bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571

Resubmissions

16/04/2024, 01:46

240416-b7cx4sgb8x 10

16/04/2024, 01:40

240416-b3h9bsga7v 10

Analysis

max time kernel
102s
max time network
126s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
16/04/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe
Size

80KB
MD5

52e59a3f50af9bf76936e7e7f682afaf
SHA1

8d9e6bd2afb90bdc5a7a5f0c73fc6222cd4ee99b
SHA256

bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571
SHA512

726409abf756e37d4ef9eafae7a4e828d7d120584fd23773be81e51300fe2a46b0db1f4d85550afe02e121bfa469cdbe0b4780b8dee54e1c39d80bf63eca114c
SSDEEP

1536:nMXLXQ2VEmF/QncOw1CCbhgOLzDfWqdMVrlEFtyb7IYOOqw4Tv:Is25QcOwcC6+zTWqAhELy1MTTv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdiooblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddpeoafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoiafcic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlkagbej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cojjqlpk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eocenh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddbbeade.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghaliknf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hflcbngh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmeobkq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbpnkama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaklidoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckjacjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaedkdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecoangbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcckif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbnjmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boepel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbgmcnhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kboljk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe

Executes dropped EXE 64 IoCs

pid	Process
3596	Boepel32.exe
1760	Cacmah32.exe
484	Cdainc32.exe
1920	Chmeobkq.exe
1644	Cklaknjd.exe
3636	Cbcilkjg.exe
1888	Cafigg32.exe
4600	Ceaehfjj.exe
972	Cddecc32.exe
4888	Clkndpag.exe
1316	Cknnpm32.exe
4832	Cojjqlpk.exe
3584	Cbefaj32.exe
3372	Cecbmf32.exe
1132	Cdfbibnb.exe
4208	Clnjjpod.exe
3496	Colffknh.exe
5044	Cajcbgml.exe
4484	Cdiooblp.exe
380	Camphf32.exe
4348	Cehkhecb.exe
3152	Clbceo32.exe
2792	Doqpak32.exe
1156	Dbllbibl.exe
1756	Dekhneap.exe
4252	Dhidjpqc.exe
1892	Dldpkoil.exe
132	Dboigi32.exe
2860	Demecd32.exe
3728	Ddpeoafg.exe
5104	Dlgmpogj.exe
1852	Doeiljfn.exe
5040	Dbaemi32.exe
2744	Dadeieea.exe
1648	Ddbbeade.exe
4380	Dhnnep32.exe
428	Dddojq32.exe
988	Dhpjkojk.exe
2984	Dllfkn32.exe
2240	Dojcgi32.exe
5072	Dahode32.exe
4896	Dhbgqohi.exe
5052	Ekacmjgl.exe
3176	Eaklidoi.exe
4056	Edihepnm.exe
4072	Ekcpbj32.exe
4552	Ecjhcg32.exe
4120	Eeidoc32.exe
1620	Ehgqln32.exe
4536	Eoaihhlp.exe
2236	Eapedd32.exe
3732	Eekaebcm.exe
828	Eocenh32.exe
4248	Ecoangbg.exe
3500	Eemnjbaj.exe
3000	Ekjfcipa.exe
1124	Eofbch32.exe
1264	Eepjpb32.exe
1608	Ehnglm32.exe
800	Fkmchi32.exe
4680	Fcckif32.exe
4768	Fdegandp.exe
2360	Fkopnh32.exe
240	Ffddka32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Clnjjpod.exe	Cdfbibnb.exe
File created	C:\Windows\SysWOW64\Hjqaij32.dll	Dllfkn32.exe
File created	C:\Windows\SysWOW64\Gfpggnan.dll	Ekacmjgl.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Cefofm32.dll	Jedeph32.exe
File created	C:\Windows\SysWOW64\Jjbedgde.dll	Jmmjgejj.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cdiooblp.exe	Cajcbgml.exe
File created	C:\Windows\SysWOW64\Icfpbq32.dll	Fkciihgg.exe
File created	C:\Windows\SysWOW64\Pkbbae32.dll	Hkkhqd32.exe
File created	C:\Windows\SysWOW64\Ipknlb32.exe	Immapg32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jinpgcmg.dll	Dbllbibl.exe
File opened for modification	C:\Windows\SysWOW64\Gomakdcp.exe	Gicinj32.exe
File created	C:\Windows\SysWOW64\Bncfnnbj.dll	Ifjodl32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Hnigkegh.dll	Cknnpm32.exe
File created	C:\Windows\SysWOW64\Kpmmhi32.dll	Dojcgi32.exe
File opened for modification	C:\Windows\SysWOW64\Ipknlb32.exe	Immapg32.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Icplcpgo.exe	Ilidbbgl.exe
File opened for modification	C:\Windows\SysWOW64\Cdfbibnb.exe	Cecbmf32.exe
File created	C:\Windows\SysWOW64\Collmj32.dll	Ekjfcipa.exe
File created	C:\Windows\SysWOW64\Ieakglmn.dll	Hmjdjgjo.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Cojjqlpk.exe	Cknnpm32.exe
File opened for modification	C:\Windows\SysWOW64\Fkciihgg.exe	Fdialn32.exe
File created	C:\Windows\SysWOW64\Ghaliknf.exe	Gfbploob.exe
File created	C:\Windows\SysWOW64\Laapnj32.dll	Ildkgc32.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Gfembo32.exe	Gokdeeec.exe
File created	C:\Windows\SysWOW64\Iifokh32.exe	Iejcji32.exe
File created	C:\Windows\SysWOW64\Kemhff32.exe	Kboljk32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfbkj32.exe	Kpgfooop.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Jcgbco32.exe	Jlpkba32.exe
File created	C:\Windows\SysWOW64\Lenamdem.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Jiopcppf.dll	Jfaedkdp.exe
File created	C:\Windows\SysWOW64\Jfnbea32.dll	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pdfjifjo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7916	8924	WerFault.exe	423

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecjhcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doqpak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kboljk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjpqmmkb.dll"	Ddbbeade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekjfcipa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkoiefmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcfedla.dll"	Himldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Choehhlk.dll"	Hfqlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Colffknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Camphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ainpbi32.dll"	Gicinj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll"	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqoieqhe.dll"	Ehgqln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eapedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhkcaln.dll"	Hbnjmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmjdjgjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liddbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eeidoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbpnkama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjqaij32.dll"	Dllfkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmaef32.dll"	Doeiljfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glccbn32.dll"	Iicbehnq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddpeoafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciglpe32.dll"	Helfik32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 3596	1900	bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe	78
PID 1900 wrote to memory of 3596	1900	bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe	78
PID 1900 wrote to memory of 3596	1900	bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe	78
PID 3596 wrote to memory of 1760	3596	Boepel32.exe	79
PID 3596 wrote to memory of 1760	3596	Boepel32.exe	79
PID 3596 wrote to memory of 1760	3596	Boepel32.exe	79
PID 1760 wrote to memory of 484	1760	Cacmah32.exe	80
PID 1760 wrote to memory of 484	1760	Cacmah32.exe	80
PID 1760 wrote to memory of 484	1760	Cacmah32.exe	80
PID 484 wrote to memory of 1920	484	Cdainc32.exe	81
PID 484 wrote to memory of 1920	484	Cdainc32.exe	81
PID 484 wrote to memory of 1920	484	Cdainc32.exe	81
PID 1920 wrote to memory of 1644	1920	Chmeobkq.exe	82
PID 1920 wrote to memory of 1644	1920	Chmeobkq.exe	82
PID 1920 wrote to memory of 1644	1920	Chmeobkq.exe	82
PID 1644 wrote to memory of 3636	1644	Cklaknjd.exe	83
PID 1644 wrote to memory of 3636	1644	Cklaknjd.exe	83
PID 1644 wrote to memory of 3636	1644	Cklaknjd.exe	83
PID 3636 wrote to memory of 1888	3636	Cbcilkjg.exe	84
PID 3636 wrote to memory of 1888	3636	Cbcilkjg.exe	84
PID 3636 wrote to memory of 1888	3636	Cbcilkjg.exe	84
PID 1888 wrote to memory of 4600	1888	Cafigg32.exe	85
PID 1888 wrote to memory of 4600	1888	Cafigg32.exe	85
PID 1888 wrote to memory of 4600	1888	Cafigg32.exe	85
PID 4600 wrote to memory of 972	4600	Ceaehfjj.exe	86
PID 4600 wrote to memory of 972	4600	Ceaehfjj.exe	86
PID 4600 wrote to memory of 972	4600	Ceaehfjj.exe	86
PID 972 wrote to memory of 4888	972	Cddecc32.exe	87
PID 972 wrote to memory of 4888	972	Cddecc32.exe	87
PID 972 wrote to memory of 4888	972	Cddecc32.exe	87
PID 4888 wrote to memory of 1316	4888	Clkndpag.exe	88
PID 4888 wrote to memory of 1316	4888	Clkndpag.exe	88
PID 4888 wrote to memory of 1316	4888	Clkndpag.exe	88
PID 1316 wrote to memory of 4832	1316	Cknnpm32.exe	89
PID 1316 wrote to memory of 4832	1316	Cknnpm32.exe	89
PID 1316 wrote to memory of 4832	1316	Cknnpm32.exe	89
PID 4832 wrote to memory of 3584	4832	Cojjqlpk.exe	90
PID 4832 wrote to memory of 3584	4832	Cojjqlpk.exe	90
PID 4832 wrote to memory of 3584	4832	Cojjqlpk.exe	90
PID 3584 wrote to memory of 3372	3584	Cbefaj32.exe	91
PID 3584 wrote to memory of 3372	3584	Cbefaj32.exe	91
PID 3584 wrote to memory of 3372	3584	Cbefaj32.exe	91
PID 3372 wrote to memory of 1132	3372	Cecbmf32.exe	92
PID 3372 wrote to memory of 1132	3372	Cecbmf32.exe	92
PID 3372 wrote to memory of 1132	3372	Cecbmf32.exe	92
PID 1132 wrote to memory of 4208	1132	Cdfbibnb.exe	93
PID 1132 wrote to memory of 4208	1132	Cdfbibnb.exe	93
PID 1132 wrote to memory of 4208	1132	Cdfbibnb.exe	93
PID 4208 wrote to memory of 3496	4208	Clnjjpod.exe	94
PID 4208 wrote to memory of 3496	4208	Clnjjpod.exe	94
PID 4208 wrote to memory of 3496	4208	Clnjjpod.exe	94
PID 3496 wrote to memory of 5044	3496	Colffknh.exe	95
PID 3496 wrote to memory of 5044	3496	Colffknh.exe	95
PID 3496 wrote to memory of 5044	3496	Colffknh.exe	95
PID 5044 wrote to memory of 4484	5044	Cajcbgml.exe	96
PID 5044 wrote to memory of 4484	5044	Cajcbgml.exe	96
PID 5044 wrote to memory of 4484	5044	Cajcbgml.exe	96
PID 4484 wrote to memory of 380	4484	Cdiooblp.exe	97
PID 4484 wrote to memory of 380	4484	Cdiooblp.exe	97
PID 4484 wrote to memory of 380	4484	Cdiooblp.exe	97
PID 380 wrote to memory of 4348	380	Camphf32.exe	98
PID 380 wrote to memory of 4348	380	Camphf32.exe	98
PID 380 wrote to memory of 4348	380	Camphf32.exe	98
PID 4348 wrote to memory of 3152	4348	Cehkhecb.exe	99

C:\Users\Admin\AppData\Local\Temp\bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe
"C:\Users\Admin\AppData\Local\Temp\bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\Boepel32.exe
  C:\Windows\system32\Boepel32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\Cacmah32.exe
    C:\Windows\system32\Cacmah32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\Cdainc32.exe
      C:\Windows\system32\Cdainc32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:484
    - - C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\SysWOW64\Cklaknjd.exe
        
        C:\Windows\system32\Cklaknjd.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Cafigg32.exe
        
        C:\Windows\system32\Cafigg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Cknnpm32.exe
        
        C:\Windows\system32\Cknnpm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        23⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        26⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Dhidjpqc.exe
        
        C:\Windows\system32\Dhidjpqc.exe
        27⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        28⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        29⤵
        Executes dropped EXE
        
        PID:132
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        30⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        32⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        34⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        35⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        37⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        38⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        39⤵
        Executes dropped EXE
        
        PID:428
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        40⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        43⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        44⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        47⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        48⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        52⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        54⤵
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:828
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        57⤵
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        59⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        60⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        61⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        62⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        64⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        65⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        66⤵
        Executes dropped EXE
        
        PID:240
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        67⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        68⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        69⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        71⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        72⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        73⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        74⤵
        
        PID:984
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        76⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        77⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        78⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        79⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        80⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        81⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        82⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        83⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        84⤵
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:252
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        86⤵
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        87⤵
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        88⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        90⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        91⤵
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        92⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        93⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1984
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        96⤵
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        97⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        98⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4824
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        100⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        101⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        102⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        103⤵
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        104⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        105⤵
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        106⤵
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3696
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        111⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        114⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        115⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        116⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        117⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        118⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        120⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        123⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        124⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        125⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        126⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        127⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        128⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        129⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        130⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        131⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        133⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        136⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        137⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        138⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        141⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        142⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        143⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        145⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        146⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        148⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        150⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        151⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        152⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        154⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        156⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        157⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2352
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        159⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        161⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        163⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        164⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        166⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        167⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        168⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        169⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        170⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        171⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        172⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        173⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        174⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6236
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6280
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        177⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6364
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        179⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        180⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        181⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        182⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        183⤵
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        184⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        185⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        186⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        187⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        188⤵
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        190⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        191⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        192⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        193⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        194⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7080
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7124
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        197⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        198⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6252
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        200⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        201⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6432
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        203⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        204⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6644
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        206⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        207⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        208⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        209⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        211⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        212⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        213⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        214⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        215⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        217⤵
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        218⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        219⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        220⤵
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7016
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        222⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        223⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        224⤵
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        225⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        226⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        228⤵
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        230⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        231⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        232⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        233⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        234⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        235⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        236⤵
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        237⤵
        Modifies registry class
        
        PID:7208
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        238⤵
        Modifies registry class
        
        PID:7248
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        239⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        240⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        241⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        242⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        243⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7492
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        245⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        246⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7616
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        248⤵
        Modifies registry class
        
        PID:7652
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        249⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        250⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        251⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        252⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        253⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        254⤵
        Modifies registry class
        
        PID:7904
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        255⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7988
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        257⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        258⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        259⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        260⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        261⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        262⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7280
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        264⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        265⤵
        Modifies registry class
        
        PID:7436
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7484
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        267⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        268⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        269⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7704
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        270⤵
        Drops file in System32 directory
        
        PID:7808
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        271⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        272⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        273⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8064
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        275⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8188
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        277⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        278⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        279⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7596
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        281⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        282⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7812
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        283⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8028
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        285⤵
        Drops file in System32 directory
        
        PID:8140
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        286⤵
        Drops file in System32 directory
        
        PID:7188
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        287⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7380
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7540
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        289⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        290⤵
        Modifies registry class
        
        PID:7940
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        291⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        292⤵
        Modifies registry class
        
        PID:7304
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        293⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        294⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        295⤵
        Drops file in System32 directory
        
        PID:8184
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        296⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        297⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        298⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        299⤵
        Modifies registry class
        
        PID:7548
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7884
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        301⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        302⤵
        Modifies registry class
        
        PID:8284
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        303⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        304⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        305⤵
        Drops file in System32 directory
        
        PID:8408
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        306⤵
        Modifies registry class
        
        PID:8444
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        307⤵
        Modifies registry class
        
        PID:8488
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        308⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        309⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8572
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        310⤵
        Drops file in System32 directory
        
        PID:8616
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        311⤵
        Drops file in System32 directory
        
        PID:8656
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        312⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        313⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        314⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        315⤵
        Drops file in System32 directory
        
        PID:8824
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        316⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8860
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        317⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        318⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        319⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        320⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        321⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        322⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        323⤵
        Modifies registry class
        
        PID:9148
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        324⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        325⤵
        Modifies registry class
        
        PID:8208
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        326⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        327⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        328⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        329⤵
        Drops file in System32 directory
        
        PID:8472
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        330⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        331⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8596
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        332⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        333⤵
        Modifies registry class
        
        PID:8712
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        334⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        335⤵
        Modifies registry class
        
        PID:8884
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        336⤵
        Drops file in System32 directory
        
        PID:8956
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        337⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        338⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        339⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9144
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        340⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        341⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        342⤵
        Drops file in System32 directory
        
        PID:8384
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        343⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        344⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8588
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        345⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8704
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        346⤵
        Drops file in System32 directory
        
        PID:8832
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        347⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8924 -s 408
        348⤵
        Program crash
        
        PID:7916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 8924 -ip 8924
1⤵
PID:9140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:9160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
80KB

MD5
8ea7418762575789aa84ba1b8cfb8921

SHA1
cf6ec6aca725aaeaaaa64f2eb92277bb762ca045

SHA256
a1990e74a8c60b3e2ce2f617517dfef3c18b686a59a8731805ca353836ce9a90

SHA512
6319b19b582cad0adbcf01b8aa5e97cf25226f9cef7d76a9a38218e4e5f408485f9dc616b3c106df941b3eba1c7738bc3f02af7809330e562ffd432ed42195ad

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
80KB

MD5
4c738e078adb52090a6d29af32e0eff4

SHA1
0bf86f302d1b7d450fd1796898d15e86088ac5ed

SHA256
5e2467cecb66eceb157e289e7d8d1b23f4acba1c26422c00f388440bf3ed3a40

SHA512
a1177d81cfd2caac416e0563deb606fa2710aa68456aebe603cd4b1a2eb82ac5dfd324157a9395425a64ccc7a5228f97579902df4e00e5a84569e0c344830678

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
80KB

MD5
e8f473f968552c8b2cb26843d27df752

SHA1
9c6bcf086df94221ba85d5d5712c0611c4657e82

SHA256
587d8c0a19e7c01d46a5999a7e877d20349dd00385e0e13922bc435381365ec5

SHA512
ad2f7c8c40072005c8b55fbdbacde5f88dca5d562f160a3743b9223b312543b8e3c4befef6a7b4198f1aa7565f6eba63b394956496d420942b6b2da1c8fd3a35

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
80KB

MD5
99d591deb4fcb4802370ee5b9035d320

SHA1
a9d6814fecdf6c0e6f67c97086858ae679a5ae23

SHA256
d719930c2cc5e0a6d7c8b0cfd01245d9d7caec8aa1d4f44d2c946c29217b53e6

SHA512
ceb4f3ee4267bb157013dbaf5c8a509d45eacb5f3668ac989ddde318c9b5f63c639c9ce60a9dbafc91fe064b80a141e1d67905a944b5cd9559a203c9ede6255f

Download Submit
C:\Windows\SysWOW64\Boepel32.exe

Filesize
80KB

MD5
a364cdb6e70edabb647b77901ca063f0

SHA1
6c59b8e3476f22fb6cbf3311c336056109addd1d

SHA256
b6926a5658320cbad99c275d8f4f4d269ae1ca4283adc7a1ea7a023ddfe600ff

SHA512
0dfd43a6cdb01a86844e0a5f99a8369bab437333e454e233b98213a74b34581c09e3a75d828ce32bb656d7d23ca698a5716a90f15686180c083b3b1ae5011eef

Download Submit
C:\Windows\SysWOW64\Cacmah32.exe

Filesize
80KB

MD5
f7c121304275e7f7d7f7a7261aa7f80b

SHA1
3bbe25408c0030513c71e6719c03cb607169eb6c

SHA256
569419d4d52d83dd0e0e223c1304299cb7baa8d4e4af83c1e591889a30fc8c8d

SHA512
4100e4b9e7724890ea98a0b805a318fb6a3d6e641d1e0ac07e3a1adee0b88e64a92e57489548e6fd48617d3231a4077707c0ade873004597b65fce468e0eb190

Download Submit
C:\Windows\SysWOW64\Cafigg32.exe

Filesize
80KB

MD5
269f67b4c4717fe4df92c62c3b71a4b9

SHA1
850c20a5f6ca103df3c76acb7cc0ba843dfadac6

SHA256
b7d09cdb42d6768ae26d5b91f7f2a83ea54cfad2c1676c029d4a63bb508a4935

SHA512
20603a525c7ca47598488194e8c3b7c1fb322d38afa873fff6bb77fc79d6b8bed15a27b3248a5b4e98b70fd2efbb501b3e629f24db88ac78a2890cc91437a490

Download Submit
C:\Windows\SysWOW64\Cajcbgml.exe

Filesize
80KB

MD5
30da0dc2ca577d99370318584ee2c83d

SHA1
5ce80bea9375df6458d8c2f4af80e9910450a1b2

SHA256
f30b520a158910aca114327c32beb0a9ec03e1f49eaea1160019f6ee72114c8a

SHA512
bda4dee2c7bcbc4fbb704e2d1de17c97353e9f4205bec6c3692f3791f6f57567336076ad4d93865433b23443e28615e3eb52d043a8808133d060d76719268fd2

Download Submit
C:\Windows\SysWOW64\Camphf32.exe

Filesize
80KB

MD5
8ac369c1e288d25b270a831d6aafb5d6

SHA1
9cca384f4c1bad4c8bedd950b2573e052c666743

SHA256
b50d7250bfb71f05124e16ba66043e5818e4b159b7f43d10a449e75499d054c3

SHA512
37b883211a9750e9187c19aea48868a18cb5b8bcdaecb2a63677204d34261464de9e0155ace8c6d12c12cbae46438926287c458d19c2eaf13fd0dcff61cc92f4

Download Submit
C:\Windows\SysWOW64\Cbcilkjg.exe

Filesize
80KB

MD5
7bb24a481764c2d310cf41fee266f63e

SHA1
824e774f6cb4f98dd3bb3195ba2e5f7df6e53b18

SHA256
f1e2031a32a6766f38dbed963766eb4bb9d15e30cbc47a96c370dce088362d13

SHA512
ab84c625ea912f75cb64da74886480c3feb8a548f3f1b50e74f648ee70836c53f525f0437f56ffa456abb6c7cd56785e2e3924eeed7623bc2878daff02503cf8

Download Submit
C:\Windows\SysWOW64\Cbefaj32.exe

Filesize
80KB

MD5
4405fa662f224e4243eb0cfb427f4ae3

SHA1
c52191c15ca2b12edd5f54a498263f02e22fac80

SHA256
4c6ecf74e94b377d00cfa57d32753489d2d2595e0a3e574bbc6bd1cc73c4b4e8

SHA512
1f709e5b4e3ffe1d45f8b38c9a3494da2e0d99cef84280e9e2e897e06287ca187f74898207d3bc2b42a2c05d9011f47c3aca5dc0fbb3f053acb79e1dfa4c7423

Download Submit
C:\Windows\SysWOW64\Cdainc32.exe

Filesize
80KB

MD5
c11a8bfcaa97eaaa8c36100f8f8d6a7d

SHA1
f9173652bab363d2d24e8601f402cf81910374ed

SHA256
6ecfaa747ff4fa44dabbf9599a621fa3946794192ab62adb27690a58606e352f

SHA512
f21689022c845faf0386c67cb8584d6b0836f4b094e79076d840ecaa6daba9e8ac60b71275e67eb566deed76b8345f5891aaa74364492e0aa45f701417e111bf

Download Submit
C:\Windows\SysWOW64\Cddecc32.exe

Filesize
80KB

MD5
4973a229721394f94b0e9bdb77354ceb

SHA1
89527b76ec031c74c9d2c700bb86ebc517a33d5c

SHA256
8d995b2c28404fd3d9e024f8a61d243cea53a7c21f32f811f6ac6bf1d63e7df6

SHA512
2aeb51ed464997ce6a99db893311d0cab6a71d55a460d13190f806ad6967d8232f610d02ccb0c50529410c756e2a215d9ab64ffd15183e8d1417a2de7851ad1e

Download Submit
C:\Windows\SysWOW64\Cdfbibnb.exe

Filesize
80KB

MD5
4cc1ac89de17e0a249e02f2de7591ba4

SHA1
820ac1fa9eadb4a21bfe4c5c6983136618db3feb

SHA256
7aff047b8a4c0d22b701bd7e98bc8896036773ce0f74a4218fffcfe9032085b3

SHA512
09c6ce4eae81820171c483315fd831325937f63a2250584bb8dce6ef55bfe220cb278957883fb60acb06389ff66b8f9ed7f74710a15191a14732f0f061d7e0e3

Download Submit
C:\Windows\SysWOW64\Cdiooblp.exe

Filesize
80KB

MD5
637fd020f7a90296d46cd6bbe683038c

SHA1
f5c1451d6edecb4ac9617096288ed423136b2e0e

SHA256
1a36e14db3989bb4b9b9bab8fde22eb7c959fdb3e38df7b63ec2264227870322

SHA512
e4f05afe00bb86990d9b7b06a9d6bc68cecd98e59673eb91d99b5e999245a20e1b63ca8860e6c06df5de2763c47d113f7e53c1afe2d410cbb093e9d44a260efa

Download Submit
C:\Windows\SysWOW64\Ceaehfjj.exe

Filesize
80KB

MD5
c245cd2e7d364315dee02ca4e4c9ffb1

SHA1
011aa6c1e587f86d5d0443a666f3ad10cc9c43ec

SHA256
9fa21cadf2c5943adbe170455216cf3dc9d3e6bfe46256afc40c0efb37a1e488

SHA512
c093fe9d1de4bef36d798b4ef5612dbd3f406286bdd7a1a670b7f1a6dffe1b646fbd05ff2c7973fabc5f5a1c0a73a836781de759eddd571a5871a9f0e18d1e61

Download Submit
C:\Windows\SysWOW64\Cecbmf32.exe

Filesize
80KB

MD5
e3015262a82b04d211f18e8a06ce7692

SHA1
d78d3a4b6d8d28ca69e0d90d0d830d64775f57c4

SHA256
2962b6afe85320682cfda59ea59de3cc838c3802f925dde583cb8747f6967888

SHA512
f34df15856c935737ba7ebde5b3c70599cbae75bbf00901747d2245c9391acb8bbc8d07bc63ae5abe8be353af383f2600c986d2ca87c74d21f1dc191cca6f96d

Download Submit
C:\Windows\SysWOW64\Cehkhecb.exe

Filesize
80KB

MD5
a0ac4b3db3afc82524c567c1a0300fd9

SHA1
121d8693722dc235214a35324b28d4506366deb2

SHA256
5a2d15630be46ecf81cfd395b09238b7c7e17b73ed49dc70c9af35f978c72ee3

SHA512
f5bf2445ada4731ef829ff3080455e6c7a3aef60e80dfb61e31f27042cf96dc7f5978c50af3dea420789dc0d0ca0b4f154d30cb5b959e13ccae8f4317641bab9

Download Submit
C:\Windows\SysWOW64\Chmeobkq.exe

Filesize
80KB

MD5
14b82f7667eb4a5279acfbe7f5faa395

SHA1
19a94732395824ae3ad1041a866275d8f4f4e14d

SHA256
b6e424449d8301b0791f64968739a6bc7f78284edcd806abc625eb0eefdb7cf7

SHA512
b1f97f17e20028e48cad140f4ab56a64ac64613696b4721c3c2560bd57ef4b3825a7a84a7f240924baf98c235a7cde79c06d2737363516b759480401a5c85406

Download Submit
C:\Windows\SysWOW64\Cklaknjd.exe

Filesize
80KB

MD5
13a810a6a0004c12743ab512095dc325

SHA1
34370016a5b5b2618b9e88f95763baf2a8f6e413

SHA256
f96740ae5484da2606b55f349d7074938f3317cbedfaa5ecfe9b7e2379c1f94c

SHA512
06490b90c8ec49c65a4e69bf95ec792ba6a84745b041449d0c7f119712dc91cadfb48597bf61f9df62ee2dd001612a8dc061364afa63148b8ef4064a6556167a

Download Submit
C:\Windows\SysWOW64\Cknnpm32.exe

Filesize
80KB

MD5
d136c124040df2921e525996787fdedd

SHA1
62ef3c654d4ff2e8857c06cad30a0613bf57a3dc

SHA256
d3fd3c7b3e1d6659eaba92036e20d1c06586ac4ce0d5f36fef9a7b0e4962748f

SHA512
5d86c09b38429522a2eb96ef29e59d3c36286bb3b2d98c64d06ab3dffcbbfad6e4f9a1a747a54278a1ba5f57cbc1162e9f6454fe3a35c1390308f4c0c648fa42

Download Submit
C:\Windows\SysWOW64\Clbceo32.exe

Filesize
80KB

MD5
f890178bfcf8a5058a5b35358ffa7e9d

SHA1
e66e25b36c97aff4163dc4b8f6b8adf71ed6ee92

SHA256
0c93b96ba4eb242c14c4102e8c984dcc32fd15a037b03a6513fc7b8d101f8c41

SHA512
e7cd4d6f2bce995233ad8ccd7f5fde8cfca21661f3ee43711a53a6a2f1493cd64a1f8df08b53c048ac28099f38208435b4bbd60203ab62d375b5eb4e1fb22727

Download Submit
C:\Windows\SysWOW64\Clkndpag.exe

Filesize
80KB

MD5
1f7643b155882d4575e37ad1da69a3ae

SHA1
1c1dddd559f8e8a9edaa49367cda9bf97a285636

SHA256
bc22735bd1775fec4edc64f5be7932f7e1001f59fdfcf5c79d4516d153be30ac

SHA512
348e84b73e2fcc6fd0e0324807f7bab3173b749c039d229c6ad5cc6573709562e56d835b55960afb28e66611e4a570c38a0104418411db922c6fdcd640b0fec3

Download Submit
C:\Windows\SysWOW64\Clnjjpod.exe

Filesize
80KB

MD5
141dadcf6854de76a1841d1377554e04

SHA1
e1736395b4af4eec2cfa5b0fdd66e61459402724

SHA256
2c669049be9b84f81fc4d9bec8717af9ecc3dcc8e72268b5eec025b73ab02682

SHA512
a653309863eb19cea3005d6b7bcf12ce1299324cb40eba341fccea83f2eb000328ff665ae6b5b5efdf42340ceb4abb3b6f99e11dd560a5315d7d3ecd2e058a00

Download Submit
C:\Windows\SysWOW64\Cojjqlpk.exe

Filesize
80KB

MD5
7730d884f54d8cb04ecafdeeadf8538d

SHA1
cd0fa359b126f71ae4b117e9e84bc03350659c94

SHA256
4a5613f600fa0a7ccb081c14d5a05b1c680c62626c6580851749818bb4da697d

SHA512
56c83088b11167353300af789f993d6a4c324fcecd18b69670d2491369fa8b72eb4827c6c5af7d4cb020ca240ddb96cb07fd0ab4dba3fe2396d5a3d0c5f7843b

Download Submit
C:\Windows\SysWOW64\Colffknh.exe

Filesize
80KB

MD5
e8093c8fd0c6fa643fd90eb5419b046d

SHA1
56f44aaf7967355509db371271b44c5cfd2fd393

SHA256
07b6b77d75ada66c45f0c853861aa6aaecb14c148183808aff0f17a59fc5c1a6

SHA512
e961e585121150dc9d0ceb7548d53aba73a7a14e8e06fcc0b881e226f1abeb52326af0aea8273064263f9f202ad41b747e5d57bffd4d039d09c626b2e8cee311

Download Submit
C:\Windows\SysWOW64\Dbllbibl.exe

Filesize
80KB

MD5
f67acd8e98af1ffefa279902d988e1d2

SHA1
a580c68ceb3b87f2d2d437e79d2693e6440f6677

SHA256
02dd4eccf9bf45009e800b1bae8ff20ab47ecb363d19a96374922fabbd8ce4fd

SHA512
ddce42c8932c3ae8bc17f47ea7ccc1318b49e6a5a5f8ef55dc94c991a31fcae1adbe7c93fd2072ce7806903bca51836794643c6381ed5611ee584abad09d7602

Download Submit
C:\Windows\SysWOW64\Dboigi32.exe

Filesize
80KB

MD5
d88bdbad81e93b9f734bbeb335b4fc41

SHA1
aa252ca47439a8a52fb711ad6595193426ac2dcd

SHA256
dbfdac7e88ca22013c914d097cd23d26337ea234e81ae87e9e4f8ff073be2925

SHA512
4861613dff81f7d91c610774cfab8fd807db5e9abe18e58431ed3d97e3ed595d661880328b6abd551acc5793beaa108cd715624ada77116ab3b963871b1da438

Download Submit
C:\Windows\SysWOW64\Ddbbeade.exe

Filesize
80KB

MD5
5ddf4ca97b49784eb6b519b9c1c25ab6

SHA1
b65283067274f8f8efcb3548c113bc9bcc850bfd

SHA256
7ea8ef43ba5900025ee418d7204abbb7f9ae804df3846726408db2437619ab82

SHA512
c66f7860b86310bab6eead4f4ddf408e9d379a64c0ffbae2c9ffd316192bddffd2aa0bee63839092c1a4d8a9f3d139b52a84ef903dae42711a36eb9bded0cb31

Download Submit
C:\Windows\SysWOW64\Ddpeoafg.exe

Filesize
80KB

MD5
c06531b8dae4501f4cf4baf9615cabf5

SHA1
f732b618d3112201de6b9a132ab095fe70790137

SHA256
5330457d9f741dcec6fb2d2b4868cfa4a97d3bd1a539653975d52a7b98567223

SHA512
6c498fa4d0325d0ed623e21ae2a6de4809afadd500cd4e0171ddb0fc99e1d361a836740a92282d5ce7846c13d297787c5184a6cfd8ba23170f8c2c069f655f44

Download Submit
C:\Windows\SysWOW64\Dekhneap.exe

Filesize
80KB

MD5
d333c231c97f8b4b093ed80fe0f1ddf1

SHA1
2c22cc28a0ec733455698aabbe6a76d83648ddee

SHA256
a194dd3940bee4c3b6ff8289a2501c7423e8ded48c11c2ba18751d22a791c913

SHA512
8c75e46f1c70bcf3217498fb2816c32abdf808769fb73d92acb541ad398ac3d3f3536fa28af2be64bc8056a0018356a6b4fe8b38580bf018ec7a4b7f769a9cd3

Download Submit
C:\Windows\SysWOW64\Demecd32.exe

Filesize
80KB

MD5
299211379c80ff0933e6d037a58e9769

SHA1
11f026d1aaf15631d410bacf8fbda19a1cce2dc2

SHA256
788d30b5cbeeb67cab36bd8bf4c2dd9b1a3939e2fd59f0a3d9b1d21da36bd0c3

SHA512
1fe89d4c5d167e148c49c167160acbaa70aca4e09fabdb6bd9465b1d99a7221c2b09b01ea63dc7240b299f879a105c9b79f03f10442add6df10079ee7bc41366

Download Submit
C:\Windows\SysWOW64\Dhidjpqc.exe

Filesize
80KB

MD5
571283199d6a5acea5b34f8d7b56ffec

SHA1
cd551dba2203d02e26b9d48184ddbdc3a237d94f

SHA256
7173d577459516f99325f8b30a152fe04d3d8f2cbf20221c221649775e1d18c9

SHA512
1baf52af5c9950d93dcf562c40bfbd1025c40822863cce58c6eb28d8bcf32f8927a27c4cd06df28aa1995768ff4172e3ab5a838ba2956ea42e7970ed76a66f13

Download Submit
C:\Windows\SysWOW64\Dldpkoil.exe

Filesize
80KB

MD5
f4d744f7a0725447df673425d853ff11

SHA1
a4c4ac62a5d5edf873bf7107ee1618c10716526c

SHA256
1398589efe2e4c338b99fea7bcb540f0dade3fc413c66cb892c834476f9b011e

SHA512
5ba2075472c37ecaf0648a4b3c3b4a8d9a6303abfae83bfd2fbc8f2697a6b3b7d57ea3d875e4169fa8a1fbbbb291b4ad5112abd66de5fabd1053de643cbbde13

Download Submit
C:\Windows\SysWOW64\Dlgmpogj.exe

Filesize
80KB

MD5
3eb259a6d63e0fc22a6f229a59588fac

SHA1
e918d11a04d5cf7228a89981021d5946ccc158ab

SHA256
3c104f3bed4da3e7f04ec8b5dd393ae2677b2c9176c3db55c1880b618b08c302

SHA512
ea4421013ff8a4c25c372026413fe35a4ca4ce4ff7220102b1471aa997aa5c67767e55feebe50934b74b72b70d178c1b622194d38a374e1675e1306b19519ca8

Download Submit
C:\Windows\SysWOW64\Doeiljfn.exe

Filesize
80KB

MD5
974a5783ce19ccf9e61b1536c27953ad

SHA1
b49e2af37236a4ba3b9f262e7c6d407fb0e84254

SHA256
8e51af6d8bbbf6e959947f008fd79ee18686aaa5f4be9bc6bd4ef0b437ea2499

SHA512
4e319a92f87b523b497fec226950c77add89f4f7dcf4ec44f7eae482d726c1ec7ab273ed9d1b80f1959d10cba46af921cc32e212f2c763640c1149798656b9bc

Download Submit
C:\Windows\SysWOW64\Doqpak32.exe

Filesize
80KB

MD5
2a375bb565123dccf671e197a0addf4f

SHA1
4e3a7df3951d0df37d090522c3226496d69daa8a

SHA256
173978b73b5a7c888151d010dc30671c99525c0b687d61253c3484b4a961bbd9

SHA512
81e1f16eee09c364ef68b2a20c9e3b53534232f659e6dd3edc3b9db8dc364d1cdc7bb870284e63dda69f7c4085eda95cad32becbca0638d47e84884565b86bb6

Download Submit
C:\Windows\SysWOW64\Eaklidoi.exe

Filesize
80KB

MD5
a81bf76b899fe492fe644fc0ab33aac6

SHA1
d8371fc488af64470734a0e3232ad6965773fcb3

SHA256
e7c1b1ae936da3a8a5ca7ebaf434f00f3b95439cb9c560631e50689d41e390dd

SHA512
36fee127d1589936b9b857e778d9cdef67d0edca2037d974a73a909f55b6459d7efa558784cc2b0bd07b3f7f2d7c6d2a1352f61ab3fcb70321c705123a8a31e3

Download Submit
C:\Windows\SysWOW64\Fdlnbm32.exe

Filesize
80KB

MD5
9538e54abb058f9980fa2ec3e48f7d85

SHA1
a79be8fb93b7f1bef5781b6199dd4fc2c4b38a24

SHA256
218f8e4b506fe7fcd05a9defedca717f7385ec8ce93afdfb8dc155f75f91f891

SHA512
c1b97f5878823c9eb6d9a4781b709ca433a852147c2b6d1b2b13bc110881a0aa83440fe145cac28eaeba8afdd349b6513314540af3b4f150037dfdf750f7747e

Download Submit
C:\Windows\SysWOW64\Ffddka32.exe

Filesize
80KB

MD5
5f2dade11ea5cc9bd2b6645a135acd97

SHA1
f5dadbfc3152f48784ae1bdd194f01e9d7e2e6cc

SHA256
7264a527c224470905becc9f316a81630e710f53531e1cd8be192e3a1c078cb2

SHA512
e57794329e424c5fbeb6a107a6d82ca14b38d2d39854eda3e8671d3018adeaa7124ec8cfb4f9fe46865504e9d72ccd64691dc5261151a15431d865e0a4356e4a

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
80KB

MD5
7e818475ab20f647ef54f98d2c6afd2a

SHA1
0e7fcecf9258501751551bf493e954a81636d407

SHA256
4000c2926cb31522dbfe583c239e63595ecfe25a1c2cd26c9e803a4a0f8644b3

SHA512
87e96b233294317645016be6efd322973414056e6986be0984b8a8b7fbea6b5053264ce3d481b17f1421692fe7ce2baf8656424d3504a5841a1aa2dbd899218d

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
80KB

MD5
bb47b6672994929e35075ae95f20d779

SHA1
fbe5f903239e997a284101a92e282a235a136359

SHA256
edd0cccfee765d6bbf3efbf81b07f140787cbcbfbf81244983344bab6681e678

SHA512
6c47d37ad44fced482977d2e3da2d539cb23e5b7bc6d9bcc38671db77f6d3e2fa3646da182f9e77147247c1a7e966275256db185434243f7db0e31a8d9131b70

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
80KB

MD5
324eba581677710342fd49bed27b22ed

SHA1
e512d10542b085391803eda18570517323c8ef09

SHA256
96c0265413d83068c6c4d958a1b3622b78d02a5149fcbb3802281f8efccc6201

SHA512
0010549fc3fa10345185db362784725432c83c810919c1c980220322c699b15eaf76747632b27e3d7db00e4d9f29440d87a553213b768f4fc7583827f13c0f3f

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
80KB

MD5
8ed75b8c71922414e18d4a568fbdcc55

SHA1
3bb2cad3b9e939e572a436358d1f2c6751366c4f

SHA256
0567f081052ebb79b247662a4c38b4638e2b1d1807bbe8ea1eab764fda070dd7

SHA512
7b3bc02a8f765e5db928a4da6ff0c261d413e07782e0ee200984202894f33f316b67d7e7d5b15fd5f8131bc06530d91d7668a996308a82f03e7bd37e7810eb48

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
80KB

MD5
82f1982e5592483740194f87f82d3013

SHA1
4310981ba3bf8bddf0850535fd5d2bd35dc2fc98

SHA256
f0cd53ec96f33bf610d0c46efa4835d46cf3e5ba9bb3413f7ff8d121fa5ef0f8

SHA512
47e2f0e907facee06a5a938576aad7e5b0675db42891f276f9d5d28966d11da99b5251fa4773f10fe22c6f84bb4500d12bf8ac73b9d3cd35b2e4a656d03eafb1

Download Submit
memory/132-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/380-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/484-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/800-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/828-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/972-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/988-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1124-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1132-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1156-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1264-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1756-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1852-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-61-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1892-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2240-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2744-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2792-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3000-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3176-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3500-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3584-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3596-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3636-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3728-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3732-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4120-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4208-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4248-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4252-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4348-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4380-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4484-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4552-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4600-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4680-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4736-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-85-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4896-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5044-149-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5072-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads