630cc55eb2c6198d81772c7fb47f5f04d8f2ddf3984755ef47c9ea9a2c8da5c0

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

630cc55eb2c6198d81772c7fb47f5f04d8f2ddf3984755ef47c9ea9a2c8da5c0.exe
Size

235KB
MD5

a5d9b693be13652eb804b45d3416d529
SHA1

49764b8df13b68cfd4daa87ae30cf70ade1e4edb
SHA256

630cc55eb2c6198d81772c7fb47f5f04d8f2ddf3984755ef47c9ea9a2c8da5c0
SHA512

aa72047b589e390f59bd9ae2021727c1af045747f6d7a6582499e4cf61a651a6dc32f16551e21f7c7a76dca2681b8d3089bf3da679280b9e3fcc25400cadd8ec
SSDEEP

3072:Qb9uo9pAZT2waV0upHOVMgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ4vnZy7L5AuJaWL:Qb9uo9pAZT2wYpulrtMsQB+vn87L5A5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dagiil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aedpaoif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doccaall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahncbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abedecjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bekfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcalgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnepfpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhlocipo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djlddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbacqape.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aogkoedl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djnaji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Appahiag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahkflk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemcgmak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe

Executes dropped EXE 64 IoCs

pid	Process
1636	Appahiag.exe
1648	Abnnddpj.exe
4892	Aemjpp32.exe
3212	Ahkflk32.exe
2504	Apbnnh32.exe
1540	Ahncbk32.exe
3268	Aliobieh.exe
4152	Aogkoedl.exe
1092	Aafgkpcp.exe
3356	Aimoln32.exe
5072	Alkkhi32.exe
1460	Abedecjb.exe
3656	Aedpaoif.exe
3064	Blnhni32.exe
3120	Bpidngil.exe
2540	Befmfngc.exe
796	Bhdibj32.exe
4196	Bpladg32.exe
4884	Bbjmpb32.exe
840	Behiln32.exe
2664	Bhgehi32.exe
4228	Boanecla.exe
4752	Bbljeb32.exe
668	Bekfan32.exe
4744	Bhibni32.exe
4728	Bockjc32.exe
4392	Baaggo32.exe
5060	Bemcgmak.exe
1732	Bhlocipo.exe
3860	Bpcgdfaa.exe
876	Bbacqape.exe
3208	Chnlihnl.exe
1760	Cpedjf32.exe
3600	Cohdebfi.exe
2848	Cccpfa32.exe
5112	Ceblbm32.exe
1420	Cimhckeo.exe
2792	Clldogdc.exe
4020	Cpgqpe32.exe
2220	Ccfmla32.exe
536	Cedihl32.exe
2888	Clnadfbp.exe
4516	Commqb32.exe
2972	Cchiaqjm.exe
2768	Cefemliq.exe
4936	Cibank32.exe
3224	Cpljkdig.exe
2344	Ccjfgphj.exe
4460	Ceibclgn.exe
4624	Chgoogfa.exe
4864	Cpofpdgd.exe
392	Coagla32.exe
5056	Cekohk32.exe
1520	Digkijmd.exe
4380	Dlegeemh.exe
1908	Dpacfd32.exe
1980	Doccaall.exe
1036	Dabpnlkp.exe
1004	Denlnk32.exe
3488	Dhlhjf32.exe
2800	Dlgdkeje.exe
1544	Dcalgo32.exe
2612	Dephckaf.exe
2204	Djlddi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Jilbbcha.dll	Cedihl32.exe
File created	C:\Windows\SysWOW64\Epmcab32.exe	Dchbhn32.exe
File created	C:\Windows\SysWOW64\Elhmablc.exe	Ejjqeg32.exe
File created	C:\Windows\SysWOW64\Pmcglkid.dll	Fodeolof.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ejegjh32.exe	Ebnoikqb.exe
File created	C:\Windows\SysWOW64\Fcgoilpj.exe	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Iidipnal.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Cccpfa32.exe	Cohdebfi.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Miimhchp.dll	Eqciba32.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Iedonm32.dll	Epopgbia.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Apbnnh32.exe	Ahkflk32.exe
File created	C:\Windows\SysWOW64\Pakbej32.dll	Bbljeb32.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Gcekkjcj.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Abnnddpj.exe	Appahiag.exe
File opened for modification	C:\Windows\SysWOW64\Aimoln32.exe	Aafgkpcp.exe
File opened for modification	C:\Windows\SysWOW64\Bekfan32.exe	Bbljeb32.exe
File created	C:\Windows\SysWOW64\Cibank32.exe	Cefemliq.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Ffekegon.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Dchbhn32.exe	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Ffbnph32.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Ffekegon.exe
File created	C:\Windows\SysWOW64\Agbpag32.dll	Fomonm32.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hapaemll.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Cfjbmnlq.dll	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ffbnph32.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Lbdcekmm.dll	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Abedecjb.exe	Alkkhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Baaggo32.exe	Bockjc32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kmgdgjek.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8432	8280	WerFault.exe	369

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chgoogfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmljla32.dll"	Ccjfgphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dohmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhenep.dll"	Bpidngil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cefemliq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofqcl32.dll"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfolabba.dll"	Alkkhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibgla32.dll"	Cekohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einnhi32.dll"	Bpcgdfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkcdljbo.dll"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcojmgm.dll"	630cc55eb2c6198d81772c7fb47f5f04d8f2ddf3984755ef47c9ea9a2c8da5c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgkno32.dll"	Baaggo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphifcoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Befmfngc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chgoogfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aimoln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhgehi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcekmm.dll"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhlocipo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gagaaq32.dll"	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmggiogn.dll"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkomif32.dll"	Cohdebfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpladg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Fifdgblo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1636	1132	630cc55eb2c6198d81772c7fb47f5f04d8f2ddf3984755ef47c9ea9a2c8da5c0.exe	85
PID 1132 wrote to memory of 1636	1132	630cc55eb2c6198d81772c7fb47f5f04d8f2ddf3984755ef47c9ea9a2c8da5c0.exe	85
PID 1132 wrote to memory of 1636	1132	630cc55eb2c6198d81772c7fb47f5f04d8f2ddf3984755ef47c9ea9a2c8da5c0.exe	85
PID 1636 wrote to memory of 1648	1636	Appahiag.exe	86
PID 1636 wrote to memory of 1648	1636	Appahiag.exe	86
PID 1636 wrote to memory of 1648	1636	Appahiag.exe	86
PID 1648 wrote to memory of 4892	1648	Abnnddpj.exe	87
PID 1648 wrote to memory of 4892	1648	Abnnddpj.exe	87
PID 1648 wrote to memory of 4892	1648	Abnnddpj.exe	87
PID 4892 wrote to memory of 3212	4892	Aemjpp32.exe	88
PID 4892 wrote to memory of 3212	4892	Aemjpp32.exe	88
PID 4892 wrote to memory of 3212	4892	Aemjpp32.exe	88
PID 3212 wrote to memory of 2504	3212	Ahkflk32.exe	89
PID 3212 wrote to memory of 2504	3212	Ahkflk32.exe	89
PID 3212 wrote to memory of 2504	3212	Ahkflk32.exe	89
PID 2504 wrote to memory of 1540	2504	Apbnnh32.exe	90
PID 2504 wrote to memory of 1540	2504	Apbnnh32.exe	90
PID 2504 wrote to memory of 1540	2504	Apbnnh32.exe	90
PID 1540 wrote to memory of 3268	1540	Ahncbk32.exe	91
PID 1540 wrote to memory of 3268	1540	Ahncbk32.exe	91
PID 1540 wrote to memory of 3268	1540	Ahncbk32.exe	91
PID 3268 wrote to memory of 4152	3268	Aliobieh.exe	92
PID 3268 wrote to memory of 4152	3268	Aliobieh.exe	92
PID 3268 wrote to memory of 4152	3268	Aliobieh.exe	92
PID 4152 wrote to memory of 1092	4152	Aogkoedl.exe	93
PID 4152 wrote to memory of 1092	4152	Aogkoedl.exe	93
PID 4152 wrote to memory of 1092	4152	Aogkoedl.exe	93
PID 1092 wrote to memory of 3356	1092	Aafgkpcp.exe	95
PID 1092 wrote to memory of 3356	1092	Aafgkpcp.exe	95
PID 1092 wrote to memory of 3356	1092	Aafgkpcp.exe	95
PID 3356 wrote to memory of 5072	3356	Aimoln32.exe	96
PID 3356 wrote to memory of 5072	3356	Aimoln32.exe	96
PID 3356 wrote to memory of 5072	3356	Aimoln32.exe	96
PID 5072 wrote to memory of 1460	5072	Alkkhi32.exe	97
PID 5072 wrote to memory of 1460	5072	Alkkhi32.exe	97
PID 5072 wrote to memory of 1460	5072	Alkkhi32.exe	97
PID 1460 wrote to memory of 3656	1460	Abedecjb.exe	98
PID 1460 wrote to memory of 3656	1460	Abedecjb.exe	98
PID 1460 wrote to memory of 3656	1460	Abedecjb.exe	98
PID 3656 wrote to memory of 3064	3656	Aedpaoif.exe	99
PID 3656 wrote to memory of 3064	3656	Aedpaoif.exe	99
PID 3656 wrote to memory of 3064	3656	Aedpaoif.exe	99
PID 3064 wrote to memory of 3120	3064	Blnhni32.exe	101
PID 3064 wrote to memory of 3120	3064	Blnhni32.exe	101
PID 3064 wrote to memory of 3120	3064	Blnhni32.exe	101
PID 3120 wrote to memory of 2540	3120	Bpidngil.exe	102
PID 3120 wrote to memory of 2540	3120	Bpidngil.exe	102
PID 3120 wrote to memory of 2540	3120	Bpidngil.exe	102
PID 2540 wrote to memory of 796	2540	Befmfngc.exe	103
PID 2540 wrote to memory of 796	2540	Befmfngc.exe	103
PID 2540 wrote to memory of 796	2540	Befmfngc.exe	103
PID 796 wrote to memory of 4196	796	Bhdibj32.exe	104
PID 796 wrote to memory of 4196	796	Bhdibj32.exe	104
PID 796 wrote to memory of 4196	796	Bhdibj32.exe	104
PID 4196 wrote to memory of 4884	4196	Bpladg32.exe	106
PID 4196 wrote to memory of 4884	4196	Bpladg32.exe	106
PID 4196 wrote to memory of 4884	4196	Bpladg32.exe	106
PID 4884 wrote to memory of 840	4884	Bbjmpb32.exe	107
PID 4884 wrote to memory of 840	4884	Bbjmpb32.exe	107
PID 4884 wrote to memory of 840	4884	Bbjmpb32.exe	107
PID 840 wrote to memory of 2664	840	Behiln32.exe	108
PID 840 wrote to memory of 2664	840	Behiln32.exe	108
PID 840 wrote to memory of 2664	840	Behiln32.exe	108
PID 2664 wrote to memory of 4228	2664	Bhgehi32.exe	109

C:\Users\Admin\AppData\Local\Temp\630cc55eb2c6198d81772c7fb47f5f04d8f2ddf3984755ef47c9ea9a2c8da5c0.exe
"C:\Users\Admin\AppData\Local\Temp\630cc55eb2c6198d81772c7fb47f5f04d8f2ddf3984755ef47c9ea9a2c8da5c0.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\Appahiag.exe
  C:\Windows\system32\Appahiag.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\Abnnddpj.exe
    C:\Windows\system32\Abnnddpj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\Aemjpp32.exe
      C:\Windows\system32\Aemjpp32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\SysWOW64\Ahkflk32.exe
        
        C:\Windows\system32\Ahkflk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3212
      - C:\Windows\SysWOW64\Apbnnh32.exe
        
        C:\Windows\system32\Apbnnh32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Ahncbk32.exe
        
        C:\Windows\system32\Ahncbk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Aliobieh.exe
        
        C:\Windows\system32\Aliobieh.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Aogkoedl.exe
        
        C:\Windows\system32\Aogkoedl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Aafgkpcp.exe
        
        C:\Windows\system32\Aafgkpcp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Aimoln32.exe
        
        C:\Windows\system32\Aimoln32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Alkkhi32.exe
        
        C:\Windows\system32\Alkkhi32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Abedecjb.exe
        
        C:\Windows\system32\Abedecjb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Aedpaoif.exe
        
        C:\Windows\system32\Aedpaoif.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Blnhni32.exe
        
        C:\Windows\system32\Blnhni32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Bpidngil.exe
        
        C:\Windows\system32\Bpidngil.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Befmfngc.exe
        
        C:\Windows\system32\Befmfngc.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Bhdibj32.exe
        
        C:\Windows\system32\Bhdibj32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Bpladg32.exe
        
        C:\Windows\system32\Bpladg32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Bbjmpb32.exe
        
        C:\Windows\system32\Bbjmpb32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Behiln32.exe
        
        C:\Windows\system32\Behiln32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Bhgehi32.exe
        
        C:\Windows\system32\Bhgehi32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Boanecla.exe
        
        C:\Windows\system32\Boanecla.exe
        23⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Bbljeb32.exe
        
        C:\Windows\system32\Bbljeb32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Bekfan32.exe
        
        C:\Windows\system32\Bekfan32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:668
        
        C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        26⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\Blennh32.exe
        
        C:\Windows\system32\Blennh32.exe
        27⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\Bockjc32.exe
        
        C:\Windows\system32\Bockjc32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Baaggo32.exe
        
        C:\Windows\system32\Baaggo32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Bhlocipo.exe
        
        C:\Windows\system32\Bhlocipo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\Chnlihnl.exe
        
        C:\Windows\system32\Chnlihnl.exe
        34⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        35⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Cohdebfi.exe
        
        C:\Windows\system32\Cohdebfi.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        37⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\Ceblbm32.exe
        
        C:\Windows\system32\Ceblbm32.exe
        38⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        39⤵
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\SysWOW64\Clldogdc.exe
        
        C:\Windows\system32\Clldogdc.exe
        40⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\Cpgqpe32.exe
        
        C:\Windows\system32\Cpgqpe32.exe
        41⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        42⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        44⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        45⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        46⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        48⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        49⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        51⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        53⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        54⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        56⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        57⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        58⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        60⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        61⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        62⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        63⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4428
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        68⤵
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4180
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4768
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        71⤵
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        72⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        73⤵
        
        PID:100
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        74⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        75⤵
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        76⤵
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        77⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        79⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        80⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        81⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        82⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        83⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        84⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        85⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        86⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        87⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        88⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        89⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        90⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        91⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        93⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        96⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        98⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        99⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        100⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        101⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        102⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        105⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        108⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        109⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        110⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        112⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        115⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        116⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        117⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        119⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        120⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        121⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        122⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        123⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        125⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        126⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        130⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        133⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        134⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        136⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        137⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        138⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        139⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        140⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        141⤵
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        142⤵
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        143⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        145⤵
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        146⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        148⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        149⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        150⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6632
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        152⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        153⤵
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        154⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        155⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        156⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6880
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6924
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        159⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        160⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        161⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        163⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        164⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        165⤵
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        166⤵
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6344
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6400
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        169⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        170⤵
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        171⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6708
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        173⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        175⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        176⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        177⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4356
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        179⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        180⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        181⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        182⤵
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        184⤵
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        186⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        187⤵
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        188⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6368
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        190⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        191⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6888
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        193⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        194⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6704
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        196⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        197⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        198⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        199⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        200⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        202⤵
        Drops file in System32 directory
        
        PID:7220
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        203⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        204⤵
        Modifies registry class
        
        PID:7308
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        205⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        206⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7456
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7508
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        209⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        210⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        211⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7652
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        212⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7756
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        214⤵
        Modifies registry class
        
        PID:7800
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        215⤵
        Drops file in System32 directory
        
        PID:7848
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        216⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        217⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        218⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8048
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8108
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8148
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        222⤵
        Drops file in System32 directory
        
        PID:8188
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        223⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7232
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        224⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        225⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        226⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7580
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7644
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        229⤵
        Modifies registry class
        
        PID:7744
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        230⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        231⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        232⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        233⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        234⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        235⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        236⤵
        Drops file in System32 directory
        
        PID:7364
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7544
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        238⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        239⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        240⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        241⤵
        Drops file in System32 directory
        
        PID:8116
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        242⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7228
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7284
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        244⤵
        Modifies registry class
        
        PID:7660
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        245⤵
        Drops file in System32 directory
        
        PID:7888
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8076
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        247⤵
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        248⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        249⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7548
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        251⤵
        Drops file in System32 directory
        
        PID:7944
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        252⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        253⤵
        Drops file in System32 directory
        
        PID:7692
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        254⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        255⤵
        Drops file in System32 directory
        
        PID:8248
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        256⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        257⤵
        Modifies registry class
        
        PID:8340
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        258⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        259⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        260⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        261⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8552
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        263⤵
        Modifies registry class
        
        PID:8592
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8636
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        265⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        266⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        267⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8760
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        268⤵
        Modifies registry class
        
        PID:8800
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        269⤵
        Modifies registry class
        
        PID:8844
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        270⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        271⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        272⤵
        Modifies registry class
        
        PID:8968
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        273⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9060
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9100
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        276⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        277⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        278⤵
        Drops file in System32 directory
        
        PID:8196
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        279⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8280 -s 400
        280⤵
        Program crash
        
        PID:8432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8280 -ip 8280
1⤵
PID:8392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aafgkpcp.exe

Filesize
235KB

MD5
d44fd81cd88aca745e46ca78bea5ff34

SHA1
23a08e2d329cbec1d4f69d706e4cec1676065d07

SHA256
2a2950aecd35bc1ac6d01bcee082457196c63519850cbb37a8d92b76507559f5

SHA512
a3c18e4aeb7bbd3603ddd1003fd93012cccad67fb662fc61108dc79f2131d89547e81916665447a753e7c5f72efcd5a8b811f6a5d44b3fbbc7655789f3e31b8a

Download Submit
C:\Windows\SysWOW64\Abedecjb.exe

Filesize
235KB

MD5
913dd624e2172e07e0f3ac5d5f84e30b

SHA1
4b3272ce0c96990d5462ed685b0d4dfa2e34f5de

SHA256
2477252fa14e46eafc71be3486aed7ebb90de8b60b1f18b68d4e61de66eeaeb8

SHA512
053fb5b5b9286cf6226816fb81669b332862b6903ea8aea0161ea54ddf143a8206986fbf53964930230bae21e0b240e5c3b92958e24e2465504cad93d5fadd71

Download Submit
C:\Windows\SysWOW64\Abnnddpj.exe

Filesize
235KB

MD5
cdebc3f2d812f93291de381b17d74748

SHA1
5dce064c976b05ba3090f7e128d096267d1c429c

SHA256
20a4d01ee994917f9c19a4e947bb837200e10bdd60dc4fa65de591c088c533a2

SHA512
a70e780b276c966db2bc058a50020c390ba6ebbf0d0d87cff7adc204d0e6958756752b01b624be8ded9856f40667af61eb1edfa5a70103c02c5705be8eb71408

Download Submit
C:\Windows\SysWOW64\Aedpaoif.exe

Filesize
235KB

MD5
b5c600f3b13529ef094d3a14c5407d02

SHA1
611750e8cd7527e7df2fcd88e66a44c0f5559eaa

SHA256
68402f6a6a1b432b6b1085b461355403aa98cd0a9a5f680e162c4e28e5f888e2

SHA512
beaecbfdead172259b8a52fcff738267044a71c790d12a75fc3bc4225279b003ab02c726b85e78df4ee41b0ad0c094fbc1c541966d57f3fe166257f7da9bd9e2

Download Submit
C:\Windows\SysWOW64\Aemjpp32.exe

Filesize
235KB

MD5
0309fae64a34747bd0208d0360aefd61

SHA1
75348869471dce06599d19b828641eb619b4f296

SHA256
3ccac8db49f42ece8eb712bbb90def812643e8b11a04a9afcdb0cdc0594a8d13

SHA512
fe42cd3a5bf1e735a9cd41e0df8b9d13e6313e30bf0a4da620f16eb0b261cdbb6324d711e88a64b7838149519455bf5c1f44e7b9d1a7ce78942d3e9b9697fa9d

Download Submit
C:\Windows\SysWOW64\Ahkflk32.exe

Filesize
235KB

MD5
76bd3449cdc221bf902efc7c7c521ee8

SHA1
3cafc73ee24bbc2fa57d005dded3343942afa9ea

SHA256
5637003dc3e419e45d9b66d04aa44ba5931e187e81de2a04ee9029939fd1ed07

SHA512
e9b3cf8556f8c8b4dc23423bcc273b8f567e62a63b1303c92767cb5711508c212f49ef983c3937b938cbc660014160df6ce661d78809bbd5607ea81a873ed57d

Download Submit
C:\Windows\SysWOW64\Ahncbk32.exe

Filesize
235KB

MD5
346bbc154457556891863a9ca057e71f

SHA1
26767fe4fbeac7dd5be21e41fd86dd6d204a4bbd

SHA256
db3173c115cc5091856a55bb18182dbc4df029cb2c4892df0bc08ab319e6a124

SHA512
6180b555b7925a190898e06526e03c86b74650cf72355f646f6802cb0c290a310415421d634754eea7ae85dc604371bc28b55c764199accafc4321681f5838ef

Download Submit
C:\Windows\SysWOW64\Aimoln32.exe

Filesize
235KB

MD5
cb42345de461f6a30e1998542bffe9c4

SHA1
44d433fce24dc91a3770a0eb8befe965777252c5

SHA256
d035c67e6ef7ba0ab30b7e1dc2f160e41ee132964b25ebbc10c5460c03cba51f

SHA512
b5090ec5755c7c3d1fc2a556f8d33fa3fbd376bc64f76aa3227032f546844ebc5a29f605dc81da6ada792951787dcd3d058b5173e5a6dd6d4c13998fe05ff280

Download Submit
C:\Windows\SysWOW64\Aliobieh.exe

Filesize
235KB

MD5
ae72eb21de368064eea255090d40a2f4

SHA1
02da300190e9a0db01c5eb59063f18f6700b0c27

SHA256
5aa355f8055d869d49a28ed8319038933cdc7a8c2f67ae07a446a79448c7fca4

SHA512
e2c5f0475f358658d6406dea56924f23295bd6591a39ade569a46533abb5f83884fd0ad245a5cc509da5b4228a0d7cfdbbd472c87dda18c5c9582f821fda8217

Download Submit
C:\Windows\SysWOW64\Alkkhi32.exe

Filesize
235KB

MD5
a432787b43bf24608d50aa0d98523c37

SHA1
8b4daf83f6e97d92fecaa09578f885111e9af2b2

SHA256
560b892c9bdc42b66e2a02f1202a7917312a0fe0281e31cedd9e79df5cff9cf9

SHA512
b243aebe87b95873558068df8d1e2acc87088eb2598174ac7f5889c762e1ca6f7b036ead2594fe12e16edc66f89be875bff58ac8f7fe3315fd455df0bc6c3fd7

Download Submit
C:\Windows\SysWOW64\Aogkoedl.exe

Filesize
235KB

MD5
372a0e474f5e14f42921a9e1e655a0e8

SHA1
a1a7831a5bad06dd02af41629a36746fc085cbac

SHA256
409add7e48a8aff6b3261b01cd071eb65e78ccdd85dd86743249f4f4efafe86c

SHA512
03a43717cf9a29acf18c1d4a33001fc0e7ba9aecfbc8a64a7da1c3ed3f42b1bec919b4c30b1dfae5e9a616a38dd8ad44609457b2444d2cb075fbe69a80141991

Download Submit
C:\Windows\SysWOW64\Apbnnh32.exe

Filesize
235KB

MD5
c9e436a88ba550b86a4d2a022e824e00

SHA1
7e82a2cbdc1368717902710ae529c44ec6624c18

SHA256
0ba27af5f14e32a6bdcc00e780b7ed93f664d2d81026eb853d82f152f3a7966b

SHA512
ccff221ea072780be70d7d8337fc9d190f09b9f327d5256db075af166f2491e0dce71a6ec9bda654b8fff84620e2dad07c2f56e83b9f507b167ebb6d2c614e04

Download Submit
C:\Windows\SysWOW64\Appahiag.exe

Filesize
235KB

MD5
679ea9e27a1ab3c2e4fc689b34b8c36c

SHA1
c5213c9cc9c1895c1e1ad876312308652302de33

SHA256
24f3770663ce95988b80c98bc40d597d90e495a869cd886b788b8b8c996e29ba

SHA512
47fea6d0666558fcf19908622178deb444d433874fdf8e37de93d2a4709e217c0d39a9ae708708afb3b10b9ef840183fa1ce3b893127dafc6dc408f291e4ab58

Download Submit
C:\Windows\SysWOW64\Baaggo32.exe

Filesize
235KB

MD5
ecb0ba0bfa2a10e41efc92c84aa48539

SHA1
274b16e1ed0a0e62a08439bc5c379805c1247ef2

SHA256
63dd9c4bb176c5354e12bb0408f65663feaf8bfa7a29b851fb35010990a98de9

SHA512
ac9df2fd67daa214c2162bf63bb40861b8ee44d1eabc80ed676612073aa25e42c255dc3dac82586da410267e248241c29a4e2a7d276239169f79d3dc30bd8a7a

Download Submit
C:\Windows\SysWOW64\Bbacqape.exe

Filesize
235KB

MD5
ddcc406568cf3052f32eae2dbb325700

SHA1
9b47246155df3dc263e83e33bb9c636690494e70

SHA256
a9d25c07d60e3c51b673229ef0fee0d7e7c7793de92c8c80a9b4cf695c72038c

SHA512
13d43198e1ae4813536817ca33de6503d3089675aea585581d82999139cb1ec1113e8a809fff4b248308dc0595cef9697b3f22950eec4b75a514db790d64ace6

Download Submit
C:\Windows\SysWOW64\Bbjmpb32.exe

Filesize
235KB

MD5
e0f1e43502154f6a83158dcf06e2b1d3

SHA1
8357e5954f0f1fe05cecac6f491592cf96a192f2

SHA256
af3774cc1877f1ab45bbc9f7a06ebf7b1b0a803ac873fe99140f07325d69731a

SHA512
e6bd6c1a3ceabdbc9c9f11750d07f2df6bb7040a791259abda549a2ff756c937a78ce074e7096049660a879f4a995303b0fc85bb5d879f4a2321fceb1701d17c

Download Submit
C:\Windows\SysWOW64\Bbljeb32.exe

Filesize
235KB

MD5
4d7de3340340e2f66eaf9f9557bbe085

SHA1
8927df5eddea8ede240cdd245add4bf1af5bd657

SHA256
f5ab7ab16562955358648efe44a9e58ae5912a633eed5d0f938ff176ea06e859

SHA512
413d7ab42b0f8d9d85a2b14b42e23f0032c82d950798f34ad35aafb11bb6a1ad370dbe160018f829ac8df0dff503728d21c9ee1ade323040266cf76f826fabc5

Download Submit
C:\Windows\SysWOW64\Befmfngc.exe

Filesize
235KB

MD5
ceb6e5f88803d888012e9e4351833261

SHA1
be86bbcfb2259d99ac6847d3ba37fe0281d1cf5d

SHA256
dec850a5b45b4bca2c5d2db45bfc7f7ffb756d779b012280ad442a7c6974c157

SHA512
d1b8b2b758f7c411f2b4e909d934984551610bedf31b3145a7851a7de1ed934a3fd12ed6955bf4748668798e9bd3a97e88afa40ad7f03a5ace403157e9f9a2e7

Download Submit
C:\Windows\SysWOW64\Bekfan32.exe

Filesize
235KB

MD5
ee710f361e86b099938a92d0b438b552

SHA1
3b8a7ee75448122f573149777415cdd239986f05

SHA256
a5f7d34dba6e156ec09fa8f582a14c0e4c814c79a62277e2bf32255afdbc4baf

SHA512
df11ea941f3983c561d515e51b9e37d56c7fb53ab0585b3d400cb579893c5dfc84c959d858593e51d64f38c91f7adfafcfd8d81e9548dadffd6366d812ca8bb7

Download Submit
C:\Windows\SysWOW64\Bemcgmak.exe

Filesize
235KB

MD5
c8d394cdb418f2fc80dcefb143713785

SHA1
d450d96fb106d9fad565219b9857990c5e9b6563

SHA256
18f9a291e2d9884f4f2a06307e080a6ed6de05f6b396d2bbff2b90e51c302a88

SHA512
f02a91249111c140e6bc37b355e6b65e766f9a40eb97efb93ddcdcaa400a4d60e2627b7a515c8e1a15a0ab10d29b876c2bbc68a596b0f83d67546d47f004d014

Download Submit
C:\Windows\SysWOW64\Bhdibj32.exe

Filesize
235KB

MD5
b08b604081b9cd3aa7d5fd9c5da87ada

SHA1
456712d290eb7c44ee7ea5cf16b89d290085ef1c

SHA256
216c2771d6aca4137c65488781bd2ec5e48eb6bd518be4f5fc2cb018ed6a5906

SHA512
b1d2b8852287aa0fb5ab0b5a3f72bd8d397812ef38989a1ceabf3eaeb89067ff817304dc273ed1f8613f9ecc3ba22bd2d3269bc26dfae07607bc95ac650b776d

Download Submit
C:\Windows\SysWOW64\Bhgehi32.exe

Filesize
235KB

MD5
024fc0559847771d3c2551bd12ac9325

SHA1
7b183c35cb1a0daa5244c4889ce84ea09ed104dd

SHA256
e2d65ab75708dd1add449866862c3c57b35d6add0260b9cc0ae1bc481ba11f08

SHA512
ebfebe1bb6c16dbdc8e5f6fd2b92b05523026e8dbe8d99c82c6df1a70533c605d279671f975eec1274e74ea0ef2a4ac7f9defbc7a7da3897c1bdca616551f371

Download Submit
C:\Windows\SysWOW64\Bhgehi32.exe

Filesize
235KB

MD5
9c901d3388452c6cf55582f0f556aa60

SHA1
20ec43ba8c09e6b31f88a94d570e0ea9e2c1083a

SHA256
3c67a01d4b20f659594912f414050add082863e1e7a04314bbafb348dbd5cd8f

SHA512
b18ea9ef56962b3cd59e3c607e0357f55add0683c35be3d9d1ab1c0ecab5aaa2f969be5cca00b496cfee2b7d3b88c8b7add70ebd69fc4d1f3f0b8d91eae4f200

Download Submit
C:\Windows\SysWOW64\Bhibni32.exe

Filesize
235KB

MD5
b72b7ed39d5687ebf8a5edf6829c853f

SHA1
11701f1c9b529377c1485c8af1896533125f316f

SHA256
bdbd8083be33a445b85f8f6753922fd68caabe1e67f40032abbd70cfc51081e0

SHA512
1e709a025ebd91fbec95baf940b4d29acddf9dac07a08a540df73cc0b2d43d644644cf4acd364b252828fca08986c8901e79c6794c285ece01dc0418eb3f9b57

Download Submit
C:\Windows\SysWOW64\Bhlocipo.exe

Filesize
235KB

MD5
4c22490c7446bc889b57d47ef68115ed

SHA1
c1adfb8e510cd81c9ee93e1a0e4436f7f186ff64

SHA256
2ff0f531cc10d08bde0283bc6fec3ddaec846d91463c593805a7f69c32694de6

SHA512
1fa888ec8f78fa87ffd687f203dd4a925c05cfe7739ee1aa4337875c892d950e7fde13edbe323483ecb73f98803c8ab9b4eeafc9c5cdd22c1811691bac86dc5c

Download Submit
C:\Windows\SysWOW64\Blnhni32.exe

Filesize
235KB

MD5
bfbd1cbd0f519d867ae1a21df674cf4b

SHA1
85a78042af752fef9635b1a576ad36f92355a4ad

SHA256
1adea05d9aacf8f0d2bb1acdebd5c9b6d37e41f97aac9a0fcc199fb7479c8e49

SHA512
706a5a7f7ff864e5c8ce6d1ceea1647350ce60334287e489cbecddde5a0196a9a36a6bfb7fb99292bf179c515fbd726534ffc22e1c41c6b274a8abee6f321753

Download Submit
C:\Windows\SysWOW64\Boanecla.exe

Filesize
235KB

MD5
1d246280312cb3c3b3484a1053adaba2

SHA1
d7b0800cf873ac5eda829eb2a53b962c4368a40e

SHA256
7d45f1fbb26759bd90051bee9c04c954277617b5b65a754630f1f9f45c9b6cf0

SHA512
d2d98fdbd7870c996c5c63d53370115d0a49c447feacca72cbfd97722bbfe63392c55b2509bad566af0e851e2cf22fee74151561650d17f102c641f3961835df

Download Submit
C:\Windows\SysWOW64\Bockjc32.exe

Filesize
235KB

MD5
3c1e45d9ddaafa5d2fb7fb4e4a97c665

SHA1
f129677e369945ec91fffcf31a3a72dcd565df9e

SHA256
0906aa9b4ca8d07dfaebe59fed767553faf6a6f2afe8b78993618a1bc6b3d145

SHA512
d62f15f542d63670ad03d936ddef5fb2e4127ea70b8e2f79d91e3e54d3e55c18c72aeb354ece9821a52c0edbb2cb9dcc9efb4df64779d75ae9e2c09faeee1a63

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
235KB

MD5
8ada3de5093353eca4f7c4f9843b5ab4

SHA1
2862049e2e994e17d0803fdfcc83d6f9023bdb0c

SHA256
0d5cce80a6bed6bf63fa15405481c3b786c6eefa48c4098851e74c6b66e17a21

SHA512
fc331e75c005660d12c8db66f4d3559b9ff43c3836b82a6d777f8430d1a89cf0f73d80f9f7c85e45a6a4b7aedf792c164b33e1cd23f767a0caf12f2a4a3294af

Download Submit
C:\Windows\SysWOW64\Bpidngil.exe

Filesize
235KB

MD5
48d5db766a874e22721c403d83bc0d49

SHA1
cf2948f4ade15f430f8f7fa36cc6e57b06fc886e

SHA256
ee59772d1c31844b27c474dc00441e4cdda98d1a04507e4f67fad5154f0e7015

SHA512
1273c115eb0bcc18d8177fe5ed323ba2934881f998d1b0c4dbbf01ad0ca53d5e7574ac5da9ce4a5c1da2e7fdc4999aee366e61f9e0e8fd58311c62f52ec62f0e

Download Submit
C:\Windows\SysWOW64\Bpladg32.exe

Filesize
235KB

MD5
c97974e50543983e0538eee871dbaaf1

SHA1
2d967d2b220167fc65d2f5aa09e83d35f9931fad

SHA256
206d0d4b7b8d50b98da6329fd5a750415795ba3e0ab3c46b474fb32129fd9c65

SHA512
0d073e50fe185e940e321106d3a5a3fef331392b7b0d201832836a4fbddc79f0f645fbfff313e05cc08cc3158cecf5374d3fd13fed1cab87344c45d5985d33d7

Download Submit
C:\Windows\SysWOW64\Chnlihnl.exe

Filesize
235KB

MD5
33dc84f1c43bdbd236038662c57e3133

SHA1
60765cf2abc7937b01f672f4ffc2512ab9366372

SHA256
411b238f0e80bf0eef8e0352c36eb27dfbe738720da7662f972d1f0a651ea6ae

SHA512
e6c0bbcc696c3e3716814e84b626732df0ffb09004089e25df8af4ab8022c9a0889ef643657e295a3ebab3a1e97320b3e6368c1fe535c3930db97762ead6a025

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
235KB

MD5
4c75bda69129e641d419619e9f524faf

SHA1
17895bf7681049dad8a4f0649231d2a99b043f6f

SHA256
86703fc2def6c7a87f0e633bc296891f6a6674d27bbeea5f1fe7fe4b489110b4

SHA512
a15ca69ca8ceaeb4cd2128fe46530f7c1c8178ab5a70a81f18f3695873900ba7f48d5d12be33f108f8cb067feb85b5570e6ea0a98aee47762175a004ad8cffc9

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
235KB

MD5
6e902622bac8feca43a931578e2708d0

SHA1
8210747b51402899840e57a096c58adc0c5b1d3a

SHA256
94be44ed509b0343fbfd6d9b01ab1a95c3711fba2e21b0fe5583a009bd460357

SHA512
613de7e1a12d0206fafbeb3aaaf3ee07aa8f1905956e8c02932196b09246202dd1337d399a9ff503588f2ae916944871c977bc29293085be4a27676f6e80956e

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
235KB

MD5
164be0ac294b602cbd318b7be3e222c7

SHA1
18e01a594e25ab6fbabfb0cbec07b3a4a7fce92c

SHA256
6036a12c38d84c81fbf52d6ba53f15820b01f7c22b7c2fd62828760f477ea1bf

SHA512
257f244df42cef87358fa60cb13c295c3f5639ef6da582d2c417d48316779fece3d92362bf58fe3d90cfaef26ce70655c4b50fce20602d44cc0b5d877560dbb8

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
235KB

MD5
a73664e557b465595d2ae7fe30c6a712

SHA1
70737024144458c60ee7f373bedfcda19dbfd03f

SHA256
997d007f5f316dc3b3ef1f840477fdfed491157f283e98d93a8054e2d2cface2

SHA512
fe47ace4d91b5877498b9d173e17d85f81fd8a76acd3913becebe98c18372efc0039d30cdbd1d2620292b5fcdec02f1cff7d96d34072babfaa43ddbbd576fd64

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
235KB

MD5
026a9187bbbdf26794bf557a035f8338

SHA1
07f629dc80a70692cf204971ff8d7e5933ed2301

SHA256
04dbaf01c8b3a7ccf8ccdf052259a71092647299308989dcf6c625f6e747e2c8

SHA512
316710f6acf7f519843440a62694561824ebc7533e39d52001303ec086a60b86a1bab810f9068301f759aa5a3d89eadb6d75786a62a00e0aaf8cdec34721d79a

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
235KB

MD5
efc99b4f5740f7646fc0844e472d5e36

SHA1
39cb2ee7484afd3bb2c71fd9c6864247e0e53f87

SHA256
87b5d047e9d458f0f0d86912120f942a0fa58c28085c270c4b444633c3c53b9c

SHA512
d29a0655c2316b020022c45778714e03adc5baccbe70653182f7589227c4fe51e018e4f907f54390d452f5b764999ecc24b4f3682f951d15e797929db70916c8

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
235KB

MD5
d2b8b58fe090eae580494e61e59eedef

SHA1
53212540d0f6fd8160dd37da3906a9c21aa4e745

SHA256
debfdd81eb6f6e36ce6d885ae60da41eccf4ea1b33457043bdac8b6de07d234e

SHA512
6e2174177a447cecea482c03ae4e19b66083422a1d7189ea55bb6aa74effabf50d964abbfa4c1f1d7d794efa9289bca533ac57e7499aeec232603fdab1fee865

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
235KB

MD5
9d98d574d660e66227ff813ff4cfa775

SHA1
dbe870b6744c306cee20ffa61abd1783084bde48

SHA256
87f13801df1d36493049134a9922b5383e3dea61baca4bcb7d8597ce5e2f8bf8

SHA512
9f78d8691bb9f5c35821f827d912e0717c60e5956449cd81838ba19a09338110035f4b90531c4fa3bf2d15dd7d8a2b819e1b6a153d09d3c1b33045b3574be096

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
235KB

MD5
42e1f30e6aefb16c84d17a41616e6778

SHA1
15a23b15ab5fe4e48b6567d0b6cda4120c40c72f

SHA256
a0ce7c72bcbbe24196cd01d636a38954aafe0bb1d9dd9cd07660df1db29a59b7

SHA512
927b78f3502e16714ed69f5f8903e040c9975f0181981270ac35284a8b8a228545db4b11f42d5fa015a5888fe74df4ccb7b8dcd318bda39117674119f3d64982

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
235KB

MD5
dba7a42be3fe6b0dcb5aff3289279777

SHA1
71ff4ddc584267e929c5e87ab30fbf6b024e1898

SHA256
9827c87d6434a2294a1061c9cc670cd8c0100f0cc49e1e10551b3947e4d83e18

SHA512
b43752d7ec6bdce728c69507aa79d4d8ed9ca508eeb15a2e56702a837ee3fd34157fff43e5f3dc8727ba26d4f2557c592fe6571bfde7ec431ae54d89552e790e

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
235KB

MD5
7cece598b571ab79302b00ee1325a3c5

SHA1
433d9bcd7a48f98447413ee1218dd049bfdd5644

SHA256
14156a8092933c6ff925248a1148e1d8cbeff61a03f2ef4ed556baef19bf16c8

SHA512
dd9daab94e790cc8d03f928025638b46bd9818aab07791cd487799c8132928516177032d9189931637fcdb125551265063bae5d2c314930abbaa045d1d733678

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
235KB

MD5
36e0ab6e98d4e52d2e29831e5fb84d05

SHA1
1c3f11bc96b2523403c4e09c3f27ad0cc7bffc1a

SHA256
90bab04bf23132ab673582edb884914cd495f8f00b1e7f275b85c168675b511f

SHA512
7fbe7f147a68b36bf40015cb3e3718c29d137e60fafdc84de04fe677c144fbdc1200837676b961ae3d3ad2300ff58557d39399b9ab8e195131848f22f81208d1

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
235KB

MD5
ca7b0748e380bb82df2593351624000c

SHA1
4e6096881f7a303d87aeb17bde275fed3c9858c0

SHA256
a5ca4f45986c2dfd9b068056b87e3a163ee20f0e9ec2c37fd6f241061ce799f0

SHA512
5532e4912ce4a1fef4a0398f4ac7c81956c5b39109032303c4d27aa487d09bf2de012fa860cf3185319ba6619a3b4447d1020e4671301d2e4dd9af2b58ce03e4

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
235KB

MD5
19e050d812796c160f400b243027cc7a

SHA1
0938d37dffa9d528bd72959f5493bcebe62d52b9

SHA256
0fc190b97af24d8961897a1379af5221d13d3d55b7b7c4efda09b1031ca21315

SHA512
94f519e9515616450a517ff2d9e43ec0dc4f53177d6394e0defb8789f2b7b25709b49b165da3a0be845ee10b8f58567fee85030ed0ac42813578af18e156fa1b

Download Submit
memory/392-383-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/536-313-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/668-198-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/796-138-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/840-162-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/876-250-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1004-426-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1036-419-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1092-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1132-5-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1132-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1132-81-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1420-289-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1460-97-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1520-395-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1540-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1636-9-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1648-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1732-234-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1760-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1908-403-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1980-409-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2220-311-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2344-359-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2504-41-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2540-130-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2664-170-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2768-341-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2792-299-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2848-286-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2888-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2972-331-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3064-113-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3120-124-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3208-274-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3212-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3224-353-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3268-57-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3356-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3488-431-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3600-281-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3656-110-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3860-242-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4020-301-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4048-202-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4152-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4196-150-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4228-182-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4380-402-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4392-218-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4460-365-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4516-325-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4624-367-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4728-210-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4744-201-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4752-186-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4864-377-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4884-153-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4892-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4936-347-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5056-385-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5060-226-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5072-89-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5112-288-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads