4ab047b933a3b1e78bbe5d5fd9eebfeecd1d0a1eab1110fcc1f54398b082ce33

Analysis

max time kernel
161s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

218bc6d0d52d86454a45447d98ebba2c.exe
Size

208KB
MD5

218bc6d0d52d86454a45447d98ebba2c
SHA1

8bb2c134299b96da7f88c89eed0b2c2f71a3a644
SHA256

4ab047b933a3b1e78bbe5d5fd9eebfeecd1d0a1eab1110fcc1f54398b082ce33
SHA512

6f78cb100fa68d07273048d8cee65068202f0cf735ffe367075bd9d852f002caa1cafc57f9f631e704706401891db79f6ff05b8efbcc86ddaf663b4be9c2f153
SSDEEP

6144:jN0drKPXuapoaCPXbo92ynnZlVrtv35CPX:jm4uqFHo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ababkdij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhbnqi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcdpakii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgpodk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lechfeoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhijcohe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cknlln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioppho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnondf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aancojgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdjcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bllbkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfglpjqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enkmpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebiffc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Heochp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfqkmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafcjijo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbmoabde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgbmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfnbnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejklfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjebiq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgfljqia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffobbmpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbknhqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngemjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkjhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmbiqqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cakjfcfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcdkdpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efamkepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ompfnoci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdbmfhbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkibl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacmggo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doojni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bibpkiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqngekl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgacaopj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcpjgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edbhgokc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkfcjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiaqnagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecjhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjapphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olqofjhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igedenca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oagpne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llhnpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmmihf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bckddn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjljd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmpmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpdcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffmelmbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfaenfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mginniij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcglfjgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndphpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kngcdkjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkgpleaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdpjeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbefln32.exe

Executes dropped EXE 64 IoCs

pid	Process
3140	Lbebilli.exe
4812	Mklfjm32.exe
2432	Ncjdki32.exe
3576	Nlgbon32.exe
4668	Omcbkl32.exe
3836	Pbbgicnd.exe
1976	Apddce32.exe
3620	Aiabhj32.exe
4168	Bmddihfj.exe
968	Bbefln32.exe
1064	Cleqfb32.exe
1512	Dedkogqm.exe
4872	Dibdeegc.exe
2320	Edakimoo.exe
2384	Fdogjk32.exe
4568	Fcddkggf.exe
4748	Gddqejni.exe
1404	Gloejmld.exe
2756	Gfgjbb32.exe
4412	Gjebiq32.exe
3320	Hdbmfhbi.exe
3812	Ifmldo32.exe
640	Jfoaam32.exe
1572	Knbinhfl.exe
1180	Lmgfod32.exe
2804	Mginniij.exe
3260	Moeoje32.exe
3668	Ngemjg32.exe
2072	Nehjmnei.exe
1632	Okeklcen.exe
2192	Pkjegb32.exe
60	Pklamb32.exe
2940	Abpmpkoh.exe
1748	Afnefieo.exe
4436	Afpbkicl.exe
1016	Aohfdnil.exe
1688	Bnppkj32.exe
3992	Becknc32.exe
2424	Chfaenfb.exe
3196	Cejaobel.exe
3988	Clffalkf.exe
2088	Dlicflic.exe
4592	Dhpdkm32.exe
2104	Dlnlak32.exe
5040	Donecfao.exe
1900	Eldbbjof.exe
4784	Eemgkpef.exe
1076	Ebagdddp.exe
3652	Ehbihj32.exe
2660	Fgcjea32.exe
2932	Fekclnif.exe
3504	Fofdkcmd.exe
4876	Ggafgo32.exe
1504	Ghgljg32.exe
1128	Gjghdj32.exe
1888	Hhleefhe.exe
3976	Hjlaoioh.exe
1164	Ioppho32.exe
2168	Ijngkf32.exe
1760	Kiaqnagj.exe
4212	Ladhkmno.exe
1368	Lipmoo32.exe
4960	Mpchbhjl.exe
2724	Mfomda32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jbkeki32.dll	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Ophbja32.exe	Obdbqm32.exe
File created	C:\Windows\SysWOW64\Mmjdpi32.dll	Aaoadg32.exe
File opened for modification	C:\Windows\SysWOW64\Jncobabm.exe	Jdhndlno.exe
File created	C:\Windows\SysWOW64\Peajngoi.exe	Picchg32.exe
File created	C:\Windows\SysWOW64\Bidefbcg.exe	Alioloje.exe
File opened for modification	C:\Windows\SysWOW64\Bblcda32.exe	Blakhgoo.exe
File created	C:\Windows\SysWOW64\Loeoei32.exe	Lhkghofb.exe
File created	C:\Windows\SysWOW64\Oemofpel.exe	Nppfnige.exe
File opened for modification	C:\Windows\SysWOW64\Picchg32.exe	Ophbja32.exe
File created	C:\Windows\SysWOW64\Mncmck32.exe	Mcnhfb32.exe
File created	C:\Windows\SysWOW64\Imjddmpl.exe	Iecmcpoj.exe
File opened for modification	C:\Windows\SysWOW64\Ddifaqcn.exe	Dnondf32.exe
File opened for modification	C:\Windows\SysWOW64\Okbhlm32.exe	Omjnhiiq.exe
File created	C:\Windows\SysWOW64\Dbghhd32.dll	Cfiiggpg.exe
File created	C:\Windows\SysWOW64\Lffhpnhe.exe	Lplpcc32.exe
File created	C:\Windows\SysWOW64\Eikcmf32.dll	Pgfljqia.exe
File created	C:\Windows\SysWOW64\Nggnjjoo.exe	Nqmfnp32.exe
File opened for modification	C:\Windows\SysWOW64\Fbbhla32.exe	Fgldoi32.exe
File opened for modification	C:\Windows\SysWOW64\Kiaqnagj.exe	Ijngkf32.exe
File created	C:\Windows\SysWOW64\Njmejp32.exe	Mphamg32.exe
File opened for modification	C:\Windows\SysWOW64\Agnkck32.exe	Ababkdij.exe
File created	C:\Windows\SysWOW64\Peiqme32.dll	Nabfcegi.exe
File opened for modification	C:\Windows\SysWOW64\Lfbpcgbl.exe	Lofjam32.exe
File created	C:\Windows\SysWOW64\Nppfnige.exe	Nejbaqgo.exe
File created	C:\Windows\SysWOW64\Fihqfh32.exe	Fbnhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Epndddnk.exe	Ebjckppa.exe
File created	C:\Windows\SysWOW64\Mnhdae32.exe	Mogccnfg.exe
File opened for modification	C:\Windows\SysWOW64\Peajngoi.exe	Picchg32.exe
File created	C:\Windows\SysWOW64\Lehaad32.exe	Lnnidjcg.exe
File opened for modification	C:\Windows\SysWOW64\Dhpdkm32.exe	Dlicflic.exe
File created	C:\Windows\SysWOW64\Jhodeflk.dll	Fofdkcmd.exe
File created	C:\Windows\SysWOW64\Aqhhdgfp.dll	Claenb32.exe
File created	C:\Windows\SysWOW64\Kpfggang.exe	Kgkfil32.exe
File opened for modification	C:\Windows\SysWOW64\Cojqdhid.exe	Cikkga32.exe
File opened for modification	C:\Windows\SysWOW64\Cpljdjnd.exe	Cakjfcfe.exe
File created	C:\Windows\SysWOW64\Ampkil32.exe	Afeblb32.exe
File opened for modification	C:\Windows\SysWOW64\Gfomfo32.exe	Gdppllld.exe
File created	C:\Windows\SysWOW64\Flgaodbm.exe	Epndddnk.exe
File opened for modification	C:\Windows\SysWOW64\Ifgbhbbh.exe	Ilbnkiba.exe
File opened for modification	C:\Windows\SysWOW64\Plbmhadm.exe	Pehekgmp.exe
File created	C:\Windows\SysWOW64\Dnondf32.exe	Dgeegled.exe
File created	C:\Windows\SysWOW64\Hiffij32.dll	Knbinhfl.exe
File created	C:\Windows\SysWOW64\Jmqekg32.exe	Jaekkfcm.exe
File opened for modification	C:\Windows\SysWOW64\Mgbnfb32.exe	Maefnk32.exe
File opened for modification	C:\Windows\SysWOW64\Fjmkhkff.exe	Fllkjd32.exe
File opened for modification	C:\Windows\SysWOW64\Bhgcdjje.exe	Akccje32.exe
File opened for modification	C:\Windows\SysWOW64\Bkibqnah.exe	Bdojdd32.exe
File created	C:\Windows\SysWOW64\Ompfnoci.exe	Offnae32.exe
File created	C:\Windows\SysWOW64\Kcgleaad.dll	Foocegea.exe
File created	C:\Windows\SysWOW64\Mnfooh32.dll	218bc6d0d52d86454a45447d98ebba2c.exe
File created	C:\Windows\SysWOW64\Igehifaa.dll	Npjnbg32.exe
File created	C:\Windows\SysWOW64\Ababkdij.exe	Adnbapjp.exe
File created	C:\Windows\SysWOW64\Agnkck32.exe	Ababkdij.exe
File created	C:\Windows\SysWOW64\Cpljdjnd.exe	Cakjfcfe.exe
File created	C:\Windows\SysWOW64\Aomfme32.dll	Lffhpnhe.exe
File opened for modification	C:\Windows\SysWOW64\Hfnpacjb.exe	Heochp32.exe
File created	C:\Windows\SysWOW64\Kncpqlhj.dll	Nehjmnei.exe
File created	C:\Windows\SysWOW64\Npjnbg32.exe	Njmejp32.exe
File created	C:\Windows\SysWOW64\Ldnjndpo.exe	Kkjejqcl.exe
File created	C:\Windows\SysWOW64\Anlqcl32.dll	Lfbpcgbl.exe
File opened for modification	C:\Windows\SysWOW64\Hfemkdbm.exe	Gkoinlbg.exe
File created	C:\Windows\SysWOW64\Cijdnf32.dll	Hbnjfefo.exe
File created	C:\Windows\SysWOW64\Jececi32.dll	Ocpghj32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5580	8024	WerFault.exe	668
4196	8024	WerFault.exe	668

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epndddnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgehml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdckahg.dll"	Nejbaqgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnpognhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfpdcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpmpkoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ababkdij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjegk32.dll"	Ipaeedpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdiohhbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqpbboeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaajoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbmmcii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdgji32.dll"	Igkkdigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bllbkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnbapjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpcmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddkqo32.dll"	Efhcld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifdhj32.dll"	Ggfombmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deqqek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfgjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edqdij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egomanpl.dll"	Cldgmgml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdomjnf.dll"	Cpajdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqgiel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcgbmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moeoje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkeipiep.dll"	Cpljdjnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjnjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdpjeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meiabh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichcim32.dll"	Afhoaahg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaghho32.dll"	Ocamcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoolcnf.dll"	Igdnkhoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abdoqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkkbnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehqapd32.dll"	Bidefbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bblcda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhglj32.dll"	Bhgcdjje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocamcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cndeoqhk.dll"	Ejklfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfaenfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjdclhp.dll"	Hnblmnfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lefkfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfcgkj32.dll"	Baickimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnlnac32.dll"	Iffmmihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchjnhhk.dll"	Njghkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blggmjbd.dll"	Kgpodk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fafjdb32.dll"	Fjmkhkff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajdjcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egnhcgeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cikkga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgpajb32.dll"	Eajehd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfend32.dll"	Lhijcohe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkoggp.dll"	Gfgjbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mginniij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkdjpbad.dll"	Cdiohhbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlhlcnge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jijhom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akpojpic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eobffk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqifkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bidefbcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 3140	4120	218bc6d0d52d86454a45447d98ebba2c.exe	96
PID 4120 wrote to memory of 3140	4120	218bc6d0d52d86454a45447d98ebba2c.exe	96
PID 4120 wrote to memory of 3140	4120	218bc6d0d52d86454a45447d98ebba2c.exe	96
PID 3140 wrote to memory of 4812	3140	Lbebilli.exe	97
PID 3140 wrote to memory of 4812	3140	Lbebilli.exe	97
PID 3140 wrote to memory of 4812	3140	Lbebilli.exe	97
PID 4812 wrote to memory of 2432	4812	Mklfjm32.exe	98
PID 4812 wrote to memory of 2432	4812	Mklfjm32.exe	98
PID 4812 wrote to memory of 2432	4812	Mklfjm32.exe	98
PID 2432 wrote to memory of 3576	2432	Ncjdki32.exe	99
PID 2432 wrote to memory of 3576	2432	Ncjdki32.exe	99
PID 2432 wrote to memory of 3576	2432	Ncjdki32.exe	99
PID 3576 wrote to memory of 4668	3576	Nlgbon32.exe	100
PID 3576 wrote to memory of 4668	3576	Nlgbon32.exe	100
PID 3576 wrote to memory of 4668	3576	Nlgbon32.exe	100
PID 4668 wrote to memory of 3836	4668	Omcbkl32.exe	101
PID 4668 wrote to memory of 3836	4668	Omcbkl32.exe	101
PID 4668 wrote to memory of 3836	4668	Omcbkl32.exe	101
PID 3836 wrote to memory of 1976	3836	Pbbgicnd.exe	102
PID 3836 wrote to memory of 1976	3836	Pbbgicnd.exe	102
PID 3836 wrote to memory of 1976	3836	Pbbgicnd.exe	102
PID 1976 wrote to memory of 3620	1976	Apddce32.exe	103
PID 1976 wrote to memory of 3620	1976	Apddce32.exe	103
PID 1976 wrote to memory of 3620	1976	Apddce32.exe	103
PID 3620 wrote to memory of 4168	3620	Aiabhj32.exe	104
PID 3620 wrote to memory of 4168	3620	Aiabhj32.exe	104
PID 3620 wrote to memory of 4168	3620	Aiabhj32.exe	104
PID 4168 wrote to memory of 968	4168	Bmddihfj.exe	105
PID 4168 wrote to memory of 968	4168	Bmddihfj.exe	105
PID 4168 wrote to memory of 968	4168	Bmddihfj.exe	105
PID 968 wrote to memory of 1064	968	Bbefln32.exe	106
PID 968 wrote to memory of 1064	968	Bbefln32.exe	106
PID 968 wrote to memory of 1064	968	Bbefln32.exe	106
PID 1064 wrote to memory of 1512	1064	Cleqfb32.exe	107
PID 1064 wrote to memory of 1512	1064	Cleqfb32.exe	107
PID 1064 wrote to memory of 1512	1064	Cleqfb32.exe	107
PID 1512 wrote to memory of 4872	1512	Dedkogqm.exe	108
PID 1512 wrote to memory of 4872	1512	Dedkogqm.exe	108
PID 1512 wrote to memory of 4872	1512	Dedkogqm.exe	108
PID 4872 wrote to memory of 2320	4872	Dibdeegc.exe	109
PID 4872 wrote to memory of 2320	4872	Dibdeegc.exe	109
PID 4872 wrote to memory of 2320	4872	Dibdeegc.exe	109
PID 2320 wrote to memory of 2384	2320	Edakimoo.exe	110
PID 2320 wrote to memory of 2384	2320	Edakimoo.exe	110
PID 2320 wrote to memory of 2384	2320	Edakimoo.exe	110
PID 2384 wrote to memory of 4568	2384	Fdogjk32.exe	111
PID 2384 wrote to memory of 4568	2384	Fdogjk32.exe	111
PID 2384 wrote to memory of 4568	2384	Fdogjk32.exe	111
PID 4568 wrote to memory of 4748	4568	Fcddkggf.exe	112
PID 4568 wrote to memory of 4748	4568	Fcddkggf.exe	112
PID 4568 wrote to memory of 4748	4568	Fcddkggf.exe	112
PID 4748 wrote to memory of 1404	4748	Gddqejni.exe	113
PID 4748 wrote to memory of 1404	4748	Gddqejni.exe	113
PID 4748 wrote to memory of 1404	4748	Gddqejni.exe	113
PID 1404 wrote to memory of 2756	1404	Gloejmld.exe	114
PID 1404 wrote to memory of 2756	1404	Gloejmld.exe	114
PID 1404 wrote to memory of 2756	1404	Gloejmld.exe	114
PID 2756 wrote to memory of 4412	2756	Gfgjbb32.exe	115
PID 2756 wrote to memory of 4412	2756	Gfgjbb32.exe	115
PID 2756 wrote to memory of 4412	2756	Gfgjbb32.exe	115
PID 4412 wrote to memory of 3320	4412	Gjebiq32.exe	116
PID 4412 wrote to memory of 3320	4412	Gjebiq32.exe	116
PID 4412 wrote to memory of 3320	4412	Gjebiq32.exe	116
PID 3320 wrote to memory of 3812	3320	Hdbmfhbi.exe	117

C:\Users\Admin\AppData\Local\Temp\218bc6d0d52d86454a45447d98ebba2c.exe
"C:\Users\Admin\AppData\Local\Temp\218bc6d0d52d86454a45447d98ebba2c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\SysWOW64\Lbebilli.exe
  C:\Windows\system32\Lbebilli.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\Mklfjm32.exe
    C:\Windows\system32\Mklfjm32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\SysWOW64\Ncjdki32.exe
      C:\Windows\system32\Ncjdki32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
      - C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Bmddihfj.exe
        
        C:\Windows\system32\Bmddihfj.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Edakimoo.exe
        
        C:\Windows\system32\Edakimoo.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Fdogjk32.exe
        
        C:\Windows\system32\Fdogjk32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Fcddkggf.exe
        
        C:\Windows\system32\Fcddkggf.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Gddqejni.exe
        
        C:\Windows\system32\Gddqejni.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Gloejmld.exe
        
        C:\Windows\system32\Gloejmld.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Gfgjbb32.exe
        
        C:\Windows\system32\Gfgjbb32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Gjebiq32.exe
        
        C:\Windows\system32\Gjebiq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Hdbmfhbi.exe
        
        C:\Windows\system32\Hdbmfhbi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Ifmldo32.exe
        
        C:\Windows\system32\Ifmldo32.exe
        23⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Jfoaam32.exe
        
        C:\Windows\system32\Jfoaam32.exe
        24⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Knbinhfl.exe
        
        C:\Windows\system32\Knbinhfl.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Lmgfod32.exe
        
        C:\Windows\system32\Lmgfod32.exe
        26⤵
        Executes dropped EXE
        
        PID:1180
        
        C:\Windows\SysWOW64\Mginniij.exe
        
        C:\Windows\system32\Mginniij.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Moeoje32.exe
        
        C:\Windows\system32\Moeoje32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Ngemjg32.exe
        
        C:\Windows\system32\Ngemjg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\Nehjmnei.exe
        
        C:\Windows\system32\Nehjmnei.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\Okeklcen.exe
        
        C:\Windows\system32\Okeklcen.exe
        31⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\Pkjegb32.exe
        
        C:\Windows\system32\Pkjegb32.exe
        32⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Pklamb32.exe
        
        C:\Windows\system32\Pklamb32.exe
        33⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\Abpmpkoh.exe
        
        C:\Windows\system32\Abpmpkoh.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Afnefieo.exe
        
        C:\Windows\system32\Afnefieo.exe
        35⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\Afpbkicl.exe
        
        C:\Windows\system32\Afpbkicl.exe
        36⤵
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Aohfdnil.exe
        
        C:\Windows\system32\Aohfdnil.exe
        37⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\Bnppkj32.exe
        
        C:\Windows\system32\Bnppkj32.exe
        38⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Becknc32.exe
        
        C:\Windows\system32\Becknc32.exe
        39⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Chfaenfb.exe
        
        C:\Windows\system32\Chfaenfb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Cejaobel.exe
        
        C:\Windows\system32\Cejaobel.exe
        41⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\SysWOW64\Clffalkf.exe
        
        C:\Windows\system32\Clffalkf.exe
        42⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Dlicflic.exe
        
        C:\Windows\system32\Dlicflic.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Dhpdkm32.exe
        
        C:\Windows\system32\Dhpdkm32.exe
        44⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Dlnlak32.exe
        
        C:\Windows\system32\Dlnlak32.exe
        45⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Donecfao.exe
        
        C:\Windows\system32\Donecfao.exe
        46⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Eldbbjof.exe
        
        C:\Windows\system32\Eldbbjof.exe
        47⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Eemgkpef.exe
        
        C:\Windows\system32\Eemgkpef.exe
        48⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Ebagdddp.exe
        
        C:\Windows\system32\Ebagdddp.exe
        49⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Ehbihj32.exe
        
        C:\Windows\system32\Ehbihj32.exe
        50⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Fgcjea32.exe
        
        C:\Windows\system32\Fgcjea32.exe
        51⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\Fekclnif.exe
        
        C:\Windows\system32\Fekclnif.exe
        52⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\Fofdkcmd.exe
        
        C:\Windows\system32\Fofdkcmd.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Ggafgo32.exe
        
        C:\Windows\system32\Ggafgo32.exe
        54⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Ghgljg32.exe
        
        C:\Windows\system32\Ghgljg32.exe
        55⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\Gjghdj32.exe
        
        C:\Windows\system32\Gjghdj32.exe
        56⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Hhleefhe.exe
        
        C:\Windows\system32\Hhleefhe.exe
        57⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Hjlaoioh.exe
        
        C:\Windows\system32\Hjlaoioh.exe
        58⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Ioppho32.exe
        
        C:\Windows\system32\Ioppho32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Ijngkf32.exe
        
        C:\Windows\system32\Ijngkf32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Kiaqnagj.exe
        
        C:\Windows\system32\Kiaqnagj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Ladhkmno.exe
        
        C:\Windows\system32\Ladhkmno.exe
        62⤵
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Lipmoo32.exe
        
        C:\Windows\system32\Lipmoo32.exe
        63⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\Mpchbhjl.exe
        
        C:\Windows\system32\Mpchbhjl.exe
        64⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Mfomda32.exe
        
        C:\Windows\system32\Mfomda32.exe
        65⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Mphamg32.exe
        
        C:\Windows\system32\Mphamg32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Njmejp32.exe
        
        C:\Windows\system32\Njmejp32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Npjnbg32.exe
        
        C:\Windows\system32\Npjnbg32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\Nmnnlk32.exe
        
        C:\Windows\system32\Nmnnlk32.exe
        69⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\Ngipjp32.exe
        
        C:\Windows\system32\Ngipjp32.exe
        70⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\Omjnhiiq.exe
        
        C:\Windows\system32\Omjnhiiq.exe
        71⤵
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\Okbhlm32.exe
        
        C:\Windows\system32\Okbhlm32.exe
        72⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Pnenchoc.exe
        
        C:\Windows\system32\Pnenchoc.exe
        73⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Pknghk32.exe
        
        C:\Windows\system32\Pknghk32.exe
        74⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Qpkppbho.exe
        
        C:\Windows\system32\Qpkppbho.exe
        75⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Qgehml32.exe
        
        C:\Windows\system32\Qgehml32.exe
        76⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Adnbapjp.exe
        
        C:\Windows\system32\Adnbapjp.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Ababkdij.exe
        
        C:\Windows\system32\Ababkdij.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Agnkck32.exe
        
        C:\Windows\system32\Agnkck32.exe
        79⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Abdoqd32.exe
        
        C:\Windows\system32\Abdoqd32.exe
        80⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Aklciimh.exe
        
        C:\Windows\system32\Aklciimh.exe
        81⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Ahpdcn32.exe
        
        C:\Windows\system32\Ahpdcn32.exe
        82⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Bggnijof.exe
        
        C:\Windows\system32\Bggnijof.exe
        83⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Bqpbboeg.exe
        
        C:\Windows\system32\Bqpbboeg.exe
        84⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Cqghcn32.exe
        
        C:\Windows\system32\Cqghcn32.exe
        85⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Cgejkh32.exe
        
        C:\Windows\system32\Cgejkh32.exe
        86⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Cbknhqbl.exe
        
        C:\Windows\system32\Cbknhqbl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Djklgb32.exe
        
        C:\Windows\system32\Djklgb32.exe
        88⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Deqqek32.exe
        
        C:\Windows\system32\Deqqek32.exe
        89⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Hhbnqi32.exe
        
        C:\Windows\system32\Hhbnqi32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Idpdfija.exe
        
        C:\Windows\system32\Idpdfija.exe
        91⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Kkjejqcl.exe
        
        C:\Windows\system32\Kkjejqcl.exe
        92⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Ldnjndpo.exe
        
        C:\Windows\system32\Ldnjndpo.exe
        93⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Lfnfhg32.exe
        
        C:\Windows\system32\Lfnfhg32.exe
        94⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Lofjam32.exe
        
        C:\Windows\system32\Lofjam32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Lfbpcgbl.exe
        
        C:\Windows\system32\Lfbpcgbl.exe
        96⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Mkohln32.exe
        
        C:\Windows\system32\Mkohln32.exe
        97⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Mfdlif32.exe
        
        C:\Windows\system32\Mfdlif32.exe
        98⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Mejijcea.exe
        
        C:\Windows\system32\Mejijcea.exe
        99⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Niohap32.exe
        
        C:\Windows\system32\Niohap32.exe
        100⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Npmjij32.exe
        
        C:\Windows\system32\Npmjij32.exe
        101⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Nejbaqgo.exe
        
        C:\Windows\system32\Nejbaqgo.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Nppfnige.exe
        
        C:\Windows\system32\Nppfnige.exe
        103⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Oemofpel.exe
        
        C:\Windows\system32\Oemofpel.exe
        104⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Olidijjf.exe
        
        C:\Windows\system32\Olidijjf.exe
        105⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\Olkqnjhd.exe
        
        C:\Windows\system32\Olkqnjhd.exe
        106⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Ofadlbhj.exe
        
        C:\Windows\system32\Ofadlbhj.exe
        107⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Aploae32.exe
        
        C:\Windows\system32\Aploae32.exe
        108⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Alelkf32.exe
        
        C:\Windows\system32\Alelkf32.exe
        109⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Aochga32.exe
        
        C:\Windows\system32\Aochga32.exe
        110⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Apcead32.exe
        
        C:\Windows\system32\Apcead32.exe
        111⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\Bibpkiie.exe
        
        C:\Windows\system32\Bibpkiie.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Bckddn32.exe
        
        C:\Windows\system32\Bckddn32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5028
        
        C:\Windows\SysWOW64\Bidlqhgc.exe
        
        C:\Windows\system32\Bidlqhgc.exe
        114⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Claenb32.exe
        
        C:\Windows\system32\Claenb32.exe
        115⤵
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Cfiiggpg.exe
        
        C:\Windows\system32\Cfiiggpg.exe
        116⤵
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Dnhgidka.exe
        
        C:\Windows\system32\Dnhgidka.exe
        117⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Dcdpakii.exe
        
        C:\Windows\system32\Dcdpakii.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2756
        
        C:\Windows\SysWOW64\Djnhne32.exe
        
        C:\Windows\system32\Djnhne32.exe
        119⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Dcglfjgf.exe
        
        C:\Windows\system32\Dcglfjgf.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Enlqdc32.exe
        
        C:\Windows\system32\Enlqdc32.exe
        121⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Egeemiml.exe
        
        C:\Windows\system32\Egeemiml.exe
        122⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Ejennd32.exe
        
        C:\Windows\system32\Ejennd32.exe
        123⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Eobffk32.exe
        
        C:\Windows\system32\Eobffk32.exe
        124⤵
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Egnhcgeb.exe
        
        C:\Windows\system32\Egnhcgeb.exe
        125⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Fmkqknci.exe
        
        C:\Windows\system32\Fmkqknci.exe
        126⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Ffcedd32.exe
        
        C:\Windows\system32\Ffcedd32.exe
        127⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\Ffeaichg.exe
        
        C:\Windows\system32\Ffeaichg.exe
        128⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Fpnfbi32.exe
        
        C:\Windows\system32\Fpnfbi32.exe
        129⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\Gmkibl32.exe
        
        C:\Windows\system32\Gmkibl32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3768
        
        C:\Windows\SysWOW64\Gjojkpdp.exe
        
        C:\Windows\system32\Gjojkpdp.exe
        131⤵
        
        PID:624
        
        C:\Windows\SysWOW64\Hnpognhd.exe
        
        C:\Windows\system32\Hnpognhd.exe
        132⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Hdlhoefk.exe
        
        C:\Windows\system32\Hdlhoefk.exe
        133⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Hnblmnfa.exe
        
        C:\Windows\system32\Hnblmnfa.exe
        134⤵
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Hjkigojc.exe
        
        C:\Windows\system32\Hjkigojc.exe
        135⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Hphbpehj.exe
        
        C:\Windows\system32\Hphbpehj.exe
        136⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\Hfajlp32.exe
        
        C:\Windows\system32\Hfajlp32.exe
        137⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Idfkednq.exe
        
        C:\Windows\system32\Idfkednq.exe
        138⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Ikdlmmbh.exe
        
        C:\Windows\system32\Ikdlmmbh.exe
        139⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\Ipaeedpp.exe
        
        C:\Windows\system32\Ipaeedpp.exe
        140⤵
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Ikgicmpe.exe
        
        C:\Windows\system32\Ikgicmpe.exe
        141⤵
        
        PID:968
        
        C:\Windows\SysWOW64\Jkkbnl32.exe
        
        C:\Windows\system32\Jkkbnl32.exe
        142⤵
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Jaekkfcm.exe
        
        C:\Windows\system32\Jaekkfcm.exe
        143⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Jmqekg32.exe
        
        C:\Windows\system32\Jmqekg32.exe
        144⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Jgiiclkl.exe
        
        C:\Windows\system32\Jgiiclkl.exe
        145⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Kgkfil32.exe
        
        C:\Windows\system32\Kgkfil32.exe
        146⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Kpfggang.exe
        
        C:\Windows\system32\Kpfggang.exe
        147⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Kgpodk32.exe
        
        C:\Windows\system32\Kgpodk32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Khplnn32.exe
        
        C:\Windows\system32\Khplnn32.exe
        149⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\Lncjgddf.exe
        
        C:\Windows\system32\Lncjgddf.exe
        150⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Lglopjkg.exe
        
        C:\Windows\system32\Lglopjkg.exe
        151⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Lnfgmc32.exe
        
        C:\Windows\system32\Lnfgmc32.exe
        152⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Lkjhfh32.exe
        
        C:\Windows\system32\Lkjhfh32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3668
        
        C:\Windows\SysWOW64\Mqkijnkp.exe
        
        C:\Windows\system32\Mqkijnkp.exe
        154⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Mqnfon32.exe
        
        C:\Windows\system32\Mqnfon32.exe
        155⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Mkcjlf32.exe
        
        C:\Windows\system32\Mkcjlf32.exe
        156⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\Mbmbiqqp.exe
        
        C:\Windows\system32\Mbmbiqqp.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4732
        
        C:\Windows\SysWOW64\Mqbpjmeg.exe
        
        C:\Windows\system32\Mqbpjmeg.exe
        158⤵
        
        PID:644
        
        C:\Windows\SysWOW64\Nkhdgfen.exe
        
        C:\Windows\system32\Nkhdgfen.exe
        159⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Ndphpk32.exe
        
        C:\Windows\system32\Ndphpk32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:688
        
        C:\Windows\SysWOW64\Nofmndkd.exe
        
        C:\Windows\system32\Nofmndkd.exe
        161⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Nqgiel32.exe
        
        C:\Windows\system32\Nqgiel32.exe
        162⤵
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Ngaabfio.exe
        
        C:\Windows\system32\Ngaabfio.exe
        163⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Nqifkl32.exe
        
        C:\Windows\system32\Nqifkl32.exe
        164⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Oijqbh32.exe
        
        C:\Windows\system32\Oijqbh32.exe
        165⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Opdiobod.exe
        
        C:\Windows\system32\Opdiobod.exe
        166⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\Oilmhhfd.exe
        
        C:\Windows\system32\Oilmhhfd.exe
        167⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\Obdbqm32.exe
        
        C:\Windows\system32\Obdbqm32.exe
        168⤵
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Ophbja32.exe
        
        C:\Windows\system32\Ophbja32.exe
        169⤵
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\Picchg32.exe
        
        C:\Windows\system32\Picchg32.exe
        170⤵
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Peajngoi.exe
        
        C:\Windows\system32\Peajngoi.exe
        171⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Aaoadg32.exe
        
        C:\Windows\system32\Aaoadg32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Ahiiqafa.exe
        
        C:\Windows\system32\Ahiiqafa.exe
        173⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\Aaanif32.exe
        
        C:\Windows\system32\Aaanif32.exe
        174⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\Apbngn32.exe
        
        C:\Windows\system32\Apbngn32.exe
        175⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\Aeofoe32.exe
        
        C:\Windows\system32\Aeofoe32.exe
        176⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Alioloje.exe
        
        C:\Windows\system32\Alioloje.exe
        177⤵
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Bidefbcg.exe
        
        C:\Windows\system32\Bidefbcg.exe
        178⤵
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Bppjhl32.exe
        
        C:\Windows\system32\Bppjhl32.exe
        179⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\Ciioaa32.exe
        
        C:\Windows\system32\Ciioaa32.exe
        180⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\Cikkga32.exe
        
        C:\Windows\system32\Cikkga32.exe
        181⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Cojqdhid.exe
        
        C:\Windows\system32\Cojqdhid.exe
        182⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Cipebqij.exe
        
        C:\Windows\system32\Cipebqij.exe
        183⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\Cpjmok32.exe
        
        C:\Windows\system32\Cpjmok32.exe
        184⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Cakjfcfe.exe
        
        C:\Windows\system32\Cakjfcfe.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Cpljdjnd.exe
        
        C:\Windows\system32\Cpljdjnd.exe
        186⤵
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Didnmp32.exe
        
        C:\Windows\system32\Didnmp32.exe
        187⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Djgkbp32.exe
        
        C:\Windows\system32\Djgkbp32.exe
        188⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Eokjke32.exe
        
        C:\Windows\system32\Eokjke32.exe
        189⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Fomohc32.exe
        
        C:\Windows\system32\Fomohc32.exe
        190⤵
        
        PID:680
        
        C:\Windows\SysWOW64\Fbnhjn32.exe
        
        C:\Windows\system32\Fbnhjn32.exe
        191⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Fihqfh32.exe
        
        C:\Windows\system32\Fihqfh32.exe
        192⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Gcneca32.exe
        
        C:\Windows\system32\Gcneca32.exe
        193⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Gjgmpkfl.exe
        
        C:\Windows\system32\Gjgmpkfl.exe
        194⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Gqaeme32.exe
        
        C:\Windows\system32\Gqaeme32.exe
        195⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Gjjjfkdj.exe
        
        C:\Windows\system32\Gjjjfkdj.exe
        196⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Gqdbbelf.exe
        
        C:\Windows\system32\Gqdbbelf.exe
        197⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\Gmkbgf32.exe
        
        C:\Windows\system32\Gmkbgf32.exe
        198⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Gcdkdpih.exe
        
        C:\Windows\system32\Gcdkdpih.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2280
        
        C:\Windows\SysWOW64\Giacmggo.exe
        
        C:\Windows\system32\Giacmggo.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5872
        
        C:\Windows\SysWOW64\Hpenpp32.exe
        
        C:\Windows\system32\Hpenpp32.exe
        201⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Hjjbmhfg.exe
        
        C:\Windows\system32\Hjjbmhfg.exe
        202⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Hpgkeodo.exe
        
        C:\Windows\system32\Hpgkeodo.exe
        203⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Ijmobhdd.exe
        
        C:\Windows\system32\Ijmobhdd.exe
        204⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\Ipihkobl.exe
        
        C:\Windows\system32\Ipihkobl.exe
        205⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Ipldpo32.exe
        
        C:\Windows\system32\Ipldpo32.exe
        206⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\Iffmmihf.exe
        
        C:\Windows\system32\Iffmmihf.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Ipnaen32.exe
        
        C:\Windows\system32\Ipnaen32.exe
        208⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Iiffoc32.exe
        
        C:\Windows\system32\Iiffoc32.exe
        209⤵
        
        PID:872
        
        C:\Windows\SysWOW64\Idljll32.exe
        
        C:\Windows\system32\Idljll32.exe
        210⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Ijfbhflj.exe
        
        C:\Windows\system32\Ijfbhflj.exe
        211⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\Iapjeq32.exe
        
        C:\Windows\system32\Iapjeq32.exe
        212⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\Jmpnppap.exe
        
        C:\Windows\system32\Jmpnppap.exe
        213⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Kkdnjd32.exe
        
        C:\Windows\system32\Kkdnjd32.exe
        214⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\Kmiqfoie.exe
        
        C:\Windows\system32\Kmiqfoie.exe
        215⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Kdcicipb.exe
        
        C:\Windows\system32\Kdcicipb.exe
        216⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Ldjodh32.exe
        
        C:\Windows\system32\Ldjodh32.exe
        217⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\Lgikpc32.exe
        
        C:\Windows\system32\Lgikpc32.exe
        218⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Lanpml32.exe
        
        C:\Windows\system32\Lanpml32.exe
        219⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Lgkhec32.exe
        
        C:\Windows\system32\Lgkhec32.exe
        220⤵
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Maefnk32.exe
        
        C:\Windows\system32\Maefnk32.exe
        221⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Mgbnfb32.exe
        
        C:\Windows\system32\Mgbnfb32.exe
        222⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\Mjqjbn32.exe
        
        C:\Windows\system32\Mjqjbn32.exe
        223⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Mcklac32.exe
        
        C:\Windows\system32\Mcklac32.exe
        224⤵
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Mnapnl32.exe
        
        C:\Windows\system32\Mnapnl32.exe
        225⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Mcnhfb32.exe
        
        C:\Windows\system32\Mcnhfb32.exe
        226⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Mncmck32.exe
        
        C:\Windows\system32\Mncmck32.exe
        227⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Ncpelbap.exe
        
        C:\Windows\system32\Ncpelbap.exe
        228⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Ncgkma32.exe
        
        C:\Windows\system32\Ncgkma32.exe
        229⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Nnmojj32.exe
        
        C:\Windows\system32\Nnmojj32.exe
        230⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Ncihbaie.exe
        
        C:\Windows\system32\Ncihbaie.exe
        231⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Pkcepl32.exe
        
        C:\Windows\system32\Pkcepl32.exe
        232⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Peljha32.exe
        
        C:\Windows\system32\Peljha32.exe
        233⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Pkebekgo.exe
        
        C:\Windows\system32\Pkebekgo.exe
        234⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Aanjiqki.exe
        
        C:\Windows\system32\Aanjiqki.exe
        235⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Blakhgoo.exe
        
        C:\Windows\system32\Blakhgoo.exe
        236⤵
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Bblcda32.exe
        
        C:\Windows\system32\Bblcda32.exe
        237⤵
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Bdmpljlj.exe
        
        C:\Windows\system32\Bdmpljlj.exe
        238⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Cldgmgml.exe
        
        C:\Windows\system32\Cldgmgml.exe
        239⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Caapfnkd.exe
        
        C:\Windows\system32\Caapfnkd.exe
        240⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Clfdcgkj.exe
        
        C:\Windows\system32\Clfdcgkj.exe
        241⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Cbqlpabf.exe
        
        C:\Windows\system32\Cbqlpabf.exe
        242⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Clknnf32.exe
        
        C:\Windows\system32\Clknnf32.exe
        243⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Cahffmel.exe
        
        C:\Windows\system32\Cahffmel.exe
        244⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Clmjcfdb.exe
        
        C:\Windows\system32\Clmjcfdb.exe
        245⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Cbgbpp32.exe
        
        C:\Windows\system32\Cbgbpp32.exe
        246⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Cdiohhbm.exe
        
        C:\Windows\system32\Cdiohhbm.exe
        247⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Dkbgeb32.exe
        
        C:\Windows\system32\Dkbgeb32.exe
        248⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Dampal32.exe
        
        C:\Windows\system32\Dampal32.exe
        249⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Dhfhnfhc.exe
        
        C:\Windows\system32\Dhfhnfhc.exe
        250⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Doqpkq32.exe
        
        C:\Windows\system32\Doqpkq32.exe
        251⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Dejhgkgm.exe
        
        C:\Windows\system32\Dejhgkgm.exe
        252⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Eedkniob.exe
        
        C:\Windows\system32\Eedkniob.exe
        253⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Eefhcimp.exe
        
        C:\Windows\system32\Eefhcimp.exe
        254⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Elpppcdl.exe
        
        C:\Windows\system32\Elpppcdl.exe
        255⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Ecjhmm32.exe
        
        C:\Windows\system32\Ecjhmm32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6704
        
        C:\Windows\SysWOW64\Fcanmlea.exe
        
        C:\Windows\system32\Fcanmlea.exe
        257⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Ffdddg32.exe
        
        C:\Windows\system32\Ffdddg32.exe
        258⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Gkoinlbg.exe
        
        C:\Windows\system32\Gkoinlbg.exe
        259⤵
        Drops file in System32 directory
        
        PID:6924
        
        C:\Windows\SysWOW64\Hfemkdbm.exe
        
        C:\Windows\system32\Hfemkdbm.exe
        260⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Hkaedk32.exe
        
        C:\Windows\system32\Hkaedk32.exe
        261⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Hfgjad32.exe
        
        C:\Windows\system32\Hfgjad32.exe
        262⤵
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Hmabnnhg.exe
        
        C:\Windows\system32\Hmabnnhg.exe
        263⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Hbnjfefo.exe
        
        C:\Windows\system32\Hbnjfefo.exe
        264⤵
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Hkfookmo.exe
        
        C:\Windows\system32\Hkfookmo.exe
        265⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Heochp32.exe
        
        C:\Windows\system32\Heochp32.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6436
        
        C:\Windows\SysWOW64\Hfnpacjb.exe
        
        C:\Windows\system32\Hfnpacjb.exe
        267⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Hkkhjj32.exe
        
        C:\Windows\system32\Hkkhjj32.exe
        268⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Iecmcpoj.exe
        
        C:\Windows\system32\Iecmcpoj.exe
        269⤵
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Imjddmpl.exe
        
        C:\Windows\system32\Imjddmpl.exe
        270⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Ifcimb32.exe
        
        C:\Windows\system32\Ifcimb32.exe
        271⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Ilpaei32.exe
        
        C:\Windows\system32\Ilpaei32.exe
        272⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Ifefbbdj.exe
        
        C:\Windows\system32\Ifefbbdj.exe
        273⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Ilbnkiba.exe
        
        C:\Windows\system32\Ilbnkiba.exe
        274⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Ifgbhbbh.exe
        
        C:\Windows\system32\Ifgbhbbh.exe
        275⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Ildkpiqo.exe
        
        C:\Windows\system32\Ildkpiqo.exe
        276⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Ifjoma32.exe
        
        C:\Windows\system32\Ifjoma32.exe
        277⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Ilfhfh32.exe
        
        C:\Windows\system32\Ilfhfh32.exe
        278⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Jbqpbbfi.exe
        
        C:\Windows\system32\Jbqpbbfi.exe
        279⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Jijhom32.exe
        
        C:\Windows\system32\Jijhom32.exe
        280⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Jcgbmd32.exe
        
        C:\Windows\system32\Jcgbmd32.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7004
        
        C:\Windows\SysWOW64\Kfhkop32.exe
        
        C:\Windows\system32\Kfhkop32.exe
        282⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Lefkfk32.exe
        
        C:\Windows\system32\Lefkfk32.exe
        283⤵
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Lplpcc32.exe
        
        C:\Windows\system32\Lplpcc32.exe
        284⤵
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Lffhpnhe.exe
        
        C:\Windows\system32\Lffhpnhe.exe
        285⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Lemagjjj.exe
        
        C:\Windows\system32\Lemagjjj.exe
        286⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Mpjleadh.exe
        
        C:\Windows\system32\Mpjleadh.exe
        287⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Mgddal32.exe
        
        C:\Windows\system32\Mgddal32.exe
        288⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Mdhdkp32.exe
        
        C:\Windows\system32\Mdhdkp32.exe
        289⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Meiabh32.exe
        
        C:\Windows\system32\Meiabh32.exe
        290⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Mlciobhj.exe
        
        C:\Windows\system32\Mlciobhj.exe
        291⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Mdjapphl.exe
        
        C:\Windows\system32\Mdjapphl.exe
        292⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Nigjifgc.exe
        
        C:\Windows\system32\Nigjifgc.exe
        293⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Npabeq32.exe
        
        C:\Windows\system32\Npabeq32.exe
        294⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Ngkjbkem.exe
        
        C:\Windows\system32\Ngkjbkem.exe
        295⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Npfkqpjk.exe
        
        C:\Windows\system32\Npfkqpjk.exe
        296⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Ngpcmj32.exe
        
        C:\Windows\system32\Ngpcmj32.exe
        297⤵
        Modifies registry class
        
        PID:7300
        
        C:\Windows\SysWOW64\Nnjljd32.exe
        
        C:\Windows\system32\Nnjljd32.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7344
        
        C:\Windows\SysWOW64\Ngdmhimb.exe
        
        C:\Windows\system32\Ngdmhimb.exe
        299⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Onneeceo.exe
        
        C:\Windows\system32\Onneeceo.exe
        300⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Odhman32.exe
        
        C:\Windows\system32\Odhman32.exe
        301⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Oflfoepg.exe
        
        C:\Windows\system32\Oflfoepg.exe
        302⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Olfolp32.exe
        
        C:\Windows\system32\Olfolp32.exe
        303⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Ocpghj32.exe
        
        C:\Windows\system32\Ocpghj32.exe
        304⤵
        Drops file in System32 directory
        
        PID:7620
        
        C:\Windows\SysWOW64\Oqfdgn32.exe
        
        C:\Windows\system32\Oqfdgn32.exe
        305⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Pfcmpdjp.exe
        
        C:\Windows\system32\Pfcmpdjp.exe
        306⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Pmmelo32.exe
        
        C:\Windows\system32\Pmmelo32.exe
        307⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Qmhdhm32.exe
        
        C:\Windows\system32\Qmhdhm32.exe
        308⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Qfaiabnp.exe
        
        C:\Windows\system32\Qfaiabnp.exe
        309⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Qqfmnk32.exe
        
        C:\Windows\system32\Qqfmnk32.exe
        310⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Ajoagadf.exe
        
        C:\Windows\system32\Ajoagadf.exe
        311⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Aedfdjdl.exe
        
        C:\Windows\system32\Aedfdjdl.exe
        312⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Afeblb32.exe
        
        C:\Windows\system32\Afeblb32.exe
        313⤵
        Drops file in System32 directory
        
        PID:8020
        
        C:\Windows\SysWOW64\Ampkil32.exe
        
        C:\Windows\system32\Ampkil32.exe
        314⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Afhoaahg.exe
        
        C:\Windows\system32\Afhoaahg.exe
        315⤵
        Modifies registry class
        
        PID:8100
        
        C:\Windows\SysWOW64\Aancojgn.exe
        
        C:\Windows\system32\Aancojgn.exe
        316⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8144
        
        C:\Windows\SysWOW64\Badipiae.exe
        
        C:\Windows\system32\Badipiae.exe
        317⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Bnhjinpo.exe
        
        C:\Windows\system32\Bnhjinpo.exe
        318⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Bfcompnj.exe
        
        C:\Windows\system32\Bfcompnj.exe
        319⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Baickimp.exe
        
        C:\Windows\system32\Baickimp.exe
        320⤵
        Modifies registry class
        
        PID:7336
        
        C:\Windows\SysWOW64\Bffkcp32.exe
        
        C:\Windows\system32\Bffkcp32.exe
        321⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Balpph32.exe
        
        C:\Windows\system32\Balpph32.exe
        322⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Bfhhho32.exe
        
        C:\Windows\system32\Bfhhho32.exe
        323⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Cclhbcho.exe
        
        C:\Windows\system32\Cclhbcho.exe
        324⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Cfmacoep.exe
        
        C:\Windows\system32\Cfmacoep.exe
        325⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Cdabmcdi.exe
        
        C:\Windows\system32\Cdabmcdi.exe
        326⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Cnffjl32.exe
        
        C:\Windows\system32\Cnffjl32.exe
        327⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Ceqngekl.exe
        
        C:\Windows\system32\Ceqngekl.exe
        328⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:116
        
        C:\Windows\SysWOW64\Cjpcel32.exe
        
        C:\Windows\system32\Cjpcel32.exe
        329⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Donlkjng.exe
        
        C:\Windows\system32\Donlkjng.exe
        330⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Deokhc32.exe
        
        C:\Windows\system32\Deokhc32.exe
        331⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Eahhcd32.exe
        
        C:\Windows\system32\Eahhcd32.exe
        332⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Egdqkk32.exe
        
        C:\Windows\system32\Egdqkk32.exe
        333⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Eajehd32.exe
        
        C:\Windows\system32\Eajehd32.exe
        334⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Ealanc32.exe
        
        C:\Windows\system32\Ealanc32.exe
        335⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Fgppgi32.exe
        
        C:\Windows\system32\Fgppgi32.exe
        336⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Fgeibicb.exe
        
        C:\Windows\system32\Fgeibicb.exe
        337⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Fnoboc32.exe
        
        C:\Windows\system32\Fnoboc32.exe
        338⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\Gochceml.exe
        
        C:\Windows\system32\Gochceml.exe
        339⤵
        
        PID:936
        
        C:\Windows\SysWOW64\Gdppllld.exe
        
        C:\Windows\system32\Gdppllld.exe
        340⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Gfomfo32.exe
        
        C:\Windows\system32\Gfomfo32.exe
        341⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Hoogpcco.exe
        
        C:\Windows\system32\Hoogpcco.exe
        342⤵
        
        PID:656
        
        C:\Windows\SysWOW64\Hdlphjaf.exe
        
        C:\Windows\system32\Hdlphjaf.exe
        343⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Ininloda.exe
        
        C:\Windows\system32\Ininloda.exe
        344⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Jfnbnk32.exe
        
        C:\Windows\system32\Jfnbnk32.exe
        345⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5064
        
        C:\Windows\SysWOW64\Jpffgp32.exe
        
        C:\Windows\system32\Jpffgp32.exe
        346⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Jfbkijdo.exe
        
        C:\Windows\system32\Jfbkijdo.exe
        347⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Jlocaabf.exe
        
        C:\Windows\system32\Jlocaabf.exe
        348⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Kicdke32.exe
        
        C:\Windows\system32\Kicdke32.exe
        349⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Kpmlhoil.exe
        
        C:\Windows\system32\Kpmlhoil.exe
        350⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Kldmmp32.exe
        
        C:\Windows\system32\Kldmmp32.exe
        351⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Kbneij32.exe
        
        C:\Windows\system32\Kbneij32.exe
        352⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Kihnfdmj.exe
        
        C:\Windows\system32\Kihnfdmj.exe
        353⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\Knefnkla.exe
        
        C:\Windows\system32\Knefnkla.exe
        354⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Kijjldkh.exe
        
        C:\Windows\system32\Kijjldkh.exe
        355⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Kngcdkjo.exe
        
        C:\Windows\system32\Kngcdkjo.exe
        356⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1792
        
        C:\Windows\SysWOW64\Kimgad32.exe
        
        C:\Windows\system32\Kimgad32.exe
        357⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Knipik32.exe
        
        C:\Windows\system32\Knipik32.exe
        358⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Lechfeoi.exe
        
        C:\Windows\system32\Lechfeoi.exe
        359⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2184
        
        C:\Windows\SysWOW64\Llmpco32.exe
        
        C:\Windows\system32\Llmpco32.exe
        360⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\Lefdld32.exe
        
        C:\Windows\system32\Lefdld32.exe
        361⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Lnnidjcg.exe
        
        C:\Windows\system32\Lnnidjcg.exe
        362⤵
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Lehaad32.exe
        
        C:\Windows\system32\Lehaad32.exe
        363⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Loqejjad.exe
        
        C:\Windows\system32\Loqejjad.exe
        364⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\Lhijcohe.exe
        
        C:\Windows\system32\Lhijcohe.exe
        365⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Lbnnphhk.exe
        
        C:\Windows\system32\Lbnnphhk.exe
        366⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\Lhkghofb.exe
        
        C:\Windows\system32\Lhkghofb.exe
        367⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Loeoei32.exe
        
        C:\Windows\system32\Loeoei32.exe
        368⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\Mikcbb32.exe
        
        C:\Windows\system32\Mikcbb32.exe
        369⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Mlipomli.exe
        
        C:\Windows\system32\Mlipomli.exe
        370⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Mimphakb.exe
        
        C:\Windows\system32\Mimphakb.exe
        371⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Ngmpmd32.exe
        
        C:\Windows\system32\Ngmpmd32.exe
        372⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Niklip32.exe
        
        C:\Windows\system32\Niklip32.exe
        373⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\Nohdaf32.exe
        
        C:\Windows\system32\Nohdaf32.exe
        374⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Nllekk32.exe
        
        C:\Windows\system32\Nllekk32.exe
        375⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\Olqofjhn.exe
        
        C:\Windows\system32\Olqofjhn.exe
        376⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4812
        
        C:\Windows\SysWOW64\Ocjgcd32.exe
        
        C:\Windows\system32\Ocjgcd32.exe
        377⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\Oidopn32.exe
        
        C:\Windows\system32\Oidopn32.exe
        378⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Oghpib32.exe
        
        C:\Windows\system32\Oghpib32.exe
        379⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Ocamcc32.exe
        
        C:\Windows\system32\Ocamcc32.exe
        380⤵
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Ohnelj32.exe
        
        C:\Windows\system32\Ohnelj32.exe
        381⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\Pcdjic32.exe
        
        C:\Windows\system32\Pcdjic32.exe
        382⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\Pphjbgfj.exe
        
        C:\Windows\system32\Pphjbgfj.exe
        383⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Pfdbknda.exe
        
        C:\Windows\system32\Pfdbknda.exe
        384⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Pfgopnbo.exe
        
        C:\Windows\system32\Pfgopnbo.exe
        385⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\Pplcnf32.exe
        
        C:\Windows\system32\Pplcnf32.exe
        386⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Pgfljqia.exe
        
        C:\Windows\system32\Pgfljqia.exe
        387⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\Plcdbghi.exe
        
        C:\Windows\system32\Plcdbghi.exe
        388⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Pcmloa32.exe
        
        C:\Windows\system32\Pcmloa32.exe
        389⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\Qleahgff.exe
        
        C:\Windows\system32\Qleahgff.exe
        390⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\Qcpieamc.exe
        
        C:\Windows\system32\Qcpieamc.exe
        391⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Amaqde32.exe
        
        C:\Windows\system32\Amaqde32.exe
        392⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\Aobieq32.exe
        
        C:\Windows\system32\Aobieq32.exe
        393⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\Bogcqpdd.exe
        
        C:\Windows\system32\Bogcqpdd.exe
        394⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Bfqkmj32.exe
        
        C:\Windows\system32\Bfqkmj32.exe
        395⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Biadoeib.exe
        
        C:\Windows\system32\Biadoeib.exe
        396⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\Bcghlnih.exe
        
        C:\Windows\system32\Bcghlnih.exe
        397⤵
        
        PID:996
        
        C:\Windows\SysWOW64\Bqkifb32.exe
        
        C:\Windows\system32\Bqkifb32.exe
        398⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\Cifmjd32.exe
        
        C:\Windows\system32\Cifmjd32.exe
        399⤵
        
        PID:644
        
        C:\Windows\SysWOW64\Djcfee32.exe
        
        C:\Windows\system32\Djcfee32.exe
        400⤵
        
        PID:688
        
        C:\Windows\SysWOW64\Dpqonl32.exe
        
        C:\Windows\system32\Dpqonl32.exe
        401⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Dfmcpf32.exe
        
        C:\Windows\system32\Dfmcpf32.exe
        402⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\Dikpla32.exe
        
        C:\Windows\system32\Dikpla32.exe
        403⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Edqdij32.exe
        
        C:\Windows\system32\Edqdij32.exe
        404⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Ejklfd32.exe
        
        C:\Windows\system32\Ejklfd32.exe
        405⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Efamkepl.exe
        
        C:\Windows\system32\Efamkepl.exe
        406⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3816
        
        C:\Windows\SysWOW64\Emkeho32.exe
        
        C:\Windows\system32\Emkeho32.exe
        407⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Edemdine.exe
        
        C:\Windows\system32\Edemdine.exe
        408⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Eibfmp32.exe
        
        C:\Windows\system32\Eibfmp32.exe
        409⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\Eplnijdj.exe
        
        C:\Windows\system32\Eplnijdj.exe
        410⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Empococc.exe
        
        C:\Windows\system32\Empococc.exe
        411⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\Efhcld32.exe
        
        C:\Windows\system32\Efhcld32.exe
        412⤵
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Fkflbb32.exe
        
        C:\Windows\system32\Fkflbb32.exe
        413⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\Fpeapilo.exe
        
        C:\Windows\system32\Fpeapilo.exe
        414⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\Fkkemble.exe
        
        C:\Windows\system32\Fkkemble.exe
        415⤵
        
        PID:432
        
        C:\Windows\SysWOW64\Faemjl32.exe
        
        C:\Windows\system32\Faemjl32.exe
        416⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Fgbfbc32.exe
        
        C:\Windows\system32\Fgbfbc32.exe
        417⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Ggfombmd.exe
        
        C:\Windows\system32\Ggfombmd.exe
        418⤵
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Gpodfh32.exe
        
        C:\Windows\system32\Gpodfh32.exe
        419⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Gkdhcqcj.exe
        
        C:\Windows\system32\Gkdhcqcj.exe
        420⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Ghhhmebd.exe
        
        C:\Windows\system32\Ghhhmebd.exe
        421⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Iaaflh32.exe
        
        C:\Windows\system32\Iaaflh32.exe
        422⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\Ignndo32.exe
        
        C:\Windows\system32\Ignndo32.exe
        423⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Igedenca.exe
        
        C:\Windows\system32\Igedenca.exe
        424⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4436
        
        C:\Windows\SysWOW64\Jhlgpp32.exe
        
        C:\Windows\system32\Jhlgpp32.exe
        425⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\Mehcnlie.exe
        
        C:\Windows\system32\Mehcnlie.exe
        426⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\Nejpckgc.exe
        
        C:\Windows\system32\Nejpckgc.exe
        427⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Njghkb32.exe
        
        C:\Windows\system32\Njghkb32.exe
        428⤵
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Noeaaqlq.exe
        
        C:\Windows\system32\Noeaaqlq.exe
        429⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Nijeoikf.exe
        
        C:\Windows\system32\Nijeoikf.exe
        430⤵
        
        PID:680
        
        C:\Windows\SysWOW64\Noijmp32.exe
        
        C:\Windows\system32\Noijmp32.exe
        431⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Oaajoj32.exe
        
        C:\Windows\system32\Oaajoj32.exe
        432⤵
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Pafcjijo.exe
        
        C:\Windows\system32\Pafcjijo.exe
        433⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4700
        
        C:\Windows\SysWOW64\Phpkgc32.exe
        
        C:\Windows\system32\Phpkgc32.exe
        434⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Polpim32.exe
        
        C:\Windows\system32\Polpim32.exe
        435⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Phddbbnf.exe
        
        C:\Windows\system32\Phddbbnf.exe
        436⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Pehekgmp.exe
        
        C:\Windows\system32\Pehekgmp.exe
        437⤵
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Plbmhadm.exe
        
        C:\Windows\system32\Plbmhadm.exe
        438⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Qaofphbd.exe
        
        C:\Windows\system32\Qaofphbd.exe
        439⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Acclejeb.exe
        
        C:\Windows\system32\Acclejeb.exe
        440⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Ajbmmcii.exe
        
        C:\Windows\system32\Ajbmmcii.exe
        441⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Ajdjcc32.exe
        
        C:\Windows\system32\Ajdjcc32.exe
        442⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Akffjkme.exe
        
        C:\Windows\system32\Akffjkme.exe
        443⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Bjgghc32.exe
        
        C:\Windows\system32\Bjgghc32.exe
        444⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Bkhcpkkb.exe
        
        C:\Windows\system32\Bkhcpkkb.exe
        445⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Bjicnbba.exe
        
        C:\Windows\system32\Bjicnbba.exe
        446⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\Boflfiai.exe
        
        C:\Windows\system32\Boflfiai.exe
        447⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Bfpdcc32.exe
        
        C:\Windows\system32\Bfpdcc32.exe
        448⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Bmjlpnpb.exe
        
        C:\Windows\system32\Bmjlpnpb.exe
        449⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Ciefpn32.exe
        
        C:\Windows\system32\Ciefpn32.exe
        450⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Cooolhin.exe
        
        C:\Windows\system32\Cooolhin.exe
        451⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Ckfpai32.exe
        
        C:\Windows\system32\Ckfpai32.exe
        452⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Cjgpoq32.exe
        
        C:\Windows\system32\Cjgpoq32.exe
        453⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Codhgg32.exe
        
        C:\Windows\system32\Codhgg32.exe
        454⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\Cfqmjajc.exe
        
        C:\Windows\system32\Cfqmjajc.exe
        455⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Dkbomgde.exe
        
        C:\Windows\system32\Dkbomgde.exe
        456⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Ecbjdcml.exe
        
        C:\Windows\system32\Ecbjdcml.exe
        457⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\Emknmi32.exe
        
        C:\Windows\system32\Emknmi32.exe
        458⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\Ebjckppa.exe
        
        C:\Windows\system32\Ebjckppa.exe
        459⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Epndddnk.exe
        
        C:\Windows\system32\Epndddnk.exe
        460⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Flgaodbm.exe
        
        C:\Windows\system32\Flgaodbm.exe
        461⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\Ffmelmbc.exe
        
        C:\Windows\system32\Ffmelmbc.exe
        462⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Flinddpj.exe
        
        C:\Windows\system32\Flinddpj.exe
        463⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Ffobbmpp.exe
        
        C:\Windows\system32\Ffobbmpp.exe
        464⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1660
        
        C:\Windows\SysWOW64\Fllkjd32.exe
        
        C:\Windows\system32\Fllkjd32.exe
        465⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Fjmkhkff.exe
        
        C:\Windows\system32\Fjmkhkff.exe
        466⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Gifadggi.exe
        
        C:\Windows\system32\Gifadggi.exe
        467⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Igkkdigp.exe
        
        C:\Windows\system32\Igkkdigp.exe
        468⤵
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Icalij32.exe
        
        C:\Windows\system32\Icalij32.exe
        469⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Igbaeh32.exe
        
        C:\Windows\system32\Igbaeh32.exe
        470⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Iloimopp.exe
        
        C:\Windows\system32\Iloimopp.exe
        471⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Igdnkhoe.exe
        
        C:\Windows\system32\Igdnkhoe.exe
        472⤵
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Jdhndlno.exe
        
        C:\Windows\system32\Jdhndlno.exe
        473⤵
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Jncobabm.exe
        
        C:\Windows\system32\Jncobabm.exe
        474⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Jkgpleaf.exe
        
        C:\Windows\system32\Jkgpleaf.exe
        475⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Jlhlcnge.exe
        
        C:\Windows\system32\Jlhlcnge.exe
        476⤵
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Jlmfomcp.exe
        
        C:\Windows\system32\Jlmfomcp.exe
        477⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Kkpbbdil.exe
        
        C:\Windows\system32\Kkpbbdil.exe
        478⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Kmaojl32.exe
        
        C:\Windows\system32\Kmaojl32.exe
        479⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Lnjnjn32.exe
        
        C:\Windows\system32\Lnjnjn32.exe
        480⤵
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Nmenmgab.exe
        
        C:\Windows\system32\Nmenmgab.exe
        481⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Njinfk32.exe
        
        C:\Windows\system32\Njinfk32.exe
        482⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Nabfcegi.exe
        
        C:\Windows\system32\Nabfcegi.exe
        483⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\Nmighf32.exe
        
        C:\Windows\system32\Nmighf32.exe
        484⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Ndcoeq32.exe
        
        C:\Windows\system32\Ndcoeq32.exe
        485⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Oagpne32.exe
        
        C:\Windows\system32\Oagpne32.exe
        486⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6812
        
        C:\Windows\SysWOW64\Ojpdgjid.exe
        
        C:\Windows\system32\Ojpdgjid.exe
        487⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Oajmdd32.exe
        
        C:\Windows\system32\Oajmdd32.exe
        488⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Ojbamj32.exe
        
        C:\Windows\system32\Ojbamj32.exe
        489⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Ojdnbj32.exe
        
        C:\Windows\system32\Ojdnbj32.exe
        490⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Paelpcgc.exe
        
        C:\Windows\system32\Paelpcgc.exe
        491⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Aeodapcl.exe
        
        C:\Windows\system32\Aeodapcl.exe
        492⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Akccje32.exe
        
        C:\Windows\system32\Akccje32.exe
        493⤵
        Drops file in System32 directory
        
        PID:7056
        
        C:\Windows\SysWOW64\Bhgcdjje.exe
        
        C:\Windows\system32\Bhgcdjje.exe
        494⤵
        Modifies registry class
        
        PID:6612
        
        C:\Windows\SysWOW64\Boqlqd32.exe
        
        C:\Windows\system32\Boqlqd32.exe
        495⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Bllbkg32.exe
        
        C:\Windows\system32\Bllbkg32.exe
        496⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Cdpjeh32.exe
        
        C:\Windows\system32\Cdpjeh32.exe
        497⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Dfglpjqo.exe
        
        C:\Windows\system32\Dfglpjqo.exe
        498⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2172
        
        C:\Windows\SysWOW64\Jplkig32.exe
        
        C:\Windows\system32\Jplkig32.exe
        499⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\Kgacaopj.exe
        
        C:\Windows\system32\Kgacaopj.exe
        500⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Kloljf32.exe
        
        C:\Windows\system32\Kloljf32.exe
        501⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Kchdfpen.exe
        
        C:\Windows\system32\Kchdfpen.exe
        502⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Knnhdied.exe
        
        C:\Windows\system32\Knnhdied.exe
        503⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\Kgflmo32.exe
        
        C:\Windows\system32\Kgflmo32.exe
        504⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Klceeejl.exe
        
        C:\Windows\system32\Klceeejl.exe
        505⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Kflink32.exe
        
        C:\Windows\system32\Kflink32.exe
        506⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Kcpjgo32.exe
        
        C:\Windows\system32\Kcpjgo32.exe
        507⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6528
        
        C:\Windows\SysWOW64\Llhnpe32.exe
        
        C:\Windows\system32\Llhnpe32.exe
        508⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Lqfgfclm.exe
        
        C:\Windows\system32\Lqfgfclm.exe
        509⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Lnnakg32.exe
        
        C:\Windows\system32\Lnnakg32.exe
        510⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Lopmbomp.exe
        
        C:\Windows\system32\Lopmbomp.exe
        511⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Mqafbaap.exe
        
        C:\Windows\system32\Mqafbaap.exe
        512⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Mfnojh32.exe
        
        C:\Windows\system32\Mfnojh32.exe
        513⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Mogccnfg.exe
        
        C:\Windows\system32\Mogccnfg.exe
        514⤵
        Drops file in System32 directory
        
        PID:7672
        
        C:\Windows\SysWOW64\Mnhdae32.exe
        
        C:\Windows\system32\Mnhdae32.exe
        515⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Mmmqbb32.exe
        
        C:\Windows\system32\Mmmqbb32.exe
        516⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Nnmmleja.exe
        
        C:\Windows\system32\Nnmmleja.exe
        517⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Nfhbpghl.exe
        
        C:\Windows\system32\Nfhbpghl.exe
        518⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Nqmfnp32.exe
        
        C:\Windows\system32\Nqmfnp32.exe
        519⤵
        Drops file in System32 directory
        
        PID:7856
        
        C:\Windows\SysWOW64\Nggnjjoo.exe
        
        C:\Windows\system32\Nggnjjoo.exe
        520⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Nnafgd32.exe
        
        C:\Windows\system32\Nnafgd32.exe
        521⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Offnae32.exe
        
        C:\Windows\system32\Offnae32.exe
        522⤵
        Drops file in System32 directory
        
        PID:6276
        
        C:\Windows\SysWOW64\Ompfnoci.exe
        
        C:\Windows\system32\Ompfnoci.exe
        523⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6984
        
        C:\Windows\SysWOW64\Ocjokijf.exe
        
        C:\Windows\system32\Ocjokijf.exe
        524⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Phombg32.exe
        
        C:\Windows\system32\Phombg32.exe
        525⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Qjdpoacp.exe
        
        C:\Windows\system32\Qjdpoacp.exe
        526⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Adfgne32.exe
        
        C:\Windows\system32\Adfgne32.exe
        527⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Akpojpic.exe
        
        C:\Windows\system32\Akpojpic.exe
        528⤵
        Modifies registry class
        
        PID:7580
        
        C:\Windows\SysWOW64\Adhdcepc.exe
        
        C:\Windows\system32\Adhdcepc.exe
        529⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Bonhqnpi.exe
        
        C:\Windows\system32\Bonhqnpi.exe
        530⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\Bdjqienq.exe
        
        C:\Windows\system32\Bdjqienq.exe
        531⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Bkdieo32.exe
        
        C:\Windows\system32\Bkdieo32.exe
        532⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Bpaanfce.exe
        
        C:\Windows\system32\Bpaanfce.exe
        533⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Bdojdd32.exe
        
        C:\Windows\system32\Bdojdd32.exe
        534⤵
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Bkibqnah.exe
        
        C:\Windows\system32\Bkibqnah.exe
        535⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Bogkgmho.exe
        
        C:\Windows\system32\Bogkgmho.exe
        536⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Bphgoe32.exe
        
        C:\Windows\system32\Bphgoe32.exe
        537⤵
        
        PID:612
        
        C:\Windows\SysWOW64\Cknlln32.exe
        
        C:\Windows\system32\Cknlln32.exe
        538⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7244
        
        C:\Windows\SysWOW64\Cgiflnoa.exe
        
        C:\Windows\system32\Cgiflnoa.exe
        539⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Cpajdc32.exe
        
        C:\Windows\system32\Cpajdc32.exe
        540⤵
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Cocjbkna.exe
        
        C:\Windows\system32\Cocjbkna.exe
        541⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Cdpckbli.exe
        
        C:\Windows\system32\Cdpckbli.exe
        542⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Dgbhbm32.exe
        
        C:\Windows\system32\Dgbhbm32.exe
        543⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Dgeegled.exe
        
        C:\Windows\system32\Dgeegled.exe
        544⤵
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Dnondf32.exe
        
        C:\Windows\system32\Dnondf32.exe
        545⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Ddifaqcn.exe
        
        C:\Windows\system32\Ddifaqcn.exe
        546⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Doojni32.exe
        
        C:\Windows\system32\Doojni32.exe
        547⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Ddkbfp32.exe
        
        C:\Windows\system32\Ddkbfp32.exe
        548⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Ednolp32.exe
        
        C:\Windows\system32\Ednolp32.exe
        549⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Ekggijge.exe
        
        C:\Windows\system32\Ekggijge.exe
        550⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\Ebapednb.exe
        
        C:\Windows\system32\Ebapednb.exe
        551⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Ekjdnj32.exe
        
        C:\Windows\system32\Ekjdnj32.exe
        552⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Edbhgokc.exe
        
        C:\Windows\system32\Edbhgokc.exe
        553⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6924
        
        C:\Windows\SysWOW64\Enkmpe32.exe
        
        C:\Windows\system32\Enkmpe32.exe
        554⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7256
        
        C:\Windows\SysWOW64\Egcaij32.exe
        
        C:\Windows\system32\Egcaij32.exe
        555⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Ebiffc32.exe
        
        C:\Windows\system32\Ebiffc32.exe
        556⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7632
        
        C:\Windows\SysWOW64\Fgenoj32.exe
        
        C:\Windows\system32\Fgenoj32.exe
        557⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Fdiohnek.exe
        
        C:\Windows\system32\Fdiohnek.exe
        558⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Foocegea.exe
        
        C:\Windows\system32\Foocegea.exe
        559⤵
        Drops file in System32 directory
        
        PID:7624
        
        C:\Windows\SysWOW64\Fbmoabde.exe
        
        C:\Windows\system32\Fbmoabde.exe
        560⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7456
        
        C:\Windows\SysWOW64\Fkfcjh32.exe
        
        C:\Windows\system32\Fkfcjh32.exe
        561⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7732
        
        C:\Windows\SysWOW64\Fgldoi32.exe
        
        C:\Windows\system32\Fgldoi32.exe
        562⤵
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Fbbhla32.exe
        
        C:\Windows\system32\Fbbhla32.exe
        563⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Fkjmeggp.exe
        
        C:\Windows\system32\Fkjmeggp.exe
        564⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8024 -s 400
        565⤵
        Program crash
        
        PID:5580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8024 -s 400
        565⤵
        Program crash
        
        PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5732 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:5684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 8024 -ip 8024
1⤵
PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aancojgn.exe

Filesize
208KB

MD5
31a579cabca49fa3805f60eb053f61e1

SHA1
d5a760c28d67d5913a0933984ef702161f3c0df3

SHA256
2830bc7a0db871aa6d48c107d4b920039ba3894a19e62b6a2e7634bd2ae80955

SHA512
826be56272915a707c27426b124513a1ff024dc62b41e5c216ef01190b366932192dbb07001353e1702211be312d38a234c3dd36060be6d452cb04e4aa60a011

Download Submit
C:\Windows\SysWOW64\Aanjiqki.exe

Filesize
208KB

MD5
fa08de537425f055cae17fb312412d96

SHA1
52caa2f4d5d0a0202e65f7331cae3de95258e4e9

SHA256
39d20c48bef33bad520e814eb369eb53279f061748b21a2dee78893ed0deec78

SHA512
cb7241ed45e8e436808e87d9b8afb95303732afb863cebe6991d5c9c84de4004c1aca6d26efc31fffe923980429d20bf6878350053467535bca4b5c6b4496873

Download Submit
C:\Windows\SysWOW64\Aiabhj32.exe

Filesize
208KB

MD5
620e8022233670121973178ffba1032f

SHA1
e50f8bc4eb317e2e120e4630bb3cb6d298a216f3

SHA256
0e6d3ba6d7739d0bb9e876967f59165546f5f0ce41cce1eb5b1f96794b9a266b

SHA512
24c8dcb7b78cc4921a961d86f5a0fdda0d6912ae1000a554ce7d0f6c0e2cecb5cc29d871cc3cc0402a26a3b6a5aa08e458bf24aabfe45bbd263ac87cf3237080

Download Submit
C:\Windows\SysWOW64\Aohfdnil.exe

Filesize
208KB

MD5
f00e852724dad51c7544580e92e2bde1

SHA1
62ae0caf7777758aec4f94b979795c9f0522af96

SHA256
d09e917308a36e67dc5b34139721920f78624081fe7663b6a34fb6c6e05365c6

SHA512
00fa1ce3b4b9e3a2e50022ca9d7d13e0e273649860c9ef7f3109c9c2550a77224c9d0bd8c497514b91ba4c302befb10be1d15e5974f053af40c5849d85d7004b

Download Submit
C:\Windows\SysWOW64\Apddce32.exe

Filesize
208KB

MD5
a6b69444fc4000fb9db1ac3c0ac8344b

SHA1
f3b08d1fa842d224e25634a1e3320c18bba9a6c5

SHA256
fe2ca61f686b81a07d53ce21e0b79329a58cafe9c002d367578cd8187f48610f

SHA512
790c7f750eaaa27e11faf37a9aac99b0f2a8b34dd3e967d65ceb812fe7ab91b7c81592d26b86224e2b9cd6361fef98bf0fac2619def6ccf43e6fef98b795c40f

Download Submit
C:\Windows\SysWOW64\Aploae32.exe

Filesize
128KB

MD5
09bfec47e3a3f075ad0ba9d6d7a2adf7

SHA1
e8c3943f128c036ca8f0153213f59ab180fcc129

SHA256
2828eb1161a687d4b914cda61bc8f4d239ba5c031ee7ba154cbbd763ce82a068

SHA512
8420bea9679123e87aee9aaf87d00b0f1dc0fb4ed050c7e87ced94b28dd5f1871464baf70f53550563d7face193862521657dd9008100f9773fb3d95ed416f82

Download Submit
C:\Windows\SysWOW64\Bbefln32.exe

Filesize
208KB

MD5
03cbbdce081280c7caea0ab3dafa28e5

SHA1
7f2e76b5a9903baec337dffd713642af5d595eb4

SHA256
08df81b8d3341d3f496a7638373dcb246e08e0d28a1f3ca2c1ee46b9f9c1501f

SHA512
e9cdecff0fae676a715a873541dcf1f3bbdac5767ede5e67aba96775a45e70beea881ca643064d820a096fcd25ac47ecfe3a35d0342ccc11800fc1584a361895

Download Submit
C:\Windows\SysWOW64\Bidefbcg.exe

Filesize
208KB

MD5
3f44efe07061688df6dabc0d82c08ef8

SHA1
93aaa446e431d7f086bb91976073b8185386a434

SHA256
b2d842f036a2c63ed959815196eb345b78ecef8918d52962d759b84a44a5b7a6

SHA512
221504562ccd8e486c57d485854899f3f02a4088b992047c8b7ced7407a9f3fb25f733105059bbb540c7d1f351523631051145c6a1c68e38a03aacd054158418

Download Submit
C:\Windows\SysWOW64\Bmddihfj.exe

Filesize
208KB

MD5
41d945cce618f80f68cb7ee7b100409c

SHA1
69db2ef3f6f0747855ebc573ad6cf6a80b7faf51

SHA256
abd272434380e66715f605dbdad874c4a429c477cf0597441544ccf3f5665f8d

SHA512
e29073645bd8fe9668482aeaac75a97b14065a04bc3fefab692b910e7a070bb15ef123ab8c4abfc8dec77d35a1d1fe439be90c5c512a42709317cf5fc1499398

Download Submit
C:\Windows\SysWOW64\Cleqfb32.exe

Filesize
208KB

MD5
59d164fe72bd3342ee835ef4c0219846

SHA1
93a2f3a2ce3a577c1f31ad263a6db91e74d36bad

SHA256
37d7fda5db8fd03ea88604f525bc56950eaf9d10b0025724f1b2fa5483e129a9

SHA512
6052dbe00f05f2936bbd9051d7b0a6d82c30fc52ca97181d8c2d9274af80032834905a6822990cbd59dc7254a9a92080ca322be44890b3dbe352f56145bff90b

Download Submit
C:\Windows\SysWOW64\Cnffjl32.exe

Filesize
208KB

MD5
b6b04ac93e280e01e753947366673ab0

SHA1
febe55708346fc81f01d19214b3a9da063bd2551

SHA256
b2a7f7ed7a9fe62663579f18e0bf92024aecd9d0a32ac430e05e56aa98cd38a1

SHA512
ee47c3a196aa8a2e54777662b391caab467be72439857854b73b0dc891bfc9168ccfa2e3175b1d2d273352135ad4c91009405b8323a56b800f7d74fe2ff8bb4d

Download Submit
C:\Windows\SysWOW64\Dedkogqm.exe

Filesize
208KB

MD5
1b6172a1caebff7b6ac8320360c25e5a

SHA1
79775d2e50708ff909232b32592e2fbde1e46778

SHA256
3b757d20dc7c5bf710e935f245d6aefb84ee8acaef3a9807ffcefc2cabefe5e1

SHA512
5cb25f55796c056129bbdfc0d5d28cae37753a76c42a883085e4c82c69fce06b7ba8b38906f621fd0fa0d3395a6334310e078355b2dd500b43c9543f09403627

Download Submit
C:\Windows\SysWOW64\Dibdeegc.exe

Filesize
208KB

MD5
27dd60208cf5df1d7b784964fcc29868

SHA1
4fbc1aec3e614d03eebd36e8c32ad43f951f35fe

SHA256
0ed906b9337d824e4480aca87d8550f37732e5eedf20df035df532aa41a3345d

SHA512
905a0f479e9d72270293b45e2c329ed0b82ed7ff222ae3feb259c1edc68a6b0e6a39e7903b93bb3b821cbc52954b6c0b033c3b9b65e146c0fc748eacf4520882

Download Submit
C:\Windows\SysWOW64\Donecfao.exe

Filesize
208KB

MD5
f6632ed08d5994c46a09eb1aeec421da

SHA1
8fcd05e55149457958392d60cacf9f84a521c1a8

SHA256
36297689bb2e6322c0ef21d9ab52b1899aea407742941fcd61af5fbf8bf619e4

SHA512
a806ce3c5d3cb2515cc1707c2d31150aaadc131d4b4e0471ea4aa686d5ed3fc02ba1d19ef522958f7c63dcc2c75ad3ce917dd09eb75a30f2c089d51796fa3c70

Download Submit
C:\Windows\SysWOW64\Ebiffc32.exe

Filesize
208KB

MD5
2843f75fd1ec6d725bfd3d152be964ea

SHA1
fa2a6aa639409798da05a2464155345c4e0cedc9

SHA256
21099a8ca4b8fed03f3fe83df1766bf5df59b4ad18fc21e7ae442d0b1745ba76

SHA512
31296f3a4241c54f5c49206463a96ea762b358e7d3185136d5d693d7e3f99e0f15f5a1113df284f80bf64c38d7746d5bcba0a3a1346fc99384fe68e0bfe19ba1

Download Submit
C:\Windows\SysWOW64\Edakimoo.exe

Filesize
208KB

MD5
3f3311946a467e93d7f7197f908579d5

SHA1
e246d76325a0266e87628aca89693a3a63643985

SHA256
524105cf8c193ba86b6b9452669505c0b1c6f28368d128d3eebea6f5a1077b0e

SHA512
5cde0062b7d22357161a4dc891d9feec78866b34ab5c46cf7a514ccaaf3096a6025c3bdbb924760929cd736e82a1b2f48ab560d7ed279dc2ebc355d98429ad57

Download Submit
C:\Windows\SysWOW64\Eedkniob.exe

Filesize
208KB

MD5
0fa65838dabb355197f70b445260aa42

SHA1
583c5dc4e78961118506abee44cea23714e0b32d

SHA256
906b75e44481c14f4fbfe775bacbb1a5585735cd2da7a69c4256fe5a07fd7d32

SHA512
fe57b8dadc88e02561c73c8140bbda17eac11d77d4cb697c1d8db1b29cae79d2e8b474cdef5a84daee19d48ecb859d8c440b4f3f4909cbd2197aa5d2da1ebfbb

Download Submit
C:\Windows\SysWOW64\Ehbihj32.exe

Filesize
128KB

MD5
c453dd744e0fc28f00bc3991a5a933d3

SHA1
d434dce7e481d2a7b9a3784472861b683a81389d

SHA256
a98b983955ff932188e499a0271608ab0b55870d0e2638ce2c866bd20e8908d4

SHA512
199c1029753367b4cb4a653e75895ce36cfd4c9eca13faf6bed2b43cc4b9b482ccca12b5c39d62d65cd23c9125e7244974ed79fd1e585b2a59b418d7424bdd8c

Download Submit
C:\Windows\SysWOW64\Fcddkggf.exe

Filesize
208KB

MD5
12f04170629892a3756c535b9876372f

SHA1
b55828c2e06139f3e0d4d9346d59e3c04c6e41d1

SHA256
67882141d57cea1c2d1eaef2ce7ca5602731526451cc7d6ec961ab238d1e7ae0

SHA512
bfd6720c5180cccd503694f19106d7b2c08c8d4f5f818909ecdd9876d4839737b3d6881ef535dbaf5f5aadd3f1d8671120e2108a51166f1a3129aea04816d8b4

Download Submit
C:\Windows\SysWOW64\Fdogjk32.exe

Filesize
208KB

MD5
e086310fe22357f60b237a1b070c15af

SHA1
23d1a8210a49ed66b5d468b96ed2de14496ce32b

SHA256
546646dad34ee0026027d7b4b41d91155376324a6ab6a2c1d1e9adf7952acb1a

SHA512
10478241e063d9b557cdb79fe814e689496f40a7969cb92f6d9361f04cbdfcc5800971a877ea235801b30383d8f7cb4bc063cadf28edf7e5f48b54cdd216d491

Download Submit
C:\Windows\SysWOW64\Ffcedd32.exe

Filesize
208KB

MD5
485474b625a5bde6858a5450e3c31023

SHA1
7e5de90b12c5767f9b4bc70771c22cb80ae3c604

SHA256
e72c24f94d2bcdb1e8df136f5a2072efafdc8223796dc549d2bf92e1f04c76d8

SHA512
d3624720cab6a7d9268d598020186ade57d6517362471619157a1e28995857f0f5aad667c7870c87a5deacbfd409e0b18f166a8b32d3d6ff77b86e62173436a1

Download Submit
C:\Windows\SysWOW64\Fllkjd32.exe

Filesize
208KB

MD5
370b63f857b29b5472d9c27e3850f4c8

SHA1
11565e7e37021e89569dc6510d20849d3efb3575

SHA256
e5c574054a6565fa28924e4c103beef33a2680944137c923e6b6feb02416f992

SHA512
38c881a3990f9124fd5cf3b49a89b9d74714e5e3440a5adca056352b5112412ac10fdd4cbd1710bcfbc4a102ffcacc8edd45cb2d787addf083e5a80cfdfe8c37

Download Submit
C:\Windows\SysWOW64\Gddqejni.exe

Filesize
208KB

MD5
55ed14be20949f03f36fddc1d1a1156c

SHA1
e44ff8dfe67666780e73d65e2b7187b30d686f1a

SHA256
261b89dc9e86630d8caaa6cd045639ee8106ecf3b6b00c137d1c0d86679b4ac1

SHA512
2891a5324ad006551049302ddb853aa4fc7f6e05f69a771c393742b6e059850622c1a74dc4ac579c5276d6b720befd36e43f043a44d9090b80f554b9acbe80c1

Download Submit
C:\Windows\SysWOW64\Gfgjbb32.exe

Filesize
208KB

MD5
69b41e9c0bee1148b49d56c0b1b669b8

SHA1
cfb73bd9c366b1fb35446e58bac00c531d90fde1

SHA256
63717960c4331b31f0d6e674fdda4d0ad0f38241a63c73ea92b08a8ea4be1575

SHA512
986dab2b9bcf02d61a6cbac91260ad25356ef56548f39322c132de816bcbd901f4e6f31a766e1934a3dfa9bfffcde8bef089598b638c5a5a511bddc269b8a735

Download Submit
C:\Windows\SysWOW64\Gjebiq32.exe

Filesize
208KB

MD5
d83fd70d0a7a9e20339040662e996b37

SHA1
a02b98f2d4cc50aab01f93b1e463724df6f77673

SHA256
7332e6a824ba44be4bf8f7998ec4c97e0a683d620468dc182c2616c9f13791fe

SHA512
dfc86bfc428ec8a973969f89b95170b69d2ebb44b2e70cc142bdca988ede16a36ddbade4d98522ddb089818d047029c72610551f7cbb26cded84d28f8f77fbfb

Download Submit
C:\Windows\SysWOW64\Gloejmld.exe

Filesize
208KB

MD5
34f7e4ba19f26cc9f7e62e93ad92083c

SHA1
c55b06054456538405816105574b4c984341842f

SHA256
1798ae91d630e5390bc46503d0be93ec7d885c38874daf368aab6e9b0b94845c

SHA512
c87354aa0ac3e29d32f7bd6026bc20b9fd1ccbaf751a26c1d40743a3cce3a3f319faa36553332d6fdd0eb5f6859ba7f35ac34dae7bd34016d5d098ad988f4140

Download Submit
C:\Windows\SysWOW64\Gqdbbelf.exe

Filesize
208KB

MD5
70d94c14aa0562315a2dd543fe8389c1

SHA1
374b422a20a03da1c88d2ff44ea85d84b76f72d3

SHA256
731728f59f1247affd93021cdd410d79c68f9f681714688f129626b5a465ba97

SHA512
b9583cd6d1876e0c99e702d402fdd6be51218e8fc325b6591924863ba5446fba428160ff5202b45ff25127eb661b7a6d6edaad86280dace9c8955c6ff6d052d5

Download Submit
C:\Windows\SysWOW64\Hdbmfhbi.exe

Filesize
208KB

MD5
da5b891714d6f413a871426cb4ff72cf

SHA1
6540ccd2b48af8d9c9bd7383b56b804e15c59a73

SHA256
0a2a1f8823279d7cac1bbe0a24d6fd77785c560ccebbf3f3950aca5aaf18adab

SHA512
dd43dfe26b43d26284ceef1fbd3ac230a60ab0ee00708230e44b43fff572ad0b35f83ffa2ae5cb50827a2350d5e6a22a6585cf78306dd5e8cad613336c0de9df

Download Submit
C:\Windows\SysWOW64\Heochp32.exe

Filesize
208KB

MD5
8af538857220b241f2a8834b91d9f030

SHA1
93654bd867370030683d06a56930f562e562217b

SHA256
a4242495852fc7c808771464d0dba01b238208f18b9c37572c6a1d46c71c615c

SHA512
e79ea0f56fbc707f0ec094756a5530c725198bccc81fa2fc6963d9d2e4bdecd27a489b20fa8d73d82ee3e89bc41ffa36e0b621ae32076f16ef0244df96615ac9

Download Submit
C:\Windows\SysWOW64\Hkfookmo.exe

Filesize
208KB

MD5
88a09c1c5f6be450222c1aa011b45af1

SHA1
6ff6780a7d1d7e887f61c441e666068eaeed7ad1

SHA256
b13c9a1b8f2d38b5586930c4edb3a354f937fc2bd81afb3170378c238a2f29bc

SHA512
86c44f2b86bde34848c38b994d2eec0b4cc024f98f109b8b2a9a413c649912c988b8c9e2e311c4cbb2fe80e629e3eb727add4c90a767db5395742c9627ad6ba2

Download Submit
C:\Windows\SysWOW64\Idpdfija.exe

Filesize
208KB

MD5
96cf31b665a9873702eac143e23bc1ec

SHA1
0c6088d9ef88168f0319d02dab6db4e320010cc7

SHA256
d5161f35c43833017e79a57add992018426549f9116a7901dd266e21206112ab

SHA512
061c07c1b79f3ad396298fbac93094af1fa51e4d04de8b4d963700cbdadab000eed88e9d5a9f985e0f93bdfa74f62a76ce7d61d69b3e17999726f0d9d8facfb1

Download Submit
C:\Windows\SysWOW64\Ifmldo32.exe

Filesize
208KB

MD5
f8d9e433b45cfee99a1d637c5cc475fe

SHA1
5c6f7ea591f0ae44f6c112f7ede1ce1b43fff9c8

SHA256
65f11a5740d280bbaf04723cd47ea487f7dd630ab2ee4061d75332968725aa51

SHA512
7a72e258c428a8a3f6308282ca5bd1e284e21e1becff3a40358e948bf4f82fcf297857e5fa35b2947233c9f0e1b6462a8c7ae4e35f71a41c899221c338fd1a77

Download Submit
C:\Windows\SysWOW64\Ipihkobl.exe

Filesize
208KB

MD5
22fdde6bd7f017d3d95d5335355358ca

SHA1
7b3cf17c2cb061ab1fd9f29fadb5562c9234fb17

SHA256
0cdc1d3674bfc6b09726f1c7ad3786e63db376e2facb4cdf89b9e86099d6987e

SHA512
ca58fae04eb4cd62872195bb29c9692342da11550f2ed4816c1c38c33c068d0a326edebea69a3dd74203399fc376db26cd951bc0fbac71e4710c77ae120eedca

Download Submit
C:\Windows\SysWOW64\Jfoaam32.exe

Filesize
208KB

MD5
7bb9677d4f5406dab2b156a130aca896

SHA1
48a4707ea8849eb3acae71f9d937c0cc25d31355

SHA256
bdb9d3184668ad22573b4157fdccfd511c7cabd947b2132b4551894fc39b5e36

SHA512
d55585104615d654afff56e6e69944f6c67ff51524300e83e1e046171302ea1db31aa5a035ca560725cf5627635c1806e495855f59f702cc48715b906f4ea250

Download Submit
C:\Windows\SysWOW64\Knbinhfl.exe

Filesize
208KB

MD5
3a027e8d9fbe72bc05190c45bf4b7188

SHA1
bba43d509cf1293af369a1a8c51544b7e5b30917

SHA256
6f69338717df53896cf44fb7b8cb11274929f835f66d2c33d8d1e7d8defceb77

SHA512
b05a294ba73df5b62142595811a3998b1863e777291d636e5db450e14aef799f3cd62962efc1a0f95d4ffc8a7101fdc102dbe1bae7e7500aa2f0af66d23ccbf4

Download Submit
C:\Windows\SysWOW64\Lbebilli.exe

Filesize
208KB

MD5
293b2c43870daaafe59c9a507e671816

SHA1
349af3d08c04c0d5523e97d727b05e47723897cf

SHA256
adcd54906e318993c4f64a77dd478a4a835231e5232d97ce21bdefbd50188728

SHA512
0bc5d1a3356ac9b8035a0f87c30f773fe482378c6b4fa8aaf2b3e9d10e145021deee3f0f2735de84f7d04a70e7aead6fe5f9d67abcc7a2a2c32fa92960f665c9

Download Submit
C:\Windows\SysWOW64\Lmgfod32.exe

Filesize
208KB

MD5
bd82698d0d0b57685c6ec3d20a522ac5

SHA1
5cecb553f67ac368ab58927a8f3e6292eaa1fe9d

SHA256
22b52bd60bab14c2f47adc6a7efda8c82f71b387fb3aa825bec4eca6bda251f1

SHA512
abc17418d79bbbc736d68cc35e09c15e54250be12790652cb3c85ca0f9dd8d0c3b83d34d557dc09ffc532fc5f24be1682303a803ba94325b40b39b63075922d7

Download Submit
C:\Windows\SysWOW64\Mfomda32.exe

Filesize
208KB

MD5
496b84b56997585b61e2d0a612eacecb

SHA1
8845b0883951fff0b964bd2318cf3758e8c66b92

SHA256
72e972b378700a950f71e5189ce211c1b47f37308ccaf5004dafa45c3547009c

SHA512
ceb242517e14edac508575eb841ac5a1b07c4be637d4fc26d43a2ce8c44f55a68bf4833736d0643de2eea745cc8e96fb1cfefd8f64852ac85c67328a5e855cf8

Download Submit
C:\Windows\SysWOW64\Mginniij.exe

Filesize
208KB

MD5
d7dcca7a95a27394cb1e598801ee27cc

SHA1
96e737d676a345d82c1259dbaa2836e3e8a5a3ff

SHA256
562928fa1c7865ca5217797aca859a7afa7209099329acce8861251bb049e177

SHA512
5881b8875eb519f54c4c410a52c7c9b0cf09f555000276a9fbc1850a0289c84d0c9bfaea63b6613379a084a8fcbe2e8839614ae9e42474ccd43f9a267628ffe8

Download Submit
C:\Windows\SysWOW64\Mklfjm32.exe

Filesize
208KB

MD5
3e13e36e487e2526997c587c2e1dad54

SHA1
3f910e38f8d18de8b21de17c00e48ebae60f4b9b

SHA256
d5eb6a89a3f83526014f0d8ff7917a96c4817a4cb6ad875584265f35b7e59896

SHA512
85f5959c79da6acc2afe7d8f59c534d9c1d6df831335e4831d75cd6a9ac0739586d980676376047a75e8b3cc8806cf03bb5f0ea54000f7802bc648b04c910a12

Download Submit
C:\Windows\SysWOW64\Moeoje32.exe

Filesize
208KB

MD5
a7c7489cca371ff234431808e09880df

SHA1
1e13cff366cc582a95e2a1b99cb0b6c149f9181f

SHA256
9c197c7c2cf8137eba11b3aea153aab7e8bfb2351f85a616a59230fa07c72bb2

SHA512
7d0866cd0f1792e527d32a26ac1a39bf89351a769adde62067547bb1d788e28a805526ef2ddc18a40da625b636572b763fc43b427eaad954e3c7c7b35ac69713

Download Submit
C:\Windows\SysWOW64\Ncjdki32.exe

Filesize
208KB

MD5
90923a8bf274e329b30cfd56f4280d2f

SHA1
5d2d9f894d49ccc40964638c291e248fe23df85d

SHA256
27283edbb7cf69ea45fefbb765d3b8825b3c149071f07940ca5e4b4fdaeedf82

SHA512
90ca055e7f3a7dd2893325613f749b3bc2e2f771d63ea64992275e6170c399cee60ff81e04e15b37c6ac43f0f1ed257ba749b70be9ff0094ceaa58b232a47972

Download Submit
C:\Windows\SysWOW64\Nehjmnei.exe

Filesize
208KB

MD5
031a8e8e909dfc67d8b42a7feb92625e

SHA1
9cd2a4be56f92b55ebfb3bb0065828470bf2d1d3

SHA256
45be9542edd567c2f7f43482ad665a8ec373d97c97544e1f425e2cd5f471bd4f

SHA512
d21ab6c45fb73374002def7384f71026c3850565d558a4c54fdd68bc0718e80b5bbe269d080417e86ce76c1f8a67686def8e670c4d38f3dee41145ee40fb681b

Download Submit
C:\Windows\SysWOW64\Ngemjg32.exe

Filesize
208KB

MD5
fca716c05497a1df2c447d57e170cd7b

SHA1
4959ee54530249ab8028851a13de86cf2bf621a0

SHA256
816dcb576f4080e6ad81b28cf170a5ed15fc4f80cd1f119a7bfac0d6d8f7c37f

SHA512
f5388851b32768c154173b66323f702e4494ff82976d2b6e0bb92036e76f52306bdbef3d9a84925a58198f314dd06dee5085fd23723bd7963a0586ffdc37195f

Download Submit
C:\Windows\SysWOW64\Nkhdgfen.exe

Filesize
208KB

MD5
27de3078e30cf3d1936addf48cd760bb

SHA1
d98347038a4109d6a603826dd9ee5caccfe25538

SHA256
190fc35a6e015cdaf8d6f09580f1a3ef3ef870f32ab945cbc0d2898fbb68ad40

SHA512
f7fa34b24bad2776a6715cb866aef7caca04dba4908882468c7f1378fe44770285a9247470d90244bbbcab81101b631cb290e6c9ae5ee072f34e62fb1a516f97

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
208KB

MD5
df9dc1b825fd9fd8421d53f736ab8117

SHA1
0ee9131e5a41c4e68a2a069c302ad960591d15f9

SHA256
3f4e2976340874232963ab220e5580dccfe4c7fc1ab3ea4fad56f4f27b0a1e3f

SHA512
04bb39228f33c27e992634bb4aa4f65de43b6b10832df5452d560baaf3094bc27d71a7d1ccb8a9a2637e24ec10205055e3041d32922e32629a195ab4231b2b78

Download Submit
C:\Windows\SysWOW64\Obdbqm32.exe

Filesize
208KB

MD5
f0ba76f7846734ef15adaa63a7dbe4e3

SHA1
5a8dd91f6fe8bfc114fe2b3a2d99e4ceda553737

SHA256
4681a50c9c6eb1c55b69c1501a94d4544a2fdafac6e71237486328da311e54df

SHA512
acd423b5ab272452432f40e78319c7ed8f792a88fb276f7d4a434d11059bc69289dd80cd1da54aff56eaa0b7af2ee74a9cf3da9b7ff753ae65d2fa51dfcee686

Download Submit
C:\Windows\SysWOW64\Okeklcen.exe

Filesize
208KB

MD5
91649939cf4e223ceb6280cf12de45b2

SHA1
6ee4562e9d136b1368da952fe62ba179f6582977

SHA256
aec036024342ac5a31cb42ad634010a75930dceb9e876b94425ee7b467ed21aa

SHA512
af8862390f36799d510db42416c41ff537d0501809eed84bf01bd47ec89e8f9c205f8418acace9f59b1c13e0d770d3f8ca8d156c022c7b880fc362b3831ac06d

Download Submit
C:\Windows\SysWOW64\Olidijjf.exe

Filesize
208KB

MD5
af1d5e56acecafc610014533d9642403

SHA1
5548b005f0e6198667595f4cc618ad1e05143d38

SHA256
2268455b12143561ae14aa62cec2f9ac561600bf0e87a5c02d7a862cecca3856

SHA512
398a7180688e0265d88a2a6ac5639e8857054448d163e1284fffebe702380a7c214d033b7565f0031a64b9c828d3c348686f07c8f9640889ffc9fc48218523f9

Download Submit
C:\Windows\SysWOW64\Omcbkl32.exe

Filesize
208KB

MD5
336420d9abcc84a358f2486444dcf53f

SHA1
e2c187405fb2f0df7ba85b37525b7795acb07568

SHA256
15643f6b02d8498f123343729d5070d2ee0851f0c5bcd1fbf16daa89a2c44f0b

SHA512
fa49dca0b5d9aca633e7097a09cad49e65ef6632a6c5a76a2e7dc7725c5767aec1e0772229c3c03b994f81fcc45d6b4d106a5d3fa43af0fdd0fe423222288438

Download Submit
C:\Windows\SysWOW64\Omjnhiiq.exe

Filesize
208KB

MD5
bd2eaf5881803cbda54c4cf74986c92d

SHA1
bc2aa7931ed67172d845de98d2892ffeb9cde193

SHA256
9e0f547a15ab30cbaa314a32d814a648e53c85d847616debea955196c5c2559f

SHA512
dcb315c7ad9ee49c139c6b46f79c100162dd1e2f2039ef47e7fef9be2a8da92e82c9d7669e539b585a25c8756c10d2b0914e139c65dbb7bab3bb69477494ab8a

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
208KB

MD5
8cfdbde05a616120135cdfdbe5747094

SHA1
df668777a07f39947fe8d238423615a7e85e8769

SHA256
67a455722fbcd7004990daef04b30c8d09c71b834c5473bbf95ad1f3140ab51b

SHA512
78db0e759f3f7ef057f21b87b30ec26eb4197792f0f9e704b80b948c0aad4216d9d5c8833cff0d8227b5edf1f1ffa6874b75dde075b6512dda2695583c62e40e

Download Submit
C:\Windows\SysWOW64\Picchg32.exe

Filesize
208KB

MD5
26eb1d115aa3cf47ff815966f4436b36

SHA1
6eb165411cddd1ee6e3cebc30771f7d69aa3c130

SHA256
8676e4e820484b58b8a5db135af48a7e80f1da283764ba4e761f4f52472a2739

SHA512
a5e87dd7891c41737b9b8b93cb95741444e3dfdfdba8ea2da31634be25dacb192ca1bd74c5747f455a1d3d43f28ec2e06c00324672446b9ffe8a743e38dbfc92

Download Submit
C:\Windows\SysWOW64\Pkjegb32.exe

Filesize
208KB

MD5
75858fa82b083ce6ac4f41a5eb84cdd4

SHA1
a692e71006750991be091d42224bea4b659ffc28

SHA256
be0c18965907968338c0147d7c6732cc0a2c28505b079bda714ae5d9ae4c91fc

SHA512
77ca335874ebe9f285b7fee80b18269777235fd8364f77477cc1b518c34706d3e65a2febdc6e60fc33a6db01aae2ff408b36f8232d4b6b6d4021dedfc49d4caa

Download Submit
C:\Windows\SysWOW64\Pklamb32.exe

Filesize
208KB

MD5
c2a1dd05ed95ed2f506193008fbeab22

SHA1
f73bf6ae851f0856931a93f2b4e89c3e77d19a36

SHA256
86bec5393890576ddd0e10416b5a84bb646b096bd08717f195543acc669cd328

SHA512
9d4c93dc989ba2411783dd2c4fa8834ae6cbca298a9f5904da1e11f2e1c757d784a9c22b06852249f34dd6016aa0c4e2fa0afca67c85ca261a4a15afe478632e

Download Submit
C:\Windows\SysWOW64\Qfaiabnp.exe

Filesize
208KB

MD5
0acdd75da88642fb64ab6493d536d078

SHA1
994616b2617286256a4f8f8bef436f9d9d02b607

SHA256
f72ce2cb82b3884b2533212665a0e5245737a3fe14508f48cbde1a336f1bd780

SHA512
324126b303788908c04f19267aac763bf85cfa749088e7685162e9a2c06f63a28c0d721a56cb472ef3a9d8b0329c38a1de9277df28f20c64ebf4d7fd10b11a38

Download Submit
memory/60-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1064-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1164-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1180-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1404-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1760-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2104-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2168-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2320-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2940-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3140-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3196-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3260-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3652-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3812-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3836-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3976-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3988-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4212-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4668-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4748-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads