07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5

Analysis

max time kernel
57s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe
Size

64KB
MD5

27925b707ccdc2a09a7730a55d944462
SHA1

eb840ccdbcbb3e96f949950c45e2587959627269
SHA256

07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5
SHA512

f8d1c3f323b5a2951ec011db87107d13fea6d2931b1b5375975ab158b79719613b711c879417bf6adb7cfe39945eae29e72d53db8e9746dfa70bf4cd4a54b384
SSDEEP

768:H6AaNOUza5XwGSRBbEDhJtblO8neRFX/eEjyrJ+TVJlZo2p/1H5w8RXdnhYakM8J:Hp3URGeBSjtblOYgdeJMo2LvAMCeW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnfgcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moobbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Embkoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fndpmndl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibpiogmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fibojhim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiodpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekefmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plagcbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocacl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifkpknp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnonkq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gghdaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomncpcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnkpnclp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgcjfbed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbnaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knlleepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibpiogmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlnbgddc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpmggb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmehb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckpbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbocfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkkhbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdcjlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alpbecod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkfcqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaebef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jifecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlgoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efdjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlklkgei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nefped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccpdoqgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmalne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlihle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdamgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjjlkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlbhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmggingc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcmkgmm.exe

Executes dropped EXE 64 IoCs

pid	Process
972	Amgapeea.exe
4236	Afoeiklb.exe
4408	Agoabn32.exe
1976	Bebblb32.exe
636	Bjagjhnc.exe
1564	Bfhhoi32.exe
2240	Banllbdn.exe
4292	Bhhdil32.exe
1464	Bmemac32.exe
180	Bcoenmao.exe
2536	Cmgjgcgo.exe
4696	Cjkjpgfi.exe
3020	Cfbkeh32.exe
4076	Ceckcp32.exe
4752	Cnkplejl.exe
3700	Cffdpghg.exe
2276	Dhfajjoj.exe
4732	Dfknkg32.exe
2200	Daqbip32.exe
1784	Dkifae32.exe
1572	Dfpgffpm.exe
1600	Dknpmdfc.exe
2104	Ekpmbddq.exe
2648	Eggmge32.exe
1476	Ekefmc32.exe
4004	Hgabkoee.exe
4552	Igcoqocb.exe
2036	Idgojc32.exe
1636	Ikaggmii.exe
1800	Iiehpahb.exe
868	Ieliebnf.exe
2560	Ibpiogmp.exe
4536	Igmagnkg.exe
4380	Jngjch32.exe
3880	Jeqbpb32.exe
3428	Jiokfpph.exe
2156	Jnkcogno.exe
1168	Jkodhk32.exe
2932	Jfehed32.exe
2368	Jkaqnk32.exe
1596	Keonap32.exe
4884	Khpgckkb.exe
2884	Kbekqdjh.exe
4460	Klmpiiai.exe
2388	Knlleepl.exe
4316	Lhdqnj32.exe
2012	Lnnikdnj.exe
2420	Lehaho32.exe
220	Mlklkgei.exe
4896	Miomdk32.exe
1256	Molelb32.exe
1132	Mibijk32.exe
2016	Moobbb32.exe
1308	Mhgfkg32.exe
2448	Mfhfhong.exe
3216	Mleoafmn.exe
3680	Mbognp32.exe
3364	Niipjj32.exe
2968	Nbadcpbh.exe
4564	Nlihle32.exe
1512	Ngomin32.exe
4288	Nedjjj32.exe
1108	Nlnbgddc.exe
5084	Nomncpcg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Nlihle32.exe	Nbadcpbh.exe
File opened for modification	C:\Windows\SysWOW64\Cfipef32.exe	Ckclhn32.exe
File created	C:\Windows\SysWOW64\Fniihmpf.exe	Fgoakc32.exe
File created	C:\Windows\SysWOW64\Gaebef32.exe	Glhimp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngomin32.exe	Nlihle32.exe
File opened for modification	C:\Windows\SysWOW64\Fkkeclfh.exe	Fdamgb32.exe
File opened for modification	C:\Windows\SysWOW64\Jifecp32.exe	Jblmgf32.exe
File created	C:\Windows\SysWOW64\Glllagck.dll	Lchfib32.exe
File created	C:\Windows\SysWOW64\Ofgdcipq.exe	Oblhcj32.exe
File opened for modification	C:\Windows\SysWOW64\Hgabkoee.exe	Ekefmc32.exe
File created	C:\Windows\SysWOW64\Gmnagpbq.dll	Jkodhk32.exe
File created	C:\Windows\SysWOW64\Fjjcdn32.dll	Fielph32.exe
File created	C:\Windows\SysWOW64\Bfcklp32.dll	Fniihmpf.exe
File opened for modification	C:\Windows\SysWOW64\Iiehpahb.exe	Ikaggmii.exe
File opened for modification	C:\Windows\SysWOW64\Dmalne32.exe	Dblgpl32.exe
File created	C:\Windows\SysWOW64\Acankf32.dll	Doojec32.exe
File created	C:\Windows\SysWOW64\Fgoakc32.exe	Foclgq32.exe
File created	C:\Windows\SysWOW64\Occomh32.dll	Ealkjh32.exe
File created	C:\Windows\SysWOW64\Fkdjqkoj.dll	Gbkkik32.exe
File created	C:\Windows\SysWOW64\Pekihfdc.dll	Jeapcq32.exe
File created	C:\Windows\SysWOW64\Khbiello.exe	Kiphjo32.exe
File opened for modification	C:\Windows\SysWOW64\Oblhcj32.exe	Oonlfo32.exe
File created	C:\Windows\SysWOW64\Mjhjimfo.dll	Dnonkq32.exe
File created	C:\Windows\SysWOW64\Oiagde32.exe	Ocdnln32.exe
File created	C:\Windows\SysWOW64\Efdjgo32.exe	Pckppl32.exe
File created	C:\Windows\SysWOW64\Ohghgodi.exe	Objpoh32.exe
File created	C:\Windows\SysWOW64\Kofkbk32.exe	Gfjkjo32.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Nbadcpbh.exe	Niipjj32.exe
File created	C:\Windows\SysWOW64\Pikcfnkf.dll	Gpaqbbld.exe
File opened for modification	C:\Windows\SysWOW64\Iojkeh32.exe	Ibcjqgnm.exe
File created	C:\Windows\SysWOW64\Pbplbf32.dll	Moobbb32.exe
File opened for modification	C:\Windows\SysWOW64\Fhflnpoi.exe	Fielph32.exe
File created	C:\Windows\SysWOW64\Hpopgneq.dll	Nlnkmnah.exe
File created	C:\Windows\SysWOW64\Oenqhaga.dll	Ejlbhh32.exe
File created	C:\Windows\SysWOW64\Mmjpbc32.dll	Alpbecod.exe
File created	C:\Windows\SysWOW64\Fpnkah32.dll	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Bblnindg.exe	Ohghgodi.exe
File created	C:\Windows\SysWOW64\Mjaonjaj.dll	Ebkbbmqj.exe
File created	C:\Windows\SysWOW64\Odaodc32.dll	Glfmgp32.exe
File opened for modification	C:\Windows\SysWOW64\Keifdpif.exe	Khbiello.exe
File opened for modification	C:\Windows\SysWOW64\Emnbdioi.exe	Efdjgo32.exe
File created	C:\Windows\SysWOW64\Jjqkamhk.dll	Ohghgodi.exe
File created	C:\Windows\SysWOW64\Qppaclio.exe	Pblajhje.exe
File created	C:\Windows\SysWOW64\Ibpiogmp.exe	Ieliebnf.exe
File opened for modification	C:\Windows\SysWOW64\Moobbb32.exe	Mibijk32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Objpoh32.exe	Nefped32.exe
File created	C:\Windows\SysWOW64\Ccmgiaig.exe	Cmcolgbj.exe
File opened for modification	C:\Windows\SysWOW64\Mjnnbk32.exe	Mcdeeq32.exe
File created	C:\Windows\SysWOW64\Bihice32.dll	Oifppdpd.exe
File opened for modification	C:\Windows\SysWOW64\Amkhmoap.exe	Abfdpfaj.exe
File opened for modification	C:\Windows\SysWOW64\Miomdk32.exe	Mlklkgei.exe
File created	C:\Windows\SysWOW64\Fngdja32.dll	Oileggkb.exe
File created	C:\Windows\SysWOW64\Gpcpak32.dll	Emnbdioi.exe
File created	C:\Windows\SysWOW64\Nojjcj32.exe	Gpfjma32.exe
File opened for modification	C:\Windows\SysWOW64\Ccbadp32.exe	Ckkiccep.exe
File created	C:\Windows\SysWOW64\Nofefp32.exe	Njjmni32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Gkgeoklj.exe	Gpaqbbld.exe
File opened for modification	C:\Windows\SysWOW64\Eplgeokq.exe	Eiaoid32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6448	7164	WerFault.exe	419

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gakiqbgc.dll"	Ccgjopal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhbih32.dll"	Fohfbpgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glfmgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Podbibma.dll"	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekpmbddq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjiepeok.dll"	Efdjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laahglpp.dll"	Gkgeoklj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdkbp32.dll"	Bblnindg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebhglj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgdl32.dll"	Mbognp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Melmcj32.dll"	Objpoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfqmpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpnkdq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klambq32.dll"	Fbmohmoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Likage32.dll"	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jngjch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbfklei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckpbnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elnoopdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffcpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edionhpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mledmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkkkihe.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edjgfcec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fngcmcfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnqfcbnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gldglf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgoakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikaggmii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhgfkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbognp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plhfdjfl.dll"	Opemca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Henjapmn.dll"	Gilapgqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnlmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggdhe32.dll"	Hbgkei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofegni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll"	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doojec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmcfjdp.dll"	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgdmb32.dll"	Dbocfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknmplfo.dll"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deiljq32.dll"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohghgodi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmcolgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eiaoid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbdpnaj.dll"	Gghdaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gihpkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpjoloh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 972	392	07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe	83
PID 392 wrote to memory of 972	392	07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe	83
PID 392 wrote to memory of 972	392	07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe	83
PID 972 wrote to memory of 4236	972	Amgapeea.exe	84
PID 972 wrote to memory of 4236	972	Amgapeea.exe	84
PID 972 wrote to memory of 4236	972	Amgapeea.exe	84
PID 4236 wrote to memory of 4408	4236	Afoeiklb.exe	85
PID 4236 wrote to memory of 4408	4236	Afoeiklb.exe	85
PID 4236 wrote to memory of 4408	4236	Afoeiklb.exe	85
PID 4408 wrote to memory of 1976	4408	Agoabn32.exe	86
PID 4408 wrote to memory of 1976	4408	Agoabn32.exe	86
PID 4408 wrote to memory of 1976	4408	Agoabn32.exe	86
PID 1976 wrote to memory of 636	1976	Bebblb32.exe	87
PID 1976 wrote to memory of 636	1976	Bebblb32.exe	87
PID 1976 wrote to memory of 636	1976	Bebblb32.exe	87
PID 636 wrote to memory of 1564	636	Bjagjhnc.exe	88
PID 636 wrote to memory of 1564	636	Bjagjhnc.exe	88
PID 636 wrote to memory of 1564	636	Bjagjhnc.exe	88
PID 1564 wrote to memory of 2240	1564	Bfhhoi32.exe	89
PID 1564 wrote to memory of 2240	1564	Bfhhoi32.exe	89
PID 1564 wrote to memory of 2240	1564	Bfhhoi32.exe	89
PID 2240 wrote to memory of 4292	2240	Banllbdn.exe	90
PID 2240 wrote to memory of 4292	2240	Banllbdn.exe	90
PID 2240 wrote to memory of 4292	2240	Banllbdn.exe	90
PID 4292 wrote to memory of 1464	4292	Bhhdil32.exe	91
PID 4292 wrote to memory of 1464	4292	Bhhdil32.exe	91
PID 4292 wrote to memory of 1464	4292	Bhhdil32.exe	91
PID 1464 wrote to memory of 180	1464	Bmemac32.exe	92
PID 1464 wrote to memory of 180	1464	Bmemac32.exe	92
PID 1464 wrote to memory of 180	1464	Bmemac32.exe	92
PID 180 wrote to memory of 2536	180	Bcoenmao.exe	93
PID 180 wrote to memory of 2536	180	Bcoenmao.exe	93
PID 180 wrote to memory of 2536	180	Bcoenmao.exe	93
PID 2536 wrote to memory of 4696	2536	Cmgjgcgo.exe	94
PID 2536 wrote to memory of 4696	2536	Cmgjgcgo.exe	94
PID 2536 wrote to memory of 4696	2536	Cmgjgcgo.exe	94
PID 4696 wrote to memory of 3020	4696	Cjkjpgfi.exe	95
PID 4696 wrote to memory of 3020	4696	Cjkjpgfi.exe	95
PID 4696 wrote to memory of 3020	4696	Cjkjpgfi.exe	95
PID 3020 wrote to memory of 4076	3020	Cfbkeh32.exe	96
PID 3020 wrote to memory of 4076	3020	Cfbkeh32.exe	96
PID 3020 wrote to memory of 4076	3020	Cfbkeh32.exe	96
PID 4076 wrote to memory of 4752	4076	Ceckcp32.exe	97
PID 4076 wrote to memory of 4752	4076	Ceckcp32.exe	97
PID 4076 wrote to memory of 4752	4076	Ceckcp32.exe	97
PID 4752 wrote to memory of 3700	4752	Cnkplejl.exe	98
PID 4752 wrote to memory of 3700	4752	Cnkplejl.exe	98
PID 4752 wrote to memory of 3700	4752	Cnkplejl.exe	98
PID 3700 wrote to memory of 2276	3700	Cffdpghg.exe	99
PID 3700 wrote to memory of 2276	3700	Cffdpghg.exe	99
PID 3700 wrote to memory of 2276	3700	Cffdpghg.exe	99
PID 2276 wrote to memory of 4732	2276	Dhfajjoj.exe	100
PID 2276 wrote to memory of 4732	2276	Dhfajjoj.exe	100
PID 2276 wrote to memory of 4732	2276	Dhfajjoj.exe	100
PID 4732 wrote to memory of 2200	4732	Dfknkg32.exe	101
PID 4732 wrote to memory of 2200	4732	Dfknkg32.exe	101
PID 4732 wrote to memory of 2200	4732	Dfknkg32.exe	101
PID 2200 wrote to memory of 1784	2200	Daqbip32.exe	102
PID 2200 wrote to memory of 1784	2200	Daqbip32.exe	102
PID 2200 wrote to memory of 1784	2200	Daqbip32.exe	102
PID 1784 wrote to memory of 1572	1784	Dkifae32.exe	103
PID 1784 wrote to memory of 1572	1784	Dkifae32.exe	103
PID 1784 wrote to memory of 1572	1784	Dkifae32.exe	103
PID 1572 wrote to memory of 1600	1572	Dfpgffpm.exe	104

C:\Users\Admin\AppData\Local\Temp\07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe
"C:\Users\Admin\AppData\Local\Temp\07545fd696ce939d25838e9c2da2bc573be8802ca801afe9010356de7dba91f5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\SysWOW64\Amgapeea.exe
  C:\Windows\system32\Amgapeea.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\SysWOW64\Afoeiklb.exe
    C:\Windows\system32\Afoeiklb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Windows\SysWOW64\Agoabn32.exe
      C:\Windows\system32\Agoabn32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:180
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Ekpmbddq.exe
        
        C:\Windows\system32\Ekpmbddq.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Eggmge32.exe
        
        C:\Windows\system32\Eggmge32.exe
        25⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\Ekefmc32.exe
        
        C:\Windows\system32\Ekefmc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\Hgabkoee.exe
        
        C:\Windows\system32\Hgabkoee.exe
        27⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Igcoqocb.exe
        
        C:\Windows\system32\Igcoqocb.exe
        28⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Idgojc32.exe
        
        C:\Windows\system32\Idgojc32.exe
        29⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Ikaggmii.exe
        
        C:\Windows\system32\Ikaggmii.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Iiehpahb.exe
        
        C:\Windows\system32\Iiehpahb.exe
        31⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Ieliebnf.exe
        
        C:\Windows\system32\Ieliebnf.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Ibpiogmp.exe
        
        C:\Windows\system32\Ibpiogmp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\Igmagnkg.exe
        
        C:\Windows\system32\Igmagnkg.exe
        34⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Jngjch32.exe
        
        C:\Windows\system32\Jngjch32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Jeqbpb32.exe
        
        C:\Windows\system32\Jeqbpb32.exe
        36⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Jiokfpph.exe
        
        C:\Windows\system32\Jiokfpph.exe
        37⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Jnkcogno.exe
        
        C:\Windows\system32\Jnkcogno.exe
        38⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\Jkodhk32.exe
        
        C:\Windows\system32\Jkodhk32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Jfehed32.exe
        
        C:\Windows\system32\Jfehed32.exe
        40⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\Jkaqnk32.exe
        
        C:\Windows\system32\Jkaqnk32.exe
        41⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Keonap32.exe
        
        C:\Windows\system32\Keonap32.exe
        42⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Khpgckkb.exe
        
        C:\Windows\system32\Khpgckkb.exe
        43⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Kbekqdjh.exe
        
        C:\Windows\system32\Kbekqdjh.exe
        44⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\Klmpiiai.exe
        
        C:\Windows\system32\Klmpiiai.exe
        45⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Knlleepl.exe
        
        C:\Windows\system32\Knlleepl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Lhdqnj32.exe
        
        C:\Windows\system32\Lhdqnj32.exe
        47⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Lnnikdnj.exe
        
        C:\Windows\system32\Lnnikdnj.exe
        48⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\Lehaho32.exe
        
        C:\Windows\system32\Lehaho32.exe
        49⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Mlklkgei.exe
        
        C:\Windows\system32\Mlklkgei.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Miomdk32.exe
        
        C:\Windows\system32\Miomdk32.exe
        51⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Molelb32.exe
        
        C:\Windows\system32\Molelb32.exe
        52⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Mibijk32.exe
        
        C:\Windows\system32\Mibijk32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Moobbb32.exe
        
        C:\Windows\system32\Moobbb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Mhgfkg32.exe
        
        C:\Windows\system32\Mhgfkg32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Mfhfhong.exe
        
        C:\Windows\system32\Mfhfhong.exe
        56⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\Mleoafmn.exe
        
        C:\Windows\system32\Mleoafmn.exe
        57⤵
        Executes dropped EXE
        
        PID:3216
        
        C:\Windows\SysWOW64\Mbognp32.exe
        
        C:\Windows\system32\Mbognp32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Niipjj32.exe
        
        C:\Windows\system32\Niipjj32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Nbadcpbh.exe
        
        C:\Windows\system32\Nbadcpbh.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Nlihle32.exe
        
        C:\Windows\system32\Nlihle32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ngomin32.exe
        
        C:\Windows\system32\Ngomin32.exe
        62⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\Nedjjj32.exe
        
        C:\Windows\system32\Nedjjj32.exe
        63⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Nlnbgddc.exe
        
        C:\Windows\system32\Nlnbgddc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Nomncpcg.exe
        
        C:\Windows\system32\Nomncpcg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Nookip32.exe
        
        C:\Windows\system32\Nookip32.exe
        66⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Oeicejia.exe
        
        C:\Windows\system32\Oeicejia.exe
        67⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Olckbd32.exe
        
        C:\Windows\system32\Olckbd32.exe
        68⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Ohjlgefb.exe
        
        C:\Windows\system32\Ohjlgefb.exe
        69⤵
        
        PID:384
        
        C:\Windows\SysWOW64\Oocddono.exe
        
        C:\Windows\system32\Oocddono.exe
        70⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Oiihahme.exe
        
        C:\Windows\system32\Oiihahme.exe
        71⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Opcqnb32.exe
        
        C:\Windows\system32\Opcqnb32.exe
        72⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Ocamjm32.exe
        
        C:\Windows\system32\Ocamjm32.exe
        73⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Oileggkb.exe
        
        C:\Windows\system32\Oileggkb.exe
        74⤵
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Opemca32.exe
        
        C:\Windows\system32\Opemca32.exe
        75⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Oebflhaf.exe
        
        C:\Windows\system32\Oebflhaf.exe
        76⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\Plagcbdn.exe
        
        C:\Windows\system32\Plagcbdn.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2808
        
        C:\Windows\SysWOW64\Pckppl32.exe
        
        C:\Windows\system32\Pckppl32.exe
        78⤵
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Efdjgo32.exe
        
        C:\Windows\system32\Efdjgo32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Emnbdioi.exe
        
        C:\Windows\system32\Emnbdioi.exe
        80⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Ealkjh32.exe
        
        C:\Windows\system32\Ealkjh32.exe
        81⤵
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\Edjgfcec.exe
        
        C:\Windows\system32\Edjgfcec.exe
        82⤵
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Embkoi32.exe
        
        C:\Windows\system32\Embkoi32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2804
        
        C:\Windows\SysWOW64\Epagkd32.exe
        
        C:\Windows\system32\Epagkd32.exe
        84⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\Eiildjag.exe
        
        C:\Windows\system32\Eiildjag.exe
        85⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\Edopabqn.exe
        
        C:\Windows\system32\Edopabqn.exe
        86⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Filiii32.exe
        
        C:\Windows\system32\Filiii32.exe
        87⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Fdamgb32.exe
        
        C:\Windows\system32\Fdamgb32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Fkkeclfh.exe
        
        C:\Windows\system32\Fkkeclfh.exe
        89⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\Fdcjlb32.exe
        
        C:\Windows\system32\Fdcjlb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:872
        
        C:\Windows\SysWOW64\Fipbdikp.exe
        
        C:\Windows\system32\Fipbdikp.exe
        91⤵
        
        PID:404
        
        C:\Windows\SysWOW64\Fpjjac32.exe
        
        C:\Windows\system32\Fpjjac32.exe
        92⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\Fgdbnmji.exe
        
        C:\Windows\system32\Fgdbnmji.exe
        93⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\Fibojhim.exe
        
        C:\Windows\system32\Fibojhim.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4528
        
        C:\Windows\SysWOW64\Fpmggb32.exe
        
        C:\Windows\system32\Fpmggb32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1932
        
        C:\Windows\SysWOW64\Fielph32.exe
        
        C:\Windows\system32\Fielph32.exe
        96⤵
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Fhflnpoi.exe
        
        C:\Windows\system32\Fhflnpoi.exe
        97⤵
        
        PID:980
        
        C:\Windows\SysWOW64\Gpaqbbld.exe
        
        C:\Windows\system32\Gpaqbbld.exe
        98⤵
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Gkgeoklj.exe
        
        C:\Windows\system32\Gkgeoklj.exe
        99⤵
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Gilapgqb.exe
        
        C:\Windows\system32\Gilapgqb.exe
        100⤵
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Gpfjma32.exe
        
        C:\Windows\system32\Gpfjma32.exe
        101⤵
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Nojjcj32.exe
        
        C:\Windows\system32\Nojjcj32.exe
        102⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\Nlnkmnah.exe
        
        C:\Windows\system32\Nlnkmnah.exe
        103⤵
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Nolgijpk.exe
        
        C:\Windows\system32\Nolgijpk.exe
        104⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Nefped32.exe
        
        C:\Windows\system32\Nefped32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Objpoh32.exe
        
        C:\Windows\system32\Objpoh32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Ohghgodi.exe
        
        C:\Windows\system32\Ohghgodi.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Bblnindg.exe
        
        C:\Windows\system32\Bblnindg.exe
        108⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Bjbfklei.exe
        
        C:\Windows\system32\Bjbfklei.exe
        109⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Bopocbcq.exe
        
        C:\Windows\system32\Bopocbcq.exe
        110⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Cfigpm32.exe
        
        C:\Windows\system32\Cfigpm32.exe
        111⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Cmcolgbj.exe
        
        C:\Windows\system32\Cmcolgbj.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Ccmgiaig.exe
        
        C:\Windows\system32\Ccmgiaig.exe
        113⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Cijpahho.exe
        
        C:\Windows\system32\Cijpahho.exe
        114⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Ccpdoqgd.exe
        
        C:\Windows\system32\Ccpdoqgd.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Cjjlkk32.exe
        
        C:\Windows\system32\Cjjlkk32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Ckkiccep.exe
        
        C:\Windows\system32\Ckkiccep.exe
        117⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Ccbadp32.exe
        
        C:\Windows\system32\Ccbadp32.exe
        118⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Cfqmpl32.exe
        
        C:\Windows\system32\Cfqmpl32.exe
        119⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Cioilg32.exe
        
        C:\Windows\system32\Cioilg32.exe
        120⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Ckmehb32.exe
        
        C:\Windows\system32\Ckmehb32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Ckpbnb32.exe
        
        C:\Windows\system32\Ckpbnb32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Ccgjopal.exe
        
        C:\Windows\system32\Ccgjopal.exe
        123⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Dpnkdq32.exe
        
        C:\Windows\system32\Dpnkdq32.exe
        124⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Dblgpl32.exe
        
        C:\Windows\system32\Dblgpl32.exe
        125⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Dmalne32.exe
        
        C:\Windows\system32\Dmalne32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:456
        
        C:\Windows\SysWOW64\Dckdjomg.exe
        
        C:\Windows\system32\Dckdjomg.exe
        127⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Dbndfl32.exe
        
        C:\Windows\system32\Dbndfl32.exe
        128⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Dihlbf32.exe
        
        C:\Windows\system32\Dihlbf32.exe
        129⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Ecbjkngo.exe
        
        C:\Windows\system32\Ecbjkngo.exe
        130⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Efafgifc.exe
        
        C:\Windows\system32\Efafgifc.exe
        131⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Ejlbhh32.exe
        
        C:\Windows\system32\Ejlbhh32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Elnoopdj.exe
        
        C:\Windows\system32\Elnoopdj.exe
        133⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Ebhglj32.exe
        
        C:\Windows\system32\Ebhglj32.exe
        134⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Eiaoid32.exe
        
        C:\Windows\system32\Eiaoid32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Eplgeokq.exe
        
        C:\Windows\system32\Eplgeokq.exe
        136⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Efepbi32.exe
        
        C:\Windows\system32\Efepbi32.exe
        137⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Nhmofj32.exe
        
        C:\Windows\system32\Nhmofj32.exe
        138⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Nnfgcd32.exe
        
        C:\Windows\system32\Nnfgcd32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Neqopnhb.exe
        
        C:\Windows\system32\Neqopnhb.exe
        140⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Nmlddqem.exe
        
        C:\Windows\system32\Nmlddqem.exe
        141⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Neclenfo.exe
        
        C:\Windows\system32\Neclenfo.exe
        142⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Nhahaiec.exe
        
        C:\Windows\system32\Nhahaiec.exe
        143⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Nnkpnclp.exe
        
        C:\Windows\system32\Nnkpnclp.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Najmjokc.exe
        
        C:\Windows\system32\Najmjokc.exe
        145⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Alpbecod.exe
        
        C:\Windows\system32\Alpbecod.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Bomkcm32.exe
        
        C:\Windows\system32\Bomkcm32.exe
        147⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        148⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        149⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Cfipef32.exe
        
        C:\Windows\system32\Cfipef32.exe
        151⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        152⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Fmfgek32.exe
        
        C:\Windows\system32\Fmfgek32.exe
        154⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        155⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        156⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        157⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        158⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4072
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        160⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        161⤵
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        162⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        163⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        164⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        165⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        166⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        167⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        168⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        169⤵
        Modifies registry class
        
        PID:180
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2284
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        171⤵
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        172⤵
        Drops file in System32 directory
        
        PID:644
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        173⤵
        
        PID:464
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:392
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        176⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        177⤵
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2528
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        179⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        180⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4776
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        182⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        183⤵
        
        PID:368
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        184⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        185⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        186⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        188⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        190⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        191⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        192⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        193⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        194⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        195⤵
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        196⤵
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        197⤵
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4728
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        200⤵
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        201⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        202⤵
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        203⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\Fganqbgg.exe
        
        C:\Windows\system32\Fganqbgg.exe
        204⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        205⤵
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        206⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2200
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        208⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        209⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        210⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        211⤵
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        213⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        214⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        215⤵
        Modifies registry class
        
        PID:492
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        216⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        217⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4156
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        219⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        220⤵
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        221⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        222⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4596
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        224⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        225⤵
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        226⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        227⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        228⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        229⤵
        
        PID:700
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        230⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        231⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:876
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        233⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        234⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1344
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        236⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        237⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        238⤵
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        239⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        240⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        242⤵
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        243⤵
        
        PID:404
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        244⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        245⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        246⤵
        
        PID:744
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        247⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        248⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        249⤵
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        250⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        251⤵
        
        PID:488
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        252⤵
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1600
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        254⤵
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        255⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        256⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4884
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        258⤵
        
        PID:448
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        259⤵
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        260⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        261⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        262⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        263⤵
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        264⤵
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4604
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        266⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        267⤵
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        268⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        269⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        270⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        271⤵
        Drops file in System32 directory
        
        PID:6244
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        272⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        273⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        274⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        275⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        276⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        277⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        278⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        279⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        280⤵
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        281⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        282⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6792
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        285⤵
        Drops file in System32 directory
        
        PID:6836
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        286⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        287⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        288⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        289⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        290⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        291⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        292⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        293⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        294⤵
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        295⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        296⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        297⤵
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        298⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        299⤵
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        300⤵
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        301⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        303⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6732
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        304⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        305⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6876
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        306⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        307⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        308⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        309⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        310⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        311⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        312⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        313⤵
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        314⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        315⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        316⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6784
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        317⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        318⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        319⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        320⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        321⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        322⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        323⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        324⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        325⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        326⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        327⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        328⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6932
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        329⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        330⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7164 -s 408
        331⤵
        Program crash
        
        PID:6448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7164 -ip 7164
1⤵
PID:5988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
64KB

MD5
71f7e178e2d15fb4cb534cc1b8b55908

SHA1
e7cc1a1e77c8b6d81748817d7c80f9b0352488dc

SHA256
6e65e6d6e20f581d39f6a1a852035bf2adc5dea16ce35babb2700abfc6a8228e

SHA512
10b97e070eb6ca564c0f67528f8c5bbbff3bc848fd7df6cb464c0f61c39ccf6949b0fde317fd190aca0863f957d428247f7c4fb97dc8f6efbb2094a6c51eeeba

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
64KB

MD5
f5bac73feb54da5a07e28e8818cb6fac

SHA1
b738e4a1e04cdba5410dc13d917281f3b3706e0d

SHA256
7565889d3348bc0086bc8d0fa9646ad271cd5bf64d3e3e33534a54842ec937c5

SHA512
e554bae3a37e592980b43a08edc9bb20d05bf7f1e52e6d50cffcee633b30cb31304be5adcebf896fa42a5e693951b089cdb122b696034d7167c29a8e740ca1c2

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
64KB

MD5
e119bdcc41907643ff5ad40639e5791b

SHA1
4c97995a8e14de7c9aa07b6b30057a536036911a

SHA256
5d3622a2afc0ccd31898c4fba9127b6fa390e24af429fff8541c3b9442b51f03

SHA512
c4e702380c6ecce94aebb5bd18d9db7d2780ef795374456b820ad644169578571d48550b519dde17fd525b941868da75f3188e8a4f15dc1a694d39839dd45db0

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
64KB

MD5
9765ca6f966c04d719fe72b5ac0452fa

SHA1
9c0fcea3adab7d7d4a142b83f01c9134e30659ea

SHA256
929adcf862b8daa6e43021eab883bb9d61eb5f91d8a3189765d40d16aa3fed02

SHA512
d4dd858552a9bcd8f8f688ede60530dcb61a1328698ec85639f2ef512e6120189a09df78dce84a47442bea8d513c70d61a6836b0eb07cfb031181fde7782b7a4

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
64KB

MD5
d851e3cfa33619fc95e2e008a47ba3da

SHA1
20534677245c2d276d44f7c7ff9d31b5349c4482

SHA256
f2bfd18e1e66dbc8bc8c897340e2a46953d6acab42be52ea9a1ffdf9729370b0

SHA512
d98f7281866fe3c4b251e905c03ea20a5f5049d576bc61b393462a4ae98cac67b8340e4af3ce4b82efba0c25bf5bba75f00721eb3ca2992bb877e5e956b0a558

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
64KB

MD5
f8b53570dc61f79e439e866ba20ab3fb

SHA1
6ac60b1036dbdd7d3f61a9f330a7f77505c9b6d5

SHA256
9b0173649452e4fc2c714e8138554cdcca506cb0a031fe00c1662a84daba6e97

SHA512
f199f5daa555169c942ffdba6127b1cc16b46d4c33055a4521bd544dd201fd6271c68725eaa648e9fb7fbd19811a2e668cb11686d67810416eabffd4a6d4e87e

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
64KB

MD5
3b4ae05e4337d7270fd2657f3500bfe0

SHA1
53469fa919b636ab913f69db458be974903e8883

SHA256
59e0289383c6582ce97d0b8d5559d5bc8a70daae563e46924f4a48b2e0cb7f1b

SHA512
5788b764fa657068a263bf36995cd3b3df3678d6fe09e5c4965f31013b25219c617625e09c9b0a08da095247755e8228b77930b83cc95783a3ab24b94c01888b

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
64KB

MD5
18c884250eed0d05c6c711573ff70aff

SHA1
7f5a6f3610996a9a5a2831f3d440ae40f1689700

SHA256
fe980c1c8b52789648726fdaf4146f3f01647bcdfb7c31e62ab58f600fcd8520

SHA512
5ea600c63ee2718709604e6b7dcd66645f91265db421210f2b619bc7d1f1b45c7b9cc172564383528137fa2fabe40bbc01b1493d358ac96efb01b69ce75d892a

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
64KB

MD5
691442a797a4fd1e7972e639253dc276

SHA1
07e447d7d368f2c0c915680b09a3e9a8856bfb6a

SHA256
766160566ce30a9d718286ef0041af6b35295b0dfd770333cf2d2a95d35c83b1

SHA512
dc7a3cffe3b9d407042a6120e3657d4443d014f4d5c019faa2b7ac9c648a14ee9b27c727981fd66818d93cc43cd82eb59b3a98afa62943d1621c70bb69b8ca49

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
64KB

MD5
415c3e2e8f55b35756cc7b4298467a79

SHA1
dec515d229ef638e0943e3c70aa44e2ad5c4b65a

SHA256
286456177a033dedfa5557e18da056252a77dd18d653d9b74f324e3ea2846ab5

SHA512
47bb61b665b239cd83a14e501381cdce740c6c128e88554be396f304b4a108ec17ef33bd267e913ae443f0c298b167b575763743db8da9ae7bd5f3ca6cec9b02

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
64KB

MD5
5afce27e749c6a69e78a8485e6c84612

SHA1
402a173be5555231ab7279cae5d6e92ec3067fb6

SHA256
709ebb917a681ebc09d8381c253f426e11c71d10d5a3d35493edbec8b53ccb46

SHA512
10645a1873f117bb82b4e51a06767efafac1450aeecbd7287868c75497a5668e02e2379a154401ad7426dae575f3a37ed3cb58403dccaeb91e1cc01122e9b040

Download Submit
C:\Windows\SysWOW64\Bomkcm32.exe

Filesize
64KB

MD5
6df437d925cdc8bd67ee4cffa155b675

SHA1
720f41ccca8e2b24de3274a0bda30bfeabdaddef

SHA256
154a1d0bcdea1fd4b064991a7bb45d090ee2641f779c2bdd806c495fdefc46b2

SHA512
a7890230337668bcf28a25fc1e0e15501b89c7cdcae039e0e763b743b7cee2388c99158a30473e89ff9e65b9eac1e08edd3df8133495295a32b6e4b79f54b210

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
64KB

MD5
c7c9c3204e735b5f2e8aeaf3fe8c2e54

SHA1
a8728bc2c54074b1df6cf14945c3d51f6d757e69

SHA256
44511a81aa8ce282d2ab0b4fc00d235745a0d5d7c81feb437e199b4e9283972b

SHA512
38cdf98ca7c8e33369a113708dc9c7b284f84c8be8dfac9735bf0ca0cf38ec15987ec8400672847c1382dd5c4472c30ff8611be231cf005187306b8b86af06b7

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
64KB

MD5
51881ee1967ab78bee92deac69f13df7

SHA1
a0813448b5c20ec98bde16eb4fe24952934f73e1

SHA256
b9331fc4774073630448761bec7e7016c9c77ae77d68c83ba4941e507cd6ece6

SHA512
8c6669056d9d96a2c6477ffe80a0c0012778ab32f7a7648599972dd8256eeafbaad5f26bdf739b6bfb1e1d564e6ff4a5a6c41c7f49747fbdf22ce5ae58f75248

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
64KB

MD5
9853d4d738b941d818a1e5f4fcff1f4d

SHA1
b7907b3a5e4b9f15ff7df045d85c53457d5d2da7

SHA256
2ce976f24c39b6e1f6c8d3a27db8b425b63a13821616dd659663f721834a8477

SHA512
76d712b1029ce57b6c13631090812c695f31669ce0eda7a735cad57b16ea1c672d5b1164e7c6884eb01ad9e696d7959090f44629f68d83e441ee34b04b2a1cd6

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
64KB

MD5
7393ee663f3262735032c92c1447150c

SHA1
7c22b2bd1f7df7046d80267b12d72e9124a37ab6

SHA256
6bd86ec0901bebd99140ad24134fba4e41c20d1dadaa315ee15abf4b1d08f75e

SHA512
ae88895d7e1bc18e9355273466f6cae3b68f6d73a5dc099fe63374f24a9e64d5ce4e846d584072b535b3c890c09cf3bf341734f34ec164aade16334fa6076806

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
64KB

MD5
d276f2645c2c8ab5e33764ce83d3157d

SHA1
4c2e464e132d3b4b99b4bee729c911075d289321

SHA256
98f47cfb1bc318ac924c1a35445e916745d33355b2780dfc8a00b844198503d8

SHA512
fe85ee9da1b03a874c5bb398585e709094bffb3b70965871cd0488bab462c9bc2b81c16ce285650c9c1ab0b090b4dbf8fa91f91c2385e9eae425c86bb7825a13

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
64KB

MD5
a42eb761d8232c38d806b9e21a587a6e

SHA1
c3f1b4b3eeb98eb03d8cd0de3f13c456bbea2a73

SHA256
f1fa23e1f7b45c3279f86a5eff40bcd6368adbd15db45e155b511382290a46f9

SHA512
802233b9019686f40eb6f07df4261cffcd72edd90035098b4a04b4a5dfb94df5a937569380165185a47dde20c9ba759073c0e3ec17a8305702531dcb42e618b3

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
64KB

MD5
96b79315f291eb8eeed40ef9a57f369a

SHA1
e128a5d54de5acc386d26243b4dff7095d7f2e20

SHA256
866031177ba2145827b206dc7952294ae3dd3e680ce6fd79ae375d278f2eba7a

SHA512
dc49be203e2ba81dc1635ded8dfdcebc96060914db9572fbc40b38826f7d44b64d9f039741946980031c7fc5cfe78601d29265d67c99fed980729f6f4e2a5572

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
7ee44e1430ec57bae5dc0957b7c73204

SHA1
13474a337fb1e91dd1edfbab621c96c9b02ac9ec

SHA256
78fcee6a4c87b2ac205e5b4e6ac76da33a1c332d9f56939dc4351663ba69aef2

SHA512
108c51c96bd87dcdb4b1db85257721337fc0541c0fd0abe692d684bbc7f826c3977bf8a7c5186fe7dab9c73dcfa494388e11fb912ffbde66e03826586bc0b165

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
64KB

MD5
1a49f33616097dadd10d10de7f0afd0d

SHA1
5a5c4f00f2cc8db443913fe564ed09ec18d35aec

SHA256
2f9582469a33eda766c6ccc821daeabeb43b6f8bf99277d7a15508c5b8109fc6

SHA512
474a3f567f9c1582aa3e6b00cf67474a2be0e0cb1814ce15d8f8a8537161ac9b8e34eb6366d3da1bc12255805ff3d4c39dc22f0409a7246340f72f0e314d8306

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
20ff2e61a6c9b774b935963efaaad3a9

SHA1
1dc67ed6cbd6e5090f32d89c95c839836b78b7ba

SHA256
88e18ec5bbad4796d0bb08a401c60673e003dbd6211571de0862f27d20793f84

SHA512
ac45ef0052606c9b2e2230bda54a0489fe799b3d03984f5be948a21d2a63146ffac04750228df374e46c87b357aea5ade594153db8974711fb3f7a177e68328a

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
64KB

MD5
3b274b4ef63c152f134de72691631169

SHA1
cee04ad7e7d987fd78b172c986424ce998622044

SHA256
f5c62cead63f0c1bc522416c99894009b858dd5eaea1f0e0b5242447f4347345

SHA512
5ac1cedcc0afaee00d7a4b2f4361c584fed7d0796d2cd5a5de22ac56f60633eb866f30a31b1ea3fdbd5b1be65f2712200e194a0e49dee0aba112fda8c827617a

Download Submit
C:\Windows\SysWOW64\Dkhgod32.exe

Filesize
64KB

MD5
811de31de582e2a2008acee4c09b098f

SHA1
9d94349a622de3af75eff144bbdb8011de39ae95

SHA256
c814ab21764346d25b44d7c22c266c96347e6fcb0004341b1dd1830f323c8b6b

SHA512
f9bbd87e8ee946c1f62f3af39eb738e389af8165b7d3d0fc396154b3c2def51e4845a83adcf5b8fc30f7e06050882d4b550a9e6f9a67fb963cc78d08b5831bdb

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
64KB

MD5
c87aad5f29c5b673961ac6a7d67ce17b

SHA1
599d8ceff5596a3305c0b585030b2274b4423703

SHA256
6eae6774aa369ae88d3efe9a2310e4561fd5efa48dbe82db4b94ef1ca86c915c

SHA512
d1acd7fdd073da01af268a9725ecaf5c76785a1647542328294c215d0f1d4689950472ed5ba0af2eb9e16fdc0fb0779cddc7325c6592ae0e1e7c6029b7f07afc

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
64KB

MD5
f8f6ca770edd3bf581ebdded0127d9ff

SHA1
9027f4dd245c0c3f264a58cb4577c0d5a645593d

SHA256
0653bd629c37ac5b6ec60a11880b6d3c3b1844cf0858f15d4a08d6de3b2d8f66

SHA512
faf175445e8c30453ca4ca0629591e7cd9c87f0893a3ad66af2e8753c3b23e098904522e5005f3d07e813959a36daf02b1d3387fd7681485610dd67a5bc10abe

Download Submit
C:\Windows\SysWOW64\Dnonkq32.exe

Filesize
64KB

MD5
d46dc1f37695401b3605011eec7b4705

SHA1
de5387c038aea1b544612fa32c684994f1a262f4

SHA256
d325bdea351a8229445f588c51153b21bb2068df15e42603ad660d90b7028ac0

SHA512
59f96b9d8c29ceae06a8b382e9f9a3bde186adf7a95bcf1571952190b8ca3f549167ac500ce97726f9637b473d85690efeefd81db17ac1ace22c489953590b45

Download Submit
C:\Windows\SysWOW64\Eggmge32.exe

Filesize
64KB

MD5
ceec9ad1988b395c99fb30bdc5b646cf

SHA1
c202d951ef7cb5d3f07cb1f8a650bb3157d319bc

SHA256
10c1553de9f3b5d3860361e2b2171476a880e3d15ee221ba45c9f64466e9f590

SHA512
d524adba2481524aa3f9428ff5fb52607187dd83152b6ef60baece7e3422fbc9b7bcc84cc067169584e296ceeb137cd4ad7f0c32d113e198ce049cfee5e1c755

Download Submit
C:\Windows\SysWOW64\Ekefmc32.exe

Filesize
64KB

MD5
a42e35ed0720bb182e8d28c33315e74a

SHA1
69a62540637bbd95bb1e54b21a78f8f950e6db0f

SHA256
07ac97d9202c1e8aad0e7b70117f668a999a92b70afd0c7f5e555af007ea92de

SHA512
b0cd820615a8b81f5589f7780222c2ab7f8fd87c8a3ef22185b89d68f7ffaf9ae96473b3dde4c79b092c641f23659623d9ea4bf9efb8d1767429a4fe1e9bb542

Download Submit
C:\Windows\SysWOW64\Ekpmbddq.exe

Filesize
64KB

MD5
83eab11e1bf84e51e1dc928d9ad2a885

SHA1
f0e59a5e0a49a9728cb5685d3bede6037e67e4b7

SHA256
e30f6a5262965a0e5b1ed24fb14f544d42eee9fe25dda9b94fc6d4fb4744de74

SHA512
d029e02d5e0763d3407d9e82d849d7f34f0c5cbabcfb16d88398313ea86e3a82c180cdb82343c8942aed1bfc968f9f9d88c70be9f37a555166e93fd45a924f1b

Download Submit
C:\Windows\SysWOW64\Eqlfhjig.exe

Filesize
64KB

MD5
fe3a1ec35ce1283f57e0d6f27c993993

SHA1
c9ef8b107d5f1066ae86631a100d890e0b4f40e9

SHA256
32512a18c477397cff1920c3ba2c647e8ac119944eef0c1458259ea0d507647a

SHA512
46657afc7a67d0ea7d7820686a85ecf88367b7290b948b8b0a958146f1023f59f2d9673e0ba439a1b915eb63955968f0c4b5f1c70fec1a90ed056cb6ce916263

Download Submit
C:\Windows\SysWOW64\Foclgq32.exe

Filesize
64KB

MD5
d64afe7f16966e71ecb77e592e2cbd40

SHA1
1cf378ea1571077f8b991d42e925e54213df2ed4

SHA256
17310d96e66391f6eda1d6356ecbe50993f4a566748538d6f99dab2c4b1836f2

SHA512
1b5dc35c90552483d6c5053fb8b08733bbd21418a82bc0f44f5fab62feb5d2d5efd776e056c85bebaad705c95c7dd65403232fa48d2b14a42ef78e4bcc2d0fba

Download Submit
C:\Windows\SysWOW64\Glhimp32.exe

Filesize
64KB

MD5
9f4190b7067ab1e65ca058e639d4b541

SHA1
d503bf8d5c9994aff31440e888c7cab7cbd043fa

SHA256
e231407bbfbdd882414beeaff0c70d25f79735d4cd38d8f47718a83f48ba53f2

SHA512
f81eaf5c5611a03a13a10fd56b56b2cc6fe2216b0da35ea6bf4f667cf7497b422ba0983496f6303589cbe5a19f848cb059d3b9af73c6a4972380cefc3ecf7e48

Download Submit
C:\Windows\SysWOW64\Hbgkei32.exe

Filesize
64KB

MD5
ac3318fbe5baf183b582e3c214983213

SHA1
e6a29aaa3510826a94c7d107b5f915e9bea45250

SHA256
fb2c731b87c08cb909dc2213d06191c640e2baa77604e19bd052530198c437ca

SHA512
9c07488a5da3da78960054a4a5325e25f77af09e5fd31a16b3f6430d1a3989a596d6723f33c1c5a1d38cfa9125be2e90d0e8289e671c36884e6cbf51ed0671e1

Download Submit
C:\Windows\SysWOW64\Hbnaeh32.exe

Filesize
64KB

MD5
7ceda3917f93dc7bd4097695dc75c118

SHA1
cd47025c720d6bc096b9de9a9da04eaec158bb75

SHA256
e35f8683411d7f9695d6c199453c0fea9d8f5b806eb8a480f64bcecfaa45ac6b

SHA512
3816e365010bbe73a9768894773ff1dd5dcc41cf8de255920c6fbe7882a29b28d1a976257a2a2106886eb765821efee2fb1a69a8cc6f779df6a1ce0a8b8e833f

Download Submit
C:\Windows\SysWOW64\Hgabkoee.exe

Filesize
64KB

MD5
c63fda687c2b81ea5f1b0bb37ec57be9

SHA1
c6e243491c8984f85dae19f0539226c8b69f13cb

SHA256
08503653e91cc3c31b340abacf0cbbfb7310047e59d9ae1c983b086580a0bd7b

SHA512
1dd4738c5f82d3ccdc1d11cd8cb3dd26e61c887113be160b5cc3d229fb6e7b655e374f212beab9f94e53b00275294615824b3854c7a7e155d06f764e1fa7a37d

Download Submit
C:\Windows\SysWOW64\Ibcjqgnm.exe

Filesize
64KB

MD5
d9e8b95b63fad188e1d74be88b866133

SHA1
eb35d292428b8960c9334c4e10b9fc40de911828

SHA256
bca0152682448ea89df37fd5a61e874465132367799be8c804d18b938a2a50d9

SHA512
086b00f8ae90e1b9b5be297a17ca428d3f4e704945c5bec3179d45723b78d1641acb0005b6768b4b7899a1ec7e49b12a38c985a5c02b51b67f1d08e9110bbfbf

Download Submit
C:\Windows\SysWOW64\Ibpiogmp.exe

Filesize
64KB

MD5
f538bab60518964f270e3ab42ce19976

SHA1
fcb9ece668d9dd4b5fc4fe4fc79243e90fea702e

SHA256
4c660fa5d620189895c913f3750990923cfe39af28cd923641130ceeaa436eae

SHA512
6af344b148447b6f6e2168ff67d4b8729c0ccd87aa333a3aee42ae03ccc719f022eedc9576272d29030a4e14ba568894a1df678b04eb7acc7a45c3c810912939

Download Submit
C:\Windows\SysWOW64\Idgojc32.exe

Filesize
64KB

MD5
98c933f53f9bfbfa81254db46ed602b6

SHA1
d4b31407777d4b41b493b8499af8434f3b54017b

SHA256
e6e9672b3a258dbf196c525ea0b4691ee94fa99142bbf2016bdf91b592473bfa

SHA512
53ca38bdeb1b0fd1ecc2b39afe3e3a7b0433fd0f2fa9dbee67dbc3925faabb06935a3b4750ceb904cf4ec6edc522f52a8a892470ec432939a946507c78bdf95c

Download Submit
C:\Windows\SysWOW64\Ieliebnf.exe

Filesize
64KB

MD5
9524bf6377070b3f0048aabe6ba97eaa

SHA1
555099cadd83bdcd65ec54fdbc24a12e16705006

SHA256
086359969908bbd8676f7963aace375901dfa0d0ff9f32ce9cc4e1a0e503f56d

SHA512
2fdd8e0969c147caeada0b0c8ad7aac203ae287b7388c96e030f082954c95bc42c8d0863cb838577d0043857cbfaa8ec5cb4e30c414b3dca905e040d37491735

Download Submit
C:\Windows\SysWOW64\Igcoqocb.exe

Filesize
64KB

MD5
774bb6335b8a960f6e731dfac13ac803

SHA1
8428d6970b259f787f023adc36fa351b1b633f22

SHA256
3e5e4c06706f28612db6ed58bf4b0882f6f60e02b3dd5466ceeba9e2cd40299f

SHA512
6ee21a9f8b4a2e293679749a80f560b8812d140fdeeafed4480a2f07d44790809e4fbff6179cb0a20c87479eff1e7db83a6c4ec6baba4d9f7db8b0141288cc55

Download Submit
C:\Windows\SysWOW64\Iiehpahb.exe

Filesize
64KB

MD5
0d98dffdec6dc6cd371c3be570b13769

SHA1
a8d851eb5190ab48fad04cf5d1f1edfd19bea31a

SHA256
ddb6591674753f3862cfb674b9014958570bb60a7342c3dfc0b5532c25418355

SHA512
0dd5557ef95cce41d183939762dc72b0872336bd27d0cb694004bd9ec964427cdaf59f0a057680cdc8357ec78c9b4c4c1904a20e41319be1256c14b732a0d98e

Download Submit
C:\Windows\SysWOW64\Ikaggmii.exe

Filesize
64KB

MD5
ff724d78f59a365b19ae62de0a2e28ce

SHA1
719d815a3c0f420944bb9aa69e30ed2d08752428

SHA256
c8670c85260d84a42b8e727ed8f6bcddd9527fe721de662c5f1a06aaa25bd181

SHA512
739498c2654bc24ae38d5279381a2e478e3031cb79d6c7861318ae657aab602cd0a98ec13432450025ab51d815defca578859daecfcf6477bd8f0b6ee67ea067

Download Submit
C:\Windows\SysWOW64\Mfenglqf.exe

Filesize
64KB

MD5
e37bda2b49d0802c0b091cd210970a7c

SHA1
2708089c4e6c92f7146ea7a37292b1b972743133

SHA256
44d576514066b66f2e67c088d87f2c977bb0f1f1b910feec6248a1845e02cf7e

SHA512
3d2032362b886da814370e50e439d236830ee6b1f1b07822ef4c70e3cb436faf9052c9e84d4fe72c4e49a88c912cf4fe038900fe29091c373331a6c08154bd9a

Download Submit
C:\Windows\SysWOW64\Miomdk32.exe

Filesize
64KB

MD5
06ec15dccc930f49ecfeae4fb9381295

SHA1
728f2519d165a061c735708315626f6ca4d9254a

SHA256
89495f7b445fed4aa0480439ee91dcd84b831c0ed5984728422568d0e2f585e3

SHA512
1a90661c11fb53ba4160256699b9d0cc52eff914b9cbc92de8a1dd3f955d93d93060190deb8830c961d60279308282820b5035780027c6a43c6f504e98f05cd8

Download Submit
C:\Windows\SysWOW64\Modpib32.exe

Filesize
64KB

MD5
88739759e29ba9ab46d2ce5191b3b688

SHA1
a8f89b5856148584d6bc31c7a05ceec3df1afd99

SHA256
447a680c2951ec9f751587e0022409f47d3100c52fb55cb41452bff595b67f0f

SHA512
c367a85588a0f81c710bcb6945df007a98cacb4134bef087314ec087fe63d87f3d880d652c75b739cac69f6a71d2224295ecbea4af26f91ae92993d00f79ff5e

Download Submit
C:\Windows\SysWOW64\Nlihle32.exe

Filesize
64KB

MD5
85461b6990f512fbdb5bdb3c8169478a

SHA1
7e2ca2c59048531da8c7eb06e41d7aa71da0eb99

SHA256
0ead2eed49458e4e5fbfadba368f97a30af3284e4c91782bb9c77a25499138bd

SHA512
74dea2b49672dd5d01afe400d04454f4f591cade9c655855dca8c4e0232dce06b7fb6b01e1792a3afcd73de15aa0d19d92f19f2a62d6efc001f8b3950284658f

Download Submit
memory/180-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/220-359-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/392-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/392-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/636-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/868-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/972-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1132-377-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1168-293-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1256-371-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1308-389-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1464-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1476-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1512-431-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1564-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1572-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1596-311-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1600-177-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1636-233-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1784-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1800-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1976-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2012-347-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2016-383-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2036-225-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2104-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2156-287-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2200-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2240-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2276-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2368-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2388-335-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2420-353-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2448-395-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2536-88-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2560-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2648-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-323-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2932-299-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-419-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3020-105-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3216-401-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3364-413-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3428-281-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3680-407-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3700-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3880-275-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4004-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4076-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4236-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4288-437-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4292-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4316-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4380-269-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4408-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4460-330-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4536-263-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4552-217-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4564-425-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4696-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4732-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4752-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4884-317-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4896-369-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads