e5e9b69af0e1cd4d20135677689a0bd780d0674511cf2feb86b0f38600d5bbe7

Analysis

max time kernel
138s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5e9b69af0e1cd4d20135677689a0bd780d0674511cf2feb86b0f38600d5bbe7.exe
Size

74KB
MD5

11cd3cfb26d5d5f7073c09d713015976
SHA1

ac13e619e1ba04592f318c151a15f9c1241740f0
SHA256

e5e9b69af0e1cd4d20135677689a0bd780d0674511cf2feb86b0f38600d5bbe7
SHA512

f0682fca114fc1ce548e5e7fec940f4d873b013c12af8a26976abd86a52bfbc4252cfb8a0c5e3579932af76ff38c03eb5ab7bfcb748d1e1e3a3718f35a68dc72
SSDEEP

1536:/gQLUiKK4PO9P6hAeBoeeE7lWAMqJNkgDpnEQPnvMBIVykZRo:IQLUipyAGHlRM4mOVAYo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bibigmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhdibj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chnlihnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cekohk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caimgncj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcdimopp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camfbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cekohk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clnadfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djnaji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daifnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bemcgmak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbacqape.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemcgmak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceblbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoocmoao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe

Executes dropped EXE 64 IoCs

pid	Process
3452	Bakqfp32.exe
2044	Bibigmpl.exe
4652	Bhdibj32.exe
2164	Booaodnd.exe
4364	Bammlomg.exe
1452	Bidemmnj.exe
2812	Blbaihmn.exe
3948	Bpnnig32.exe
1104	Bbljeb32.exe
4828	Bhibni32.exe
3600	Bpqjofcd.exe
220	Bemcgmak.exe
1484	Bhlocipo.exe
2528	Bpcgdfaa.exe
1560	Bbacqape.exe
4016	Bikkml32.exe
1496	Chnlihnl.exe
4480	Cpedjf32.exe
3652	Cccpfa32.exe
2452	Ceblbm32.exe
3688	Chphoh32.exe
608	Cpgqpe32.exe
3408	Caimgncj.exe
2496	Cipehkcl.exe
4204	Clnadfbp.exe
4940	Cakjmm32.exe
876	Cefemliq.exe
5072	Chebighd.exe
2116	Cpljkdig.exe
2308	Camfbm32.exe
3044	Cidncj32.exe
4804	Cpofpdgd.exe
5080	Cekohk32.exe
3704	Dhjkdg32.exe
4044	Dpacfd32.exe
4968	Dcopbp32.exe
2820	Denlnk32.exe
208	Dlgdkeje.exe
1880	Dcalgo32.exe
3836	Dephckaf.exe
3992	Djlddi32.exe
532	Dljqpd32.exe
3064	Dcdimopp.exe
3720	Djnaji32.exe
1072	Dllmfd32.exe
2928	Daifnk32.exe
4180	Dfdbojmq.exe
3692	Dhcnke32.exe
4256	Dpjflb32.exe
3628	Dchbhn32.exe
4816	Efgodj32.exe
3620	Ejbkehcg.exe
1516	Ehekqe32.exe
4672	Eoocmoao.exe
4296	Ebnoikqb.exe
4600	Ejegjh32.exe
2336	Ehhgfdho.exe
4760	Epopgbia.exe
4456	Ecmlcmhe.exe
3956	Eflhoigi.exe
1396	Ehjdldfl.exe
2320	Eleplc32.exe
4496	Eodlho32.exe
1480	Ebbidj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ejbkehcg.exe	Efgodj32.exe
File created	C:\Windows\SysWOW64\Fbnhphbp.exe	Fopldmcl.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Ebbidj32.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Ghamqdaj.dll	Cpgqpe32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Cpgqpe32.exe	Chphoh32.exe
File created	C:\Windows\SysWOW64\Bdghlnlo.dll	Ebnoikqb.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lpdcae32.dll	Fmapha32.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Emjjgbjp.exe	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Ejbkehcg.exe	Efgodj32.exe
File opened for modification	C:\Windows\SysWOW64\Ehekqe32.exe	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Cakjmm32.exe	Clnadfbp.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Hopeje32.dll	Ebbidj32.exe
File opened for modification	C:\Windows\SysWOW64\Gqdbiofi.exe	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Bpqjofcd.exe	Bhibni32.exe
File created	C:\Windows\SysWOW64\Ceblbm32.exe	Cccpfa32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gameonno.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Bemcgmak.exe	Bpqjofcd.exe
File created	C:\Windows\SysWOW64\Jehocmdp.dll	Dljqpd32.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Eflhoigi.exe	Ecmlcmhe.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Khkchobp.dll	Cefemliq.exe
File opened for modification	C:\Windows\SysWOW64\Dllmfd32.exe	Djnaji32.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hbanme32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8972	8828	WerFault.exe	366

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilbbcha.dll"	Cipehkcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhdibj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpcgdfaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caimgncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqqjmnii.dll"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpgqpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djlddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcekmm.dll"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Denlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdqdffoc.dll"	Bikkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmndm32.dll"	Bammlomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdgmn32.dll"	Bemcgmak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djnaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoodnhmi.dll"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpgqpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bammlomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcicn32.dll"	Bhdibj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 3452	1464	e5e9b69af0e1cd4d20135677689a0bd780d0674511cf2feb86b0f38600d5bbe7.exe	83
PID 1464 wrote to memory of 3452	1464	e5e9b69af0e1cd4d20135677689a0bd780d0674511cf2feb86b0f38600d5bbe7.exe	83
PID 1464 wrote to memory of 3452	1464	e5e9b69af0e1cd4d20135677689a0bd780d0674511cf2feb86b0f38600d5bbe7.exe	83
PID 3452 wrote to memory of 2044	3452	Bakqfp32.exe	84
PID 3452 wrote to memory of 2044	3452	Bakqfp32.exe	84
PID 3452 wrote to memory of 2044	3452	Bakqfp32.exe	84
PID 2044 wrote to memory of 4652	2044	Bibigmpl.exe	85
PID 2044 wrote to memory of 4652	2044	Bibigmpl.exe	85
PID 2044 wrote to memory of 4652	2044	Bibigmpl.exe	85
PID 4652 wrote to memory of 2164	4652	Bhdibj32.exe	86
PID 4652 wrote to memory of 2164	4652	Bhdibj32.exe	86
PID 4652 wrote to memory of 2164	4652	Bhdibj32.exe	86
PID 2164 wrote to memory of 4364	2164	Booaodnd.exe	87
PID 2164 wrote to memory of 4364	2164	Booaodnd.exe	87
PID 2164 wrote to memory of 4364	2164	Booaodnd.exe	87
PID 4364 wrote to memory of 1452	4364	Bammlomg.exe	88
PID 4364 wrote to memory of 1452	4364	Bammlomg.exe	88
PID 4364 wrote to memory of 1452	4364	Bammlomg.exe	88
PID 1452 wrote to memory of 2812	1452	Bidemmnj.exe	89
PID 1452 wrote to memory of 2812	1452	Bidemmnj.exe	89
PID 1452 wrote to memory of 2812	1452	Bidemmnj.exe	89
PID 2812 wrote to memory of 3948	2812	Blbaihmn.exe	90
PID 2812 wrote to memory of 3948	2812	Blbaihmn.exe	90
PID 2812 wrote to memory of 3948	2812	Blbaihmn.exe	90
PID 3948 wrote to memory of 1104	3948	Bpnnig32.exe	91
PID 3948 wrote to memory of 1104	3948	Bpnnig32.exe	91
PID 3948 wrote to memory of 1104	3948	Bpnnig32.exe	91
PID 1104 wrote to memory of 4828	1104	Bbljeb32.exe	92
PID 1104 wrote to memory of 4828	1104	Bbljeb32.exe	92
PID 1104 wrote to memory of 4828	1104	Bbljeb32.exe	92
PID 4828 wrote to memory of 3600	4828	Bhibni32.exe	93
PID 4828 wrote to memory of 3600	4828	Bhibni32.exe	93
PID 4828 wrote to memory of 3600	4828	Bhibni32.exe	93
PID 3600 wrote to memory of 220	3600	Bpqjofcd.exe	94
PID 3600 wrote to memory of 220	3600	Bpqjofcd.exe	94
PID 3600 wrote to memory of 220	3600	Bpqjofcd.exe	94
PID 220 wrote to memory of 1484	220	Bemcgmak.exe	95
PID 220 wrote to memory of 1484	220	Bemcgmak.exe	95
PID 220 wrote to memory of 1484	220	Bemcgmak.exe	95
PID 1484 wrote to memory of 2528	1484	Bhlocipo.exe	96
PID 1484 wrote to memory of 2528	1484	Bhlocipo.exe	96
PID 1484 wrote to memory of 2528	1484	Bhlocipo.exe	96
PID 2528 wrote to memory of 1560	2528	Bpcgdfaa.exe	97
PID 2528 wrote to memory of 1560	2528	Bpcgdfaa.exe	97
PID 2528 wrote to memory of 1560	2528	Bpcgdfaa.exe	97
PID 1560 wrote to memory of 4016	1560	Bbacqape.exe	98
PID 1560 wrote to memory of 4016	1560	Bbacqape.exe	98
PID 1560 wrote to memory of 4016	1560	Bbacqape.exe	98
PID 4016 wrote to memory of 1496	4016	Bikkml32.exe	99
PID 4016 wrote to memory of 1496	4016	Bikkml32.exe	99
PID 4016 wrote to memory of 1496	4016	Bikkml32.exe	99
PID 1496 wrote to memory of 4480	1496	Chnlihnl.exe	100
PID 1496 wrote to memory of 4480	1496	Chnlihnl.exe	100
PID 1496 wrote to memory of 4480	1496	Chnlihnl.exe	100
PID 4480 wrote to memory of 3652	4480	Cpedjf32.exe	101
PID 4480 wrote to memory of 3652	4480	Cpedjf32.exe	101
PID 4480 wrote to memory of 3652	4480	Cpedjf32.exe	101
PID 3652 wrote to memory of 2452	3652	Cccpfa32.exe	102
PID 3652 wrote to memory of 2452	3652	Cccpfa32.exe	102
PID 3652 wrote to memory of 2452	3652	Cccpfa32.exe	102
PID 2452 wrote to memory of 3688	2452	Ceblbm32.exe	103
PID 2452 wrote to memory of 3688	2452	Ceblbm32.exe	103
PID 2452 wrote to memory of 3688	2452	Ceblbm32.exe	103
PID 3688 wrote to memory of 608	3688	Chphoh32.exe	104

C:\Users\Admin\AppData\Local\Temp\e5e9b69af0e1cd4d20135677689a0bd780d0674511cf2feb86b0f38600d5bbe7.exe
"C:\Users\Admin\AppData\Local\Temp\e5e9b69af0e1cd4d20135677689a0bd780d0674511cf2feb86b0f38600d5bbe7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\Bakqfp32.exe
  C:\Windows\system32\Bakqfp32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\Bibigmpl.exe
    C:\Windows\system32\Bibigmpl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\Bhdibj32.exe
      C:\Windows\system32\Bhdibj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Windows\SysWOW64\Booaodnd.exe
        
        C:\Windows\system32\Booaodnd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Windows\SysWOW64\Bammlomg.exe
        
        C:\Windows\system32\Bammlomg.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Bidemmnj.exe
        
        C:\Windows\system32\Bidemmnj.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Blbaihmn.exe
        
        C:\Windows\system32\Blbaihmn.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Bpnnig32.exe
        
        C:\Windows\system32\Bpnnig32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Bbljeb32.exe
        
        C:\Windows\system32\Bbljeb32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Bpqjofcd.exe
        
        C:\Windows\system32\Bpqjofcd.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Bhlocipo.exe
        
        C:\Windows\system32\Bhlocipo.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Chnlihnl.exe
        
        C:\Windows\system32\Chnlihnl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Ceblbm32.exe
        
        C:\Windows\system32\Ceblbm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Chphoh32.exe
        
        C:\Windows\system32\Chphoh32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Cpgqpe32.exe
        
        C:\Windows\system32\Cpgqpe32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:608
        
        C:\Windows\SysWOW64\Caimgncj.exe
        
        C:\Windows\system32\Caimgncj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        27⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:876
        
        C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        29⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        30⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        32⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        33⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        35⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        36⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        37⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        39⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        41⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        46⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        49⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        50⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        54⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        57⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        62⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        63⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        66⤵
        
        PID:636
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        67⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        68⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        69⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        70⤵
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4152
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        72⤵
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        73⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        74⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        75⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        76⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        77⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        78⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4740
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        80⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        81⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        82⤵
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        83⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        84⤵
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        85⤵
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        86⤵
        
        PID:364
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        87⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        91⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        93⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        94⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        96⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        97⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        98⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        99⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        101⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        102⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        103⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        104⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        105⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        106⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        107⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        108⤵
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        110⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        111⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        112⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        113⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        114⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        117⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        120⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        121⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        123⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        125⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        127⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        130⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        131⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        133⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        134⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        135⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        137⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        139⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        140⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        142⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        143⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        144⤵
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6344
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        146⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        147⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        148⤵
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        149⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        151⤵
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        152⤵
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        153⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        154⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        155⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        156⤵
        Drops file in System32 directory
        
        PID:6812
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6900
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6932
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        161⤵
        Drops file in System32 directory
        
        PID:7028
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7068
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        164⤵
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        165⤵
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        166⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        168⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        169⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        170⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        172⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        175⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        176⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        177⤵
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        178⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        179⤵
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6224
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        182⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        184⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        185⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        187⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        188⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        189⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6580
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        191⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        192⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        193⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        194⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        195⤵
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7132
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        197⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        198⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        199⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        200⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        201⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        202⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        203⤵
        Modifies registry class
        
        PID:7244
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        204⤵
        Modifies registry class
        
        PID:7280
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        205⤵
        Drops file in System32 directory
        
        PID:7336
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        206⤵
        Drops file in System32 directory
        
        PID:7376
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        207⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        208⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7500
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        210⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        211⤵
        Drops file in System32 directory
        
        PID:7584
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        212⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7668
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        214⤵
        Drops file in System32 directory
        
        PID:7716
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        215⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7796
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        217⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        218⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        219⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        220⤵
        Modifies registry class
        
        PID:7980
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        221⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        222⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8108
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8152
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        225⤵
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        226⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        227⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        228⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        229⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7448
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        230⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        231⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7680
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        233⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        234⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        235⤵
        Modifies registry class
        
        PID:7956
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        236⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        237⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        238⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        239⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        240⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        241⤵
        Modifies registry class
        
        PID:7484
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        242⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7712
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        244⤵
        Modifies registry class
        
        PID:7852
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        245⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        246⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8076
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        247⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7364
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        249⤵
        Drops file in System32 directory
        
        PID:7548
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        250⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        251⤵
        Drops file in System32 directory
        
        PID:7944
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        252⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        253⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        254⤵
        Drops file in System32 directory
        
        PID:7660
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        255⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7404
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        257⤵
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        258⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        259⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        260⤵
        Modifies registry class
        
        PID:7656
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        261⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        262⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        263⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8352
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        265⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        266⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8452
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        267⤵
        Drops file in System32 directory
        
        PID:8492
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8532
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        269⤵
        Modifies registry class
        
        PID:8576
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        270⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        271⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8656
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        272⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        273⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        274⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        275⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8828 -s 416
        276⤵
        Program crash
        
        PID:8972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8828 -ip 8828
1⤵
PID:8940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bakqfp32.exe

Filesize
74KB

MD5
6714f574e7252b813fefc19b43d7e7d7

SHA1
911ddf13249d9005977284bbdd9cd93af5e43378

SHA256
2222ef44aadd6f009c49ff91e450af8f59ae2085871aea81d390b50c54ac7804

SHA512
c1b1471fd19115c5a9e066f8e89d7c96d6dbae91c4bd58b17622d354b3d95c3c0fb40ebd23a98d16cdbca12bf69255b2914efc0bf9bd3b51cc7049d0512af28a

Download Submit
C:\Windows\SysWOW64\Bammlomg.exe

Filesize
74KB

MD5
68acc2da073e4ef6320ea3619190443a

SHA1
43cb42d5a5d6b311ec3c9d3367a61ab9dfc62773

SHA256
0e78847dacaa9c0d40425717eec1b3f129325506e53b0fed4dab490656b85516

SHA512
4d3797db11102322cdb5a1bf7566063aa7b55dce1b5d5343800c3dfc392bb5181c444e1296081c97064f7df3565f5ee7cc3feb9a8ef5ec38f99a39b4d4d34316

Download Submit
C:\Windows\SysWOW64\Bbacqape.exe

Filesize
74KB

MD5
e2a039838ddbb5c051a161c726561103

SHA1
753cf5cb7cae37c6de41ea65ffb789cf1a6e4054

SHA256
22b5e18f7a0dbbc5c2b04d75820faec5acf9bf502eafe45a8c63440c2e5f76e3

SHA512
d710e8b8e6a2a8a7c2f2c3a4aad4bc4bd99f1cbabbe4c64280ada67b71adf2133507a376daee5805282ab4cfa67a18833ec721cca7437ce0bf10cdc1cedafe4c

Download Submit
C:\Windows\SysWOW64\Bbljeb32.exe

Filesize
74KB

MD5
e24b7e8af939afe25fbb82ed6790fae8

SHA1
3c13ee0fd0876e6994110c55e74d48a19edaf145

SHA256
c4f7fbf10f22cec3ebcd0d6b80c06ecfa25877fcdda9b95b742c4460dc13e646

SHA512
c10a32359cc0dca7592816ff859d37bafeb99f22b6dc52010246063b883b07dacce841aba4aafdd4424ceb117063a3823494213f5fd85a6c1467df235522f574

Download Submit
C:\Windows\SysWOW64\Bemcgmak.exe

Filesize
74KB

MD5
bea6b8a350f3caf6a054c18700bf2f55

SHA1
4a149498db26079a96c2413b9bf9ea0f2e6d6d91

SHA256
3e3f947c9d70e49480efcd793b4362382a2fe6bb9494f2f1198c85233153ea4b

SHA512
594a8be4659598763abd491eb83db3da3ec3851226084c320311f4863e27cf32c8cbcfa62509d11fc4a7dfb5aef54879ac75f6689c16f2ec33b739e280f4fdfc

Download Submit
C:\Windows\SysWOW64\Bhdibj32.exe

Filesize
74KB

MD5
16b0e92f4e556e4e0fddc1e448a4316f

SHA1
7287c4dc56f2a18cc922f55d2e2f8a2ab264730a

SHA256
22217b912066a40947a0f3872ac7c0eaac23ab02ee38c2ae6e459876d362f669

SHA512
3124800befa3cfc1954c07a49d17a778632165e8ae7306821d05fa2f5d7f457f98c9884dd777982d904b1a85cfc86365eaabc1df3e67f77dad28fe2f93107177

Download Submit
C:\Windows\SysWOW64\Bhibni32.exe

Filesize
74KB

MD5
804683c9abc7e1418d7dbb71ff23738a

SHA1
dab360408554ce56ee43c753dd57be043203ff32

SHA256
2de0ad3f9eb2c100ea881e4067bc5b5c8dbab5db6a42e2972d094b33b3317413

SHA512
61b8eb28fe74b6c01d84abb01a0063db818edd2056883273c239638252f8a3053308b58bc3a348bc9b47bcd1ffb964ed0db33ac34b31eca586f7a67a01d72756

Download Submit
C:\Windows\SysWOW64\Bhlocipo.exe

Filesize
74KB

MD5
895900f6f270a895bc3ba06036810dd3

SHA1
10ca9e53fe7c4d6afd53a06e327a832ec6b7b7ac

SHA256
e179b8a1681eab234a2bbe3dab2121c5093e00f7e1545538b2106d415f976ace

SHA512
836ebb56e04ce5de11edeaf1c67a68f32c6032116105c444780ac203a575568ed1a6440c71faa58a27ad94d5a108c7fecb4d5b1c90e6956b54ec53cbf535ed40

Download Submit
C:\Windows\SysWOW64\Bibigmpl.exe

Filesize
74KB

MD5
51c903b8e99ff5ef9d8446fc54504371

SHA1
efc9e02e37003c8b846f2d13adaf19626ae8dde5

SHA256
cbe743ff29d6108f58478fa08ee5b5cf879c924628dd30247bafbb738ec7fd42

SHA512
6396658c47b85747fe820288510d0c1f6b2f69c7ec9c064a08ed9126d695a6da914915b39f24a57c9f35c751e983a90e57fdf05a00e5da23d8cf98a4e128cd3c

Download Submit
C:\Windows\SysWOW64\Bidemmnj.exe

Filesize
74KB

MD5
56d49cacb53aa28803a112a0fce8ed70

SHA1
40cb276165680030ef59be4ac2690e3e2e66f462

SHA256
3006d7d5c4600abec5253e67ae20343cefff2462f5eddf5924fde62996bf7080

SHA512
945761a94f3c82109bbf650e0c8766fd144d7f6c689bdc3d051690a9849671376d640c0f28ff1b0591974854e4d42c50f0bec90371f182bf01791a8d746cacb8

Download Submit
C:\Windows\SysWOW64\Bikkml32.exe

Filesize
74KB

MD5
b187675520a51ed14a5906bd9c850af8

SHA1
269ac2672b53cf673b675ebd39195c3ce1fdc67d

SHA256
0a388d0914414d0adf4329a480b6a41abe0bfc782e68712347682f3e35a3a8d0

SHA512
aa0cea30e5d1675407db802ec82cd34b7afe74f8495d277d76a45d818b2bc057051e749a7c85d1b0fe61241ca501a01169edd51b30348183e26f71980788adfd

Download Submit
C:\Windows\SysWOW64\Blbaihmn.exe

Filesize
74KB

MD5
04b1883a2cc808f6b0dee170fa2c7f08

SHA1
ee834bb85c8064fff282ba5c27541c0b3b5a71d8

SHA256
6957a7cedbc608b9a3b67fd531ff8bbbf7871f775139b782d289cbd507f4595a

SHA512
4602f47eddfc48ee36b9f3f214a1be269be6ee23df1bf90d27707c9b91c461dcfcf21577aacde25f51808fef9b60df13e0612c73da6322868d5a89f623bb0459

Download Submit
C:\Windows\SysWOW64\Booaodnd.exe

Filesize
74KB

MD5
b979d4684d0867b47aad46d62f2b8500

SHA1
80e3c37ecba21aae62f31d48d314dd50c6588e8e

SHA256
6643b7450b1887e5ecbef7762939909f90b1cc42a9f9ce9e59df727b7a6b037e

SHA512
cdd7f46edb8f515be2eaa8f8c137775709772b1a11fd6d08e3e75e3aed0cf2ae8df371b2693b67f27d7565b154197a4567215a411f4ccc95ec8efa7bc536d72d

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
74KB

MD5
46ccca8150cac451f035a651c454b04a

SHA1
78abf12342c0afe0bd18cec1e4f375f970736309

SHA256
1302acb544e7657dddfbeab3a300c05676878ac4231f1175b9f65db8d8d9e68f

SHA512
621fe5afdb01dbbb7dc549cfee91768b0d1fc9e4f034b64805d6b84db19e6381caff1dee6eb70c000594e9f3a9fe9d5d190a660e17101c3364edbab08d0c10a7

Download Submit
C:\Windows\SysWOW64\Bpnnig32.exe

Filesize
74KB

MD5
a6c9562cd9b56fdde9259b6ea618fc0d

SHA1
0617b0ba3270e9ba30ee7d9704f3b1e114a31ebf

SHA256
150b937c7d61339f312515a57f340bf97a32bc5a2f271302cb9cb7b6aa53043f

SHA512
03eeaf1893c0117a8c29560a4c00074aa52a10dd052c2e7b380081ed64cb7ff67a18bd3871e3f9b6a10238c6e6a927c6fa2c678d401fd0d9c3a38e0a070258a9

Download Submit
C:\Windows\SysWOW64\Bpqjofcd.exe

Filesize
74KB

MD5
e7001361116b8d37a9594c5cf4216274

SHA1
028a8cc0b39186c0ee8ae7775b59b26d74b2298d

SHA256
feeff9c53ceafc39193f150fb2542633ab5a752505b421c13d7f04ccf697cdae

SHA512
a8d99084d0bc47ea878d9b09ffd64f3273dc0447073eeb1c7e9ce1718895bd570613bea397e53dea5b5e9ddf6616ed37fcc0b542a622fdd19a7cf4467a01115f

Download Submit
C:\Windows\SysWOW64\Caimgncj.exe

Filesize
74KB

MD5
04c9e1574d094ac01462e52c63672110

SHA1
a7e426b65d7cf6223a8d566035c1280eb34cb971

SHA256
6a09501f03962d1f1ef2e3ede833e871217574f7607746dc5b2a673c194fce3a

SHA512
2338c6c253029f0b949c2c5d45934da26989e9ca6a4a7350435eacb171887a74ac994d2b8e73b3f3c2b63ed1ba626270c5633c38478adf6cd108c78db05fe91d

Download Submit
C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
74KB

MD5
c027ae4d754bd7feeffb52272291c2e8

SHA1
39594d6b45c4fd7a3cdb9d6e3cf6dc7b025510cf

SHA256
de7a9a4ea4f229a7334f88ab2b5dfc7f5c97efeae96ca70314eea009262f50c8

SHA512
52708f9d9594afd8638a304a7ffe0f2393b8568b6480f95e2aaa49a2e2a59c2e8857bbd6da0724a8d1c44a5026bdb6f86034fc1de2d433548dcf9fc8f3b29de7

Download Submit
C:\Windows\SysWOW64\Camfbm32.exe

Filesize
74KB

MD5
b623f639392764f85e8b376def14ef3d

SHA1
1ce0f4e1c49538dbd84b5a819517d52bdb22c997

SHA256
9c7b8196ca607c734a9061f1a3f857699b63cd9cf63d506f16a1701979b9f991

SHA512
cc1dfce267930af6e9a37ee40e6970bebcb07810b67a4a05155d8e61c7274915981ee4e268171a43d0058c190bca3db4cb5b57eeec6e466c4cd7b005c33c26b8

Download Submit
C:\Windows\SysWOW64\Cccpfa32.exe

Filesize
74KB

MD5
d3ccafb7f3695b7fe61f552c7b727df0

SHA1
36a87f60277a51958f2b1afae7c19d46c2c9c362

SHA256
11d43d2dff8a3ec97d1661ceaf1ad7feb134ce149af3cfb30d211a039216eb5a

SHA512
a8c6fae52f81379c2bfa8fb1da436f511e0f0b3df705e793cc88f9903e68ba61538c03123c395e0a2961841ddeaa316c02d22e61a40c73df72e2ecdecb239aa0

Download Submit
C:\Windows\SysWOW64\Ceblbm32.exe

Filesize
74KB

MD5
0a8a4222bdfdca21a82f77ec1d8149b6

SHA1
b5a57373726154291eb537a688b8da614d119583

SHA256
cc5e10b3ae3bca9f8183cf6b0069c628d52aaa6ecb1a1252911debbff97f8cc0

SHA512
5d6c19afcc0919496486dc725164f9f7d786ce1abb11a3ac1f59bbb451f22172ea7c9367404ac411bb0cd6ad2ea5526e874ba930d018cf6c2773b760745c379f

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
74KB

MD5
d3bded6938b55cab3c627051069a0744

SHA1
81c6b38d8117aab3ad47c21287d26a4330241328

SHA256
28774b0b1d1ea089927105adc313ee34b2154564e3d8d7cd9b3f6d2e27c93d3d

SHA512
7d423fa0554a076fb53654600cbec869299e86b504ff60f26cc687ee6f188adaa7a2800fd31c387cff60980a6ae4ff75bbfc4aed9cffc926703c5a73351fa219

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
74KB

MD5
ff26d468d9a3ac3d8ea17471b5e97d37

SHA1
4630e62c78f5319ed4c06422065f3588e0d54c59

SHA256
547b2157925f47e99e5d802c5f86be1c6c3de430e99210352effb4025d3729d7

SHA512
6ff61b3d0430c088a33effda804843f075c7eba1a856fe6c53805243ca7811d18578514f7bac94b91a4a1bd057e5e4ff772c4f9271a27c3852c1c91b173759bf

Download Submit
C:\Windows\SysWOW64\Chnlihnl.exe

Filesize
74KB

MD5
e6b4132920117a4a03e40d64c39d352e

SHA1
086e1e1f5342adf17ccc95c8be8871aa2e15370f

SHA256
09260f07bbeb5837255c3d2d5be18a9355c8fbc25a2a4b3117e7142a77b7e550

SHA512
68fa90c8fa53eab5662c8924e95cf1af5f39291f91ccd0aaa88300fca313dd7bfa53797b266f865e20a42e20f3192352ef366f3ccf9dfcbc364b2faf2f6448d4

Download Submit
C:\Windows\SysWOW64\Chphoh32.exe

Filesize
74KB

MD5
1d0bae156ebd093809283dc82feb8fa9

SHA1
c93964a28c2ea346dcbc06b02bd70cc81233a440

SHA256
47b0521e066def4129fcf457168a7f748e8ab42152f90f4c8faf5128cac4c1ee

SHA512
5e8ce3b2a9218c0c53eb398bd205db0dc24ede7bb2fd250dee3af75deb03e5a1169507fce98d71c5a473fd8b72e91a0673499587761942cf0ea3362a6116f739

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
74KB

MD5
299a9dcb9de6f9c0e2b36e832f54f8fb

SHA1
5863e7d327fea310afc8173b3e8f68c93d8dbd01

SHA256
4ba7a2ca46b6db2e454a46ef165acb0169257ec36da55a6ad0eeac2928d927d0

SHA512
f239651beb9357cd4d48af331dc3ceb7f2a5d7e055f91b9c9e942337db349e601b5b3660ac01fc74f87425e7fef4b18d2335dd0737fabb6606a7b5112fa839b2

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
74KB

MD5
af28fd82bef58ffd70190e67c05e8826

SHA1
3e3a128e23d405b1e1a60bcbad5bf4b29b0c1408

SHA256
58a9a33c36831e73554c4cd30f5d4de27f5c8592ad89bd45c2891899cf7286d0

SHA512
ace960b5a705c3ec439a911e2daf7443e207915f7b7ccc2cc861a7f21ba2bfd64581c672108e0f14101dbc34cf999708112e378f2a6e4c56b5ca207e400384f6

Download Submit
C:\Windows\SysWOW64\Cipehkcl.exe

Filesize
74KB

MD5
d364bfd1800b7581cad13e0ba9e511f5

SHA1
7661f3e79cc9078d9cdb0159287a08b660f0a96e

SHA256
eed45922ff5e28fcbaec707e6008b08f4bdf005883833128c9f211ddda8b1cf2

SHA512
29f9b437256c6eb3b112f61ef32d7f070b6f68699f9bd4800111ef0afe391d7c3c56a4c23b7f1614c92800aacf71c8ca0e44edbb4191aba9190706b220fbf573

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
74KB

MD5
e48f12a9ebe4c17e8e782375bfc17c0f

SHA1
6ead58a3e1ed1f83f485059981fc4c630478c4c5

SHA256
c4cad7b3d83160ccce9362a744a407f26da4f2a87b51e2430f20a05d7ec403be

SHA512
1d32f080de84b228697ece6c094e880b814441b1d1c7e4a837053ff0f49eae1e6dad9f1cf7ecbce23c342b55b355f70cd8ab13c03d6d7584bdad909232825b9a

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
74KB

MD5
49d1e79c7349d64ac008e8be48965913

SHA1
c82cd58340a2437e2fd1b86a97585d0c4afcea8f

SHA256
a0d6b49fdc8aaa58b6de8ef7a2cbd31a59d7b741a3c3d62fe2f3763f3ef8f60a

SHA512
2efc4644ba854ee1b9ddd715942a6ed844acdcb81fdea4c3607e0b7bd4320a4b73d3a63394153d7c0425f41efdda3eb28837545b8d77038a7f1eeb6d09905752

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
74KB

MD5
41f39751e33adfd8b274784a55f84cc7

SHA1
8d034832911ef092b4c3f5adfa6c506caa976115

SHA256
2fa59bfbdb1038d123c2e2992dd3dd59aa1f38a5176a30322ae0bb0a8d2962c8

SHA512
ac8bf7af3fa74a860a9c660daf2bceace1d6ee0ce6b8909e76f18a72a6eb94b9fe59f7c7a77c549d846527f76e83e22e584b9c4b4cf6e714f79aa11375882eb3

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe

Filesize
74KB

MD5
fda129aa986d60eb571adad3056cb3fa

SHA1
74e3c8345048820aabc536741d1d1d3e582ca925

SHA256
d250c6ea0c15c2134ac892214ad67427fbde89be51035992cee72fdf8cfa4bbe

SHA512
6cd0b2d49b82f22b34d8a5758414e8f117b7ef042c1029e29685edc5bc8476188e2c8a97db67e11cbe339186a32d9941406692124e65f220750b30e0531a6400

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
74KB

MD5
ab0dac2d89be3270902e86009084d15f

SHA1
9cd953df9a021ba1b56f2c262850f03381d8f3b3

SHA256
f44587abebe90ff5dd5e61bbd46fc91fe349326a40195e3a57a9cf2be91ae31f

SHA512
0719166c68769d23046fb80c599929e3e0c7f08fc32b005c7abcea58bd3bf84d9d3cda89d8c37e5db7f9775b4d862adde87e5aca7d7f827472f3b6d1269e11c6

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
74KB

MD5
7ce7b013adc58b384d2942dab5a95920

SHA1
76f6b264daa5c16ca5d56ceb371c4b1613eea350

SHA256
475c72c5ac5b69c83d073d969b8836b0fe260f4d45d9fab86f65c871b80885ee

SHA512
7adf81c5af1022c3140f61445767e486c66745d39c24360766ee0c0fe11cbf22ba456684f0e24c4a26af4ec9f99db687e8864a1ba223f105e31084f733c06be5

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
74KB

MD5
b215ee6059b09869cb3b881a98e2ba62

SHA1
5ddd0ce1af0538174c21a893d23707ddf69ad15b

SHA256
36a7e168bd039edcc3616201bde690be9de71c80cc457aaa37555c1019cac654

SHA512
b4f6829a5b829391239b63610accaa227cc61902730e915c1f4f29cc8be0f81c960e24d98e763620cdca829e0791d5a719037466e10612f160723908eb41f46c

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
74KB

MD5
599961a973cb5360be3229838abdbf89

SHA1
951f91945226b58d9cbec2dc505263ea276a5b5a

SHA256
6ce0560dacd2e91cbe518bfee8519adb1d4e9e62b0ddf5e1398472db02def37a

SHA512
846386113dcc54a4b99f8b0f75b52ce421007d64d7d5650530684295d121b1e1f663213e26d1988b63ca5438e0ad3c23bfaa41abc1ff60e218e4018dedc0214e

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
74KB

MD5
3731a58a2b97d5a40a54d14375c6ed5d

SHA1
7c0b362b9c04fbb4433adf3e18ee2cf3c5f14605

SHA256
4dab08f127bfd19e06c02b44f067e50209372cd827ba7cf10647140a6ab80136

SHA512
ce0aefcf16cd9f15f9b6cebf8340891092ad2c45f96fabcee12cf04f511ecabd20ad67afcba36bd86aeb40ebc6300dc927e4554982a717922cc06bb73bc16e9e

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
74KB

MD5
345ccd2c04dbf0bf73f728fd5ed53e89

SHA1
c0b0a6eea419b901707245e585a6862986550796

SHA256
074ffcdcd3f8b47f6d668d12a6005859ca934ede01dae76f35395c828a0fafdc

SHA512
99061494adaae978e2adc080684ed6bac637f81da3ff591208d7f8ca398529a3b37df5b91bbc940f0cfd5728cbd92b175af4ccc5e8ac33372ea05ab9ab0a91f2

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
74KB

MD5
6c8b947f745ad42c4d5ffda9f17a85a8

SHA1
0849b5e39ba86d66711455f1cbd4d029540cdfa9

SHA256
b6f357af34507b02c2c58870883760604c1bd43e0daee2feb3ea6b1038bebe92

SHA512
6fcf473ea996b1abe497803c5371c2c91ea24b0cf62ea9258fa734dabed5114ee8778fb8a54fe449ea3e19468aa410da57468f13046899744b4bd9fa77571d85

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
74KB

MD5
243b83712e1d27d518dafd56179aa926

SHA1
00bca28a8b15291d262306c391fb09e30c50e15c

SHA256
64eb65e57a3aabd26a1fe31be48c16393edad21111d6af001d1925ae5b8f64c4

SHA512
0ffa4dfc976960f4c9422b0f1180527c1f5e033977c5cb3755c5194a079fe80e151366790881b74ca3c232b9c1484824b816f2502a9f908b948ed0b0f1d7137f

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
74KB

MD5
f28bffc0ee4854c861ef8a0a77e92b04

SHA1
a722ca09b5b23bafa0473389e86060db7fbbad91

SHA256
66fe09a0343502a73a9bf8d87e4eb1bbb415c1cab5b93b005b3bbcead6b13447

SHA512
e949e5b412b4cd463bc720dd2df1f73b7365bba45adce73970572003748dd312ad8faef51ecab043da755258efdaa268b6edad250f00318007a1eaeaa73f580b

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
74KB

MD5
0d6220d2552d05764c3ec8ad36b52223

SHA1
66b7044b038808f98bd0a296011d915d6f23ee72

SHA256
4ce2b0c25997dc0667f91bd169f4f91e5422d8abd33dd52ece7db4c15cefa4e6

SHA512
b869684c6d2b3ede9fe7adde82eb5753aee88b649d18fa66fd8780981a3d5af8b2ba2ddb6dd2370ce08d3321d922577e6138cf834f12822a3683f4d0f4c8ed59

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
74KB

MD5
37821c82ebf8aded17a10fa1036abbb3

SHA1
caf5f0726b46bfc607091ec5ec2cb4c2a283a268

SHA256
8f640c4ea57db9489b3503d8594d1376e2e15848f7c05cad07a66e6b13c04acf

SHA512
6ded26e43bfbc128ccf53a5fcba77effc0a455e5d055590d157ae66fac45610533194b8bb41739e655998e9b3eb29f28ec71dc06acca6b79b9b19f7d07ad3d77

Download Submit
C:\Windows\SysWOW64\Jeakme32.dll

Filesize
7KB

MD5
f6ca12213ab8c58171d3fee9d0ea7f75

SHA1
2ec86ed0c360c118b452c11f7a8e2e37de2a1669

SHA256
864e04e9286473112113775e233d18be818a2e3f54f8676963249756c6bcdd86

SHA512
1560d50d7bf1cb26dd19c1abe7fb6e78b0ae4acf4524e84b4a802d8ec73b54fffc364e176bb1f94ab279368a735fed44f94e458d7f951c863ee5e838d9ff1dd8

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
74KB

MD5
463611e9135342e14eae459474629d0d

SHA1
0d30eaa930d1598353e5459b17ec12c8d3d7af7d

SHA256
ee2a8f7dea4f463bdb527ecda0daadf26ddeb518f68e107ac13af7eaabacc1b5

SHA512
7e5b3a4f7105440eabad2f2c14707827675549d0f5316bdcc9328e0ede56794c1da8c4672c45b55e59040af0fa090ebce0a05040d708d5ee712832df2886c4a3

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
74KB

MD5
ec313aeb62076f336add73131682cd64

SHA1
8cd5ec43697159ad686f6dc7f143dc13dbb90fa5

SHA256
166ed78ab7ba6aa1b0bc0324f792f4192c4e98a486f517d3386006c5e06f3fe1

SHA512
203e58aeeaaaaeee9e4fe766ebb549103f228c76b311d749fdd31bde9a9bbeec3dbfcbb05cc8edf55ee548d370f1338a384ee14770cdbc993e5ffc986cf5ff3c

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
74KB

MD5
b0c496a9d88dd5a61ac9dad1135d8dad

SHA1
793ff6bf0ae504a2151edf9f0c620fb0f2863e8a

SHA256
2a481cf3de2b1b50311f383106bdb8ecb157d0e44814ebea32d4112ead0d6a8d

SHA512
089da567d0f3d6a45b550f8eaf4f23865cfb0fb7ff8016a9a4634548461056c77f91d3a8838b1fdedaf46b54a65c1370b380e108c2f9521af494d698c86743f8

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
74KB

MD5
e4a424546d0351c541260144daf2afd6

SHA1
935653db905cabd536664c1c83342223e1d8775a

SHA256
ea2db16c02d6f13d8664b3ddab557727e0ad3ca8063b10b62d6d7d6aae49c75d

SHA512
2c7897f0289f7ef72a88be3a25c40076ec78fd920f4ffbadc2600ca1b1839b20832008ef4d8ee7404659d3fe5385dae843e6bea09daf3575122d90aa4dc0c020

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
74KB

MD5
9a37f3899a39797cd2a774fbe91b4e3b

SHA1
285c162d8efd867880dc2a972c672db0c2ed1329

SHA256
e2c3a1126780cf23cd6c4374e24f68d66be11672d9e62487bd6476f0a52fb825

SHA512
1e930550520c1007edb516caa583e7377d86f736f5bae037e8cc85ba29d8467070a16d147bad43dc036d8bf052086d887b2d607dd4535fae3d77e4951314e946

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
74KB

MD5
ba94726c914172e81dc1bdf26aec6575

SHA1
6a71b1830692ba1aaf30acb7a006a8e7c23d0ac4

SHA256
0675b698fa815515f1365a509850f3ab1ee95990b97928cfd4d050336988a478

SHA512
6c50db948a0ce8e69083d9944385a52e2b64777613bee8218045789e8b88662a034f90877723a1be56fade9cf087189ff536c7a87dc516b9411910abde3ff29a

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
74KB

MD5
ba23d2552c28e465a48e87dcaa421fc4

SHA1
e512527be510553eea617ab8361153d481b52592

SHA256
f6240ccea017b3771a5c43f057bcde5b6cf594ce87deb70e251f73526745a0c7

SHA512
2261631ab7811606e89f15d7d05a93ea252220e8afd14d1c42ce6c37463f55f15e8b552c4b65e47b931ede70be5d3879f4b690bc39752b5753f3974b9d31c489

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
74KB

MD5
e6e5f5d0dfbf7d275c67f08c93640c4c

SHA1
92705ea0cdfb3c20ef1ea90371ad49cdedfeea50

SHA256
4e01e90b1a138c612a236a275c4f1c3e16ea73a0ebe6942bdaec25270e8d6996

SHA512
ddf1904e23d0d9afaee7ae14ca8a6dcf70d08fce5cbd1b3c4a5180c5c3987034510d2e8c57ceb58989d5f52c1ac30e71a833bb4b50a84c255afb367c5275015d

Download Submit
memory/208-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/220-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/224-526-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/364-578-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/532-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/608-176-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/636-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/876-216-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/884-549-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1072-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1104-604-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1104-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1396-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1452-584-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1452-48-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1464-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1464-550-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1480-451-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1484-108-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1496-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1516-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1560-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1760-551-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1832-563-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1880-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2044-564-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2044-19-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2116-236-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2128-477-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2140-508-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2144-572-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2164-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2256-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2308-240-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2320-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2324-478-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2336-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2452-164-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2496-192-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2528-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2748-496-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2812-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2812-591-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2820-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2852-542-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2928-345-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3044-253-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3064-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3132-520-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3328-589-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3408-188-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3420-565-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3452-9-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3452-562-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3568-502-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3600-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3620-380-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3628-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3652-152-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3688-168-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3692-356-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3704-272-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3720-332-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3836-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3860-464-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3948-68-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3956-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3992-314-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4016-128-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4044-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4152-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4180-351-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4204-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4256-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4296-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4356-495-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4364-577-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4364-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4456-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4480-149-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4496-446-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4600-405-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4652-29-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4672-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4740-532-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4760-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4804-259-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4808-470-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4816-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4828-80-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4940-212-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4968-284-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5072-224-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5080-265-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5140-592-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5184-598-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads