99e10bfa589131c7cb47c1eba2b637bea6fb3d6bfc105001a1337a1fe0a17494

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 00:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

99e10bfa589131c7cb47c1eba2b637bea6fb3d6bfc105001a1337a1fe0a17494.exe
Size

384KB
MD5

1a82b449bdd3cd96471ccd71c06ffe07
SHA1

e4d6abe884cb05a492a0b011b49ef11756b2e6d7
SHA256

99e10bfa589131c7cb47c1eba2b637bea6fb3d6bfc105001a1337a1fe0a17494
SHA512

a8a734b8f59b0fa5e5d4c44f90ab6decb4513050643a655722b9ef371f9f7f79f51742e50760ecb479aab7d13a906d263fc1c49af730b6670364ab95baab3be6
SSDEEP

6144:WKljA73GrDJwyWExJP4yJw6/eKxSlKKZ74ueKxff0qjwszeX9z6/ojwszeXmOEgn:N1A73GrDJwyWEH4Dlr54ujjgj+HH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imakkfdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecandfpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkalchij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbnafb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffgqqaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdcdbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hofdacke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllpbldb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdeqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hflcbngh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkffog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbdgfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcojed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdgdgnbm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gofkje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkopnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkffog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdnjgmle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gohhpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcmnpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkmlofol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghaliknf.exe

Executes dropped EXE 64 IoCs

pid	Process
228	Ednaqo32.exe
4924	Ekhjmiad.exe
1704	Ecoangbg.exe
3068	Ehljfnpn.exe
4660	Ecandfpd.exe
2060	Ehnglm32.exe
4844	Fdegandp.exe
2028	Fllpbldb.exe
4516	Fkopnh32.exe
212	Fcfhof32.exe
3968	Faihkbci.exe
1352	Fdgdgnbm.exe
4464	Flnlhk32.exe
3024	Fkalchij.exe
1964	Fchddejl.exe
1084	Ffgqqaip.exe
5092	Fdialn32.exe
2372	Flqimk32.exe
4024	Fkciihgg.exe
916	Fooeif32.exe
2940	Fbnafb32.exe
816	Ffimfqgm.exe
4544	Fdlnbm32.exe
4928	Flceckoj.exe
4076	Fkffog32.exe
2240	Fcmnpe32.exe
4000	Ffkjlp32.exe
5088	Fdnjgmle.exe
1356	Glebhjlg.exe
920	Gkhbdg32.exe
4816	Gcojed32.exe
2332	Gbbkaako.exe
224	Gfngap32.exe
1236	Gdqgmmjb.exe
5020	Glhonj32.exe
2148	Gkkojgao.exe
4384	Gofkje32.exe
2216	Gbdgfa32.exe
1496	Gfpcgpae.exe
1552	Gdcdbl32.exe
2988	Ghopckpi.exe
3888	Gkmlofol.exe
4652	Gohhpe32.exe
4740	Gbgdlq32.exe
5044	Gfbploob.exe
3624	Gdeqhl32.exe
3296	Ghaliknf.exe
404	Gkoiefmj.exe
3680	Gokdeeec.exe
4792	Gcfqfc32.exe
3636	Gfembo32.exe
3908	Gdhmnlcj.exe
1884	Gmoeoidl.exe
2896	Gomakdcp.exe
4976	Gblngpbd.exe
3032	Gfgjgo32.exe
548	Hiefcj32.exe
5056	Hmabdibj.exe
2416	Hopnqdan.exe
2024	Hbnjmp32.exe
4968	Hihbijhn.exe
2256	Hmcojh32.exe
3828	Hkfoeega.exe
4572	Hcmgfbhd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hcpclbfa.exe	Hodgkc32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Hhhbcf32.dll	Ffkjlp32.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Hbbdholl.exe	Hcpclbfa.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Gdeqhl32.exe	Gfbploob.exe
File created	C:\Windows\SysWOW64\Imoneg32.exe	Icgjmapi.exe
File opened for modification	C:\Windows\SysWOW64\Ecandfpd.exe	Ehljfnpn.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Hmcojh32.exe	Hihbijhn.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Fcfhof32.exe	Fkopnh32.exe
File created	C:\Windows\SysWOW64\Qegnoi32.dll	Iefioj32.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Ngknngal.dll	Gkhbdg32.exe
File created	C:\Windows\SysWOW64\Hflheb32.dll	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Iihkpg32.exe	Imakkfdg.exe
File created	C:\Windows\SysWOW64\Mibpda32.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gjhilj32.dll	Gfngap32.exe
File created	C:\Windows\SysWOW64\Hmhhehlb.exe	Himldi32.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Gpiaib32.dll	Gkkojgao.exe
File created	C:\Windows\SysWOW64\Iblfnn32.exe	Icifbang.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Hopnqdan.exe	Hmabdibj.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ffimfqgm.exe	Fbnafb32.exe
File created	C:\Windows\SysWOW64\Nghjpm32.dll	Gcojed32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8960	8876	WerFault.exe	383

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkffog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceacpg32.dll"	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjakkfbf.dll"	Iifokh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hodgkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdegandp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcfedla.dll"	Himldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldggoeb.dll"	Fcfhof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbnjmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhoholen.dll"	Ednaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfkgaokd.dll"	Fllpbldb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqcfnjk.dll"	Faihkbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghjpm32.dll"	Gcojed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcfqfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipbdmaah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fchddejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghopckpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkmlofol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacghh32.dll"	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjigbdo.dll"	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gohhpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiefcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Heapdjlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhclbphg.dll"	Fbnafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcbifaej.dll"	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll"	Kepelfam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kefkme32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 228	4264	99e10bfa589131c7cb47c1eba2b637bea6fb3d6bfc105001a1337a1fe0a17494.exe	86
PID 4264 wrote to memory of 228	4264	99e10bfa589131c7cb47c1eba2b637bea6fb3d6bfc105001a1337a1fe0a17494.exe	86
PID 4264 wrote to memory of 228	4264	99e10bfa589131c7cb47c1eba2b637bea6fb3d6bfc105001a1337a1fe0a17494.exe	86
PID 228 wrote to memory of 4924	228	Ednaqo32.exe	87
PID 228 wrote to memory of 4924	228	Ednaqo32.exe	87
PID 228 wrote to memory of 4924	228	Ednaqo32.exe	87
PID 4924 wrote to memory of 1704	4924	Ekhjmiad.exe	88
PID 4924 wrote to memory of 1704	4924	Ekhjmiad.exe	88
PID 4924 wrote to memory of 1704	4924	Ekhjmiad.exe	88
PID 1704 wrote to memory of 3068	1704	Ecoangbg.exe	89
PID 1704 wrote to memory of 3068	1704	Ecoangbg.exe	89
PID 1704 wrote to memory of 3068	1704	Ecoangbg.exe	89
PID 3068 wrote to memory of 4660	3068	Ehljfnpn.exe	90
PID 3068 wrote to memory of 4660	3068	Ehljfnpn.exe	90
PID 3068 wrote to memory of 4660	3068	Ehljfnpn.exe	90
PID 4660 wrote to memory of 2060	4660	Ecandfpd.exe	91
PID 4660 wrote to memory of 2060	4660	Ecandfpd.exe	91
PID 4660 wrote to memory of 2060	4660	Ecandfpd.exe	91
PID 2060 wrote to memory of 4844	2060	Ehnglm32.exe	92
PID 2060 wrote to memory of 4844	2060	Ehnglm32.exe	92
PID 2060 wrote to memory of 4844	2060	Ehnglm32.exe	92
PID 4844 wrote to memory of 2028	4844	Fdegandp.exe	93
PID 4844 wrote to memory of 2028	4844	Fdegandp.exe	93
PID 4844 wrote to memory of 2028	4844	Fdegandp.exe	93
PID 2028 wrote to memory of 4516	2028	Fllpbldb.exe	94
PID 2028 wrote to memory of 4516	2028	Fllpbldb.exe	94
PID 2028 wrote to memory of 4516	2028	Fllpbldb.exe	94
PID 4516 wrote to memory of 212	4516	Fkopnh32.exe	95
PID 4516 wrote to memory of 212	4516	Fkopnh32.exe	95
PID 4516 wrote to memory of 212	4516	Fkopnh32.exe	95
PID 212 wrote to memory of 3968	212	Fcfhof32.exe	96
PID 212 wrote to memory of 3968	212	Fcfhof32.exe	96
PID 212 wrote to memory of 3968	212	Fcfhof32.exe	96
PID 3968 wrote to memory of 1352	3968	Faihkbci.exe	97
PID 3968 wrote to memory of 1352	3968	Faihkbci.exe	97
PID 3968 wrote to memory of 1352	3968	Faihkbci.exe	97
PID 1352 wrote to memory of 4464	1352	Fdgdgnbm.exe	98
PID 1352 wrote to memory of 4464	1352	Fdgdgnbm.exe	98
PID 1352 wrote to memory of 4464	1352	Fdgdgnbm.exe	98
PID 4464 wrote to memory of 3024	4464	Flnlhk32.exe	99
PID 4464 wrote to memory of 3024	4464	Flnlhk32.exe	99
PID 4464 wrote to memory of 3024	4464	Flnlhk32.exe	99
PID 3024 wrote to memory of 1964	3024	Fkalchij.exe	100
PID 3024 wrote to memory of 1964	3024	Fkalchij.exe	100
PID 3024 wrote to memory of 1964	3024	Fkalchij.exe	100
PID 1964 wrote to memory of 1084	1964	Fchddejl.exe	101
PID 1964 wrote to memory of 1084	1964	Fchddejl.exe	101
PID 1964 wrote to memory of 1084	1964	Fchddejl.exe	101
PID 1084 wrote to memory of 5092	1084	Ffgqqaip.exe	102
PID 1084 wrote to memory of 5092	1084	Ffgqqaip.exe	102
PID 1084 wrote to memory of 5092	1084	Ffgqqaip.exe	102
PID 5092 wrote to memory of 2372	5092	Fdialn32.exe	103
PID 5092 wrote to memory of 2372	5092	Fdialn32.exe	103
PID 5092 wrote to memory of 2372	5092	Fdialn32.exe	103
PID 2372 wrote to memory of 4024	2372	Flqimk32.exe	104
PID 2372 wrote to memory of 4024	2372	Flqimk32.exe	104
PID 2372 wrote to memory of 4024	2372	Flqimk32.exe	104
PID 4024 wrote to memory of 916	4024	Fkciihgg.exe	105
PID 4024 wrote to memory of 916	4024	Fkciihgg.exe	105
PID 4024 wrote to memory of 916	4024	Fkciihgg.exe	105
PID 916 wrote to memory of 2940	916	Fooeif32.exe	106
PID 916 wrote to memory of 2940	916	Fooeif32.exe	106
PID 916 wrote to memory of 2940	916	Fooeif32.exe	106
PID 2940 wrote to memory of 816	2940	Fbnafb32.exe	107

C:\Users\Admin\AppData\Local\Temp\99e10bfa589131c7cb47c1eba2b637bea6fb3d6bfc105001a1337a1fe0a17494.exe
"C:\Users\Admin\AppData\Local\Temp\99e10bfa589131c7cb47c1eba2b637bea6fb3d6bfc105001a1337a1fe0a17494.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\SysWOW64\Ednaqo32.exe
  C:\Windows\system32\Ednaqo32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\Ekhjmiad.exe
    C:\Windows\system32\Ekhjmiad.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\SysWOW64\Ecoangbg.exe
      C:\Windows\system32\Ecoangbg.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        23⤵
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        24⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        25⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        30⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        33⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        35⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        36⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        40⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        45⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        49⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        50⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        52⤵
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        53⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        54⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        55⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        56⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        57⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        60⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        63⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        64⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        66⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2852
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        68⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        69⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        71⤵
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        72⤵
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        73⤵
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        75⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4884
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        77⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        78⤵
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        79⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        80⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        81⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        82⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        83⤵
        
        PID:396
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        84⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        85⤵
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        86⤵
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        87⤵
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        88⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        89⤵
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        90⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        91⤵
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        93⤵
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        94⤵
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        95⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        96⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        97⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        98⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        99⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        100⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        101⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        102⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        103⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        104⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        106⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        107⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        108⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        109⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        110⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        111⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        112⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        113⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        114⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        115⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        117⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        118⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        121⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        122⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        124⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        126⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        128⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        129⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        131⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        132⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        134⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        136⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        137⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        138⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        139⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        140⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        141⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        142⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        143⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        144⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        145⤵
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        146⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        147⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        148⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        150⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        151⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        152⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        153⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        155⤵
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        156⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        158⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        159⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        160⤵
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        161⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        162⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        163⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        164⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6488
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        166⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        167⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        168⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        169⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        170⤵
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        173⤵
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6876
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        175⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        176⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6996
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        178⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        179⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7108
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        181⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        182⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        183⤵
        Drops file in System32 directory
        
        PID:6212
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        184⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6356
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        187⤵
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        188⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        189⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        190⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6772
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        192⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        194⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        197⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        198⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        199⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        200⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        201⤵
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        202⤵
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        203⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        205⤵
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        206⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        207⤵
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        208⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6468
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        210⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        211⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        212⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        213⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        214⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        215⤵
        Drops file in System32 directory
        
        PID:7176
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        216⤵
        Drops file in System32 directory
        
        PID:7228
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7272
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        218⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7352
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        220⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        221⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        222⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        223⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7580
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        225⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        226⤵
        Drops file in System32 directory
        
        PID:7664
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7708
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        228⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7792
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        230⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7888
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        232⤵
        Drops file in System32 directory
        
        PID:7924
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        233⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        234⤵
        Drops file in System32 directory
        
        PID:8008
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        235⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        236⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        237⤵
        Drops file in System32 directory
        
        PID:8144
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        238⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        239⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        240⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        241⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        242⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7776
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        244⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7916
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        246⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        247⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        248⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        249⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        250⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7368
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        252⤵
        Drops file in System32 directory
        
        PID:7632
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        253⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        254⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        255⤵
        Drops file in System32 directory
        
        PID:7872
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        256⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        257⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7544
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        259⤵
        Modifies registry class
        
        PID:7516
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7348
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        261⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7604
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        263⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        264⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        265⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        266⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        267⤵
        Drops file in System32 directory
        
        PID:7512
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7536
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        269⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        270⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        271⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7224
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        273⤵
        Modifies registry class
        
        PID:7652
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        274⤵
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        275⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        276⤵
        Modifies registry class
        
        PID:7812
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        277⤵
        Drops file in System32 directory
        
        PID:7576
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        278⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        279⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8284
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        281⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        282⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        283⤵
        Drops file in System32 directory
        
        PID:8404
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        284⤵
        Drops file in System32 directory
        
        PID:8440
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        285⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8524
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        287⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8604
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        289⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        290⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8720
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        291⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8760
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        292⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        293⤵
        Modifies registry class
        
        PID:8836
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        294⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8876 -s 400
        295⤵
        Program crash
        
        PID:8960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 8876 -ip 8876
1⤵
PID:8912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecandfpd.exe

Filesize
384KB

MD5
26ccf4de34d589dc9224aa178dfb766d

SHA1
c0ee856c752b51fa7190232511f05e02da7bfb8f

SHA256
2eb1e01717b654a5987cf1ed1e5e9522c9ec72f5a04fc75f9dfd49d6b5068ad9

SHA512
2887ec354996ac9e3d6edec35a89272eb5ee12933e58ca9f6978829fa4ef80ad7eb6a83b225954b8e540302973da65001ef174a32989372a1c0688a0e844eed3

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
384KB

MD5
6b6ce83af46e6f9ff7aeba697564bff0

SHA1
7d54c826e56388f8e01e6a9e470c48ec4ea008c7

SHA256
86d1b852a8d980e64ef4faad50a233ab675f0517ce3c50e7cea0896a56e08b29

SHA512
2f4762fc3f9ba9b2b42f0c47ebac29b637e0331185322a793c83e384c6ea406172d9d6fa4f908ea0afc1defe2f607db86c716255eca19cf80868a3478e6c74b2

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
384KB

MD5
b83363ecddb66d589058e7ea8d2efb9f

SHA1
02386a074ec250cb533a51bd6a8265bb95238315

SHA256
74328164f5d734cb5d5745db3b39fa87b01c205a8f71e4ea134fa8e981f21fcb

SHA512
9d6507b60b7f85d649fd611152e0e37edba3c6c2e30e075312b4bb1b085ed004b399812c4d6328125fc9aa075f60a817accbabaf5529e70b73f478854350709c

Download Submit
C:\Windows\SysWOW64\Ehljfnpn.exe

Filesize
384KB

MD5
6e9e710a867749dd799b4434317626e3

SHA1
8f7663ffbb97624b23f6f8d36ee9b47bf4d717ab

SHA256
cff9c213be3d31333f82a1bc110e0551122ec2690d713114fc23625900d0eeb4

SHA512
46604a1898b611cc235351cd83288e6703b79fea3b4da69a312313c8cb2e646625e76c765d1a45ce5d21b502ba25a50c48770cfe0d31c5b965e15b706daf3042

Download Submit
C:\Windows\SysWOW64\Ehnglm32.exe

Filesize
384KB

MD5
def46510b43e6af210da210c62f8a0b6

SHA1
8d089810522caa048ef626992118affb59fbd43e

SHA256
2207ab853a959d57d19741d613c756a0f7f69688ef78e3581f4bf3c8a1017884

SHA512
a062fdea6a8a41cdb27562c5c1eee20647330b453098dbdbd2cb44aef96baf82eefd31c5e335544a628ef3bb1d010ad6dbce52f467f7e130ec0e45e1dd851198

Download Submit
C:\Windows\SysWOW64\Ekhjmiad.exe

Filesize
384KB

MD5
e6b5a516953ad42e17670d8b3ed50198

SHA1
47fbc4e98308ca5848d091961fb2c6f198b43bfd

SHA256
943452d8c08a81b8a331ccedbcb9fe7bf8c62698a79ea550068fcd0072c66cde

SHA512
1a347221d7e4d54daea8c5b220cfc290c51d8ec0e3f6676d9c24e5d992c09fa4faf7c86a8427f0a4bf461c2567ac0be2d2308cceb7414796188d533e83351169

Download Submit
C:\Windows\SysWOW64\Faihkbci.exe

Filesize
384KB

MD5
dabc4a94916f99b232541889e7b81f3f

SHA1
c1ea4a7c70f42a54de8638b4091ca6d312f721d5

SHA256
c51cf254c6291bbcc72dea360447916af03aa3de3d6214c15c39f827ebb819c2

SHA512
f3a930b3dc2cf61c2208035e9782ce51091b878c16f9b2263b42c005186735d1ccea8b696e7e7db80a5d6981974eb87c50ab8be4b9d0ffb1719b3d32145b3d13

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
384KB

MD5
1be13e6839dc584d7bb768a38036c218

SHA1
470e03e01453ffd5261392cfc5aafcbec608bf4e

SHA256
264e3bbd66061fde8665651349f092db04e5e6fc22d9a92ed591ce5eae73e0e2

SHA512
ed5f8bf55a8942e86e093debb8b520d34c06d8ba2466479fe6e784f27f7d60fd870a92015426d8aaa2df05453e635274bc11e1d6c2017a1f9a0f8a380182174d

Download Submit
C:\Windows\SysWOW64\Fcfhof32.exe

Filesize
384KB

MD5
252f75fadb09e79936ab6832306fec72

SHA1
b4beb24180d5ee9de78e67294eff89ec30d366a6

SHA256
62c56821173ed827c0e7553f829846270d5bd9031c0a09601d31c0601b8328a2

SHA512
31e0afae5679b64889708fe99593edb1160e17f688dcbfb7e67a37c97af5cec6e06e192022ef69c89601accf4db75b3592341ef5df0a501ca3c515c078134eeb

Download Submit
C:\Windows\SysWOW64\Fchddejl.exe

Filesize
384KB

MD5
c384e3dfd5f1ceaa36b03291a565a5ab

SHA1
4078cdb48832dddac25c9e7006fdaac022915872

SHA256
45d162717f81409a205bfbefc9f4096b07eed93ca7f1a00c538e6c2e86461c3e

SHA512
761de8d87351b922d292367f2bc54e363950a24e81b18741ce0782580e5be1fb9cc6ee9c15b08f41a10340a565c0b74ab536649ca148560bd807c42bda88a25f

Download Submit
C:\Windows\SysWOW64\Fcmnpe32.exe

Filesize
384KB

MD5
177e9d8d1e6bbc5770b1ae5237ab91a5

SHA1
0c680d4dfc9c68278aa74bb03583884ecd458179

SHA256
4bb3174eb2e85f79b83240a5d474511b9a5dbffe5a4ac03155bec1fcbb93096e

SHA512
c12fb25b0183b931988a865966b6863eee8be3097bb88255a19b6fdeb8f116fb4fbed73b82fd4828685bdbfa2f033ce76ad19231248c4a00250bcca0bb6975a0

Download Submit
C:\Windows\SysWOW64\Fdegandp.exe

Filesize
384KB

MD5
6d3d9535d6627660789179881d648519

SHA1
f2556a64654d76b96cf5a09dde12743d58c5bc3a

SHA256
91ce92fc196ce8635f9adaea63f6ad0847a4e72c3cdbaaed9f71fca7ac08337b

SHA512
41448e444bc12c5e393c03daa3e9f1a39a32a01355c210adc068f9fdd01e02089437ec01b7232d709e23b5febd4a0810435b1dcdd7f6c49ab034f1c685414953

Download Submit
C:\Windows\SysWOW64\Fdgdgnbm.exe

Filesize
384KB

MD5
10b4bf16d30baf67af4a6d992131863e

SHA1
f18b35c43cdb45df248c574accd2cea8ef5aa5a0

SHA256
3f819a7ebe65c091741b48d7e431fbc7d37108a0c37ee412f056c29d8795a1b6

SHA512
5340a91834705b2d9eb921f77f302cbf0d1e726d1bbe147003703e38266006b1f42678af3f1449332eaac65aca7b82181905d7fa98ee56ad4ae58bdd76b98c70

Download Submit
C:\Windows\SysWOW64\Fdialn32.exe

Filesize
384KB

MD5
aa34a832a6e2f45fcc80f48b1ab534c1

SHA1
675ce9775175c66b88424ff65bbc0af33b98f043

SHA256
84b64da74f1b3eace22c5f46de04e4e716b1ee1bfe57cdfb7144bb81e2c2c78a

SHA512
b8011f1f78ee1188191256a13f9eab6cbb9c018c5abbc6dc390646aae7f5037a4d6f1da18e9b1882c6442c02afcfc4825466cd7771e711effc72dc2ac701f5ce

Download Submit
C:\Windows\SysWOW64\Fdlnbm32.exe

Filesize
384KB

MD5
2df595823882666d4b9cb4ca9fff6255

SHA1
226be652200376303aa7d3dfd51c99359fd4198c

SHA256
2e8e12c29bc48113cc8f9e0f8c5456b29100ed0bbea9d5bcea1ec50b065524db

SHA512
fec6ae09123854c98871ca8448c7fea838661279d168b54632fa46894b85cc9f3f1e1cf8bb5ab0bed1549a2c9762bd097f65d8f273188844d43695d2f778e2e1

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
384KB

MD5
9538d533749e88264c9524b6fd190aca

SHA1
622c489e506c1ce36acbcfaeb994c0e824b9a4f2

SHA256
6096214e3fef9a479788b5a4d0adfd1a1af2399c1b5c35e9f9f184991f40dc30

SHA512
c5a4824d68118ada4f83a13afc90688ec6df36031f6a464db53cc47f98cba3faf41cfc7d719d54b890f60dc78ed1892c27f6b26ebbca300b9e8a8a15bd873112

Download Submit
C:\Windows\SysWOW64\Ffgqqaip.exe

Filesize
384KB

MD5
aaeefa068ba18d6ab3ebdcf54bf49690

SHA1
65dd54f3c30441a10c611667528820807678bde5

SHA256
2e82211486f5cf0296a6ecf5a448f81dcc4f28e82df4a304ccc13a27c3057d4b

SHA512
5c4bc3b0f46d08e51c5fd700f29ab631ab5d129589c7742ba083d245a717bc5dfc6f0bb3429b79d571903c2cc8b8b4b4f91954310f9756ff621a4c76b77f198a

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
384KB

MD5
0b16905e01b762bb3303433ed1cb1c41

SHA1
05002b256ab2d932b40db5b5bd69b6e86a944276

SHA256
f9e913b1e8ec0c342244aca0ddb5decb773a16394d771471b10dc8c373c8c222

SHA512
c90c60f2e07dd26e2be4f460831bb8d67e1cbcb22874e3548e846ebd8ef764c8ba1443e0312f514031c250b22b8bfdf55fa1c4e6d0458893335e83b1644f5b18

Download Submit
C:\Windows\SysWOW64\Ffkjlp32.exe

Filesize
384KB

MD5
9b5b3adb607d0af9fc10334866cfbffa

SHA1
32d7ed61a266fcec8c2f078de7cf7b9713329df3

SHA256
aec12e9f5767840d42fbeb24dc6f129e42ae462215905be7daaee4c36f0bcccd

SHA512
4fd957ea7f4ee950df5059c599cdfb1f86955ab789735e0c11a71c97b1bc9baeb4aae7d499414849f277108e50a26be012385df264e35445987dc8c42371af91

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
384KB

MD5
ae0f18a5980629603953040c0147d7ca

SHA1
f60d1cb7c9fd5714618a248e4197f69ebd4a128c

SHA256
b5f08a390e2926e14f6a86a527c8425a6d80b57e69f738ae7e09530736db30b4

SHA512
e8919f23085a923f26dc9c4fc835c618830aed7aa753a6434dd116a6abae68540f89a4c964c312b9a594fb1382e3c01b5b82c329072b275643054a5313612190

Download Submit
C:\Windows\SysWOW64\Fkciihgg.exe

Filesize
384KB

MD5
1de2a468aea35d6852724cb3864049ed

SHA1
b1675e8f23f68a7daffb1e996b9f366d65d2e237

SHA256
65febe600c1fbdda9b760e0dc058b3e524012b0df9c382f00b51a83126a7a34c

SHA512
9bb26e5e7960b471c879b50fdd2fb64427c2851af31feddee7e29a250325d693d643c5baacc867c5ec5152196b988d559038a44e98079bbf32eb4536a6b70ca8

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
384KB

MD5
27a1183edf1c532f1d1f5b2a069c1802

SHA1
b76b43c9462468154c5dcab8cdc81988815d326c

SHA256
5b10cc00615341f9b3df9e3ca3eb91220b5cd5a8a568477f629b0fb9e805d94c

SHA512
6a69f3cddad740df460a373e8e6175574c3d3774901064c4b8d80d8a405a49ac388a9378841290c2938e9592703ca357b90e1d22b3ee07ee6c84287791e32d09

Download Submit
C:\Windows\SysWOW64\Fkopnh32.exe

Filesize
384KB

MD5
2cea9387fed4ddf535931d74173b3e83

SHA1
e3d9d6d6fae331b709544db98317a242d532fa10

SHA256
400f2fdf0a9991f3c356b3f93228a86b7108c821ca66ad465944b80f40377112

SHA512
b12d325791a01528c24a9c150ce94600fd98c5302701c3cd96cec82c3ec6e72df455c71a7c92bb158cb3bae5b3a6122b180de516359a7642d3fc15e722ae054e

Download Submit
C:\Windows\SysWOW64\Flceckoj.exe

Filesize
384KB

MD5
a0941de5132b2a1a848229e0287db644

SHA1
d876046c3211832b867d60a13fa21ba3e39c1f44

SHA256
89b6198ef36cc9bc49ce0f2dabf09244bfc7b8c766d5a6b3759145161a582bd7

SHA512
cff43ff87ee85bd0d8cf45de5300dc1949e91a4cfe1cfa73f0b3440bba9447bab46fdb56ce73d80397eb8c336dde9fa5ff179095dacfd31834868997543e08ac

Download Submit
C:\Windows\SysWOW64\Fllpbldb.exe

Filesize
384KB

MD5
68e5370cabce0a6f267f4ae188e3442c

SHA1
106134859e0ec7a6ba80e4530c32cfe4ff3d85ba

SHA256
b18073b0e41fd53a9f3b1b4c1f1ac9f1140381869abad8b93fde7a06b6a14274

SHA512
29649826f9da3b9bf68ca060abe381fd8cf6f3c5430b44ac13cc8c4be6cf4b657b705b1aa71d7acbc0a395a849cd6fe6190539eda2e0006e73be95ec1ffad2c7

Download Submit
C:\Windows\SysWOW64\Flnlhk32.exe

Filesize
384KB

MD5
3f2892945086d245d5497693e3d24f65

SHA1
507157b988ed64fafbcde5fa2308b6c07b98cd0a

SHA256
89d48209fe54e595fcd6f9a8d45e6b15a2fde29ba7d916e85e5c01ab9b42ecab

SHA512
01debca846aade94f4835c4625c0ac0dfedb6e18b8a4277178fb79fd397bb423e57b90276db8933bb49e0c1c3a37115e5ceb578032dc88f89e1665fb149d537d

Download Submit
C:\Windows\SysWOW64\Flqimk32.exe

Filesize
384KB

MD5
0f6c3bc9bab4b2cf64b097380d07adeb

SHA1
89def7ea9592528dddd6afc0173f7bebfb320459

SHA256
47707161c63dcf27a715bc89138874607795b8b6e88e270924ea0f1b68319be8

SHA512
49673a354210e14770841e25d7e4417e520cd0ec6da53676f88534beac33e2bde6cfad3108a16b3c3affd0e50ba8779cb410384bd7ac7ef0f4f65616ba6c9cc6

Download Submit
C:\Windows\SysWOW64\Fooeif32.exe

Filesize
384KB

MD5
5d6f7d13f3f60c00f381078c09569e0a

SHA1
ed56621be42aaf65e0ade3aef6b61a0a9aeb924a

SHA256
caf3ca95adc256496b48e639c5340a8cc279bc109718a84dd4eb979d3c0a713e

SHA512
59afe0df257f0d7426936ac63c0e148a8ce064e8b5cca8d176acd3b80fe1e31628fd7b7e7307e0cd4d59b7f164f3573adbaa9531c4754344ed8164a4f510de6e

Download Submit
C:\Windows\SysWOW64\Gbbkaako.exe

Filesize
384KB

MD5
3f426c5d87d56c762f87095ab1568b4a

SHA1
0e524b8430b431f6927973f5db8e6b73bddfaae1

SHA256
5533310194e06987c0b4c4646181776456f0f9a9e206e91fcfb2676d57aaaa0e

SHA512
b508a6c2fd8d53aed19e4d26b3a55588fc549819aa08c51e7d84ed5bea3ae883e436818dadbdff313a7fcb31ec5aad87593e6de43cf6786f8bb880488e004b81

Download Submit
C:\Windows\SysWOW64\Gcojed32.exe

Filesize
384KB

MD5
471cb0c30f5ceebd72607d3aaaa74237

SHA1
1961984d0c424017bd976fb8312059a4b9a74697

SHA256
89a159ec61e86620ed4e51733008cdf065e0683c84b25f947bce5757c2332484

SHA512
f6e9a5fd9446011912ebf63d7aeb350e2779ca216af791ce0ba941bf092586170f9d4a2b53073d49a5a2ddbd5d37d4d63d3eb411390cd0b8847cd4bec58514c5

Download Submit
C:\Windows\SysWOW64\Gkhbdg32.exe

Filesize
384KB

MD5
241a912a6902d89e17dd5180f695e4f2

SHA1
3f10900518248e9f23337370e62046af744100a8

SHA256
49b4b0f57a476a4f1c54a43dca32d3a7445c9de23db774f855a392c520a643bc

SHA512
5879b0567ff4d438912e3371028caa50ea14151ef9634e6c648984a14e6e68ba4ffadc19a311a1865cc3227e3354207318767083ef76da6bc3286c5c39897340

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
384KB

MD5
8088adcde405992839e051030dfef5b4

SHA1
3759a67e71b5b34812bd571219dd39a28f4d3f4f

SHA256
01a8462b8b05b3056a3d2ba6be6a3b5cd7349fe77a24ed4406a26fefd258cdd5

SHA512
44f3ba30b713f51f50e62b15380e905600deed9c1bfedab661403cddecc96d718d98b1688703b2657d186ff4655b4a13b562a0cb803876f0cbc17a3dd612ca42

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
320KB

MD5
c2ca9020a0bee6e0fc609d532da0c122

SHA1
e4807d97d716c80d1d622cb0fed25b8b758b37bb

SHA256
4cf08ca900d73df6becbb5739fc2af4be3db7774ac8876aa45824ba8e7c511e2

SHA512
c3aa680d471348af3380a8408494444365239afb67171cb076060c7202b84f18c04cde858029572567a085cc7eabd7a82f4757306b37c218d60e893279704927

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
384KB

MD5
7c6cc2ea1a39899a6709b37b89331b4a

SHA1
a7f67473de07a09e03c986a609f5bdb48a5b9a77

SHA256
1919e5c5209b3b41f766d313df925484af1a3498131d2da68f78078c53fd43e8

SHA512
948a1eb2904984fa4e160e0adc7d1087ff4f2bb1ea2007704bb155472cb1f3dcabc3c19176139843d1403fbd7dcc3b61b989d989df8c58ee765847cdb56563c4

Download Submit
memory/224-573-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/228-16-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/396-686-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/404-621-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/548-636-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/816-540-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1084-510-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1236-579-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1352-502-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1356-560-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1552-607-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1564-708-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1696-657-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1704-29-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1884-629-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1964-505-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2060-496-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2148-585-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2240-553-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2256-650-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2332-572-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2372-516-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2416-643-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2896-634-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2940-537-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3016-677-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3024-504-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3068-37-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3192-663-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3516-694-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3636-628-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3680-622-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3744-702-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3888-608-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3968-497-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4000-559-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4024-518-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4076-547-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4100-684-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4132-709-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4264-2-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4264-0-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4272-670-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4384-594-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4544-541-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4548-668-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4572-656-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4592-671-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4660-45-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4740-614-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4776-691-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4816-566-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4884-682-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4892-693-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4912-685-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4924-22-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4968-649-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5044-620-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5056-642-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5116-715-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5132-716-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5176-717-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5376-695-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5416-696-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads