5c07650baf7c5649c8942926ddff5758bd526f24915dffd0d963c188df897211

Analysis

max time kernel
138s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c07650baf7c5649c8942926ddff5758bd526f24915dffd0d963c188df897211.exe
Size

128KB
MD5

f64193fa26fa5194af54375ceb65b498
SHA1

4fbfce6d69bafc21069b5f78c6b0510f3320828a
SHA256

5c07650baf7c5649c8942926ddff5758bd526f24915dffd0d963c188df897211
SHA512

f29caabe2fe7c027aefac1a4b523b5ac3435b6a5be2406ca2cf9be83f505e5264c6348e73efbfba9d397636fb45ee48efdba7127d13c4d105fb50b95b4191384
SSDEEP

3072:MFhevLTd7LanwUhG7J9IDlRxyhTbhgu+tAcrbFAJc+i:MnevF7La27sDshsrtMk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebaplnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aibibp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipjoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcpjnjii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Finnef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibqnkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkhpfbce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oclkgccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lojmcdgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjlalkmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqimikfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modgdicm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihkjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcnfohmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnobj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geldkfpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggkqgaol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpgind32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koodbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgeakekd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdpni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmpcbhji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knenkbio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlgoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qamago32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llmhaold.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlppno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmfefni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdlmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlfqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqojclne.exe

Executes dropped EXE 64 IoCs

pid	Process
1920	Glkmmefl.exe
3916	Gpgind32.exe
4400	Hpiecd32.exe
1440	Hbhboolf.exe
2188	Hefnkkkj.exe
3432	Hbjoeojc.exe
3084	Hmpcbhji.exe
1128	Hblkjo32.exe
4696	Hlepcdoa.exe
1800	Hoclopne.exe
5048	Hmdlmg32.exe
1496	Ibaeen32.exe
4388	Iikmbh32.exe
4176	Iliinc32.exe
1492	Iebngial.exe
1300	Imiehfao.exe
4264	Iipfmggc.exe
2396	Ipjoja32.exe
2168	Iomoenej.exe
4632	Iefgbh32.exe
664	Ilqoobdd.exe
4276	Ieidhh32.exe
740	Ilcldb32.exe
5040	Jcmdaljn.exe
5008	Jleijb32.exe
2280	Jcoaglhk.exe
3260	Jgkmgk32.exe
4000	Jlgepanl.exe
4820	Jgmjmjnb.exe
4636	Jilfifme.exe
2892	Jpenfp32.exe
1968	Johnamkm.exe
3140	Jgpfbjlo.exe
4036	Jllokajf.exe
3968	Jcfggkac.exe
4932	Jedccfqg.exe
4676	Jlolpq32.exe
4488	Komhll32.exe
4120	Kgdpni32.exe
3264	Klahfp32.exe
2192	Koodbl32.exe
4048	Kgflcifg.exe
4756	Knqepc32.exe
5100	Kpoalo32.exe
4836	Kgiiiidd.exe
1896	Kncaec32.exe
1340	Kpanan32.exe
1976	Kcpjnjii.exe
2288	Knenkbio.exe
4980	Kpcjgnhb.exe
1468	Kcbfcigf.exe
4448	Kfpcoefj.exe
4520	Lljklo32.exe
3676	Lcdciiec.exe
692	Lfbped32.exe
3920	Llmhaold.exe
2960	Lcgpni32.exe
1904	Ljqhkckn.exe
3508	Lqkqhm32.exe
1356	Lcimdh32.exe
3540	Ljceqb32.exe
1724	Lmaamn32.exe
4916	Lggejg32.exe
3856	Lfjfecno.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mfchlbfd.exe	Moipoh32.exe
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Ofmdio32.exe
File opened for modification	C:\Windows\SysWOW64\Cocjiehd.exe	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Kafkmp32.dll	Jaajhb32.exe
File created	C:\Windows\SysWOW64\Dnbjkgmg.dll	Jgmjmjnb.exe
File opened for modification	C:\Windows\SysWOW64\Bdfpkm32.exe	Bahdob32.exe
File opened for modification	C:\Windows\SysWOW64\Eomffaag.exe	Edgbii32.exe
File opened for modification	C:\Windows\SysWOW64\Gacepg32.exe	Gbpedjnb.exe
File created	C:\Windows\SysWOW64\Hemmac32.exe	Haaaaeim.exe
File created	C:\Windows\SysWOW64\Kbmimp32.dll	Lmaamn32.exe
File opened for modification	C:\Windows\SysWOW64\Jaajhb32.exe	Jldbpl32.exe
File created	C:\Windows\SysWOW64\Nqoloc32.exe	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Pdbeojmh.dll	Mnjqmpgg.exe
File opened for modification	C:\Windows\SysWOW64\Dhbebj32.exe	Dpkmal32.exe
File opened for modification	C:\Windows\SysWOW64\Doojec32.exe	Dggbcf32.exe
File created	C:\Windows\SysWOW64\Alapqh32.dll	Nblolm32.exe
File created	C:\Windows\SysWOW64\Ojnfihmo.exe	Obgohklm.exe
File created	C:\Windows\SysWOW64\Obnehj32.exe	Oophlo32.exe
File opened for modification	C:\Windows\SysWOW64\Ofjqihnn.exe	Obnehj32.exe
File opened for modification	C:\Windows\SysWOW64\Cibain32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Bdmlme32.dll	Mqimikfj.exe
File created	C:\Windows\SysWOW64\Npepkf32.exe	Njhgbp32.exe
File created	C:\Windows\SysWOW64\Jbofpe32.dll	Nceefd32.exe
File created	C:\Windows\SysWOW64\Gejain32.dll	Oaifpi32.exe
File opened for modification	C:\Windows\SysWOW64\Oghghb32.exe	Oclkgccf.exe
File opened for modification	C:\Windows\SysWOW64\Pnplfj32.exe	Pfiddm32.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Fbgdmb32.dll	Dglkoeio.exe
File opened for modification	C:\Windows\SysWOW64\Ookoaokf.exe	Ommceclc.exe
File opened for modification	C:\Windows\SysWOW64\Pfhmjf32.exe	Pmphaaln.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmlghd.exe	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Johnamkm.exe	Jpenfp32.exe
File created	C:\Windows\SysWOW64\Lhdbgapf.dll	Paeelgnj.exe
File opened for modification	C:\Windows\SysWOW64\Cajjjk32.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Ebdlangb.exe	Egohdegl.exe
File opened for modification	C:\Windows\SysWOW64\Lhcali32.exe	Laiipofp.exe
File created	C:\Windows\SysWOW64\Mmebednk.dll	Aagdnn32.exe
File created	C:\Windows\SysWOW64\Ljceqb32.exe	Lcimdh32.exe
File created	C:\Windows\SysWOW64\Cnaaib32.exe	Cggimh32.exe
File opened for modification	C:\Windows\SysWOW64\Ghojbq32.exe	Gbbajjlp.exe
File created	C:\Windows\SysWOW64\Afakoidm.dll	Ilqoobdd.exe
File opened for modification	C:\Windows\SysWOW64\Ocjoadei.exe	Oakbehfe.exe
File opened for modification	C:\Windows\SysWOW64\Lcmodajm.exe	Lpochfji.exe
File created	C:\Windows\SysWOW64\Nnndji32.dll	Oiccje32.exe
File created	C:\Windows\SysWOW64\Gejimf32.dll	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Hpiecd32.exe	Gpgind32.exe
File created	C:\Windows\SysWOW64\Keiifian.dll	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Mqhfoebo.exe	Mhanngbl.exe
File created	C:\Windows\SysWOW64\Ookoaokf.exe	Ommceclc.exe
File opened for modification	C:\Windows\SysWOW64\Abcgjg32.exe	Aabkbono.exe
File opened for modification	C:\Windows\SysWOW64\Kgiiiidd.exe	Kpoalo32.exe
File created	C:\Windows\SysWOW64\Bcjfln32.dll	Mfqlfb32.exe
File opened for modification	C:\Windows\SysWOW64\Omdppiif.exe	Ojfcdnjc.exe
File opened for modification	C:\Windows\SysWOW64\Qfmmplad.exe	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Ckgohf32.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Cmedjl32.exe	Cgklmacf.exe
File opened for modification	C:\Windows\SysWOW64\Glkmmefl.exe	5c07650baf7c5649c8942926ddff5758bd526f24915dffd0d963c188df897211.exe
File opened for modification	C:\Windows\SysWOW64\Lljklo32.exe	Kfpcoefj.exe
File created	C:\Windows\SysWOW64\Cedckdaj.dll	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Lacaea32.dll	Damfao32.exe
File created	C:\Windows\SysWOW64\Haodle32.exe	Hpmhdmea.exe
File opened for modification	C:\Windows\SysWOW64\Oiccje32.exe	Ojqcnhkl.exe
File created	C:\Windows\SysWOW64\Aabkbono.exe	Qikbaaml.exe
File created	C:\Windows\SysWOW64\Ngndaccj.exe	Npgmpf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10420	11260	WerFault.exe	509

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdimkqnb.dll"	Jleijb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcpel32.dll"	Jlolpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koodbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ondljl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcimdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qamago32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgiiiidd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baampdgc.dll"	Finnef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnibokbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klahfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddedlaq.dll"	Lljklo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfqlfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqiibjlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccphn32.dll"	Hhaggp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdlmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfandnla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhcali32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balgcpkn.dll"	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlgepanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akeodedd.dll"	Eiekog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egaejeej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnjmilq.dll"	Mcdeeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpenfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedccfqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmkdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbofpe32.dll"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfcabp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedegh32.dll"	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jldbpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcpfdbd.dll"	Eomffaag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1920	2140	5c07650baf7c5649c8942926ddff5758bd526f24915dffd0d963c188df897211.exe	92
PID 2140 wrote to memory of 1920	2140	5c07650baf7c5649c8942926ddff5758bd526f24915dffd0d963c188df897211.exe	92
PID 2140 wrote to memory of 1920	2140	5c07650baf7c5649c8942926ddff5758bd526f24915dffd0d963c188df897211.exe	92
PID 1920 wrote to memory of 3916	1920	Glkmmefl.exe	93
PID 1920 wrote to memory of 3916	1920	Glkmmefl.exe	93
PID 1920 wrote to memory of 3916	1920	Glkmmefl.exe	93
PID 3916 wrote to memory of 4400	3916	Gpgind32.exe	94
PID 3916 wrote to memory of 4400	3916	Gpgind32.exe	94
PID 3916 wrote to memory of 4400	3916	Gpgind32.exe	94
PID 4400 wrote to memory of 1440	4400	Hpiecd32.exe	95
PID 4400 wrote to memory of 1440	4400	Hpiecd32.exe	95
PID 4400 wrote to memory of 1440	4400	Hpiecd32.exe	95
PID 1440 wrote to memory of 2188	1440	Hbhboolf.exe	96
PID 1440 wrote to memory of 2188	1440	Hbhboolf.exe	96
PID 1440 wrote to memory of 2188	1440	Hbhboolf.exe	96
PID 2188 wrote to memory of 3432	2188	Hefnkkkj.exe	97
PID 2188 wrote to memory of 3432	2188	Hefnkkkj.exe	97
PID 2188 wrote to memory of 3432	2188	Hefnkkkj.exe	97
PID 3432 wrote to memory of 3084	3432	Hbjoeojc.exe	98
PID 3432 wrote to memory of 3084	3432	Hbjoeojc.exe	98
PID 3432 wrote to memory of 3084	3432	Hbjoeojc.exe	98
PID 3084 wrote to memory of 1128	3084	Hmpcbhji.exe	99
PID 3084 wrote to memory of 1128	3084	Hmpcbhji.exe	99
PID 3084 wrote to memory of 1128	3084	Hmpcbhji.exe	99
PID 1128 wrote to memory of 4696	1128	Hblkjo32.exe	100
PID 1128 wrote to memory of 4696	1128	Hblkjo32.exe	100
PID 1128 wrote to memory of 4696	1128	Hblkjo32.exe	100
PID 4696 wrote to memory of 1800	4696	Hlepcdoa.exe	101
PID 4696 wrote to memory of 1800	4696	Hlepcdoa.exe	101
PID 4696 wrote to memory of 1800	4696	Hlepcdoa.exe	101
PID 1800 wrote to memory of 5048	1800	Hoclopne.exe	102
PID 1800 wrote to memory of 5048	1800	Hoclopne.exe	102
PID 1800 wrote to memory of 5048	1800	Hoclopne.exe	102
PID 5048 wrote to memory of 1496	5048	Hmdlmg32.exe	103
PID 5048 wrote to memory of 1496	5048	Hmdlmg32.exe	103
PID 5048 wrote to memory of 1496	5048	Hmdlmg32.exe	103
PID 1496 wrote to memory of 4388	1496	Ibaeen32.exe	104
PID 1496 wrote to memory of 4388	1496	Ibaeen32.exe	104
PID 1496 wrote to memory of 4388	1496	Ibaeen32.exe	104
PID 4388 wrote to memory of 4176	4388	Iikmbh32.exe	105
PID 4388 wrote to memory of 4176	4388	Iikmbh32.exe	105
PID 4388 wrote to memory of 4176	4388	Iikmbh32.exe	105
PID 4176 wrote to memory of 1492	4176	Iliinc32.exe	106
PID 4176 wrote to memory of 1492	4176	Iliinc32.exe	106
PID 4176 wrote to memory of 1492	4176	Iliinc32.exe	106
PID 1492 wrote to memory of 1300	1492	Iebngial.exe	108
PID 1492 wrote to memory of 1300	1492	Iebngial.exe	108
PID 1492 wrote to memory of 1300	1492	Iebngial.exe	108
PID 1300 wrote to memory of 4264	1300	Imiehfao.exe	109
PID 1300 wrote to memory of 4264	1300	Imiehfao.exe	109
PID 1300 wrote to memory of 4264	1300	Imiehfao.exe	109
PID 4264 wrote to memory of 2396	4264	Iipfmggc.exe	111
PID 4264 wrote to memory of 2396	4264	Iipfmggc.exe	111
PID 4264 wrote to memory of 2396	4264	Iipfmggc.exe	111
PID 2396 wrote to memory of 2168	2396	Ipjoja32.exe	112
PID 2396 wrote to memory of 2168	2396	Ipjoja32.exe	112
PID 2396 wrote to memory of 2168	2396	Ipjoja32.exe	112
PID 2168 wrote to memory of 4632	2168	Iomoenej.exe	113
PID 2168 wrote to memory of 4632	2168	Iomoenej.exe	113
PID 2168 wrote to memory of 4632	2168	Iomoenej.exe	113
PID 4632 wrote to memory of 664	4632	Iefgbh32.exe	114
PID 4632 wrote to memory of 664	4632	Iefgbh32.exe	114
PID 4632 wrote to memory of 664	4632	Iefgbh32.exe	114
PID 664 wrote to memory of 4276	664	Ilqoobdd.exe	115

C:\Users\Admin\AppData\Local\Temp\5c07650baf7c5649c8942926ddff5758bd526f24915dffd0d963c188df897211.exe
"C:\Users\Admin\AppData\Local\Temp\5c07650baf7c5649c8942926ddff5758bd526f24915dffd0d963c188df897211.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\Glkmmefl.exe
  C:\Windows\system32\Glkmmefl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\Gpgind32.exe
    C:\Windows\system32\Gpgind32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\SysWOW64\Hpiecd32.exe
      C:\Windows\system32\Hpiecd32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1440
      - C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        23⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        24⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        25⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        27⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        28⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        31⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        33⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        34⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        35⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        36⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        39⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        44⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        47⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        48⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        51⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        52⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        55⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:692
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        58⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        59⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        60⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        62⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        64⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        65⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2636
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:972
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        68⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        71⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        72⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        73⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        75⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        76⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        77⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        78⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        80⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        81⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        82⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        84⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        85⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        86⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        87⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        89⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        90⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        91⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        93⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        94⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        95⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        96⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        98⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        99⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        101⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        102⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        103⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        104⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        105⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        106⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        107⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        108⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        109⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        111⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        113⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        114⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        115⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        117⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        118⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        119⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        120⤵
        Drops file in System32 directory
        
        PID:6276
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        122⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        123⤵
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        125⤵
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        126⤵
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        127⤵
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        128⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        129⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        130⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        132⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        133⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        135⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        136⤵
        Drops file in System32 directory
        
        PID:7028
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        137⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7112
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7156
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        140⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        141⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        142⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        143⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        144⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        145⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        146⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        147⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        148⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        149⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        150⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        151⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        152⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        153⤵
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        154⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        155⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        156⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        157⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        158⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        159⤵
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        160⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        161⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        162⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        163⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        164⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        165⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        166⤵
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6992
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7148
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        169⤵
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        170⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        171⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        172⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        173⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        175⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        176⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        177⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        178⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7256
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        180⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7348
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7388
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        183⤵
        Drops file in System32 directory
        
        PID:7428
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        184⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        185⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        186⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        187⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        188⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        189⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        190⤵
        Modifies registry class
        
        PID:7720
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        191⤵
        Modifies registry class
        
        PID:7776
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7848
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7892
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        194⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        195⤵
        Modifies registry class
        
        PID:7968
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        196⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        197⤵
        Modifies registry class
        
        PID:8052
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        198⤵
        Drops file in System32 directory
        
        PID:8100
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        199⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        200⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        201⤵
        Drops file in System32 directory
        
        PID:7212
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        202⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        203⤵
        Drops file in System32 directory
        
        PID:7344
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        204⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        205⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        206⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7636
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        208⤵
        Drops file in System32 directory
        
        PID:7692
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        209⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7856
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        211⤵
        Drops file in System32 directory
        
        PID:7928
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        212⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        213⤵
        Modifies registry class
        
        PID:8076
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        214⤵
        Modifies registry class
        
        PID:8132
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        215⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        216⤵
        Drops file in System32 directory
        
        PID:7308
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        217⤵
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        218⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        219⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        220⤵
        Modifies registry class
        
        PID:7760
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        221⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        222⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        223⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Fgmdec32.exe
        
        C:\Windows\system32\Fgmdec32.exe
        224⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7384
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        226⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        227⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        228⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8088
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        230⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        231⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        232⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        233⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        234⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        235⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        236⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        237⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        238⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        239⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8252
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8296
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8340
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        243⤵
        Drops file in System32 directory
        
        PID:8380
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        244⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        245⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        246⤵
        Drops file in System32 directory
        
        PID:8504
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        247⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        248⤵
        Modifies registry class
        
        PID:8588
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        249⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        250⤵
        Modifies registry class
        
        PID:8676
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        251⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        252⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8800
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        254⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        255⤵
        Modifies registry class
        
        PID:8884
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        256⤵
        Drops file in System32 directory
        
        PID:8928
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        257⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        258⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        259⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        260⤵
        Drops file in System32 directory
        
        PID:9124
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        261⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8224
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        263⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8416
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        265⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        266⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        267⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        268⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        269⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        270⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        271⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        272⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        273⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        274⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9060
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        276⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7668
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        278⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        279⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8512
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        280⤵
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8576
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        282⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        283⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        284⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        285⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        286⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        287⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8396
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        288⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        289⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        290⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        291⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        292⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        293⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        294⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        295⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        296⤵
        
        PID:940
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        297⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        298⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        299⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        300⤵
        Drops file in System32 directory
        
        PID:9228
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        301⤵
        Modifies registry class
        
        PID:9272
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        302⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        303⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        304⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9400
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        305⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        306⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        307⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        308⤵
        Drops file in System32 directory
        
        PID:9576
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        309⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9620
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        310⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        311⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        312⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        313⤵
        Modifies registry class
        
        PID:9796
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        314⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9836
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        315⤵
        Modifies registry class
        
        PID:9884
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        316⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        317⤵
        Drops file in System32 directory
        
        PID:9968
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        318⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        319⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        320⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        321⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        322⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        323⤵
        Drops file in System32 directory
        
        PID:10232
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        324⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        325⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9320
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        326⤵
        Drops file in System32 directory
        
        PID:9388
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        327⤵
        Modifies registry class
        
        PID:9452
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        328⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        329⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        330⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9640
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        331⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        332⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        333⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        334⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        335⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        336⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        337⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        338⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        339⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        340⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        341⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        342⤵
        Drops file in System32 directory
        
        PID:8600
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        343⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        344⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        345⤵
        Drops file in System32 directory
        
        PID:9696
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        346⤵
        Drops file in System32 directory
        
        PID:9816
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        347⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9892
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        348⤵
        Modifies registry class
        
        PID:10048
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        349⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:10124
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        350⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10212
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        351⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        352⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        353⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:9476
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        354⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        355⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        356⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        357⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        358⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        359⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        360⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        361⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        362⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        363⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        364⤵
        
        PID:9364
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        365⤵
        Drops file in System32 directory
        
        PID:9976
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        366⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        367⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9540
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        368⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        369⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10268
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        370⤵
        Drops file in System32 directory
        
        PID:10312
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        371⤵
        Drops file in System32 directory
        
        PID:10356
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        372⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10400
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        373⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        374⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        375⤵
        Modifies registry class
        
        PID:10528
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        376⤵
        Drops file in System32 directory
        
        PID:10576
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        377⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10616
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        378⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        379⤵
        Modifies registry class
        
        PID:10704
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        380⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        381⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        382⤵
        
        PID:10836
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        383⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        384⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        385⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        386⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        387⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        388⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        389⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        390⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        391⤵
        
        PID:11220
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        392⤵
        Drops file in System32 directory
        
        PID:10244
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        393⤵
        Drops file in System32 directory
        
        PID:10320
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        394⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        395⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        396⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        397⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        398⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        399⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        400⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:10788
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        401⤵
        
        PID:10856
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        402⤵
        Modifies registry class
        
        PID:10932
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        403⤵
        
        PID:10992
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        404⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        405⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11104
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        406⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        407⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        408⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11260 -s 400
        409⤵
        Program crash
        
        PID:10420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:6336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 11260 -ip 11260
1⤵
PID:10368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aibibp32.exe

Filesize
128KB

MD5
4aa77fea3cfbba4482899605b6148762

SHA1
6207569125fd58cfcd0d8ff6aa626b5e0425bf64

SHA256
5f810c57f4a5afbe3e9c464556bf76243ec7dab4ed2f884c6554c11188d48aee

SHA512
d745bfd583073d9eeaad54c3ebb9d216155b436f0eb418aca418e196e745fe726721200ae37b179a77442d714d9816f48d109f08e7f0c7b7a6b8eb2a4dd588d6

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
128KB

MD5
1e7cc9f1f41283536454f7a224bbb70f

SHA1
4ab7e511f6784442dc224af322749bb98920902e

SHA256
65ab516623e8959bceed37ddd42639bc65bc4dfaf33c30486e7b12eb0fdf3b62

SHA512
7c89ad7aa75e6568d9f2c5acb38c4612e6252755498f66d776b20961e0d4914dfc8646c5bb5aa3dd417c5132cd7483ae3058012ce4afce305ab0823ded2ae852

Download Submit
C:\Windows\SysWOW64\Aogbfi32.exe

Filesize
128KB

MD5
dfe8e67e7bb99d997711cad2fbb0f13c

SHA1
efc5c3322768b8a7ade1e12cfe68049a6685f5b6

SHA256
89754a3f7abc732b26e02e83ba03f7e47fc94775458b37c9ae079c3948774080

SHA512
f7988d6c7b2dc91f70121770dc3bef4abf2ea61d4c20b0ee3f279c9974e6a4e14c4e686e0936c87705a9701864934497e1cd44cb5b558df279fafb543da32319

Download Submit
C:\Windows\SysWOW64\Bbdpad32.exe

Filesize
128KB

MD5
4afc7528956f868d4442f0555df29dc1

SHA1
d71529c99038a601c28d081235680d41304675a7

SHA256
f3b170d0dfb090c62b4ae4cedc6b645246e6e38ff1710ede1c2b834943610715

SHA512
7d8e37358eb48b4ac4171e3b491c90df28b4de7c477e0f1736e86f9c55e1e91b59c64f693d8bcc10ec087a8909e0dbdd1f7d401f88bf802eb65abd9433b92523

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe

Filesize
128KB

MD5
e303dd23fccbb8551185f0102761b4d2

SHA1
b0e6d47781c5db129f7c0c6ef23b3ce56950656c

SHA256
b62e32828900b1fadbb4b2ffda237f229debccdcc3b4dd542a2df7476fc09b1a

SHA512
98c21488547bfbe0dc8c9a764407e71416349384a8b1f0869058ab3ffa7b3a5dc98ea36c3410d60c00e6d9b0a634f420d330eb282353eb7e01e0b16e1e108906

Download Submit
C:\Windows\SysWOW64\Bdcmkgmm.exe

Filesize
128KB

MD5
75046611af3dd74d12b453d08b5614e1

SHA1
efc154bb01e9308fe77a3c08f8d625ef3daac193

SHA256
8b647ba766dfbdbdb4664a3d617ebe741123bc0db5f441e2f800dbc44e5f35be

SHA512
27fa9195a8a791eb326c69691b9a9fbddb8befec96a68d7d89da89d86e65d00a84c2181089c04189744d3bcf5788c47e606c05159d42fe196fc5af32e0fedd6c

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
128KB

MD5
71acc3bd421eb34352258394c69f6510

SHA1
466000e1b9ef21fd07682f667f6c0b3df23a4a61

SHA256
5d8f30c48071bde370f67d36138c55944ac06135026a89b5957233ebcfa7a6f8

SHA512
d8008fbb15ba7b0c60df5e519698bdf957e0d7cc619290dc35577d28c7359282fd0b45e9c9717f92ca4290fc0957ca71814d79ebba406908e12efdc0179dca7b

Download Submit
C:\Windows\SysWOW64\Cienon32.exe

Filesize
128KB

MD5
5ebd4f107bdb946b8354bdbc11ef07f7

SHA1
757527f8ec6875a26873c40da34052016bbed334

SHA256
8a25ce4f8869175e6381f50b187c53d97afaa18c980ca6c8fd1ac0f668015345

SHA512
5a67fb2b6ef5556a217ecd6418d90c3370d5f8b3bc487c6a73dbb37ec9339c38859ffd9c49319ec92914e527c14594365db69297837183e6bd4c9a2e613ed681

Download Submit
C:\Windows\SysWOW64\Doagjc32.exe

Filesize
128KB

MD5
b5db20dfc732fba5c845872d66cb7e58

SHA1
9a56d88ad11b4066881b0191ff732e52b6c37c98

SHA256
a1a1a4d28b804bb1780e57a8e23bb0b33e54a45546bedd82b2c72a61c604d8f0

SHA512
4f764235ffe1dee1336cb60bab99f244bac740ff433d7d69a85bcac4c6fd343ebaa655d81e9533132d91876887b5f6c052a1b3114bdd95814c31d1042b405828

Download Submit
C:\Windows\SysWOW64\Doojec32.exe

Filesize
128KB

MD5
836ee7e7c6fde8c2d21f060d2d695ee8

SHA1
880e5e52cc83b80559b62dbad90fa2f293abe95a

SHA256
d8a1df1424e55500d6b800713a06084975a224a2a0596c571594754b2d901e03

SHA512
7ccededed37d90a6977f4f66b8e210df9a9bd1f84b5efa8c7f4e5873549b63ed59adef72d6a8f76746212d7af89bc819e9ff76b176fa19fcc13630e340254638

Download Submit
C:\Windows\SysWOW64\Ebaplnie.exe

Filesize
128KB

MD5
4ac5f407b5abfc16dc98a011773271a9

SHA1
5fcf8374e2dfb865cdac9ca9b5c3ac36f9820721

SHA256
068b6fd9d80a0e93acd3d19e0bc1fd78683b586bef2171eac3ad5d52bbedd3de

SHA512
74c9cf0a0ad6630d52d1d31d8ce3860861690fe9a1b5a1f028c2adb5179d62a50123fe48ee987ca564b9bd7114dde07fb70e3cd1b22b6267daa3a11ca642d786

Download Submit
C:\Windows\SysWOW64\Eqiibjlj.exe

Filesize
128KB

MD5
1da7fc7f4ee8a3c08808c90fb55392c3

SHA1
08055b467bef9b77b66b4f548b2d82e85e5c5bf4

SHA256
aac0ed9260f7165e1079acf6338c5f5deebbf6c9b0646db511280176bf45c161

SHA512
d0355e1b93e614b49215cc45b3b0ca967dbb2aa9899161bfe65b362e6c4b812cab26916f8c05cf039b0c8b3c207343dbb4b6fbfe71871b57c9f4f7c42ce1a552

Download Submit
C:\Windows\SysWOW64\Fniihmpf.exe

Filesize
128KB

MD5
8de067f699b96c136db9a17bcb3bc829

SHA1
f93dab79b5212b22a82c858516f53bc0609a3a45

SHA256
cf6ef470c72b9d0eb176936310e38c806d56b0ed9bcbc8b76f378bf84700d581

SHA512
124aafed4709e9375ea311eff6c17ca4468be29fc3a07b1769314c127dd67547dfc316c4068fc3a6be9c27efd65185434240853c7298df351a5bb86caccf1edc

Download Submit
C:\Windows\SysWOW64\Gbkkik32.exe

Filesize
128KB

MD5
4478d96fd576ff0ea36cfe5fd5db13e8

SHA1
1909dd1adca26268b70761b5bbd247d6e44b50a5

SHA256
166425e0eeba3440bcc3646f42a0f78a88c682c8e6548e632153c51cd2ee2d7e

SHA512
fb7cbc6c2b72dfa27008b15f8a0867cc409729bc93736fdd251327a9a7bafff233f55929e36760031beabd00c9f4450cc5358b49f9f5feadd046f76b4bc204a6

Download Submit
C:\Windows\SysWOW64\Glkmmefl.exe

Filesize
128KB

MD5
cf397519b01516a0d416677df192e8e0

SHA1
c31bb7d4e0c117c538bf75ddbccb0f434d2b593d

SHA256
c6e6868a6ab973ac3f51c91107dd1be99e758521695751c3b070ec4dc91e2d3e

SHA512
2e933069a48e80358ee174a715d917bb1de56d7ec7d66269168a6eff7469dfb5e605e061f04004e4c6d987dc89e737089f83dd4349bd5349b973f42bd1f5257a

Download Submit
C:\Windows\SysWOW64\Gpgind32.exe

Filesize
128KB

MD5
2a8962ef1fc04b24f21387c3e5333d35

SHA1
5fe8ca7c7736477d3bcc86e287dcd25e60620ac4

SHA256
578c968c57f3f05d03926a9f13c910054c95cb9b03679b5e575b1fb089dcbf64

SHA512
9f11ed7115d090fe6ee303fffe23aa8f9a98f3563f5f809253e71df30bf723617baa1172c43cf210d883637e4ba0375168e684c81311ae6f107a3e62fb061831

Download Submit
C:\Windows\SysWOW64\Hbhboolf.exe

Filesize
128KB

MD5
3b3e5b7e5ca417758865c5d44afbc0be

SHA1
64ae44c9376191c721b7eb3121060abfa71d6701

SHA256
6f605226a7700e787aa35143c3d03316f441b2f3072bad7a0db27565b3ef74d1

SHA512
f17141f7aa178b6d030bd54bbc79c42c9665445cf4db967b4699908340517423aa314f3f874fcc397dd9c25de2ba119b3a93df57a9b721667082d544e21bdc3e

Download Submit
C:\Windows\SysWOW64\Hbjoeojc.exe

Filesize
128KB

MD5
57bc3433a66fc7cca14bd11f263fe48f

SHA1
388680c5d21c7e9b1612c9c2882423c08a43881f

SHA256
c88da4e392df19fac7f4c8f4d3b8f635edcb5983b164a11d8cc998a91a1f9a01

SHA512
a788f81338580c47a2430c5021a8a2e5887c89e4c15c714fda7f3a0573ec4a5468ba4dca5ca7e31dc0b326cb43dd6a11b582160d1363e926aeee8e8f3099bd6a

Download Submit
C:\Windows\SysWOW64\Hblkjo32.exe

Filesize
128KB

MD5
c59a9f8451546ce57834d3a10bae24f1

SHA1
ed44d27faf8f97c36ffc080e1be1042256e89e42

SHA256
bbd84985a64488aaea9fb5fee80117414dc9cc882677dd416a02a199f0edc0d7

SHA512
8b22e61fb30293a626c4d7b23c9f87e984856f5c5abed2446be87306549404fdc5c6a1d34ab53a0a55f3983158418bdc52136daa1d699d88f27669513cfa0d33

Download Submit
C:\Windows\SysWOW64\Hefnkkkj.exe

Filesize
128KB

MD5
9ffe61367c9c42203283effa2e1808c2

SHA1
4b5219cc993602e6d93564b18949cee4be70bccd

SHA256
f413094dbc857e8c412e5a5a0652460471684e610d12e8de1b1fa23fa58a9bb7

SHA512
5ed885222f400865ac00b1fa0712dbb2b3ee9a19d262d7ccb0f43ef6cd5c82e0dacc1a12e3e4cf91f883b87564e3e049e35b68fafdf6c7d14d064a117315aba7

Download Submit
C:\Windows\SysWOW64\Hlepcdoa.exe

Filesize
128KB

MD5
733fee2bb012a621ba6f6e0b0969a125

SHA1
3fc98add59185cdef9111def452e3a1e3171e1f2

SHA256
452281a464f3454a15f699a66c7fde147116b052c2250476b68184f8a38d4547

SHA512
50ff110e25819e9d2ab35e69693cc716c953239bb34f60484b1870bc074f1c7dbed59bd3c180ec68b6b9cd11e8c5217b1956dc85446ca70d75fdc35d69f2879f

Download Submit
C:\Windows\SysWOW64\Hmdlmg32.exe

Filesize
128KB

MD5
683098bec6ac5e747379c1ad11443aa4

SHA1
c93476de6f2f18179e751296ecaa0220f3d186e9

SHA256
208b47a40b1095019426578bdbc3102ee435a4ed102751fc38aa4da795e7eae2

SHA512
91ea0e627d1caf101197fb0b72e5a365ab3197b7f801e436ff2c702f70b6ea2f3ea21a98af1c6713a5b9e1839fd85082d1ce80dd28ef51861e3b16a5ca60c97b

Download Submit
C:\Windows\SysWOW64\Hmpcbhji.exe

Filesize
128KB

MD5
ef729140a6f0a23337bab6ad43e86244

SHA1
23d9d9af768f50b55e8900fbde3633e3755da24a

SHA256
bd447daec0207a70905d0c0b9950a24771f1b1fed2dc16e1beb94e9eee5afdf3

SHA512
348fa117d1c9054a1a2fe6f1874b44557e95a0022ad650fb84f5c352a25cb4257592e31920f2ac9a3baeb1dc8b657eca0981de8c79d8f39c66e4cc29683a6a98

Download Submit
C:\Windows\SysWOW64\Hnlodjpa.exe

Filesize
128KB

MD5
93b2e9092984fbde2addd096989ae81a

SHA1
a3644cefc060a627fe457b09910ef6c69a258327

SHA256
c9cc489cde9fa35fe11b0b13676a4fe36320363cf308e370af3977599810e2b1

SHA512
59de79c837feda0a32d541bfc4f2e5da2f78d2090e20f0ffde9cb7445faddffc04fd85e677ef0fcae9df28a1cccbbcfed3deda16649f52c4686a96e6143a9f66

Download Submit
C:\Windows\SysWOW64\Hoclopne.exe

Filesize
128KB

MD5
f0a2ca664ac428be9b90074249c626e8

SHA1
e5e6bc7d27026384bbf0101cf78415f79ea4563a

SHA256
476eda43d55e17e8c4002c53982b6c85d7f5e02ed5ea7f13ca26c20e3c21fd77

SHA512
a64522f046a5c6d2b7adecd25cbae027eb33bc148bd5dc5cbedd330a4c26a8e0e470a318130e67b8e0eeb787040aa10aeeaea44d0ef15d92c6e0188006254839

Download Submit
C:\Windows\SysWOW64\Hpiecd32.exe

Filesize
128KB

MD5
50ad51d7b64dc4f2d372f3001891e8a1

SHA1
39687312b067c28c6f4efc82db715c6a3f31245a

SHA256
1cd9e7f04540f45b3af5b4035a1dc616690dc18b669bd6b558c6aa1e86a415a1

SHA512
be63e54b4eb7993c0c436618a77dddd0019e040146c2b333f872c95d0f3af9e2fa3b12f323a2cae7c2e58ee92b2671c3b1e56d70302f4147f479747876042da8

Download Submit
C:\Windows\SysWOW64\Ibaeen32.exe

Filesize
128KB

MD5
6aae4e25517af88673fed06f5a883487

SHA1
ab63677bf04018b0072c99f055595e28d552ceeb

SHA256
0834c4d53d4fb2d3789bff3693deb20987aa7dad8058a636252d3e501b9f0ab2

SHA512
984642f4107f6116d435a798f9f8c2aaeba07a4e7f33193e5294a22771345264e8fcbcffd721041636fc279af73fb6468aa3abf45bcd3b1fb5ec04c7920e43af

Download Submit
C:\Windows\SysWOW64\Iebngial.exe

Filesize
128KB

MD5
9bb51a57c17f63d326ecace7681f487e

SHA1
c7b7a3f5c77405c0f54ee6e796fe4a92fbb81e91

SHA256
00595752e1f900885ff237a0323b6cb89302593de5fbd735cea5b45a0c78e1c5

SHA512
994dbb1697b3e11643cc6eb8b1b894aa74237c9c26b8fb9a3bc2052f91518e685b3ab428126406e3926efae9d779df563ebed464177404060a58ecd2d1773372

Download Submit
C:\Windows\SysWOW64\Iefgbh32.exe

Filesize
128KB

MD5
b97a8d838d329306be0cbf880b645a22

SHA1
76fce18fce67375756fc6540d7a8ee30bf56f725

SHA256
e691a0879288a746ab6a44951e0ad59cd62c298a7ca7fe84e5a4c0800733a313

SHA512
21e64b1b1b103a0bbea07bbb0bd88b8b9f8b2797850afac9ac5b3c94432c9372808babd06d7aad3ca020c05e16dc133992837bf7ae14411e1f03cb24cf2aec9f

Download Submit
C:\Windows\SysWOW64\Ieidhh32.exe

Filesize
128KB

MD5
50dbb4c5dc74190496156e2b50e23a1f

SHA1
cb264c04cec4b21b39bf9beb252b9fd4a61cf070

SHA256
35de8559b7ff6a58a415737061ad0283478d25605d4a7a2feec2c9e916ddf32a

SHA512
317144760ca9c25ea04ef72889a8daf6fbcc3f3d29b722d132fbe51ff1b0dc8e313d844953750c2e4be94d091bba30bff62b0b2165d4efbc073dbca29785ae9d

Download Submit
C:\Windows\SysWOW64\Iikmbh32.exe

Filesize
128KB

MD5
c41bf245e91ed46559c570c2976a62fb

SHA1
fbd584f6a2b7a77c0082a2e89feebd051dc2da68

SHA256
16b57375276c968ea65fee97265dbd6b1ac687e85d22680de751f63f05ccf0fb

SHA512
cf5e5e89d2790728f38df24e551b9e27c6b239a9d3a2b33faf97493966f972bc47145156d6f9e8d516b94b335272c130fa0ab75a46e45ceb700639202b65961a

Download Submit
C:\Windows\SysWOW64\Iipfmggc.exe

Filesize
128KB

MD5
c4a372a4b1d0d2390b5519c861deb034

SHA1
7e831753f97bfa5cb6ce6063c37a7c2d6b4b2279

SHA256
6237178c027462980dc768a3983ddd6943846849860471685dca3c21704d9c77

SHA512
76a5395769157fc7f3314bbdec1ceda59df338524065cba5b4b70e8bc5af15adf5b256f282a54180ba7d5a2f4d9f7e5fa6022702ad5bf544cf5e2726bc966ec6

Download Submit
C:\Windows\SysWOW64\Ilcldb32.exe

Filesize
128KB

MD5
ea7387bece97651176b291ede11e0067

SHA1
8dfab14576d81146a48dbda678001b968f6c2958

SHA256
853abbafaf7618db8c96d3dccc1025850747894d1d2123f82d4eb33fa4cc4ca6

SHA512
7d35d531f328b20783f2a41ba0e33e784b0524e97bc58d96f03a0b3f6c734277f434c0cc1dc6fcb4fb80a991b2e5bc15bce64be36e08a3b1670839e08d123ba2

Download Submit
C:\Windows\SysWOW64\Iliinc32.exe

Filesize
128KB

MD5
095e5cb082dafc5232e7341741b585ff

SHA1
a7f00e48ced92dbaab17c1e25f89719eb1797005

SHA256
021119fd0d2402d6b93c714307fdef9aa3a6175df3485c0d39e35c5d631effde

SHA512
de71c62d5d4f682d8ee54955f773183a3d68757c592c3c900f86fd18f93b41302dcae11c4bbdd5bbfb48c133393b35a7979cddffb7a24f2aae3f9829d213abac

Download Submit
C:\Windows\SysWOW64\Ilqoobdd.exe

Filesize
128KB

MD5
88e917e0ec772aeeb550ab3a3e3a54be

SHA1
29e615af1fe70272b91386925459f748dec56263

SHA256
75a5e91090c2e3e4e5afc20223014ee2706c0981cdcde826e6c28e858960d838

SHA512
414cdbb3f43fd6f473266ac8f64e6cca8b5e3b9d9a018d076631eac753c514352d9fe023bd858ecc5179cbee707e40cd18e3b11e96e5abb424197d4390f28996

Download Submit
C:\Windows\SysWOW64\Imiehfao.exe

Filesize
128KB

MD5
3b63495cd8b6d5829250f7eab1aff02d

SHA1
0f452a2832c4c10fed9dbd87d70b543867f56516

SHA256
bf837e6269ab7b7f6410f5425d5b56900a2f82b593a772d39326d44ab6884d95

SHA512
5352cef7c1c32d952cf8d3e2c1da9317956d7fcfdb4b39c15a0dd19fe466108e601f2dd9c2b0cde70075490a299b65d2806750fb581454b0c09b4ea5c24389da

Download Submit
C:\Windows\SysWOW64\Iomoenej.exe

Filesize
128KB

MD5
d65edf1d910151bf32880487d531db59

SHA1
3e97ed1f9138e84f2282a2ed7c6a71c4ee7d85d3

SHA256
02eda8e4037e2031e449a8ae57ff7cb383bca9623c742330e5924507625cc3c9

SHA512
9a88dea68318b7faf77f5f4e7662613f34353a744e0ea8054e837221dcb6eab2bc9a75e7a0b9a822b720f94662f4ab30d857b56d112fad61c3f29dcedc30d626

Download Submit
C:\Windows\SysWOW64\Ipjoja32.exe

Filesize
128KB

MD5
138beaa2b3d56beeb74f6d6525599675

SHA1
2fdc11c541cd578815bcbb62503301ac3f24aeab

SHA256
4c52a1494c60a2454b1957450ac2c2f7d4d63c099b305d66891b53851894b8e6

SHA512
8ebfac1bed0aef3c1b31701739f0cd17853b7fb8a88079d6b77211dad8f03052957f4c49e0d3f4e8fce604e7951fc9579eef692da07295d813f486b990601bdc

Download Submit
C:\Windows\SysWOW64\Jadgnb32.exe

Filesize
128KB

MD5
d720fb2105f6dcf5f313407e32d89ed1

SHA1
ca8bdf1c3f63f291174232d6764ab7dd924b5492

SHA256
78d0e46da0db326e0f57fdb600630a2edf508ee76ea5d976f2792776acff0248

SHA512
b85c8ef84ef29dfaeb2b4c0b69a9232571ebb385f5e935834c62b007aa6b0c843acb4a2cf58dd1ed8899f8ecc40f4c4761235cb42d3f2eac108adcb7e95c90a6

Download Submit
C:\Windows\SysWOW64\Jbepme32.exe

Filesize
128KB

MD5
ad35994985ca282aeea9fff8d3d94cc7

SHA1
47ea5c00bb867fe8ee52f3020f09b28e1734bfc4

SHA256
467b63d856e056852db37be275cd0b13595cc2effbd706b4d73da6e692d97576

SHA512
4b73e8c50c5e50e9aec0bb41266932892ce0775e3879ea40b27e160d877d2fe52827ea9ad290298d9324333a89ac131feb718794f21cc967e0a68949dedebac8

Download Submit
C:\Windows\SysWOW64\Jcmdaljn.exe

Filesize
128KB

MD5
1a168ddcbb664dad71ac37a3306214bd

SHA1
6f2b91bdd4a45f3553e2ac8bc49780befa7f3ff4

SHA256
c88c7e8a8f43212ea59d75096b880387710d15a2b9d59896795398fbea080717

SHA512
71d71ad89fa9a54fb57f1605a39c00ec12eeb5962ba4de0bbce2ac14fe403837930a01c0e2b1c94c7f3715eecfb27ea9424e84fdbbb36d9594727cefbca4d3d0

Download Submit
C:\Windows\SysWOW64\Jcoaglhk.exe

Filesize
128KB

MD5
27120226d334214b4dac8c5ab3d20bd6

SHA1
caa36af43532d7f60085968c7985a61905a501c5

SHA256
1d8d2b452e105d103f1cc5efee1b77c4cb3ed8f31f9a7b041a1e2c930fb81d30

SHA512
22f48a10e1ea2f26756d46763438785e0958bcfb167688beb98e7e53bb602f71eb6affbbcf4744a10f1527297747512ac8a963b8c91ff92e346a4f056ecac0d5

Download Submit
C:\Windows\SysWOW64\Jgkmgk32.exe

Filesize
128KB

MD5
312aabc17ed1ff29bb5e4019d5df76f4

SHA1
a96334b103b4abf34fe4917f0d147aa6bf7a1384

SHA256
5218767ca25ba97975e170dbefb258c674fcaf7d70e8883826d520cd257a628f

SHA512
14588b2add251076b4c7f50e13ae9217c49f3b5205b9cd83078af251815468d7c51a66bbbcdab6ad18586e8b4dce200cd9395d1c10043080cff986b0f0b46688

Download Submit
C:\Windows\SysWOW64\Jgmjmjnb.exe

Filesize
128KB

MD5
ac5e55b283861dbff5ddefb45b0a7fd7

SHA1
3085d141bf019114ebdf5bf237f98a74f28ce612

SHA256
ee23b54d0898e640e3e559a30ad3be413100ad1e6bb03ebc6869b3f17c37da37

SHA512
fc8f3f58a777f2b33ebbd567da31b8ce91dbace75046cb9c4e7ff45d86eaaf51b9a693a3d3a5af7b2b274c57b007523cb8a32e81995f5a6c1196fa816febe015

Download Submit
C:\Windows\SysWOW64\Jilfifme.exe

Filesize
128KB

MD5
a01485099c9704cc9858291269845cdf

SHA1
c96556a925a65456138718370f2949e22b6ed406

SHA256
b4230e24d4144d55f9e2df023d33490d94c0da41a9255769095bf67d5f478bad

SHA512
82d2597bfbf8fb5914eb00888204808c5cdeac2445aee57f2abd77c18843e956f7a4f1d3fca3bf750cae68fda0e13bca2af9cba2cea77a9c706dec2d3b765fcf

Download Submit
C:\Windows\SysWOW64\Jleijb32.exe

Filesize
128KB

MD5
34b511a7d726b1f88dd2ac0dd1fef6e3

SHA1
26fdf100bfc9097cffd6a484c44149a15d1b6664

SHA256
3c31158ee0d0e7193c2a6358e5054881172a4beb5d0a21a0e1d28b6330de79dd

SHA512
051e9a32154f4bc7cf769236bc02db7889a70cfbb5f89e2fbb3f3d57d2e18086b046f0889311788b53fe77f03ccb466a5120231e2c7727f4a46233d18006ad24

Download Submit
C:\Windows\SysWOW64\Jlgepanl.exe

Filesize
128KB

MD5
1a3b934116d639a4ee9b2deaa2a6fb95

SHA1
5233d0ab10b84501330da8ed2a5060eb345d4749

SHA256
2fc27d1aadea4dc3152f254f3e3ded5d77de33f0ba807ae4e139aca6a3bd3c11

SHA512
3cff7e4f007bd1c22af9febf467b3ccb47b8aea1eb25648272a4bcf2c038a8f72ce8a203816443ebf08b64fe777e9993c10653adc9a946981190b77c13370e5a

Download Submit
C:\Windows\SysWOW64\Johnamkm.exe

Filesize
128KB

MD5
455225045ce1e05643e230b86fb4cf30

SHA1
b0717c54d0273a82e6713c16ee35bc93493848a8

SHA256
8ef8d7c9c013ac27c1415f4aa0d14d1b76e6f58f860cd40d02590c90246d5842

SHA512
876d20bf8727af3ce045a25461685a34043fb1dedf7964f3048f97ba8d341cdb036c4b7571938f590793d2915b03f554eb864cdfb48751453099cba229faf7f0

Download Submit
C:\Windows\SysWOW64\Jpenfp32.exe

Filesize
128KB

MD5
7dcebf2d512172ed732223a9214b8d38

SHA1
a44f97e617d703afe6e75b26ed491f4bad1a7931

SHA256
59d597ff06fb01f74ccb38ab43e24c49bd6adf71439ce3a20ac38166564be205

SHA512
ca957425a6c9a71b12f932e08caa9870303ceda353a0664ef9d3eb5ae0a80f009de6a2629cebddbb06f44b8dd7e2f941d8a55c47ce27e00ce0865d03b53b2e43

Download Submit
C:\Windows\SysWOW64\Jpnakk32.exe

Filesize
128KB

MD5
583289a0b5ba63005f75396b4c4259f1

SHA1
d3a4db478dc3d0e9f5eb6fce01bf8bf727b585b2

SHA256
79f684105400986cef4a05c4067f41038c62a20c76ef936beacdbf3a5adf0d2b

SHA512
34925bae3be32d4151a15c62396997347b8e1bb7ef0f55bcca272ae3fa5b0a2212f98e2725ef3c46e2397fb35b6dc1d854e2df886bd97b669cc12d74437809ca

Download Submit
C:\Windows\SysWOW64\Kakmna32.exe

Filesize
128KB

MD5
039c807ddc218c1ebc76237118b82d2a

SHA1
f07d66d42ef9d2882c3695ef8ffdf0a8cdd4052c

SHA256
a71d4310202cf7f6959924d76d9030cbdf9c7684b7805836657a97fe730a939f

SHA512
e921d39f21c01fb8a943fd3c30d0ab7029eb83f5aef4f9beb293cb80be839efa98fa174547c097e2ec9f686d96f21748f01a4243fe230fbb743d8e3e0a03e041

Download Submit
C:\Windows\SysWOW64\Kcapicdj.exe

Filesize
128KB

MD5
c40e880149f71055537b3ea15f045727

SHA1
ad0fbaaf1f438fe0bf7257af8aecc727334f02fb

SHA256
e2beb005c99e0a3b26e6f62f92d6ab55196fb6c789f9198dd4e0cf690bf0e415

SHA512
b21f603c5d8f352660ab62114355931ff96c202b8842508a77bb20bed84be73ffd4fc236a53f91a2714c01ec433276f563bf904bca78a108e8dea74bce7c5574

Download Submit
C:\Windows\SysWOW64\Khgbqkhj.exe

Filesize
128KB

MD5
e71fcaea2b18c0c15253c06a6f0a101f

SHA1
b24b686ff639eba880a7edf57b50afef5e054fea

SHA256
3ab162a1edb6582800bd457457924243d9feac04f979b1e8625bd14ad5726225

SHA512
a9f31975bed35b12276088137c143c4adf92d5052f74a76210cf1d3e083d560e63ad680158a5782c711537ae5afc21fd15296cb2b40619e63a2ba49b6c88a1e0

Download Submit
C:\Windows\SysWOW64\Khiofk32.exe

Filesize
128KB

MD5
22c25edb34c392ef8ad662d7c6d701ae

SHA1
5ab47fe65f8e84ba4abd6eddfbe22416a3a46130

SHA256
4ae0383f68f2af0b30023955fa5489a7e7dbc89135662bfa54503d50468a8f30

SHA512
3d8c8ded1f45e17420d552418c4ec2347d68d683462288214daac9a5d5a1887a5a1da53574470c32d656b6f8096e6c76c996eee90ec9aba9228f67e9490f54f0

Download Submit
C:\Windows\SysWOW64\Kiphjo32.exe

Filesize
128KB

MD5
d27612c1c44d5bfadb2d44dc7f6cadf2

SHA1
b97ae99917e19f88d1b88d60c594ca513b06ec7b

SHA256
cc3744c110a5bac90862fa6d7f9fa632cd1a0fe3d1f4b57af45fd570adf8d279

SHA512
0f9913af67ada5c5451dcac3d5e434200a75306d76b85dc713252f4243d8855d8093f0976a8cde28264f422e710e528139e892b5c0369ec22deeea9f0f2b58d0

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
128KB

MD5
38fe731a95019be7e2d7179eb50fea45

SHA1
9e6f5a1761fdebb233329b1e8b470e40701d1739

SHA256
a229a6138b804bae2c02aa8a88f4bef2d3bf3b4d27b9676b313074e3b6837fe2

SHA512
85a932faee1ef3400bd7f8ef0f88a2266817afecaaf871267e2c073ff53807ed38d1447fd0315362e8a8f9386f3c549cbfc562bc516e10a387cfc3230badbe80

Download Submit
C:\Windows\SysWOW64\Llcghg32.exe

Filesize
128KB

MD5
975572504196d305ca14b3e9181f928d

SHA1
ca6cb88149e071ab72c35a5d2a1f5358d17f1f7b

SHA256
bc00fcb44f14c84d00f6e0fd400793246c596e2396a62ed9f7921273f2ac6b12

SHA512
4a71e97db3bef08201b368f61e8d80e748751fa758b3a4f413f7c1b8e02c4ec30f5cfa97463864fdff6ef347698964be6d313e0984b53fc478c2516b4d3dd20b

Download Submit
C:\Windows\SysWOW64\Mbibfm32.exe

Filesize
128KB

MD5
48c1ccb8e42d6db0f67bc0bdf024049a

SHA1
012a77c0e8e7cdf3f2b0cef5e6ee953ba2563823

SHA256
6da1cf0d6ec473a0e4b2975146597749813624a1f7fd9f13430b55ad22fc0688

SHA512
2b13153fea85184ad07323fed51cf09f1ac9c130ab5fabf35f8acc9b16a86c069896c05a99d0e63a25c4c28b24530172452261c3cdb51524ac81e54d9de5ccb0

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
128KB

MD5
31a548364c642feb6245e082596e274f

SHA1
e34d226fa21803f85a3cf475c477b3b57cd69c88

SHA256
541c745f6211dff933a09bc27dd57f68886da465d713454164f4fadcee9fa565

SHA512
e64a80011b8eb5f69bb0180258152af688755e505a4cdae76e858791d747785ea62939aac340be83d77b36648041f525ee4551837abc9d617d97de543f73de0e

Download Submit
C:\Windows\SysWOW64\Mpapnfhg.exe

Filesize
128KB

MD5
3be7046b9bf43369b95274da0da6785e

SHA1
2fd32d96e027dd3b8b47836607131db883b17c76

SHA256
fd63a7ca2b44d244f437b9db34c0cdf3f848b8f1bc0e2e84577cea9d0a7a2382

SHA512
cb651bedddb3d7f541df60f076494ff5827996e3147223cd2f54054029824c40c21c812cbc0f896b2a52b21a2e82b4ea93bd5eaa8523eb9e441d1bb202636e4f

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
128KB

MD5
47b2264916f75d33ccf9a9cf821a7e6f

SHA1
1910c8a019470f49e124fd97ed15f6e7a0ae9440

SHA256
3fdf6ee5a7a991692b50d8817e61535cd859a4272c03f9f77c157f7824c63e9a

SHA512
2a0fb0998ae8f72ac1d6f7b2fdf2e31a8032a09286cb87ef993280a7523968e1db83926721e9648c8f0f15dad4607d796e632f284346449990dc2f1e2dc81b9c

Download Submit
C:\Windows\SysWOW64\Nckkfp32.exe

Filesize
128KB

MD5
04a2d9ef7eb7c7d9a42346bcbcc18357

SHA1
073a3474507c028f2a398e1442e947e0ec0380a5

SHA256
dd02a86f3bb2018f133e439a0ded1851de6ca256e0b3d3321da9e89c003c876a

SHA512
da1be9eee36810db45c4ce4fc3351949076237da8e1e7559804a82fe5f328cdfde5ec7712e0d3667c5339ef9dc360240cdace7351d88746c2d855b6ce4b86840

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
128KB

MD5
ea75b83ffd0e56f2004c89768859732c

SHA1
2b99b18aae74aa48401e6ab61057f5df05b63d95

SHA256
35e5a7b723860ea32a3d9f14b04982bda386f46e9a1509ae66ff0583e5ca7edb

SHA512
acd35cde5a56d2f331360bcf8f9cd8662680d0899004afc2c59a6fdbef30ed3ed3f0c95fd1a1b3419ec03467b6937389105b2b153f39a88870795b4879dbee57

Download Submit
C:\Windows\SysWOW64\Oifppdpd.exe

Filesize
128KB

MD5
46d18226934fd5f8b7be20c3d009423f

SHA1
197f295758e069118afefd9ead68b2546d3c0955

SHA256
00f30885f9ba35e1aecec0cec54668770db8c25b0a699cb95469e4819711e55e

SHA512
713e9bb6bc91b7e549845241f63c3e79bfa7a784bad7d9fda006884795538b1c682ae2a375af560d53915b333e5e638dc05581b4a0cb3b1fe57b9a7858fdd4f5

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
128KB

MD5
290709d409887fb5d08a1f640951616a

SHA1
0f98ddd810da4486de3f96956fcfb3dcceee293a

SHA256
2e4d5d05e45d2f052090c6dcc7f20180dd6cc674030b0af0c25fdebe11fccb72

SHA512
da944614249bf01d8f7b35850040602b442ff344462f9a414c65d187113cf404631e7d67f2a0a7fe91ad93b11465aa443fdaae0a2e497aa02775af7ff6f28b64

Download Submit
C:\Windows\SysWOW64\Qpbnhl32.exe

Filesize
128KB

MD5
0f84eae859b6e3a5a918ed642738668f

SHA1
7b68d1cf49f3703f80b9d35accb8a42dcf6b80d5

SHA256
439493210d3a84b4682038728cf400f1c2543000af53c90465a638044b9713f4

SHA512
c112a95cc815ac7b8cb8fa416388a0f094c2d6029e2b6cdd40f6afbb7d58dbb6f7aa40dbdad08cbe44da713d69e208ce172cd4cd3db6b78e1b3c820201466afd

Download Submit
memory/664-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/692-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/740-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/972-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1300-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1340-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1356-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-578-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1492-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1496-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1896-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1904-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2140-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2168-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-585-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-599-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3140-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3172-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3260-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3432-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3432-592-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3508-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3676-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3856-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-565-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3968-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4000-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4488-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4916-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5128-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5164-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5204-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5248-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5288-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5332-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5372-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5412-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5468-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5516-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5576-538-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5612-543-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5660-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5704-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5748-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5796-570-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5848-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5896-579-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5948-590-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5992-597-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads