA1
ebba6cf46e410172b0ea29ad937afe85a1697ebd

SHA256
cab4c42c81db8760f835f573cd451c6805adfb1a53fb3599aa96aa81e25344e1

SHA512
b5ee6c64d4bd26167a4079de8d6f98284874d92b8323e58507d0be391f456f042db3b8012a9f93a3bffb7f20c8d0791889cb9b42d5129bee8b2830e75ad2f973

Download Submit
C:\Windows\SysWOW64\Cafigg32.exe

Filesize
860KB

MD5
c22e43664b459271a81e4064c56b5d19

SHA1
a5e8020f2c3ad08e907b9622b174b8f3aa28bb30

SHA256
19c271c05ca61e7449efe3ee37e0950b38aa73878756160e3e64c84502368195

SHA512
ade9e3a8e2a6005d3e6e15369e5d20be55dfe4405a213cc4f398a2025eecf5a4433fa4ddb6079d4efaa53d4d788b0c0c0b04b532325e305a7b8ced1f5f7b0220

Download Submit
C:\Windows\SysWOW64\Cbcilkjg.exe

Filesize
860KB

MD5
eccc6fadd870a03a86d9bfabce80f42c

SHA1
2c9a5006c1b68399685a301e948f263b7e8e2636

SHA256
efe4520482b1a18b459b406078b4dfb2df1e14feabff728b7b38d4346390b9d8

SHA512
b5bd121fd716dcd04d46485d26313e71b890904e47175ab030f54df54a457a0f6074cc557c609512f9aa111568edda0ba3e56206b9e578495258c5e207b4f36e

Download Submit
C:\Windows\SysWOW64\Cbefaj32.exe

Filesize
860KB

MD5
ea2075a41588361dd8adf1569d532e27

SHA1
237acb250cbb432474cb8734e06212a9df234c2d

SHA256
cfb9d01612fa444528f088c6d1337da35a3ce77efe4091685e423e1b8e844ebd

SHA512
50551620dc80b7d6b84870494507061baf63cf68f534c582ec8d4625e71066321b14cead3e72709a27e4424728dadd3e684808660313f115fd8002f5060c3bf3

Download Submit
C:\Windows\SysWOW64\Cdainc32.exe

Filesize
860KB

MD5
57ae711f1a25e3737c28263feec0d146

SHA1
34fcf5a3d560c75fe020de270c1cd20ac9bb9809

SHA256
6aaed3e25d19623f59c12b31523cfe6304209aa8b7fde12fe5d8816407bf4651

SHA512
c0c997dd6c595dd61d1184b78f3cbbecdff1ad508071a2166f7e70138ce8809eef99caa81a04884fc2ed50ec09d5d74949daa5771ba4b44bb1f1d9966770ea3d

Download Submit
C:\Windows\SysWOW64\Ceaehfjj.exe

Filesize
860KB

MD5
2c960c9d3c77eceb1bf3e67fc6599b8f

SHA1
7e1ce07d31ded937a9a5821fcf5aff8eb4609c39

SHA256
ae528348e6e597bac014bf5cc2ebfbefb59026573974315510cf8aac6ea8ca03

SHA512
b7dfe6123a143d3d2a9367f9d3239bcbddd692947dbb14fde4fc65ca33661ad62473e533a41461f1a1566d0523968751d9a6021cdc04f31d105c03ebcbdd77ca

Download Submit
C:\Windows\SysWOW64\Cecbmf32.exe

Filesize
860KB

MD5
1b2aca5c89837a6a5acd750215f7bc92

SHA1
e79d9603222f56cda300f963b4b866932322cafa

SHA256
9eb2e67081300da1c6f442018c581ef8dbcf6bbb6faffa1aee47f1ead97336e8

SHA512
24f842c8e9e8acc2efb7cc1b3ddb36b7d4aaa720217ee6fa85ba65a93c1d1c3ef0b963df9bf7dafb5157a499c1d58ddbdeb1422ee7d1808ccac345917ffb88cf

Download Submit
C:\Windows\SysWOW64\Ceoibflm.exe

Filesize
860KB

MD5
bd667417649e73a28d3cd6a18d5e15a3

SHA1
d15156bbb1b2cd8cecfd1faee722e72e4279e463

SHA256
409e548b22cf30ea94382cd110c4283a7151376f4c08b55a118707e883210210

SHA512
1f8f35e872d69145571c95aa19452e65b426e540f4b19a96cd7d13a330f5e269ebc56d8a1088dd7cce05f3b1815cb4a6247c20d3656d6195626376edd07633a0

Download Submit
C:\Windows\SysWOW64\Chpada32.exe

Filesize
860KB

MD5
9cc5d6c0b9ab0cc0ab0a6fd64916455e

SHA1
854489ea03a914fa87745ded2bd800bb31ea97f2

SHA256
8ec42f27f5f04b4ee453064b0ddeaea1d8b36f01eb5a570edd966d7aeadd1c63

SHA512
e488fb7cdd6daeaab974f13bfae65fdbeafa0f59dc296aa9c62d98dd04fe916ea468f0abc5032ca66903fa67dbf4c6f61fb1e43fea107c1e166c27e652cf718e

Download Submit
C:\Windows\SysWOW64\Cklaknjd.exe

Filesize
860KB

MD5
f48d4594dcc5e58e8d9c78ed2510876e

SHA1
9376ed3b73a3c5031328f012480ddc6c61c2317d

SHA256
82b648efd14cb80283faae6156ddbcf899338e237c14794f884e3df40c411aa4

SHA512
02f700af1f69bfe4df6baa397d92daee75ce1941cf9962ce437e94a2ffce204e119a56d0d74c1d415b2b28bfd0009b70acdc27a9afef35e2ec90fa0fcbf90a1e

Download Submit
C:\Windows\SysWOW64\Cliaoq32.exe

Filesize
860KB

MD5
eb939a93d334137ce8f95aff323d6bcd

SHA1
19849bbf7bb2a8f79b7010f9298e7c7fad8dd580

SHA256
76cdc7e221830300d023e4f256ff134511e8fe4d93d39d405d7442e82ef2a9ae

SHA512
bf6c4609247de31d798f83fc47347a53a06478bf4b3f56bd373e676358cdad900d3b65144c29d38617fb3e11b5dec230898d36cf24b711c86604909c8f52c94a

Download Submit
C:\Windows\SysWOW64\Clkndpag.exe

Filesize
860KB

MD5
3a9dae875c2009b6b3afab7381692ab1

SHA1
54923df19c0bc63b2c4e3e7fc72f4128cd7a11fa

SHA256
0df5556ab85b08efe9af46d21bd832499fc6133baf010f298e1f162660ab8cb0

SHA512
4d5d3fed0a8b1f7d3ccdf64877b5bf55eb0b66f3b42c03feebdd73ceb0b870092fddff84cdececf73f4d088838533658c9697fa1ea1ea5d276955b2305346e4c

Download Submit
C:\Windows\SysWOW64\Cojjqlpk.exe

Filesize
860KB

MD5
2d3a9a4d91654b98c4b76917f5b0aa0a

SHA1
c567b00df4536816d02009547c040dc28cc20a01

SHA256
3e22b2a37d2c3276447a5d92dd379a10c3ea15ac8b377cd3ab20e1d7c425b3a4

SHA512
857988cc2a5b6b9b026055410fd5ed1418006a44f5a7fcc8fd501adaa9da5056f993e8656b40ac2c84272991e45510f8c39bc9fe96aa6155db2d05c0185ac3db

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
860KB

MD5
3b9094652fbb6a12b5bf3fc14e15d23a

SHA1
41e2718361355f41cfbeefae9c6427c5c55c8fd6

SHA256
edb74ade2790d9520ba829c7842562140d6ae200dc483a245b4ae68c997cb510

SHA512
666e3b5fc2e42c64e414c28c9ca8e6110fa215c43c2c21dcc28fd05462a55fdf2f93fecf5e6850eb93932a8f3e72c34addf443775a3012014f32ad829717f5b9

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
860KB

MD5
7febf9d5d4105629c07057bc6d6de10c

SHA1
cb2fbacb88b841dddae7411bee9489c0a43e84ae

SHA256
2dbbd66b1dfb976fb4d47f1e8b393d7f4c0e5a746b221ac58637d511e4e93bc7

SHA512
51f1c7399147a24ba94136ce9ffdd3cdbadf012e16a0f99f3d3b66c3e94e9288c089e7807a0f9e024aa0ed3284211665eea1a0adc93b9a8b6097ff19b1759e7d

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
860KB

MD5
b7c30e9a160962b91a8c584a5f26154f

SHA1
1f4aab6aeac71758744ad0e231d04a7153ecbec2

SHA256
714fd71e3cf6557b8a367b1c4b652f74e4ac894e0aafe5e83a446cfcf32907af

SHA512
9622feaee7d05d61c7d6b46c14d38db742c9998072862b74e33f365507a396db2531a395560bbca136b5901aa10672bdd23b190b57dec7ae47c30f21a5f672d2

Download Submit
memory/8-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/64-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-610-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-616-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-596-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-622-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-1923-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7592-1931-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7764-1938-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7812-1920-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8012-1929-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads