986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0

Analysis

max time kernel
114s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
Size

377KB
MD5

0e5d30ea19ce2f88a0c28a9c40270606
SHA1

7c37e52ebf905419022f8378f8353bb8b36b92d8
SHA256

986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0
SHA512

d6bec92188ae7e8c68bb54a65c1b800904abb530a28a9cf6914bfc19f79fc96903c916443c7b8304bdcb1a340a752737753138b7a6f32926b3f09750225ba9d1
SSDEEP

6144:pQTOcoZjNaGSgnohijgAUv5fKx/SgnohignC5V:GTOcadMTv5i1dayV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mledmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qamago32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilcldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkknmgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doojec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjhbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojomcopk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqgedh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loacdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahdged32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiqjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njbgmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgibpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmaffnce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiokinbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccmhdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hehdfdek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblmgf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdlqqcnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnindhpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebimgcfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgeenfog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekjded32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bllbaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koajmepf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakikoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcanll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjffpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehndnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gokbgpeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhbcfbjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dngjff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcbdgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phdnngdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhoahh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fganqbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfeaopqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfgmnfp.exe

UPX dump on OEP (original entry point) 55 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023244-7.dat	UPX
behavioral2/memory/2264-8-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/files/0x000800000002324a-17.dat	UPX
behavioral2/files/0x000700000002324d-25.dat	UPX
behavioral2/files/0x000700000002324f-31.dat	UPX
behavioral2/files/0x0007000000023251-40.dat	UPX
behavioral2/files/0x0007000000023253-47.dat	UPX
behavioral2/memory/2972-49-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/files/0x0007000000023255-56.dat	UPX
behavioral2/files/0x0007000000023257-64.dat	UPX
behavioral2/files/0x0007000000023259-72.dat	UPX
behavioral2/memory/220-65-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/files/0x000700000002325e-89.dat	UPX
behavioral2/files/0x0008000000023248-112.dat	UPX
behavioral2/files/0x0008000000023248-107.dat	UPX
behavioral2/files/0x0007000000023260-97.dat	UPX
behavioral2/files/0x0007000000023267-130.dat	UPX
behavioral2/files/0x000700000002326b-139.dat	UPX
behavioral2/files/0x0007000000023269-137.dat	UPX
behavioral2/files/0x000700000002326f-155.dat	UPX
behavioral2/files/0x000700000002326f-160.dat	UPX
behavioral2/memory/1664-161-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/916-170-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/files/0x0007000000023271-169.dat	UPX
behavioral2/files/0x0007000000023275-185.dat	UPX
behavioral2/files/0x0007000000023277-192.dat	UPX
behavioral2/files/0x0007000000023279-200.dat	UPX
behavioral2/files/0x000700000002327c-208.dat	UPX
behavioral2/files/0x000700000002327e-218.dat	UPX
behavioral2/files/0x0007000000023282-233.dat	UPX
behavioral2/files/0x0007000000023284-241.dat	UPX
behavioral2/files/0x0007000000023286-248.dat	UPX
behavioral2/memory/4500-250-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/1340-264-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/1212-297-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/2232-306-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/3612-325-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/files/0x00070000000232a8-349.dat	UPX
behavioral2/memory/3260-402-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/2848-437-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4084-391-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/files/0x00070000000232ea-543.dat	UPX
behavioral2/memory/1020-381-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/2880-354-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4888-270-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/files/0x0007000000023288-257.dat	UPX
behavioral2/memory/2480-242-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/files/0x0007000000023280-225.dat	UPX
behavioral2/files/0x00070000000233f9-1375.dat	UPX
behavioral2/files/0x0007000000023409-1422.dat	UPX
behavioral2/files/0x0007000000023273-177.dat	UPX
behavioral2/files/0x0007000000023461-1678.dat	UPX
behavioral2/files/0x0007000000023530-2268.dat	UPX
behavioral2/files/0x0007000000023265-121.dat	UPX
behavioral2/files/0x000700000002325c-80.dat	UPX

Executes dropped EXE 64 IoCs

pid	Process
2264	Ijqmhnko.exe
4836	Icknfcol.exe
4188	Icnklbmj.exe
2996	Jgkdbacp.exe
4968	Jcbdgb32.exe
2972	Jdaaaeqg.exe
3268	Jcgnbaeo.exe
220	Kjccdkki.exe
3672	Kclgmq32.exe
1076	Kjmfjj32.exe
5068	Lklbdm32.exe
3920	Lcggio32.exe
3372	Ldgccb32.exe
2660	Ldipha32.exe
3140	Ljfhqh32.exe
3776	Mkhapk32.exe
3188	Mccfdmmo.exe
3772	Mebcop32.exe
1964	Mmnhcb32.exe
1664	Mkohaj32.exe
916	Mnpabe32.exe
5104	Nlcalieg.exe
1200	Ncofplba.exe
1856	Nmgjia32.exe
4412	Njkkbehl.exe
4100	Neclenfo.exe
2864	Onnmdcjm.exe
4124	Omcjep32.exe
4212	Odmbaj32.exe
2480	Oelolmnd.exe
4500	Ohmhmh32.exe
1032	Pddhbipj.exe
1340	Pecellgl.exe
4888	Pmoiqneg.exe
1800	Phdnngdn.exe
1868	Pmaffnce.exe
1648	Plbfdekd.exe
1212	Pdmkhgho.exe
4956	Pkgcea32.exe
2232	Qemhbj32.exe
5116	Qoelkp32.exe
4324	Qdbdcg32.exe
3612	Aafemk32.exe
336	Aahbbkaq.exe
412	Anobgl32.exe
4328	Ahdged32.exe
2384	Aamknj32.exe
2880	Albpkc32.exe
4036	Alelqb32.exe
1196	Bemqih32.exe
4128	Boeebnhp.exe
1020	Bdbnjdfg.exe
4536	Bnkbcj32.exe
4084	Bllbaa32.exe
1016	Bahkih32.exe
3260	Bhbcfbjk.exe
2992	Bnoknihb.exe
1484	Bheplb32.exe
4748	Cdlqqcnl.exe
4584	Cfkmkf32.exe
2848	Cbbnpg32.exe
4236	Cnindhpg.exe
964	Cohkokgj.exe
840	Cdecgbfa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ipeeobbe.exe	Iikmbh32.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Fallih32.dll	Heegad32.exe
File opened for modification	C:\Windows\SysWOW64\Icnklbmj.exe	Icknfcol.exe
File created	C:\Windows\SysWOW64\Koajmepf.exe	Khgbqkhj.exe
File created	C:\Windows\SysWOW64\Hghklqmm.dll	Kiikpnmj.exe
File created	C:\Windows\SysWOW64\Bmladm32.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Cpogkhnl.exe	Cienon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmadco32.exe	Domdjj32.exe
File created	C:\Windows\SysWOW64\Omcjep32.exe	Onnmdcjm.exe
File opened for modification	C:\Windows\SysWOW64\Pddhbipj.exe	Ohmhmh32.exe
File created	C:\Windows\SysWOW64\Lfjfecno.exe	Lopmii32.exe
File created	C:\Windows\SysWOW64\Jencdebl.dll	Lgibpf32.exe
File opened for modification	C:\Windows\SysWOW64\Boihcf32.exe	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Dpkmal32.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Ngckdnpn.dll	Gnpphljo.exe
File opened for modification	C:\Windows\SysWOW64\Kjccdkki.exe	Jcgnbaeo.exe
File opened for modification	C:\Windows\SysWOW64\Ephbhd32.exe	Ejojljqa.exe
File created	C:\Windows\SysWOW64\Ekfkeh32.dll	Keimof32.exe
File created	C:\Windows\SysWOW64\Aooold32.dll	Lopmii32.exe
File opened for modification	C:\Windows\SysWOW64\Nceefd32.exe	Nfaemp32.exe
File created	C:\Windows\SysWOW64\Kfcfimfi.dll	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Edeeci32.exe	Enkmfolf.exe
File created	C:\Windows\SysWOW64\Jlbejloe.exe	Iehmmb32.exe
File created	C:\Windows\SysWOW64\Icembg32.dll	Egnajocq.exe
File created	C:\Windows\SysWOW64\Pfkbfh32.dll	Anobgl32.exe
File created	C:\Windows\SysWOW64\Ghkogl32.dll	Mokmdh32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpoihnl.exe	Lpfgmnfp.exe
File created	C:\Windows\SysWOW64\Kcidmkpq.exe	Jnlkedai.exe
File opened for modification	C:\Windows\SysWOW64\Kcidmkpq.exe	Jnlkedai.exe
File created	C:\Windows\SysWOW64\Nmdkcj32.dll	Lancko32.exe
File created	C:\Windows\SysWOW64\Jobfelii.dll	Jcanll32.exe
File opened for modification	C:\Windows\SysWOW64\Nlcalieg.exe	Mnpabe32.exe
File created	C:\Windows\SysWOW64\Ondhkbee.dll	Ekjded32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmlla32.exe	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Mkhapk32.exe	Ljfhqh32.exe
File created	C:\Windows\SysWOW64\Jhdnigno.dll	Icknfcol.exe
File opened for modification	C:\Windows\SysWOW64\Kflide32.exe	Koaagkcb.exe
File opened for modification	C:\Windows\SysWOW64\Mfchlbfd.exe	Mqfpckhm.exe
File opened for modification	C:\Windows\SysWOW64\Fqphic32.exe	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Eiokinbk.exe	Emhkdmlg.exe
File opened for modification	C:\Windows\SysWOW64\Agdcpkll.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Ndikch32.dll	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Bdbbme32.dll	Ckpamabg.exe
File created	C:\Windows\SysWOW64\Fmplqd32.dll	Lcgpni32.exe
File created	C:\Windows\SysWOW64\Bpcaaeme.dll	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Apaadpng.exe	Akdilipp.exe
File created	C:\Windows\SysWOW64\Emcnmpcj.dll	Geohklaa.exe
File created	C:\Windows\SysWOW64\Igpoaebh.dll	Pecellgl.exe
File created	C:\Windows\SysWOW64\Ggpcfd32.dll	Ebimgcfi.exe
File created	C:\Windows\SysWOW64\Ljcpchlo.dll	Igfclkdj.exe
File created	C:\Windows\SysWOW64\Akkffkhk.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Ahofoogd.exe	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Icnklbmj.exe	Icknfcol.exe
File opened for modification	C:\Windows\SysWOW64\Ncnofeof.exe	Nmdgikhi.exe
File created	C:\Windows\SysWOW64\Gmbjqfjb.dll	Nfaemp32.exe
File created	C:\Windows\SysWOW64\Enalem32.dll	Ipihpkkd.exe
File created	C:\Windows\SysWOW64\Enpmld32.exe	Emoadlfo.exe
File created	C:\Windows\SysWOW64\Bemqih32.exe	Alelqb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnindhpg.exe	Cbbnpg32.exe
File created	C:\Windows\SysWOW64\Gemkelcd.exe	Gppcmeem.exe
File created	C:\Windows\SysWOW64\Fbjieo32.dll	Baannc32.exe
File created	C:\Windows\SysWOW64\Ipgkjlmg.exe	Ieagmcmq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10720	10532	WerFault.exe	503

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdafpj32.dll"	Kclgmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aahbbkaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjbog32.dll"	Jikoopij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njjmni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacdhhjj.dll"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodlgn32.dll"	Gokbgpeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmhijd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgkdbacp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Domdjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcanll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbmjjno.dll"	Kjblje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipbaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipihpkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jafdcbge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmgjia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklenm32.dll"	Phdnngdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgkmgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqobhgmh.dll"	Mqjbddpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngmnjok.dll"	Qjffpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daeifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pddhbipj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flfkkhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlepcdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doojec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpnoncim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mokmdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll"	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edommp32.dll"	Ebgpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfhndpol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjdqmng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nglhld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncofplba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pecellgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qoelkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfeip32.dll"	Cohkokgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcegclgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iplkpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgkfnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhafkok.dll"	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ondhkbee.dll"	Ekjded32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkohaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bllbaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddligq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hidgai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppadalgj.dll"	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpeipb32.dll"	Amkhmoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hankellh.dll"	Ijqmhnko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dolqpa32.dll"	Lfjfecno.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2264	2148	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe	90
PID 2148 wrote to memory of 2264	2148	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe	90
PID 2148 wrote to memory of 2264	2148	986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe	90
PID 2264 wrote to memory of 4836	2264	Ijqmhnko.exe	91
PID 2264 wrote to memory of 4836	2264	Ijqmhnko.exe	91
PID 2264 wrote to memory of 4836	2264	Ijqmhnko.exe	91
PID 4836 wrote to memory of 4188	4836	Icknfcol.exe	92
PID 4836 wrote to memory of 4188	4836	Icknfcol.exe	92
PID 4836 wrote to memory of 4188	4836	Icknfcol.exe	92
PID 4188 wrote to memory of 2996	4188	Icnklbmj.exe	93
PID 4188 wrote to memory of 2996	4188	Icnklbmj.exe	93
PID 4188 wrote to memory of 2996	4188	Icnklbmj.exe	93
PID 2996 wrote to memory of 4968	2996	Jgkdbacp.exe	94
PID 2996 wrote to memory of 4968	2996	Jgkdbacp.exe	94
PID 2996 wrote to memory of 4968	2996	Jgkdbacp.exe	94
PID 4968 wrote to memory of 2972	4968	Jcbdgb32.exe	95
PID 4968 wrote to memory of 2972	4968	Jcbdgb32.exe	95
PID 4968 wrote to memory of 2972	4968	Jcbdgb32.exe	95
PID 2972 wrote to memory of 3268	2972	Jdaaaeqg.exe	96
PID 2972 wrote to memory of 3268	2972	Jdaaaeqg.exe	96
PID 2972 wrote to memory of 3268	2972	Jdaaaeqg.exe	96
PID 3268 wrote to memory of 220	3268	Jcgnbaeo.exe	97
PID 3268 wrote to memory of 220	3268	Jcgnbaeo.exe	97
PID 3268 wrote to memory of 220	3268	Jcgnbaeo.exe	97
PID 220 wrote to memory of 3672	220	Kjccdkki.exe	98
PID 220 wrote to memory of 3672	220	Kjccdkki.exe	98
PID 220 wrote to memory of 3672	220	Kjccdkki.exe	98
PID 3672 wrote to memory of 1076	3672	Kclgmq32.exe	99
PID 3672 wrote to memory of 1076	3672	Kclgmq32.exe	99
PID 3672 wrote to memory of 1076	3672	Kclgmq32.exe	99
PID 1076 wrote to memory of 5068	1076	Kjmfjj32.exe	100
PID 1076 wrote to memory of 5068	1076	Kjmfjj32.exe	100
PID 1076 wrote to memory of 5068	1076	Kjmfjj32.exe	100
PID 5068 wrote to memory of 3920	5068	Lklbdm32.exe	101
PID 5068 wrote to memory of 3920	5068	Lklbdm32.exe	101
PID 5068 wrote to memory of 3920	5068	Lklbdm32.exe	101
PID 3920 wrote to memory of 3372	3920	Lcggio32.exe	102
PID 3920 wrote to memory of 3372	3920	Lcggio32.exe	102
PID 3920 wrote to memory of 3372	3920	Lcggio32.exe	102
PID 3372 wrote to memory of 2660	3372	Ldgccb32.exe	103
PID 3372 wrote to memory of 2660	3372	Ldgccb32.exe	103
PID 3372 wrote to memory of 2660	3372	Ldgccb32.exe	103
PID 2660 wrote to memory of 3140	2660	Ldipha32.exe	104
PID 2660 wrote to memory of 3140	2660	Ldipha32.exe	104
PID 2660 wrote to memory of 3140	2660	Ldipha32.exe	104
PID 3140 wrote to memory of 3776	3140	Ljfhqh32.exe	105
PID 3140 wrote to memory of 3776	3140	Ljfhqh32.exe	105
PID 3140 wrote to memory of 3776	3140	Ljfhqh32.exe	105
PID 3776 wrote to memory of 3188	3776	Mkhapk32.exe	106
PID 3776 wrote to memory of 3188	3776	Mkhapk32.exe	106
PID 3776 wrote to memory of 3188	3776	Mkhapk32.exe	106
PID 3188 wrote to memory of 3772	3188	Mccfdmmo.exe	107
PID 3188 wrote to memory of 3772	3188	Mccfdmmo.exe	107
PID 3188 wrote to memory of 3772	3188	Mccfdmmo.exe	107
PID 3772 wrote to memory of 1964	3772	Mebcop32.exe	108
PID 3772 wrote to memory of 1964	3772	Mebcop32.exe	108
PID 3772 wrote to memory of 1964	3772	Mebcop32.exe	108
PID 1964 wrote to memory of 1664	1964	Mmnhcb32.exe	109
PID 1964 wrote to memory of 1664	1964	Mmnhcb32.exe	109
PID 1964 wrote to memory of 1664	1964	Mmnhcb32.exe	109
PID 1664 wrote to memory of 916	1664	Mkohaj32.exe	110
PID 1664 wrote to memory of 916	1664	Mkohaj32.exe	110
PID 1664 wrote to memory of 916	1664	Mkohaj32.exe	110
PID 916 wrote to memory of 5104	916	Mnpabe32.exe	111

C:\Users\Admin\AppData\Local\Temp\986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe
"C:\Users\Admin\AppData\Local\Temp\986576561673ef2fbc28efca5be5e42d3b26a087f06934addf4b58f4e45e20b0.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\Ijqmhnko.exe
  C:\Windows\system32\Ijqmhnko.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\Icknfcol.exe
    C:\Windows\system32\Icknfcol.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\SysWOW64\Icnklbmj.exe
      C:\Windows\system32\Icnklbmj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4188
    - - C:\Windows\SysWOW64\Jgkdbacp.exe
        
        C:\Windows\system32\Jgkdbacp.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\SysWOW64\Jcbdgb32.exe
        
        C:\Windows\system32\Jcbdgb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Jdaaaeqg.exe
        
        C:\Windows\system32\Jdaaaeqg.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Jcgnbaeo.exe
        
        C:\Windows\system32\Jcgnbaeo.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Kjccdkki.exe
        
        C:\Windows\system32\Kjccdkki.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Kclgmq32.exe
        
        C:\Windows\system32\Kclgmq32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Kjmfjj32.exe
        
        C:\Windows\system32\Kjmfjj32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Lklbdm32.exe
        
        C:\Windows\system32\Lklbdm32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Lcggio32.exe
        
        C:\Windows\system32\Lcggio32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Ldgccb32.exe
        
        C:\Windows\system32\Ldgccb32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Ldipha32.exe
        
        C:\Windows\system32\Ldipha32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Ljfhqh32.exe
        
        C:\Windows\system32\Ljfhqh32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Mkhapk32.exe
        
        C:\Windows\system32\Mkhapk32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Mccfdmmo.exe
        
        C:\Windows\system32\Mccfdmmo.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Mebcop32.exe
        
        C:\Windows\system32\Mebcop32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Mmnhcb32.exe
        
        C:\Windows\system32\Mmnhcb32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Mkohaj32.exe
        
        C:\Windows\system32\Mkohaj32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Mnpabe32.exe
        
        C:\Windows\system32\Mnpabe32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Nlcalieg.exe
        
        C:\Windows\system32\Nlcalieg.exe
        23⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Ncofplba.exe
        
        C:\Windows\system32\Ncofplba.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Nmgjia32.exe
        
        C:\Windows\system32\Nmgjia32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Njkkbehl.exe
        
        C:\Windows\system32\Njkkbehl.exe
        26⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Neclenfo.exe
        
        C:\Windows\system32\Neclenfo.exe
        27⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Onnmdcjm.exe
        
        C:\Windows\system32\Onnmdcjm.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\Omcjep32.exe
        
        C:\Windows\system32\Omcjep32.exe
        29⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\SysWOW64\Odmbaj32.exe
        
        C:\Windows\system32\Odmbaj32.exe
        30⤵
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Oelolmnd.exe
        
        C:\Windows\system32\Oelolmnd.exe
        31⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Ohmhmh32.exe
        
        C:\Windows\system32\Ohmhmh32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Pddhbipj.exe
        
        C:\Windows\system32\Pddhbipj.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Pecellgl.exe
        
        C:\Windows\system32\Pecellgl.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        35⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Phdnngdn.exe
        
        C:\Windows\system32\Phdnngdn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Pmaffnce.exe
        
        C:\Windows\system32\Pmaffnce.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Plbfdekd.exe
        
        C:\Windows\system32\Plbfdekd.exe
        38⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\Pdmkhgho.exe
        
        C:\Windows\system32\Pdmkhgho.exe
        39⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Pkgcea32.exe
        
        C:\Windows\system32\Pkgcea32.exe
        40⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Qemhbj32.exe
        
        C:\Windows\system32\Qemhbj32.exe
        41⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\Qoelkp32.exe
        
        C:\Windows\system32\Qoelkp32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Qdbdcg32.exe
        
        C:\Windows\system32\Qdbdcg32.exe
        43⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Aafemk32.exe
        
        C:\Windows\system32\Aafemk32.exe
        44⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Aahbbkaq.exe
        
        C:\Windows\system32\Aahbbkaq.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Anobgl32.exe
        
        C:\Windows\system32\Anobgl32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\Ahdged32.exe
        
        C:\Windows\system32\Ahdged32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Aamknj32.exe
        
        C:\Windows\system32\Aamknj32.exe
        48⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Albpkc32.exe
        
        C:\Windows\system32\Albpkc32.exe
        49⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\Alelqb32.exe
        
        C:\Windows\system32\Alelqb32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        51⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\Boeebnhp.exe
        
        C:\Windows\system32\Boeebnhp.exe
        52⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Bdbnjdfg.exe
        
        C:\Windows\system32\Bdbnjdfg.exe
        53⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        54⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Bahkih32.exe
        
        C:\Windows\system32\Bahkih32.exe
        56⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        58⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        59⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        61⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        65⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        66⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        67⤵
        
        PID:952
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        68⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        70⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        71⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        72⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        74⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Ebgpad32.exe
        
        C:\Windows\system32\Ebgpad32.exe
        76⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        77⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Ebimgcfi.exe
        
        C:\Windows\system32\Ebimgcfi.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        79⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        81⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        82⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        83⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        84⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        85⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Fmfgek32.exe
        
        C:\Windows\system32\Fmfgek32.exe
        86⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        87⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        88⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        89⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        90⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        91⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3384
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        93⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        94⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        95⤵
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        96⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        97⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        98⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        99⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        100⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        101⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        102⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        103⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        104⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        105⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        106⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        107⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        108⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        110⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        111⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        112⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        113⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        114⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        115⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        116⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        117⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        119⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        120⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        122⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        123⤵
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6208
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        125⤵
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        126⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        127⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        128⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        129⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        130⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        131⤵
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        132⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        133⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        135⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        136⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        138⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        139⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        140⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        142⤵
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        143⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        145⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7156
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        147⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        148⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        149⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        150⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        151⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        153⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        154⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        155⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        156⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        157⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        158⤵
        Drops file in System32 directory
        
        PID:6928
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        159⤵
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        160⤵
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        161⤵
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        162⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        165⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3156
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        167⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        168⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6924
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        170⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        171⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6316
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        173⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        174⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        175⤵
        
        PID:260
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        176⤵
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        177⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        178⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        179⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6816
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        181⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6292
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        183⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        184⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        186⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        187⤵
        Drops file in System32 directory
        
        PID:6964
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7204
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        189⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        190⤵
        Drops file in System32 directory
        
        PID:7272
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7316
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        192⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        193⤵
        Modifies registry class
        
        PID:7392
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        194⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        195⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        196⤵
        Drops file in System32 directory
        
        PID:7520
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        197⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7612
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        199⤵
        Drops file in System32 directory
        
        PID:7656
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        200⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        201⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7784
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        203⤵
        Drops file in System32 directory
        
        PID:7824
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        204⤵
        Drops file in System32 directory
        
        PID:7872
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        205⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        206⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        207⤵
        Drops file in System32 directory
        
        PID:8024
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8064
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        209⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        210⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        211⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        212⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7324
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        214⤵
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        215⤵
        Drops file in System32 directory
        
        PID:7464
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        216⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7620
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7680
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        219⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7808
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        221⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        222⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        223⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        224⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        225⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7304
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        227⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7556
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        229⤵
        Drops file in System32 directory
        
        PID:7672
        
        C:\Windows\SysWOW64\Edeeci32.exe
        
        C:\Windows\system32\Edeeci32.exe
        230⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        231⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        232⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        233⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        234⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        235⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        236⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        237⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        238⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        239⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        240⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7652
        
        C:\Windows\SysWOW64\Fganqbgg.exe
        
        C:\Windows\system32\Fganqbgg.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7236
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        243⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8200
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8240
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        246⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        247⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        248⤵
        Drops file in System32 directory
        
        PID:8360
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        249⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        250⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        251⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        252⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        253⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        254⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        255⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        256⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        257⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        258⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        259⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        260⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        261⤵
        Drops file in System32 directory
        
        PID:8908
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8948
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8984
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        264⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        265⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        266⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        267⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        268⤵
        Modifies registry class
        
        PID:9172
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        269⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        270⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        271⤵
        Drops file in System32 directory
        
        PID:8288
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        272⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        273⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        274⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7804
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        275⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        276⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        277⤵
        Drops file in System32 directory
        
        PID:8696
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        278⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        279⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8848
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        280⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        281⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        282⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        283⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        284⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        285⤵
        Modifies registry class
        
        PID:8232
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        286⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        287⤵
        Modifies registry class
        
        PID:8456
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8520
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        289⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        290⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        291⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        292⤵
        Modifies registry class
        
        PID:9016
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        293⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        294⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7960
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8376
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        296⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        297⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        298⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        299⤵
        Drops file in System32 directory
        
        PID:9112
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1764
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        301⤵
        
        PID:972
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        302⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        303⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        304⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        305⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        306⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        307⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        308⤵
        Modifies registry class
        
        PID:9256
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        309⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        310⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        311⤵
        Drops file in System32 directory
        
        PID:9368
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        312⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        313⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9440
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        314⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9480
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        315⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9524
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        316⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9560
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        317⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        318⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        319⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        320⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9724
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        321⤵
        Modifies registry class
        
        PID:9768
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        322⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        323⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        324⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        325⤵
        Modifies registry class
        
        PID:9932
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        326⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9972
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        327⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10012
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        328⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        329⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        330⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        331⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        332⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        333⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        334⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        335⤵
        Modifies registry class
        
        PID:9364
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        336⤵
        Modifies registry class
        
        PID:9400
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        337⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        338⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        339⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        340⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        341⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        342⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        343⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9804
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        344⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        345⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9944
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        346⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        347⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        348⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        349⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        350⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        351⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9316
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        352⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        353⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        354⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        355⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        356⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8420
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        357⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9760
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        358⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        359⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10004
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        360⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        361⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        362⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        363⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        364⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        365⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        366⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        367⤵
        Drops file in System32 directory
        
        PID:10124
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        368⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        369⤵
        Drops file in System32 directory
        
        PID:9636
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        370⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        371⤵
        Drops file in System32 directory
        
        PID:9236
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        372⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        373⤵
        
        PID:324
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        374⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        375⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        376⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        377⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        378⤵
        Modifies registry class
        
        PID:10316
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        379⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        380⤵
        Modifies registry class
        
        PID:10392
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        381⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10432
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        382⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        383⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        384⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        385⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        386⤵
        Modifies registry class
        
        PID:10632
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        387⤵
        Modifies registry class
        
        PID:10664
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        388⤵
        Drops file in System32 directory
        
        PID:10708
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        389⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        390⤵
        
        PID:10788
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        391⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10828
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        392⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        393⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        394⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        395⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        396⤵
        Modifies registry class
        
        PID:11020
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        397⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:11060
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        398⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11096
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        399⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        400⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        401⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        402⤵
        
        PID:11248
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        403⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        404⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10324
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        405⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        406⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        407⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10532 -s 400
        408⤵
        Program crash
        
        PID:10720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 10532 -ip 10532
1⤵
PID:10648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:10852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Albpkc32.exe

Filesize
377KB

MD5
5ca39c50e0aa8884229a1f0e59cb375b

SHA1
029940a11643bdd02f5b566148a585c2b8e7b070

SHA256
464a2d4121abb10708c3482a933a72b7e3effc48ca274b1783d6a79f317f2a98

SHA512
6da857df1ce94d73dcf0024efb8f86e893358b802a7e9223ab918068605bba8340f6d822bf1ab18f9480f7e71b5e0ca1ab2ca5facb8ec5ac4fdfead2fa0b1672

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
377KB

MD5
b9c3645a2bd0f03a62997f286c03e14d

SHA1
d356b994e1f29f770baf7c354c884b5656b55942

SHA256
d67eb79d2b7bf69c36682387149590cab0ceb3a24bf8ea58dc042748cf008f80

SHA512
65278f976c0cb8ed74ed0e31c774c95d6de5a6e60536450ab501d41004d95739ada35a77f5fe3d081b39a615e09efdc3cb683f9cec059bb12427c54d98e413fd

Download Submit
C:\Windows\SysWOW64\Dhikci32.exe

Filesize
377KB

MD5
e0037902ec3d3291f50c878043129c29

SHA1
fdadc4e85b8e920c14a8048a93ccf8cfae2e78dc

SHA256
f058d42d1ccca59e79c8aee67f9e802d4d4a739393a8bb6762b9a7d6b1ef6405

SHA512
5625a2c7f0b433050840e8759990405cade23d2bda56adcfaa156e593b9be89b82358ea1c204adab51df658511a67d6e44d72fc4e0dba83cb9be9a7da58efad6

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
377KB

MD5
034197582a8efe7010330f2045f0fbe7

SHA1
dc970db1f78cddf10d9f33fc95eb764002e370ee

SHA256
988aed261da55a4daa80a9350ae07d4e42ead4287e18eae81ee8d3bfa5ac7e81

SHA512
033e218b6582047315e0b8140c63488d0e4b6e627333c55ef7b9f6cfb5d1534e4e12e268c799959fa2f3c60ddc313b52e8e603a9e3359c223cd91c272f506faa

Download Submit
C:\Windows\SysWOW64\Eppjfgcp.exe

Filesize
377KB

MD5
526fc048452b078c8ee4b57abfae7966

SHA1
33cab3937bd3fc242506700cdc64a14511f5c8f7

SHA256
15868772a912f6fb985c79f8fac64ac2a67022746fe38a3e2acb338cd460ca33

SHA512
4721e70edb46c41b1b052a9b879adda1e44b096de94e88e7984b3574fd8cf480bcfe30cfa3fd14bc6f98d99011a138c54fce9e5d80b056b346ecc4cf9c127c45

Download Submit
C:\Windows\SysWOW64\Hemmac32.exe

Filesize
377KB

MD5
ea34e9a13ea8b53a892510f73784cfc5

SHA1
4e42bc8baad556d7e21ad3af4d0a2e085f68dc74

SHA256
ebe149cfe3c7b6a6d74b97d638ed3a62ae2e222e282f9ab70669bcf259891a2c

SHA512
24df3dd0a1dd5ec84910c62d1e5ff5a8fbcc37a40c61b8bb0183ab57b0a5911c599fb5c092f7bce25f9ba0cbd8ca224e39e22ce22f631ad455b9107f855a08f9

Download Submit
C:\Windows\SysWOW64\Icknfcol.exe

Filesize
377KB

MD5
12136aa383387c9030913786b582c66f

SHA1
db6fbac4eb65e82353e999842be21fc08d9f9725

SHA256
7923c661b7c85112065a980b3437e7e60878ddea0df7119d8105d07a0292fe12

SHA512
9c3b38ea4702067ddf20d7bb0ab0bc640e9a6251a52019e353d38ccd2af64e791a4a001644e6a333e45e38a5ef8c7db89b10819c6a0ecbad4b015657b8db5cb6

Download Submit
C:\Windows\SysWOW64\Icnklbmj.exe

Filesize
377KB

MD5
0e9e0377a5ef4165fe0de4c7ca7354eb

SHA1
4cd99aa26c9b2f53b361b7e6a20f8c6b77a4d75a

SHA256
9dbe5a9a1b2244194818c255edbf28327e2377e9dff49caa155e3f411f570153

SHA512
ba2f3c8ba4d5cbbe81700a476808e7d9c44cdb96c7d78a94d0975cd0ab291ec52c38e160ffc58c829807d8c68f3eafec56a4a1ea156ba5214a0b1928b6dd89d4

Download Submit
C:\Windows\SysWOW64\Ijqmhnko.exe

Filesize
377KB

MD5
0f1cd1832847a59cfd53f5f721fe9ab3

SHA1
4e8e40c8e0f55a71a93e8e6246039afa4bf4fce9

SHA256
6a6592023c12a9bd9052311374f17f57d678b1fffb7d9f0fb7c87f6eac1e253c

SHA512
f113b42632ddc8711b31680bab00bb3fba75a0672995e9f92959eec4f2aa3047279a5f38ae9469f637fd555c01defb06bf6af31d59a2cabe2be7cdec559000df

Download Submit
C:\Windows\SysWOW64\Jcbdgb32.exe

Filesize
377KB

MD5
64c97dd9c7260aa716a375e7f3d66b17

SHA1
55ed9a4d9af63100430141646179156fcc1e2861

SHA256
02a805debf6834e8b3a3f3b293946356d44db34367b3c7560ca6a2fe3d0477c6

SHA512
bd57c86fc7c98f12dc7eee64321e746c5c3588c6970857032f167d843457126a7245e344950509513b5c93b7b30a54c0061adc595c8b9f6e4ff7169f280af65b

Download Submit
C:\Windows\SysWOW64\Jcgnbaeo.exe

Filesize
377KB

MD5
8b4ad01b3cb0a16bfb1bbefaf931e9bc

SHA1
569fc9314f1c1c74acd3fce628abf29ae523863c

SHA256
c750cc9f54ca538d989dd125b05f9f8d426fa4f9e0ad9aac9ab52648d02952b4

SHA512
73640be3264ef9ab4f016164fd6747cf5116f7001ec9879e5397a882a97dae5ff343f6fbcfd4e86a110bc0d7d7d561fd2e50fbe2a6da5246233c752a87e262ba

Download Submit
C:\Windows\SysWOW64\Jdaaaeqg.exe

Filesize
377KB

MD5
ef5fc986b39b5ddcc103dc21db3e69ce

SHA1
6a488857f65289f18b5fa7652bc85ca83953df9f

SHA256
9dce270583d438235310c9c9bc66dd95417e756777470944b427d4dfff7ba6b1

SHA512
1ed308e90d7b9dbb0182d1e4541db353999c21bb0a6d499ead3584115b7c831697ebee2de727c22a337bb06ea1613d0fbdb0e0d47a0a61f1d8bbda7e415f9f62

Download Submit
C:\Windows\SysWOW64\Jgkdbacp.exe

Filesize
377KB

MD5
3511978bf83b47517c6c6f27ede82a74

SHA1
6a35959ef759b7e0db783b4b9c6d960b48d42896

SHA256
ba63eca78316e5a6538b32af2b21f3b8cc8d8b292f639da5f9912f9486617f7e

SHA512
196dc3ccd7bdbbd0800202877e43fa5a2710f99f8e665979d9a85bc28f46253d16a9486addc685b2f79487a6226003c72703b06cd18d40ad3874361359115ec7

Download Submit
C:\Windows\SysWOW64\Kclgmq32.exe

Filesize
377KB

MD5
3d7750144cf807803a801737d22b4a50

SHA1
4d00b4969d4e8f5e8d52ca407fa9126625bee5a8

SHA256
578521fd0fd97bab6ff99567ca3c465e6a61474090e703903b1825aee0d71ffa

SHA512
b999c8926eadc9d8a752c2b9f0824dcc0f2189e5e1ce23196d0003025a0f801b8c40231f4fdfaea65a419e165a92dce8b1b724ee245b81f20bc1b2080a88ec10

Download Submit
C:\Windows\SysWOW64\Kjccdkki.exe

Filesize
377KB

MD5
65d79741b96fb9d3bbc84eaa5271b664

SHA1
b8bb8f59b139b1159971124c3754df968c16a991

SHA256
e5562745cb0638ade472bc6c52519381ddb39fba67b8b4acc9209ac328939ade

SHA512
80003303363dfd402a9cd2781c8ee034c7c427a69785ef24c6e9bdf4f14ea0df89be28046329fb784b517dfab3251e444d9119b1dd47428edcba66820a635379

Download Submit
C:\Windows\SysWOW64\Kjmfjj32.exe

Filesize
377KB

MD5
d1d45eb3b53e9743f6e98130e1468c00

SHA1
db3db7990060de698bf5b6f15b3e30afaea5bdb6

SHA256
1a6a1a1e0e82a2e3157941f458d7ab8cae350ef68c74efe4b10bc538978e1f5a

SHA512
7cceaf46d5f2cf89535cc502f8ea10eff90621fe4466270b8bd92500e751778284eb7dc0512ec4121763d7a8099c43bd63450d297947f8a1aecd1346e5f6f1ad

Download Submit
C:\Windows\SysWOW64\Lcggio32.exe

Filesize
192KB

MD5
18f36690130b4ead2ca94a4d46033e94

SHA1
e61057ca591ce9010fb1e8733244d21ed3d859e6

SHA256
e9c92a656a19ff4e75321d9ca6d305a46039f61391381e98a8612e07cbd84783

SHA512
d89ab3a2e51046a61428afe6727b2e551836a223d17ffce3f15ad053558ca849ffb7c6555e9c06a24c3dcb9c001fcc6e9a9421cbd81152f03d65300e3a876a66

Download Submit
C:\Windows\SysWOW64\Lcggio32.exe

Filesize
377KB

MD5
94fc9aaccbeaecc1f2dca1f4552ed90b

SHA1
43c09897857a85a11e4a5a44662bc116ca1deb5a

SHA256
325bfcd6e9a0cac4fc251bfedf3a7e2002a211cfbb68a17cb8023d86534eb413

SHA512
f2bf1cfeb4f3703a6ced55e1d06f6699862065191faac3312cf514c18dcf85c58781d310a21334af5fff3f6956a7020a12203271c6a8be9aa099a74d8b212221

Download Submit
C:\Windows\SysWOW64\Ldipha32.exe

Filesize
377KB

MD5
4fea2f995a1949c5019f0fa241f9939e

SHA1
a60c4590c1acb8cae445ce71d282d431831699f3

SHA256
54bbac8819cce1ca07bc9eebfd18725541e41c8ece683e8c5769b8426e045bae

SHA512
d3cc784e0ece381b6a39a76a18371eb67190bbe8efc1e7ca186452ab247625d36bf8c234fc17f6a61c6ff8605af2213b4d0944687bf23528c5bf63d80370a457

Download Submit
C:\Windows\SysWOW64\Ldipha32.exe

Filesize
377KB

MD5
8d9b34377590e22802d58f5e99be7f7d

SHA1
2e10bb0d93bbc8f1dd7e6ea2d799aea3a0f98ec1

SHA256
65514bade21da707fbd2d372b768363b617d72640f8db9b97350496b6b488bbc

SHA512
60d0fe68d4f349fbd4f781adb0cc2c6f799c1fe18696ba7073b418bcb7f7b83da19b982c47246a3419111086de9d82d7c2f49ad2c4d39356ba0465cabb139574

Download Submit
C:\Windows\SysWOW64\Ldipha32.exe

Filesize
192KB

MD5
82be5bbd75b1dc310404921a750787f4

SHA1
b64d881facd27195caa4889b6e6b5b73fd256163

SHA256
a25e2f24bd0ff8f24cf9431f294f1fdbcf5eb45599738106eabd8332dd4880b8

SHA512
122a8b99c7b5c1d109c576a98041704150ed29b1cb07d8b167f99fd3a65a6a996332f69d963230607b72094a845cbba93aeb8a7baba2f09f5bddb36dbbe5d16a

Download Submit
C:\Windows\SysWOW64\Ljfhqh32.exe

Filesize
377KB

MD5
379d7190b81467dc149bfcc384fd137b

SHA1
d9f494e7a653fd5d1cd91dca8849c14e6a5df524

SHA256
7fb79b4c88c15e96f6e606276ffcf796f54d9523971d049929cd4d4b5469e368

SHA512
d06c63edf802ac917f73dd1c26bf583975716665b25ba3a49f934aabfae182edff53d98fde6e379309d1eb1a03f2b50b18f578e2094147b9cd7900fcd6cbf154

Download Submit
C:\Windows\SysWOW64\Lklbdm32.exe

Filesize
377KB

MD5
3517060a6b7cca2c4ef7638afd070d89

SHA1
7ca8ae28b941d75e8949e76a5f5a56bd2390626e

SHA256
0793ab7ce8b56115107f6654e2684af556f1a4ce1880ba9d292d1c4d220a4ecb

SHA512
d1453512b36e2a3b9cb7b91235bb1b347ef71c3fcf8b6189e2a1406a7590528d154403106a8bbf089898631cc347fb26a6af1a23d07c9c4af24ccc19f1c01765

Download Submit
C:\Windows\SysWOW64\Mccfdmmo.exe

Filesize
377KB

MD5
e325391d393e71355866729d2041be45

SHA1
1943743c4dcd9220be28d65a9242aab89d23a6e7

SHA256
588f30373e63a877151b463fbc8a0d5a06cfb88bc6a567fb515a88964e02a325

SHA512
af24ab1e9a3da91ea29d386a9442354c45ed1e4a4b68ce2957d336493fc68e41011a33fe1cce89df7ca5e5e794b9cfb999341d819ae3bac25a1198b494df4f38

Download Submit
C:\Windows\SysWOW64\Mebcop32.exe

Filesize
377KB

MD5
ee0176c70aa54211c0fc6a687c45a124

SHA1
34d3edc98282ebaa08cb7bebb6191f9984be5515

SHA256
ec462151fc9fbce69ef320e4e0e0904d4c008d6ceb7fce021bcd349268b5759a

SHA512
9e797b9f2e85cd948f7b5a31c2869681207ef97b75795a10bbfdf99a23d7895ed1f36ba38f545b5d0d3127a5803de6829050a7180c2b9b5e6451773722964966

Download Submit
C:\Windows\SysWOW64\Mkhapk32.exe

Filesize
192KB

MD5
3e8a0be9c5a589fe5c12727422590d43

SHA1
2cf88fc006b83cb46c2bd512e27eecc0e4b0f6a5

SHA256
3f09842b00ab0ab2e063066d54764e47be71d8aeb0b844079c4a514dc2906871

SHA512
f79585604e8c7be81b4f23866bbd63e40ac89e1a1ec8e410d0945a7665c1669fc064f6f4ab3c09a9c4e33b483777d584ae2b58555034c90ea9465e6aa3aa10ee

Download Submit
C:\Windows\SysWOW64\Mkhapk32.exe

Filesize
377KB

MD5
64a0d2f87bba2c3efaf6394ec6f0861d

SHA1
76b773fbcb2011ab60271112651400865e81a202

SHA256
f3a3d732a2a6d5b6f8f7bf6105d65397eb3a4e6d0e63ad71756bdc05ab8f1be6

SHA512
b2776cdf4d35818a1d6e0e0885f2c8806eae47e76d315add6e19c1ae9d3df9aee39b18f9f0721b02b0a45d9392049220b1bdcf5bc8138640bb2638de9f0dcb72

Download Submit
C:\Windows\SysWOW64\Mkohaj32.exe

Filesize
377KB

MD5
9aa2766562cc0ed6206a420f3738bdeb

SHA1
545ee0449dda05f6c6300e8ac008ab62d56b9413

SHA256
1b23bbd4d0254a4892aa8dd1bfb89d8a2bc04b27e0b761979bd6536063a5f0d5

SHA512
29002682c17aecda8b068fce42501891db3f57b15b3404623e09d95d788599e91c0913b55eede7c9204586a632ad3a3dbb8172470e74b34904774d06d0b2af90

Download Submit
C:\Windows\SysWOW64\Mkohaj32.exe

Filesize
377KB

MD5
6de0b9b30100925b01dcaa15c9176361

SHA1
8c0ee26cc07d2da24e1054821527010afe55bd28

SHA256
a0dfa1b6a6e86a4e200a830050fb98b9c0030d52d4a5d66cef3ad937e27c4d01

SHA512
b990c31faba0f8cbffc2549d172cf591a2673e8638eb9acf3104b5aa146ad2463e312af96c07c4d5accd0dbd62c0dae4f8617d9ab90fbfe84e722965257944cb

Download Submit
C:\Windows\SysWOW64\Mmnhcb32.exe

Filesize
192KB

MD5
974b9d9f14fcdd704556dc89d4297d6c

SHA1
d1f237ef8770feb2dfc6fb3a69c60bc3c5309c41

SHA256
cb4527baebc267bdd39c2669537c9368f8707dccada5ccac6c6ba6fdc4f85393

SHA512
e7e656fbb91b3832a4fd9687b6e3d00fdfd801b5287d9e3756b4e51ff20499c799b0b06568df762ec5dbd923908b5446b5e3f4fff6ef99b7c4aace90db42fb29

Download Submit
C:\Windows\SysWOW64\Mnpabe32.exe

Filesize
377KB

MD5
7f47d99820c4fd3bcddc8b341c2a2559

SHA1
7792a70860315380e319a7abf2fa3b7d371e1447

SHA256
852631a6b48519988f9e1ed471b1430272cb64aefb26855de6763e810af6d654

SHA512
ffbf6bf1b07279d126f06a4e4f4d437434a04f8784564125d0885e0bb74fb8407d11470c2ad628869dbe5d3f2ae15f533880873d0972b32ee15c8a9d00763553

Download Submit
C:\Windows\SysWOW64\Ncofplba.exe

Filesize
377KB

MD5
cb19d6e5c7565b15c9af7243bc021f24

SHA1
e77454d187fa2699b2729e299ec0223a560220cc

SHA256
c85eb4dba24729d60d8fb3b8692aa99a99952fab4dbd519e0ab5cd4ba5155636

SHA512
c0bea1349e3817d24ca38ed9ce9ca51f76b1f258d7663826ac41a18732dc2dd34b9443f38725ee3d2c995a3e4a627577042b046439226a5abf88604beebdf09a

Download Submit
C:\Windows\SysWOW64\Neclenfo.exe

Filesize
377KB

MD5
bcbcc4e5a57b694cc1aec9e220944f21

SHA1
92f6cf564aa9eb00ddefc3d047c0c2fde939b02f

SHA256
87ba5897cf70ad855cb28178e19c4a3d34a1eafefd8716be204acbbaafd4536d

SHA512
efa4d4190c1a4915e82e031027adba275bc2c5ae252a17b513136f85c62d28b04bf883c844c2280e63592b7eb92acde14dcbf82ffafbb8b6615b2b709d9a6d0d

Download Submit
C:\Windows\SysWOW64\Njkkbehl.exe

Filesize
377KB

MD5
7e9f84f8cd2187fe018e927bd1e99db8

SHA1
d6e3e47a1f8bc5aaa0a7841f8311de027d10f410

SHA256
840b7bcab808dfbbbd9a2b60b2c739507df3be215cac2880efcf90029c70f0c9

SHA512
7754187ebbff8bd1b6a3b66d6858b565b9a69f26a4e0e5702f2051ff701b17e19d095232a2f29ced88a0c5ede082ce5a398addb5d709aa600eb8de95482399f1

Download Submit
C:\Windows\SysWOW64\Nlcalieg.exe

Filesize
192KB

MD5
95755d551abb7590950b849da3e34cf9

SHA1
a07998f1011a125242b932a325cc9ad4f985e961

SHA256
ff2fbdbbd81c07cb61751e30b983a1e0d658d23fadb1d2bd566a94ef51d461e1

SHA512
4608febe4ad3038e041e43ca38f560982e95beb62f51ffbaddcb40e7b925eeec4b72894a622536241c12afde6c12d4a6fe28e4344d6564658caccc89eb57e454

Download Submit
C:\Windows\SysWOW64\Nlcalieg.exe

Filesize
377KB

MD5
e69a439b5a69c08e3022288475eb2679

SHA1
7f48b30aebd39d158e4e7be53f6cc595b1a04dde

SHA256
6035755bc442ef98bd4d739356fea1852c3590c5bff8106b6f513eae242d503d

SHA512
f29b6b42714b9b3a6f383045aff429bd711bd0d69660cacb42b9b51e7d155ebf235e4fa94c95ed3632b6baafa29c46e328937e709c6d17180f5b4f978ee27e53

Download Submit
C:\Windows\SysWOW64\Nmgjia32.exe

Filesize
377KB

MD5
9ac1100d9021520ff41ad7c22e772b80

SHA1
db753263c0b37f3d0c05928a663111e8733f8413

SHA256
b9ed849ddd6ac1ea5995c00b1e4cea2dbeae82305d3bc889dfe49cd34abae9a8

SHA512
4286284d436ce3cc590226f50ff5f56d936695d2ab2c53442eb3e5794aee6ddd9cb6e972200f5b49d81d204dfbabe4cb707b4bf052cd637af960639654680a8e

Download Submit
C:\Windows\SysWOW64\Odmbaj32.exe

Filesize
377KB

MD5
7db847ab66d53c1de77e9f8e5ebc7b74

SHA1
fd56aef2364f66915beee02822e85fc4c3a0f5a1

SHA256
4d2aeb60133e0b56dc321162855d41b2000c3894d4e0fbecea2b2c400474a0a4

SHA512
8956092503c18d3e47fc2f027867f3cf49651aae51d33e8901962275384b4dc212b3f953931c7f2d529a163922058d397e5dad99e86b07225dee1db4cd0373fb

Download Submit
C:\Windows\SysWOW64\Oelolmnd.exe

Filesize
377KB

MD5
a5918f079e5157b8f0df012812d23026

SHA1
03b4ffed8512b1e011f83cd20fc3988ee4c91ea7

SHA256
708a1fb3d67a960a2ab106674e467ca97b7043bf45baa8bd29616d23cf1b7b29

SHA512
2a61b94172fa359a34d46510aa8c632f75d309d29b9a767f5816ac73b86e030edff48519b16d307a92f14b558ba3985cc1bcce7a2400fb1a6eae5d900b434f29

Download Submit
C:\Windows\SysWOW64\Ohmhmh32.exe

Filesize
377KB

MD5
f05c4868fb1266e27cc5166b93063fd2

SHA1
b19f70175d95085ddb34ab2b7d33e297318929dc

SHA256
cd7f26ac63857666cc80f8d822594706bedd2e7566537b96bfca52d8c248d033

SHA512
b039bb41c8dc78e365692a4af6f908da8266265f88f4ae9c1c20b7b0732be9ed08fed498431468f3ae2b6549a8137647878dfcc41049f0afd430ba588026516e

Download Submit
C:\Windows\SysWOW64\Omcjep32.exe

Filesize
192KB

MD5
70a4fbd5f4806fb616ff2243e2e8105b

SHA1
65024e2596f79a5b12d9e72ee3548c2ace19c0ba

SHA256
a29602caed45317456c31a3144496909503822d6acad7f4762582831e3eeaadd

SHA512
bfef3d0d24faaeeffcd10ba8cf4bd98a7184b1870979ebb5d65653ebc57c5dd219fbf8df56f1ddac2b953fccd30ffb8565519c67a7023aca0cfb64d809e4c010

Download Submit
C:\Windows\SysWOW64\Omcjep32.exe

Filesize
377KB

MD5
370fca7fd7f12fee706d245666e873c6

SHA1
273d392e8d2e3b04973f94cb6b8364cc58b7266c

SHA256
dd4d083d9f9ba1b240b25d3e2dc239b784935a67be14bbcd8c215e174469009a

SHA512
e42239d6f9fcdbdbf4224c720a3acbd38c9833fd6ca16e78fd6f808eff69b5235395cc511c316afbdaf64a29b460680c9c7ea10077936b8d011ecfe7511b8329

Download Submit
C:\Windows\SysWOW64\Onnmdcjm.exe

Filesize
377KB

MD5
4140e012c1c1b2470c9f581f9f1f5128

SHA1
88fe6b4656fb4690136c06faa01f82b703cd20df

SHA256
6876eb0ff7dd583c8208b86403f6a949ba403b8b9389a0ddc653cb96b4f65ec5

SHA512
ca9a0c06aab524d01455d91926af029b8e2c1d439e7261e8bdaaed27b4062ddcc4a965eba649dc8959b5799e029b2b40b56b8e5db23961147b248b85a53be0bf

Download Submit
C:\Windows\SysWOW64\Pddhbipj.exe

Filesize
377KB

MD5
755187f2d263e1f3797a44c20a0dd0b4

SHA1
6cb4796a07e4a1f7c27e0eb42262c44af9aae4b3

SHA256
fe39473707de06f5b8ee96d245e15e747663b39f314bbf94d1ba80d642b340fb

SHA512
4cef361eb45e1ae2bc318ca0b682e0bb7a29f39956be3b0a7279a5b97aab614be75e354b7adc4035984111ae080fad5b25c1787a9351427f3edc2de1306bb9d6

Download Submit
memory/220-65-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/336-330-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/412-336-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/916-170-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1016-396-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1020-381-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1032-258-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1076-82-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1196-366-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1200-186-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1212-297-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1340-264-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1484-414-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1648-288-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1664-161-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1800-276-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1856-194-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1868-282-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1964-154-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2148-81-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2148-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2148-1-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2232-306-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2264-8-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2384-348-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2480-242-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2660-114-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2848-437-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2864-217-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2880-354-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2972-49-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2992-408-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2996-33-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3140-122-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3188-138-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3260-402-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3268-61-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3372-106-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3612-325-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3672-73-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3772-146-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3776-129-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3920-98-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4036-360-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4084-391-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4100-210-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4124-230-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4128-372-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4188-24-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4212-234-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4324-318-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4328-342-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4412-202-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4500-250-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4536-384-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4584-426-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4748-420-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4836-16-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4888-270-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4956-300-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4968-41-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5068-90-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5104-178-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5116-312-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads