09b718ddf391f638f759c1a9dbe6a3c257dfd3cb51cd8dcdccffcb94540880a5

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7790b146631e785dfe95da83c22bd59.exe
Size

74KB
MD5

d7790b146631e785dfe95da83c22bd59
SHA1

644d6b29da7da8487304355099034d8cec1f614a
SHA256

09b718ddf391f638f759c1a9dbe6a3c257dfd3cb51cd8dcdccffcb94540880a5
SHA512

7e4ccb42faa091e4510286f723ea60099864c00f991937eabf3892a8ef5fad461b9bfd555cf907f2c77de7518f28c98a4bf8f8ac993378a14007bda42382332b
SSDEEP

1536:TMuMS9iDM9jvy2JWpfk2Ktjy70MVtraIZoKUXJcGH:oWBjamWWZyvfGIZUGGH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djnaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dljqpd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpemacql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dllmfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eleplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe

Executes dropped EXE 64 IoCs

pid	Process
2304	Denlnk32.exe
2868	Diihojkb.exe
4656	Dlgdkeje.exe
1896	Dofpgqji.exe
3760	Dadlclim.exe
2320	Djlddi32.exe
4964	Dljqpd32.exe
3220	Dpemacql.exe
1956	Dohmlp32.exe
3212	Dagiil32.exe
2984	Djnaji32.exe
1248	Dllmfd32.exe
2256	Dokjbp32.exe
4696	Daifnk32.exe
3140	Djpnohej.exe
3728	Dhcnke32.exe
2208	Dpjflb32.exe
3608	Dchbhn32.exe
4664	Dakbckbe.exe
4336	Ejbkehcg.exe
1308	Ehekqe32.exe
1564	Epmcab32.exe
1904	Eoocmoao.exe
1740	Ebnoikqb.exe
3048	Efikji32.exe
1868	Ehhgfdho.exe
388	Elccfc32.exe
1964	Eoapbo32.exe
4712	Ebploj32.exe
4016	Eflhoigi.exe
3532	Ehjdldfl.exe
1728	Eleplc32.exe
1684	Eqalmafo.exe
1600	Eodlho32.exe
548	Ebbidj32.exe
4880	Efneehef.exe
3596	Elhmablc.exe
3060	Eqciba32.exe
4748	Ecbenm32.exe
60	Ebeejijj.exe
3600	Ejlmkgkl.exe
2460	Emjjgbjp.exe
4960	Eoifcnid.exe
1188	Ecdbdl32.exe
3584	Ffbnph32.exe
4800	Fhajlc32.exe
3428	Fmmfmbhn.exe
1596	Fokbim32.exe
3156	Ffekegon.exe
5104	Ficgacna.exe
4588	Fmocba32.exe
2760	Fomonm32.exe
3280	Fcikolnh.exe
4660	Ffggkgmk.exe
2036	Fifdgblo.exe
3068	Fmapha32.exe
1116	Fopldmcl.exe
2204	Fckhdk32.exe
2228	Fbnhphbp.exe
4816	Fjepaecb.exe
1288	Fihqmb32.exe
716	Fobiilai.exe
816	Fflaff32.exe
5040	Fijmbb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Eoocmoao.exe	Epmcab32.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Dadlclim.exe	Dofpgqji.exe
File created	C:\Windows\SysWOW64\Emjjgbjp.exe	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Lpdcae32.dll	Fmapha32.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Dohmlp32.exe	Dpemacql.exe
File created	C:\Windows\SysWOW64\Jfjdddho.dll	Daifnk32.exe
File opened for modification	C:\Windows\SysWOW64\Daifnk32.exe	Dokjbp32.exe
File opened for modification	C:\Windows\SysWOW64\Gqfooodg.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Djnaji32.exe	Dagiil32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Ehhgfdho.exe	Efikji32.exe
File created	C:\Windows\SysWOW64\Eodlho32.exe	Eqalmafo.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Eleplc32.exe	Ehjdldfl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8508	8424	WerFault.exe	359

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkindkmi.dll"	d7790b146631e785dfe95da83c22bd59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhngp32.dll"	Dohmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhollf32.dll"	Dllmfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkfba32.dll"	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Diihojkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqciba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omlami32.dll"	Dlgdkeje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll"	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjhfnccl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 2304	3312	d7790b146631e785dfe95da83c22bd59.exe	86
PID 3312 wrote to memory of 2304	3312	d7790b146631e785dfe95da83c22bd59.exe	86
PID 3312 wrote to memory of 2304	3312	d7790b146631e785dfe95da83c22bd59.exe	86
PID 2304 wrote to memory of 2868	2304	Denlnk32.exe	87
PID 2304 wrote to memory of 2868	2304	Denlnk32.exe	87
PID 2304 wrote to memory of 2868	2304	Denlnk32.exe	87
PID 2868 wrote to memory of 4656	2868	Diihojkb.exe	88
PID 2868 wrote to memory of 4656	2868	Diihojkb.exe	88
PID 2868 wrote to memory of 4656	2868	Diihojkb.exe	88
PID 4656 wrote to memory of 1896	4656	Dlgdkeje.exe	89
PID 4656 wrote to memory of 1896	4656	Dlgdkeje.exe	89
PID 4656 wrote to memory of 1896	4656	Dlgdkeje.exe	89
PID 1896 wrote to memory of 3760	1896	Dofpgqji.exe	90
PID 1896 wrote to memory of 3760	1896	Dofpgqji.exe	90
PID 1896 wrote to memory of 3760	1896	Dofpgqji.exe	90
PID 3760 wrote to memory of 2320	3760	Dadlclim.exe	91
PID 3760 wrote to memory of 2320	3760	Dadlclim.exe	91
PID 3760 wrote to memory of 2320	3760	Dadlclim.exe	91
PID 2320 wrote to memory of 4964	2320	Djlddi32.exe	92
PID 2320 wrote to memory of 4964	2320	Djlddi32.exe	92
PID 2320 wrote to memory of 4964	2320	Djlddi32.exe	92
PID 4964 wrote to memory of 3220	4964	Dljqpd32.exe	93
PID 4964 wrote to memory of 3220	4964	Dljqpd32.exe	93
PID 4964 wrote to memory of 3220	4964	Dljqpd32.exe	93
PID 3220 wrote to memory of 1956	3220	Dpemacql.exe	94
PID 3220 wrote to memory of 1956	3220	Dpemacql.exe	94
PID 3220 wrote to memory of 1956	3220	Dpemacql.exe	94
PID 1956 wrote to memory of 3212	1956	Dohmlp32.exe	95
PID 1956 wrote to memory of 3212	1956	Dohmlp32.exe	95
PID 1956 wrote to memory of 3212	1956	Dohmlp32.exe	95
PID 3212 wrote to memory of 2984	3212	Dagiil32.exe	97
PID 3212 wrote to memory of 2984	3212	Dagiil32.exe	97
PID 3212 wrote to memory of 2984	3212	Dagiil32.exe	97
PID 2984 wrote to memory of 1248	2984	Djnaji32.exe	98
PID 2984 wrote to memory of 1248	2984	Djnaji32.exe	98
PID 2984 wrote to memory of 1248	2984	Djnaji32.exe	98
PID 1248 wrote to memory of 2256	1248	Dllmfd32.exe	99
PID 1248 wrote to memory of 2256	1248	Dllmfd32.exe	99
PID 1248 wrote to memory of 2256	1248	Dllmfd32.exe	99
PID 2256 wrote to memory of 4696	2256	Dokjbp32.exe	100
PID 2256 wrote to memory of 4696	2256	Dokjbp32.exe	100
PID 2256 wrote to memory of 4696	2256	Dokjbp32.exe	100
PID 4696 wrote to memory of 3140	4696	Daifnk32.exe	101
PID 4696 wrote to memory of 3140	4696	Daifnk32.exe	101
PID 4696 wrote to memory of 3140	4696	Daifnk32.exe	101
PID 3140 wrote to memory of 3728	3140	Djpnohej.exe	102
PID 3140 wrote to memory of 3728	3140	Djpnohej.exe	102
PID 3140 wrote to memory of 3728	3140	Djpnohej.exe	102
PID 3728 wrote to memory of 2208	3728	Dhcnke32.exe	103
PID 3728 wrote to memory of 2208	3728	Dhcnke32.exe	103
PID 3728 wrote to memory of 2208	3728	Dhcnke32.exe	103
PID 2208 wrote to memory of 3608	2208	Dpjflb32.exe	104
PID 2208 wrote to memory of 3608	2208	Dpjflb32.exe	104
PID 2208 wrote to memory of 3608	2208	Dpjflb32.exe	104
PID 3608 wrote to memory of 4664	3608	Dchbhn32.exe	105
PID 3608 wrote to memory of 4664	3608	Dchbhn32.exe	105
PID 3608 wrote to memory of 4664	3608	Dchbhn32.exe	105
PID 4664 wrote to memory of 4336	4664	Dakbckbe.exe	106
PID 4664 wrote to memory of 4336	4664	Dakbckbe.exe	106
PID 4664 wrote to memory of 4336	4664	Dakbckbe.exe	106
PID 4336 wrote to memory of 1308	4336	Ejbkehcg.exe	107
PID 4336 wrote to memory of 1308	4336	Ejbkehcg.exe	107
PID 4336 wrote to memory of 1308	4336	Ejbkehcg.exe	107
PID 1308 wrote to memory of 1564	1308	Ehekqe32.exe	108

C:\Users\Admin\AppData\Local\Temp\2920449914\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\2920449914\zmstage.exe
1⤵
PID:716

C:\Users\Admin\AppData\Local\Temp\d7790b146631e785dfe95da83c22bd59.exe
"C:\Users\Admin\AppData\Local\Temp\d7790b146631e785dfe95da83c22bd59.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\SysWOW64\Denlnk32.exe
  C:\Windows\system32\Denlnk32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\Diihojkb.exe
    C:\Windows\system32\Diihojkb.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\Dlgdkeje.exe
      C:\Windows\system32\Dlgdkeje.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        25⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        27⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        28⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        29⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        30⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        31⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        35⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        36⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        41⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        43⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        44⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        45⤵
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        47⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        49⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        50⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        51⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        52⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        53⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        55⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        56⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        58⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        60⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        61⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        62⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:716
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        64⤵
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        65⤵
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        67⤵
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4684
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        70⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        72⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        73⤵
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3696
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        75⤵
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        76⤵
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        78⤵
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        80⤵
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        81⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        82⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        83⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        84⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        85⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        87⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        88⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        90⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        91⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        92⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        94⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        95⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        96⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        98⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        101⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        102⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        104⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        105⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        106⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        107⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        108⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        110⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        111⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        116⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        117⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        118⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        121⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        126⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        129⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        130⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        131⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        132⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        133⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        134⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        136⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        137⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        138⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        139⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        140⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        141⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        142⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        146⤵
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        147⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6240
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        149⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        150⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        151⤵
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6420
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        153⤵
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        154⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        155⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        156⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        158⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6716
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        160⤵
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        161⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        162⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        163⤵
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        164⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7012
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        167⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        168⤵
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        170⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        171⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        172⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        173⤵
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        174⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        175⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        176⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6632
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        178⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        179⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        180⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        181⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        182⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        183⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        184⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        185⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6396
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        187⤵
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        188⤵
        Drops file in System32 directory
        
        PID:6712
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        189⤵
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6416
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        191⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        192⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        193⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        194⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        195⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        196⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        198⤵
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7128
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        201⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        202⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        203⤵
        Drops file in System32 directory
        
        PID:7064
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        204⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7260
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        206⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        207⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        208⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        209⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7464
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        211⤵
        Modifies registry class
        
        PID:7504
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        212⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        213⤵
        Drops file in System32 directory
        
        PID:7588
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        214⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7668
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        216⤵
        Drops file in System32 directory
        
        PID:7716
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        217⤵
        Drops file in System32 directory
        
        PID:7760
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        218⤵
        Drops file in System32 directory
        
        PID:7796
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        219⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7876
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        221⤵
        Drops file in System32 directory
        
        PID:7924
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        222⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8008
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        224⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        225⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        226⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        227⤵
        Modifies registry class
        
        PID:8176
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7180
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        229⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        230⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7368
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        232⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7532
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        234⤵
        Modifies registry class
        
        PID:7572
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        235⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7708
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        237⤵
        Drops file in System32 directory
        
        PID:7780
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        238⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        239⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        240⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        241⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        242⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        243⤵
        Drops file in System32 directory
        
        PID:8164
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7188
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        245⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        246⤵
        Drops file in System32 directory
        
        PID:7452
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        247⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7696
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        249⤵
        Drops file in System32 directory
        
        PID:7748
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        250⤵
        Modifies registry class
        
        PID:7872
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        251⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        252⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        253⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7176
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        254⤵
        Drops file in System32 directory
        
        PID:7276
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        255⤵
        Drops file in System32 directory
        
        PID:7596
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        256⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        257⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        258⤵
        Drops file in System32 directory
        
        PID:7860
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        259⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        260⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7828
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        262⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        263⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        264⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8040
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        265⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        266⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        267⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8208
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        269⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        270⤵
        Modifies registry class
        
        PID:8300
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        271⤵
        Modifies registry class
        
        PID:8344
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        272⤵
        Modifies registry class
        
        PID:8380
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        273⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8424 -s 412
        274⤵
        Program crash
        
        PID:8508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 8424 -ip 8424
1⤵
PID:8484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dadlclim.exe

Filesize
74KB

MD5
5733fcfeee1e2889a2b04e79d711b7ca

SHA1
ea6f2b40a82efaeee9c944fb356cad8f0cbfc4c8

SHA256
859448ee163c678062b14b284b416473bd0f5a404cd6cf60ead0c22fef2b5e98

SHA512
d11fe632ad41b56c0e8d545bb0bb2059ccdef9a41083bf275b5ac46fb8d42bd895b74510d8c0a2a4cfc52d841dc49fd49f6aa8b5b1b31e8b7023e1a5e8501148

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
74KB

MD5
de5a658381e60eccc8534e14ca1917d8

SHA1
a4fb5c268e31120432fc79e9ff36c892e22ce978

SHA256
62dc4fd94b1843377ce7a2e93003e9d589659a20035fe0703d925ddb651b2120

SHA512
ddea84c8315afd6937b79bf1a639f35d944e91436d7a64976781014724299646f80d97a981cab4859ace6a3f24f320e615a2ebc07a85cfaaf8d40d8cefd00d1f

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
74KB

MD5
a359552de487f34d578523ec38ec9628

SHA1
96233b41cfc7035f0c8e6c3c150848917fdc5b66

SHA256
2e84b93f522d027979d26b2a61ca31cafbec1d4060d4281bb3a325e8c1789607

SHA512
544129c11ccf38c51587eb6f6ecf2630ecbef17ad21fff7027aacd085d6752bf6f1d00b5d1913f395dfc51bbcd0e927d593b2974359a94cad2c817285d7abe0a

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
74KB

MD5
6d777ce52dd2d14832028e78bb62313c

SHA1
eeb09e810a5cb8a2f1b056bf5e0eca05ddad857b

SHA256
74ca2c49552fdbd827726080a49070650a12b763b0ae3238175e9f430c8169e8

SHA512
20bcbee2ffc9b8256dc8b649875be85bc1306337849f46dad9a8b977b9a236ffe51fba9b4dd80894be9f8e37d4d0c4309204394e60ef882997882382584d4d28

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
74KB

MD5
f6164922402b80406742ebf0ba027845

SHA1
d816bd16170ec70c0e02b3f3b806d6207341052e

SHA256
a5e26f8873d2c9e72f6c8474ad9005544f76946e68f252fb4a22691609f121a5

SHA512
ccd4b3ba0b1a84c0411d467ed9d46a34a51277a9fecae2e367f16bfcf2a44afa8c0aa5a015baddfc2ca94f70b5f638b06552c2bf8de6abff51643b4323be17be

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
74KB

MD5
3406ddc394c017f5ee7c2a2b4d3c838a

SHA1
5e0901173c1d13ea403025d78919455d562dfb45

SHA256
a9ec9138699b3ecb032cb37687ce7c5512f709ce99eba2177fbf599caf221db3

SHA512
9edd62f885aa6f6356a9af5add7b25d5e643495479e370a5a1f48a53651a3ce463460e1adf7ba18540529427f2ccfa84234e1d8b13aee02b30dc9e4ca2e485a1

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
74KB

MD5
ab472691ae4c5e3a1feea8fdb42bdc0a

SHA1
656ed557737ae1661371f8dfd60c85af17130a28

SHA256
c09b47b080904e52ee8eada0e0fd3c1a574418e7d46a174046d95a3745057520

SHA512
47ec77675d639fe4532383641b6a1b3d5fa4b5a3db2a44132edf83e53114defeb2475f5151f2c13d1026e4b405dcb6a5d521ff4c5b51c3830316d2bf23e6753f

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
74KB

MD5
b97c2136ace05928f7d0f32a74b570ec

SHA1
6125b05e325120c7ffa28d5904cdadbcfd189804

SHA256
f8527ff06cce90d8f4c035cbbb598c3c07c12665af1768c9ad7703b495486f3f

SHA512
47946e0b21bd93aec9c08a3afdb6d607dae9d7a75f047f170c0d930653a8f6671784688a8e323d98d8bfe671e6843a2612a5115ec694419e3db0b01422de67f4

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
74KB

MD5
da6aa4fecd4218feb8cff8ec664d0634

SHA1
4c077e16a742769c0d40fa86004d6f11477f1f99

SHA256
6e44d4294fdee134943916b55a3fb0e24e0f8fb1eae89d94cfdff5fe3d8f13af

SHA512
0e115e797b556aca8be6fa62846b1d3908a1b9991fc61f4c11503402f4afd8a9dc4bb58f81f6773bc5d125327b66f6099f241bab1edf0f6d3064376cd2db59d2

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
74KB

MD5
d787b346809f22e55640f4561e93035d

SHA1
cbfd8ac6a374af6fcee233b30e7dd4d921137136

SHA256
ee89e8863b7cb4a4c3607ad7e37b9f6e7611629d45d1eeb8b3fd26514c274364

SHA512
385d7962b5ab3a574d7c801af38f0d7779bd09a3806904283fd177cd1e93be91f5f0c8b06e8c98a610e7b71cc46d15a0ef562797d74a88a95dbcab5846fd6e18

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
74KB

MD5
4d83d4b55bc98e5fd8cbf54a789bffb1

SHA1
53d89d98be67403f998202209c4617d848e1d045

SHA256
c1a1eba2f2eaa9c32e60347959b00020a34aaa6742622ab4a1b8da444e242141

SHA512
2b4497699f0d52c067f8cbf4fd8b9b2b9b6728eb97e44e3a0d98c3d4432d6ebbb925a864dad26c5d922e45dd5857e0903af5b82b446452d05a917cdcf6b507f4

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
74KB

MD5
857c75a0ace42194ce1110dba6f7986d

SHA1
63612c2ebfabe7a980d46eef421486051ca836c0

SHA256
cd15e702fc95b20f9974195d82b5b4d28b8d2df8545549ca982a469393988a24

SHA512
4a59ed86d9943bcd2fac638e6ee069e1a937e320e1fa2f25f72b06e9843afe7b1ef9243932b758516fdc96dba2bf1289de1d8492e5d5098a4682693b1ac2d441

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
74KB

MD5
fb7f270c92a4ef9636d6f5a2c056f844

SHA1
2e30a4a801275ee231b3896f24394a9e9579c086

SHA256
fc88062c47606078569a1c0d35b43992a7926bc14ada3b18580452156754dad9

SHA512
f4a6ae7aee0171d5df2edcc4b02a2bac92e06836f6ffa2298755fb4fcfd6e419356abb13e007dcd5a4e8c3c95f844dbadc120030eb20252aba3e37aed7343d30

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
74KB

MD5
8d35df22447157a4fdade808eedb1619

SHA1
90b226f977677c496b24c1e5d9a9879be76a9549

SHA256
e6fee6f7b859e5de2e10deccf4cf78087a9cbc9c61b17cd75682772c0727c9a1

SHA512
e34a377b4281666c876f12de0d1663fe48b796a19f4f07c80eb221dce2cdefa01201f8c6343f155250b37bced7403b7967fd4e76a9bed0e47e7477bb558616fc

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
74KB

MD5
5290a49f641277b416c1a00c8405abb8

SHA1
0425e900aaa19262ab469df0f915f4093d8b85b7

SHA256
3dc12cdaa5325bb665040492cffb4b6170d5e1d6be646a76d473cfaa07523db6

SHA512
7a140f18708aed6483511c2daa51120f4d3603c219336bc1639423850f8fc771c297b73df84f6879c3400682600e909b26520a5dafb8088cb879986fa3b9742d

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
74KB

MD5
78c56ed077832301755f81e4aa85e1a3

SHA1
e0fbbf3d662f86738412fea17d9a0774aa636b77

SHA256
b39b45ca2b00ad20154bd675d92db15c142159f4e45c61be5b44982476dcfd71

SHA512
c913f11912b52586e5ac1dad581e5dbe27181987a8328b9c2780e5a2efca3ed82754c1e1144de26a628a1b2f086c178c66e4f6c46d992b3f76c026b1cd68cdd6

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
74KB

MD5
b7bec3d129a2fbe26745a6ed693695d3

SHA1
314524a83b9ea1da94c1a31c535a6b2ecebc242f

SHA256
00ac636d121351f5a9e1e2aabfb8ea8d20be1b42786f8b60c7cf8c5ec6d9b01f

SHA512
1f53a113a5200887123859774e14bae1beacd2bbb630dc262c3657ea00fef6c665c6e62fcc455185e0deb3921db977163dc40d9db937b5b6ece46b25852b109e

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
74KB

MD5
bab80d86bef612001683b9efa86878cb

SHA1
71ce770cbd282bb6bd23c03f9b9cf7140343fc15

SHA256
87f8516eff71f3506432d3b5cd25c00bcec0137525f16a80cc9b97a42606cb00

SHA512
8e9bebf69a865ebd06743d29840cfb1d985d8b2f1c89a4487583e42a61b6a7bea7a0357fba720927cd810f43e39248993c2300ee193b9ead2551249ddc5bed41

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
74KB

MD5
69f5a61d593ef42f97238ba46c1850cb

SHA1
87306c5a72e078fe49e594fd74076ee87803e0e0

SHA256
4fe7252697db78ebc48da05702cb5812eb8213d6ea69b5cd2ff693f740fb32eb

SHA512
b57f039aaf427576560be8276421181a208d1895fe7e2e6d5199287a3a5927e6c333e269dc22575d7217da304613d40871234e752a23639b304a8d9a0e31ac94

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
74KB

MD5
1df5b4548c41d5fa8a0a2e35deca38a6

SHA1
40c24cf32dce7e247abcacc842f1dee9a92ca570

SHA256
e781f0f864d9ed59c3543b1e09e1ec2baf724ce5928e73d421e9cec5307c99a8

SHA512
0e8e1318fa974f18ff02bb48ea291c12b43b5a15a1df12dfa9bce5f6629df893aa2543e2d7b92f94c939c33cb7332209b6188f31a8b0446b9d1862cf17868312

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
74KB

MD5
b5d73e8a8e9113218311881bf8c4b815

SHA1
716c9f619cb540177da8d58de18d2fffc0af4f2d

SHA256
d6e85289941546082a588bbe737f66ca9401c31739d2aeb9fe4bc7a083a53943

SHA512
0ef68b3742f7ca75ae08e555900bfdf46eac52707631b1555180caa90f5f3b8599c2e7a6ee91ef96f888ab50658e4c7d83540ea54b2026c139825331d93ddf0d

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
74KB

MD5
4060257b0e74dcd0459ecc02eb915080

SHA1
c555387d3fa240297a9358ea411d25096b789a5d

SHA256
0d16e1f27f632145e8e317d60d2a438488bf6eb8597fb49330cab0d8f2091f26

SHA512
3dd86c2b3966cd60448b5b4ba6fe29a7e6667bc7eca718a54d367d61a725ea05e77aee8a81733c516184c69ca034a9dd90f514c3719615120ca65446b132a01e

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
74KB

MD5
ecf5b35413d623de8f41e9ebccdb1d53

SHA1
e16f829571a57b9bebfa2bef204b352c308fb72c

SHA256
f29e534828a71867a0bb79f9bb0aae2c5a10177fda67a62fbecb5cefbe33d5a8

SHA512
9f9e2c5e5cab1480db1daf5b12d36f55e39b6d3e9b6bfe35425944b05069f3dbda6cd3a21d85a45a07c61a8a730345f857851d711a0d44c396d4d88cd56ed074

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
74KB

MD5
80cf23631340b9258434d5058d668469

SHA1
60b62fe0924ec0f6c15ee824819a16da2f70808f

SHA256
f7c6fa43fe7648970d155d1e65c74a667cd6032e56dcfbddd16eb0fa98b100af

SHA512
c4aa41b1b57a89afec1334f270cab483fb48f75fd309cad42b24eb222662848cf7d0aeb4ceae7136f10dc022d2e8282b44d631801ad183879a88469b3aafa4f1

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
74KB

MD5
c2078792841ace29b3630440dbd8518b

SHA1
7fcc14f3eaab5d81b79bc4e69d7a0c2b85c01479

SHA256
9dde95112bbdbea47aae070f1cff2887465dc88569d4cf97f81684878ea9e852

SHA512
d74b4244e7f069e9f9221f0802202ba4f253d32e6e36a336b84413ca79452783c6644ae88c1caa7b737cd67c4288e58825a157369d40b4c3a827b83cd8cde157

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
74KB

MD5
a1c2f93ae7394e64e2d6862b8429296d

SHA1
dd60a21f4890b632cb288af13d0fb9a9f55409eb

SHA256
66094af6069fa488b166074e57c165bc2dba746e9d520661a1a3d375b7e371ba

SHA512
2072db34e88f00dcbc489a8ed19a32b2e66e5da8f216a56961564a4396988fee54c7b44aed0d036b98d4034bd5bd3a6dc1f480bf264da32f1811e3ae422df693

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
74KB

MD5
48cfa6b59ea230b1cfb9b798d899574a

SHA1
32486ee0cc1daa765125959dd3dd93baeb117d4c

SHA256
3c3bdb4d1761a0e44a681796513a27996a6231c1d329670fe53977a3911d6f0a

SHA512
e77eab219d3efd3d98fd53875c1417f62d30cd82f4b52c1439e95ea4d760e7564b484f58dddad4b3e9fc1308e8d68f614de30c53373e1542431834a9971a2e4d

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
74KB

MD5
a78bdb18864b79179313dec0f1401211

SHA1
46f3437bafe3879aeda904141e65fdb8f7c09c3d

SHA256
54a96b22531bdbac7693d1d9fc09fe0729418db6c05eda9da6f6d98db7dda4fb

SHA512
e0e06ad36c85b6bc5bd141a00a13b78a32bf31fe647636be16ba97d4efb2f038dcdf53f139b3a6704b685dfae12d149cc055f86106e03989647c0872a223e58c

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
74KB

MD5
9232985a71f3136e5eae2cfc78d9f94b

SHA1
7c563b71951302bdba8cf3651e7efdf0a885c83f

SHA256
1045828a94571d655da7729f9fe499845069e4c475cfbfe4fdda751e6f3ad4e0

SHA512
97889abb3d5f552d00c312358bfdb8c7a1faf0f4efbdc4cab66145da704147bd8b7cb79e1dd85b5c538e84b6621c58dbba97d740428a01d80402711b7afb5957

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
74KB

MD5
ab4cdfba41f11a30d82437b0783fae36

SHA1
7131afa227ba1113e81fa462e2ff42eb6a8714e7

SHA256
e0c43928e9183d5963afc1c2823e21fe7b53ec736569e5102db7f0ff11c8f6e3

SHA512
b19c54b4d360dd46a6616d40645d5a6499943e47bb7d9d52f8c53857a7589be180a5e777ab174d05155ee8f254524cc44bf49bd8c08a72da00bdcf17ab725542

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
74KB

MD5
be3159d133d4abf262eb3b7905660269

SHA1
4083eee1281c4baa6f1ae88248f2867278c9dfe9

SHA256
aff472c586ec19f20e2858dd34c6f6b297cada0a6ef53e84129dd8d1d599ae6b

SHA512
e98cfef61da565b41939e38a434a1d4102ebd922eb59f5470fe4fe8b473c766fc674142043a1cf122f77199cbba4fc17b5b004d0207252c79f3693752ca4eaba

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
74KB

MD5
a1914a408b967f76fcfdf6c1baaf7b08

SHA1
3cb8fd4445ba198d3ff09ac4b01b3d5bfff7ce06

SHA256
8b993cf5ee3dcbf6c5656afd9db97a5aa22c2dbd8cb0b3bdb9fe60b1690be75d

SHA512
1efb750a895e543ffe0ddfde61ce60c716dec0d93e02b435b34bf58254fa2bbc3a3e3a163d315560b64fed589e7dc069d92b74ec44cd80ff6771f3d0fed0c052

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
74KB

MD5
e2b91fda10ee3997cfc679918d8b541d

SHA1
69e1518560a6a488bfb2b54471986723a381f4d7

SHA256
3bfe686e02b9f0a4b7ccfa0067580cd744288d46f1ad7e09eede8a6fb663a5ae

SHA512
22588aa2522e711f2c2150c6faac8a30d84a32d739087c111b2e56716924b3662e2687e9f113635cb9cff30284510479d6a1169a3ef85f7aa4ac6b97102ed5f5

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
74KB

MD5
0be34cc2c119443d0c4a319ffaa352c2

SHA1
cbd51b90d584075f3c826e00d4cc539cbffb379d

SHA256
5cc258b91d5d7dd50d6411fcca4d8ec44a393dac5932386d8ba876313078ea49

SHA512
0ef040c373a264094cf6b6d15f6e852dc3ea0e93744de63b01c464f5a9d0f6b18c37d8f732e487f6239d11288ab992393926584de5d2f9e031325573be32880e

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
74KB

MD5
7861acd087ec5f162d6543904a0b4d39

SHA1
6f3493753fb1804401f21ee03f34291fa3442276

SHA256
8c43b9c74da9c829f6b674da3069d7e52c61ededc6bd61f180cd6ea3fef87230

SHA512
0e9fb40a84bfd2333f8578b68f6370621e916c6d0177a351e0e09c52e639884ec5d786a2cd9b9e0a4e41a8e7671380a07e2b33c7236bc853fdd20caec62282d6

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
74KB

MD5
5d77d1fee5485a935464d718ef6ad036

SHA1
595b367bc362b2dc98a208f88997bbdd72737780

SHA256
9bdb62d2a06eb884ee4e2704eb3442d539957a8ae372afc4db231d177c6045d6

SHA512
982be5a5561a2a8708b3dd53c509463ca132fc3a67cdd5f5d45a972f2fb99ffcaeeb6c448bfa0871daa96011a12b8f277e6c15f8248474342f3ae36b011530bc

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
74KB

MD5
e37551b1eb56d57d4c8943366acaeec8

SHA1
27a7f057399d0f9afc0fbfc130b0f4a1f9a52068

SHA256
88d883bc2c761af7e48faf3e4b24fa3bdd1e1ff4f1489a823916493b32d43e18

SHA512
18b78fd158b8e0eb504fbe2f56e759837f9b5a5abb42ff77087d2412f3866238bb3f7efa1f45036c626d63703b77e7b0ff1ecf40d5f05c67b9e738b92297946e

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
74KB

MD5
489b3fc22699173afa61033498ed5087

SHA1
1a7f4ed821cde22ba3c24d790686d6ce89a94616

SHA256
f7dfabf98b137cc63251b7144102d9f5f836847171bd4bc72279ef5e60b2c068

SHA512
03b2749a4863996c8eec454e62906cb6c687d8aecbdb687126bfe64417982e4b21dcbe9abaf9a698f48498f1415610a5dec3631f9aa5739b54eb6e090b062ccc

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
74KB

MD5
bb7f210d10908f37079421401ba93877

SHA1
1dad57e77a403805fd020a3986a2486f7f8241fd

SHA256
5609b10d01b3a8c2d2b55fd5fa093226d0531f147dc8804fd5d7f733f005b875

SHA512
5389eb572c57bb6e79ff7b389765380c6fa24a28414187be90459ea9f49706315d07fe77308cf6ecbe1a59735766005c987b997ca9016e4fc9d71939097de2df

Download Submit
C:\Windows\SysWOW64\Hqlqig32.dll

Filesize
7KB

MD5
0cbdfd65543e31a8da69c20823d2f931

SHA1
8574ce4d537e3c86657a7ed278b94bf872058ba4

SHA256
d889fd9009b01f945209793170cc7a9fdbe15835b916bccaa3ae202b77d4b032

SHA512
e1932d72c6c5ce86d8e98fedbd69cbc5aef8f7161585c1687080fc36689c3de95ccb41a0cee4d71ff0fe89ff1599bca54e1f5dcd6dc400142717b42cedfde69c

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
74KB

MD5
472e88ea060e7236ce2c67efddea604a

SHA1
cafa8dd645ebd6ccaefa532cc408fa981e38da21

SHA256
68ef05b071a10e7ee2dd1992fac20e404c954ab4fdcd1154a9d16669dd57d150

SHA512
cdf16e105037d4a48b22b6d572e5bca7b4308506219df17033541d6cebf36c3ba918b9826e64e52dca4bd143db2511c8ada0fcf3c74eb26867dde52145d4e039

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
74KB

MD5
38e915aed93e4ad6d3e0348f2398037c

SHA1
3f36d4edfb02fbf0b51b3ff324836eb6162c4a6e

SHA256
1e158a6250408dd92967f7e73cbc92d9c0482966c277f89d9e69478eb3041819

SHA512
a62b164a9ee86142b7f82e57b95a70c5a4a8b9d756536340754c02b35edc404bedf120dd6ec4dbc5e42fe383099d38438c3305e4a0f8d570872e36b5551e2a68

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
74KB

MD5
8a016ec8fa8cc794d3886aa05140bc2d

SHA1
b3911ce97fa7f8ff745b1b3c85cff9d305e3ca18

SHA256
2bafd4e28a5a63da7e8594f990dfc980ec8e5288e512ed0914f6882356d9caa4

SHA512
88a4dac81ffb98a2304da7965a67083f74e64774a1fd6c92a48e26ecaf67871b75163c4c782f09c84655156c1059c33a7d27833809b45b4ec1c023341d4e2372

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
74KB

MD5
83a582ec3b5594aca3a2bfd6d6e5a3ca

SHA1
e9bdd47fc714085014490bb66cc06f7359b42d25

SHA256
d0c1f11f963235c041d26492614005d9f447190ca08c0476e0a5388eb5dc6490

SHA512
f6fafd10fb0086ba0fdd9fe23a84e25ff8eb029825a0de80fe9db293601fe8f59117fc6022ce22a938a24b72143a6b03471822c1fed70f874a2d233bd1855dcf

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
74KB

MD5
bd66d2e6a0caf7fb5e7e6e43d48717d2

SHA1
5a255e0dd14be2967c4ae17979dac05d38348411

SHA256
f673d8111e7d080da1fd2f49853d5affedbe424ab447f89cadd2f37bfa1f148a

SHA512
840866205b8d6c8dd9a553ec3a47f80496090e632d8342c7daa1b358fd94724449085f9a50c5ac7c8fbc424ec00073a9521352ac3e4057e37f39e2607d416750

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
74KB

MD5
b12d10ade9acedd4561120a0ad6b6734

SHA1
885684a62c4509afe7aba47eeefd0435c92d17e2

SHA256
c074e766253769ed22016eae5e91e073f995fca04226d8b36c37a8dc11308c0c

SHA512
f35c2fe9976f969928c81c61c7f2a813cc6b3f71c3e218450a91dc1736d0d8fca112fab7b083c300f9d47c8cc7d387059fef89675018ff0439d284eab3f80f92

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
74KB

MD5
06eb8cac7d29398c495904bec187e1c5

SHA1
e18c32debe8b636bf2f97b7393196eb9c6809df9

SHA256
fb1293b6708911ef17df19461aef9d007b0a4cd056e7117f47eb50e03755d534

SHA512
e92d3d35ab237cd4ec9ed908c8775be7d1d1fe07f7022b313c7c7c898dbbd993208e5a227ed90ddb74a9aa9377956a1ed0702172d622ff808a13eff380bce0e5

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
74KB

MD5
a4646469e9bd05ac1aa53788cd47b834

SHA1
7d76c93d27a6be2019eadaecc13779a89610a446

SHA256
591a902f44b58b87010f8f9ccf9c5cdfb7eb5f0aa1991ef03c273dcecbaafa5a

SHA512
66b090b51a89ea39bb31df9c3dabd6ebedce253fe2f7bca413510eb151e19da12b660c43473843916c359ed64a956d660638208d5bb85fc7997037e05efb45d2

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
74KB

MD5
d8e84ef60225e337ee13db24dcda5c30

SHA1
82dd7bab6042f3840659ea4be4370192d33e4f0c

SHA256
98a2f5acf808a2a014c526aacf0fc9875d86ae77f8c74683f8318599227e186e

SHA512
9b8a2505e5b5b902f3382e4088224d2e2cf195599d702b371269a7e9b55cf2c081e3011710640c7b79ede528245fffa7b80efc0b8152cc1942da59acb5344798

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
74KB

MD5
e02cc8db41213d5e9c462ccb596a60a0

SHA1
4b610d6b6d508f3f47e5999d256be0c221fe4389

SHA256
31449f4a8201ebae983ff341b401a7103bab641189fe30e5d773222d118ae3b1

SHA512
f7c37bcfcbb773af32672168b615addc35172b6d16236fe2a9a6b02fb87ed52dd880f9ceb57180a4d8b6fb89ad49e4d232b9b09cfb00cff6978e465d34afda71

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
74KB

MD5
85d12acbf2ba913193a8800617a86e3b

SHA1
338eefefd2cf4a73a7ef281399a917c400fed4c6

SHA256
173a1413d464791c6ea57304b6fe437d75f4c77e48f0faaace9bad5cb9c92ada

SHA512
d2c19beda46b4af3d600f7d79f2271a28c457d56c7fe79aca87b646ae750912472a3740cf155686c8a86c4000d134cd8bb0a12adbce52358355b820078beeaf2

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
74KB

MD5
9a5004882e14c9d0b5530f99324705b4

SHA1
078131f647288d11fa1dccfacb3e797d17d364a0

SHA256
0e16355c17928589107e1dc105007a221b82400cb7ab5b46d3b21f96cbc1fe04

SHA512
e66e91f392f969ed03fa10ba4555d910486efba6e974b6d7acdddcd57f2831b1575cd537b4a84e83469e8816373387bd16990fcccc30bd0804c0ce9dcef029a7

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
74KB

MD5
c6797f6a71e7ae92a63052b100582917

SHA1
b6489b91b3f3b988869aa34358ba9e641d65bc31

SHA256
dc891c39dab193f82fdea3a4645bd4e5402877549637b73490eee7a9a592d315

SHA512
2e32ddb0a3c2ed1b7817e0eb7f3c87ade1ff38ef069c9f597605b4589f2fa16a60faf8c03b07bec01da7bdd0ab78c471624fa354c4d9561eda3f6900420392d0

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
74KB

MD5
d40bc976d2b000e88b09d958f38017d3

SHA1
921632a65917513f0539bae28c1ea15072761a98

SHA256
4692c77d6cfd01ec27170d656c97d08e99ad982fb0ae786bbdb060f0ac3588a7

SHA512
0478b2596f63a00c8517a8013e4320dbb378454753f4cc567a827a9e48fee7cb6a5496cb5d31246e6217025219749e90fbbfa0ccf5907d4ef21a884f70e1c8cc

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
74KB

MD5
81de903470f02234322973ce7182a8e8

SHA1
71aa1a5232e3040958f875d4221eab426e14d5f9

SHA256
dd2983eace9a44b742595440b98d04b761f94de73ecdb9e3450191e0960d110b

SHA512
9ec5fd052abe8e2dc84ac0d8c8a01180a0d5ccc0e3989552966913b91114ff97406e11ddb5ee03c68d446c9e042b3d55bd4e7f6817c71490e5f203b90e894e66

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
74KB

MD5
0f575212f0574eae79c77acf603d85bf

SHA1
3d5390cdf71f789aaa6d144fad9a97808b1fb1b7

SHA256
edd423b3007ba1f276a6410a5609cbe014295cce302aab0de55089f8da085f80

SHA512
35674511967f2b1606118b3a57a3cf4812801fb1eda27ae6467107b80f06e1bcd0383c695fed2d4731356636268711922b55a2ceea68c9693f591727e698cbc6

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
74KB

MD5
2716888afbe554b6dbfd254ec03fa2fd

SHA1
f98f8d8716aad624a42ba90879683822c7fd4d9b

SHA256
3b25c0db6560f7cb88ae34749cb7e11e6582c9a99f32e6b36f7e79b7e795e6e7

SHA512
4086e944ec8b0de161b63774381583aef3e4e1a1b79ed494bbb8659f97171b277441c5e1c534894aeae8d508c49d2460de2d155e0c74d4632a0b11123a308a83

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
74KB

MD5
3037223ae631b853b432b2ce73f4e6fd

SHA1
dfdb925b68af73433cb7417f54a4909493cb4573

SHA256
3199e7b2b06d259d189e9f9a2d30c60edf01a27a9a54746e431ce565725d6a5d

SHA512
be956ad9eb47452bade97d64f44bf3046a010dc1af6cf417fab61c0f3ac48e138407f941b1b90320191965a14168eebd68b3d55fa2b820c988aebee776fdf252

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
74KB

MD5
fe6f5974b007d946900323991b32f83f

SHA1
27d4d295108f234fedb29399c6029c0411c6be97

SHA256
83662156b5f1ca0b03d89f73de82fb6704215a941dec8cb1d56c0ad7e4f8a7e7

SHA512
56a24ea5dfd0846eec31892d5d62cdf7bec8926c3df37fcb096129f08dffdef1e1e134971999685dd304029eb95077d2fff0d899c5fc665af7eaab01a29e0754

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
74KB

MD5
ae9d4c70a6c7bed207af214456dc5fb8

SHA1
a49cb200ea9c8544463dcb1bfedaacc764ddabcb

SHA256
41a79a98ab66b08a0028db2d69873c68afd96d0bacdb14074197f3cd35a24f34

SHA512
48ba8881d2633aabdcdf8a671b1cfba143cea505a70eb7e8bc28081d517bf65fce4957898ca1c2cf92fe719fc1ff61e69ea2e1a954b1040ba2abe5c8d5b03f14

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
74KB

MD5
3521ca47aae6a67317fa8a37cd00a066

SHA1
75faf1a7cf0570fb4d3f74bd869687be5e4ce470

SHA256
f98a7899186b2c99021388e4f558fa7ab951ae97226cb61faba7f8226b25f8d6

SHA512
62b7f48112b93a5a908f66d9e90980f9c9544ba6ecc77d3d977362dff89eb9d376e22f14b2530c40a05f71f9784de73cdbee9e46cc62b7c2f5ca883f55dd0d52

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
74KB

MD5
4f3b9fbd9ebcb6192e57af391ebab430

SHA1
a1b6e9e96d5441373e621fea8782b9cfb2400eff

SHA256
da9abec28ccedb889313254010322e99285d417cf414bfb2e1414952c7776113

SHA512
e34c4ee293437ce91ddb5d55f05fd32d69924c6aea9ffbe5cf6a07fc23380bfa677df7fc1cc8e40507eb3fb2cd083ea58726ca57b222ebe4dc3a862b0f30055c

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
74KB

MD5
b85892decc59d301ef36ab5d51a38225

SHA1
169102fc7b01886e84fc9ff00198ffa5297ea0fd

SHA256
0fe1b97785ad0c588365129ab228176ff376001696be903af0cd7484f9fa6d4d

SHA512
1ce7922e627dde70518e15fdaacdac40a28771218b18fe0daeb41adf4615f94318204b3afbfb554500af482883084e7573601dffb2f206c14ad5d22903476920

Download Submit
memory/60-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3156-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4664-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4712-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4800-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7180-1834-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7284-1817-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7296-1806-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7336-1855-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7368-1831-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7416-1853-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7444-1830-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7452-1816-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7460-1802-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7464-1852-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7532-1829-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7544-1850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7568-1815-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7580-1805-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7588-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7716-1846-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7740-1809-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7796-1844-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7848-1824-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7860-1807-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7876-1842-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7964-1840-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7996-1822-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8008-1839-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8104-1811-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8128-1836-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8176-1835-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8300-1795-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8424-1792-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads