5454b9b8ca44bd5d3cd4096e17cd8b69bd3dc00f9b3e61c4a63a6aa2ab0ad6ec

Analysis

max time kernel
154s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a77aadbd79d6e19178a61009932da0fc.exe
Size

64KB
MD5

a77aadbd79d6e19178a61009932da0fc
SHA1

a7f08ecff108e084c38daf1b506180c3a5ce0871
SHA256

5454b9b8ca44bd5d3cd4096e17cd8b69bd3dc00f9b3e61c4a63a6aa2ab0ad6ec
SHA512

f43f86b038a363477055e35606210622e09d7b6e3d4047b8b210f5e466ae91833912ded161f9e07b10b610446459989b86f6739b0d3ae285bb8c67ddf3b90324
SSDEEP

1536:2ryL6m/1uHrKo7+mSKuwWYTFJU102LBAMCeW:22tuHFvluwWvBpW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahiiqafa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjehok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppepkmhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alplfpbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdgmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dabpgbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmhfbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbfoeiei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpaiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blhhaigj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himche32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgmkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjaodkmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mflbjejb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Albpff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dckoia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jognokdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mociol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdaqhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flbhia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjhlche.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkegbfgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoonjjgk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfonfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boknic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlqljb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifqoehhl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqakln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncenga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icdhdfcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjghdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nneiikqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djjemlhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkioojpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clnanlhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Didnmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgnekcei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnknim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdchakoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjljd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpoheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpoiho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeeomegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eojcao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neclpamg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdegkdim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iioicn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeeomegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcfnqccd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmbjcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjehok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnbbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfaglf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdjba32.exe

Executes dropped EXE 64 IoCs

pid	Process
3928	Pcbkml32.exe
1804	Bdlfjh32.exe
3068	Bfolacnc.exe
2132	Bdeiqgkj.exe
4508	Ckbncapd.exe
2492	Cdmoafdb.exe
4688	Dckoia32.exe
3716	Eaceghcg.exe
2556	Ekngemhd.exe
2172	Fdmaoahm.exe
2956	Gbhhieao.exe
4980	Gjkbnfha.exe
884	Hjolie32.exe
3280	Hnpaec32.exe
1356	Iabglnco.exe
3848	Ibgmaqfl.exe
3252	Jldkeeig.exe
2804	Jdalog32.exe
4380	Koimbpbc.exe
2216	Kongmo32.exe
2648	Kaaldjil.exe
4356	Lknjhokg.exe
2612	Llngbabj.exe
564	Maoifh32.exe
3008	Mociol32.exe
3244	Nfknmd32.exe
1528	Bfabmmhe.exe
3536	Cpcila32.exe
1176	Dpgbgpbe.exe
3876	Dpoiho32.exe
928	Hnmnengg.exe
4276	Iepihf32.exe
2432	Kjdqhjpf.exe
1308	Nnabladg.exe
236	Ndmgnkja.exe
1752	Onmahojj.exe
4044	Paocim32.exe
680	Pnknim32.exe
3764	Qfilkj32.exe
3492	Abdfkj32.exe
3604	Aeeomegd.exe
2500	Bbklli32.exe
2024	Bihancje.exe
4048	Ceehcc32.exe
1292	Cehdib32.exe
1972	Cemndbci.exe
1832	Dpglmjoj.exe
4876	Dbjade32.exe
3704	Epgdch32.exe
2892	Fcmgpbjc.exe
3708	Fpcdof32.exe
4868	Gjghdj32.exe
2928	Ifqoehhl.exe
3192	Jmamba32.exe
1548	Jfjakgpa.exe
1536	Kfaglf32.exe
668	Kpilekqj.exe
3508	Lcnkli32.exe
4160	Lhammfci.exe
524	Miklkm32.exe
228	Mdaqhf32.exe
1944	Nfdfoala.exe
2284	Onqdhh32.exe
3584	Pnjgog32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mjehok32.exe	Mlbllc32.exe
File opened for modification	C:\Windows\SysWOW64\Dbjade32.exe	Dpglmjoj.exe
File opened for modification	C:\Windows\SysWOW64\Foenplji.exe	Flbhia32.exe
File opened for modification	C:\Windows\SysWOW64\Paocim32.exe	Onmahojj.exe
File created	C:\Windows\SysWOW64\Kpipcb32.dll	Cpfkna32.exe
File created	C:\Windows\SysWOW64\Lgkhec32.exe	Lanpml32.exe
File created	C:\Windows\SysWOW64\Hfiffd32.exe	Hoonjjgk.exe
File opened for modification	C:\Windows\SysWOW64\Nffljjfc.exe	Mjehok32.exe
File created	C:\Windows\SysWOW64\Pjngbdgb.dll	Cpcnhbjj.exe
File opened for modification	C:\Windows\SysWOW64\Kagimmol.exe	Kapclned.exe
File opened for modification	C:\Windows\SysWOW64\Cecbgl32.exe	Cknnjcmo.exe
File created	C:\Windows\SysWOW64\Dckoia32.exe	Cdmoafdb.exe
File opened for modification	C:\Windows\SysWOW64\Kongmo32.exe	Koimbpbc.exe
File opened for modification	C:\Windows\SysWOW64\Ijpcbn32.exe	Ipjoee32.exe
File created	C:\Windows\SysWOW64\Ciddcagg.dll	Hjolie32.exe
File created	C:\Windows\SysWOW64\Cogadadh.dll	Liabjh32.exe
File created	C:\Windows\SysWOW64\Eakdje32.exe	Djjemlhf.exe
File created	C:\Windows\SysWOW64\Apjcaodp.dll	Fpnfbi32.exe
File created	C:\Windows\SysWOW64\Dpcpei32.exe	Dabpgbpm.exe
File created	C:\Windows\SysWOW64\Nqfbkf32.exe	Ndpafe32.exe
File created	C:\Windows\SysWOW64\Bpkbmi32.exe	Akdfndpd.exe
File created	C:\Windows\SysWOW64\Jognokdi.exe	Ialhdh32.exe
File opened for modification	C:\Windows\SysWOW64\Dememj32.exe	Dldpde32.exe
File opened for modification	C:\Windows\SysWOW64\Glhgojef.exe	Fhjoilop.exe
File created	C:\Windows\SysWOW64\Qgakgc32.dll	Biolkc32.exe
File opened for modification	C:\Windows\SysWOW64\Kpilekqj.exe	Kfaglf32.exe
File created	C:\Windows\SysWOW64\Cpfkna32.exe	Cjlbag32.exe
File opened for modification	C:\Windows\SysWOW64\Eojcao32.exe	Ehpjdepi.exe
File created	C:\Windows\SysWOW64\Fklcbocl.exe	Eleikb32.exe
File created	C:\Windows\SysWOW64\Dpgbgpbe.exe	Cpcila32.exe
File created	C:\Windows\SysWOW64\Cklqlb32.dll	Pnknim32.exe
File opened for modification	C:\Windows\SysWOW64\Emoaopnf.exe	Dfclmfhl.exe
File created	C:\Windows\SysWOW64\Dnhdkgcp.dll	Ffpadn32.exe
File created	C:\Windows\SysWOW64\Gpmpcc32.dll	Cehdib32.exe
File created	C:\Windows\SysWOW64\Onbiicqa.dll	Nfdfoala.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhec32.exe	Lanpml32.exe
File created	C:\Windows\SysWOW64\Becipn32.exe	Beqljn32.exe
File opened for modification	C:\Windows\SysWOW64\Ndpafe32.exe	Nneiikqe.exe
File created	C:\Windows\SysWOW64\Fdegkdim.exe	Fklcbocl.exe
File created	C:\Windows\SysWOW64\Icdmqg32.exe	Iioicn32.exe
File created	C:\Windows\SysWOW64\Pbpobj32.dll	Ifefbbdj.exe
File created	C:\Windows\SysWOW64\Melfpb32.exe	Lbdgmh32.exe
File created	C:\Windows\SysWOW64\Mflbjejb.exe	Mkfnlmkl.exe
File created	C:\Windows\SysWOW64\Ogimlm32.dll	Ijpcbn32.exe
File created	C:\Windows\SysWOW64\Jgbdfbob.dll	Odhman32.exe
File opened for modification	C:\Windows\SysWOW64\Mcggga32.exe	Liabjh32.exe
File opened for modification	C:\Windows\SysWOW64\Fpnfbi32.exe	Fjanjb32.exe
File created	C:\Windows\SysWOW64\Fhklgafl.dll	Dqajjp32.exe
File opened for modification	C:\Windows\SysWOW64\Biolkc32.exe	Ahiiqafa.exe
File created	C:\Windows\SysWOW64\Echbad32.exe	Elojej32.exe
File opened for modification	C:\Windows\SysWOW64\Ehpjdepi.exe	Dkjmea32.exe
File created	C:\Windows\SysWOW64\Bjbboi32.dll	Fcmgpbjc.exe
File created	C:\Windows\SysWOW64\Cfbkpg32.dll	Oiphbd32.exe
File created	C:\Windows\SysWOW64\Ahiiqafa.exe	Alplfpbp.exe
File created	C:\Windows\SysWOW64\Ebifha32.exe	Dphipidf.exe
File created	C:\Windows\SysWOW64\Bbklli32.exe	Aeeomegd.exe
File created	C:\Windows\SysWOW64\Dfclmfhl.exe	Djlkhe32.exe
File opened for modification	C:\Windows\SysWOW64\Bihancje.exe	Bbklli32.exe
File opened for modification	C:\Windows\SysWOW64\Kfbfmi32.exe	Klibdcjo.exe
File created	C:\Windows\SysWOW64\Gicogo32.dll	Gkmlilej.exe
File created	C:\Windows\SysWOW64\Hnmnengg.exe	Dpoiho32.exe
File created	C:\Windows\SysWOW64\Ikpnha32.dll	Iepihf32.exe
File created	C:\Windows\SysWOW64\Bdlfjh32.exe	Pcbkml32.exe
File created	C:\Windows\SysWOW64\Ichkdj32.dll	Lgkhec32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6888	2664	WerFault.exe	371
6988	2664	WerFault.exe	371

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dabpgbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmfchehg.dll"	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djjemlhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdibmjj.dll"	Kfaglf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icdhdfcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onlipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minkhnmc.dll"	Fklcbocl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiaein32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akdfndpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbljohcp.dll"	Gffkpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkdnjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkjmea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmgckid.dll"	Eakdje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cllkcbnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpfmgq32.dll"	Gcpaiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbhhieao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iepihf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdjba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baiebmog.dll"	Ncdgmkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cehdib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjmaii32.dll"	Fpcdof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhammfci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbhbdoa.dll"	Aloekjod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbfokcae.dll"	Pqmjhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifijmqd.dll"	Omnqhbap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhjoilop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmidpjmc.dll"	Glhgojef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngbdgb.dll"	Cpcnhbjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpnfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpjea32.dll"	Hnpaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epgdch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laanbjdf.dll"	Kpilekqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkmlilej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnaolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lanpml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmalih32.dll"	Cknnjcmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djlkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpkbmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kggaohne.dll"	Jndhkmfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cakjfcfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnafl32.dll"	Ncenga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnlmdhd.dll"	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najlgpeb.dll"	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbdgmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehpnbkg.dll"	Mebkbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnjgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgiggcgj.dll"	Nffljjfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfonfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilkfajn.dll"	Lanpml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgbijg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blgmmd32.dll"	Kmobii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ialhdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eakdje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eojcao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmnnknef.dll"	Jdhpba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffpadn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqaipgal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamonn32.dll"	Eaceghcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 3928	1760	a77aadbd79d6e19178a61009932da0fc.exe	89
PID 1760 wrote to memory of 3928	1760	a77aadbd79d6e19178a61009932da0fc.exe	89
PID 1760 wrote to memory of 3928	1760	a77aadbd79d6e19178a61009932da0fc.exe	89
PID 3928 wrote to memory of 1804	3928	Pcbkml32.exe	90
PID 3928 wrote to memory of 1804	3928	Pcbkml32.exe	90
PID 3928 wrote to memory of 1804	3928	Pcbkml32.exe	90
PID 1804 wrote to memory of 3068	1804	Bdlfjh32.exe	91
PID 1804 wrote to memory of 3068	1804	Bdlfjh32.exe	91
PID 1804 wrote to memory of 3068	1804	Bdlfjh32.exe	91
PID 3068 wrote to memory of 2132	3068	Bfolacnc.exe	92
PID 3068 wrote to memory of 2132	3068	Bfolacnc.exe	92
PID 3068 wrote to memory of 2132	3068	Bfolacnc.exe	92
PID 2132 wrote to memory of 4508	2132	Bdeiqgkj.exe	93
PID 2132 wrote to memory of 4508	2132	Bdeiqgkj.exe	93
PID 2132 wrote to memory of 4508	2132	Bdeiqgkj.exe	93
PID 4508 wrote to memory of 2492	4508	Ckbncapd.exe	94
PID 4508 wrote to memory of 2492	4508	Ckbncapd.exe	94
PID 4508 wrote to memory of 2492	4508	Ckbncapd.exe	94
PID 2492 wrote to memory of 4688	2492	Cdmoafdb.exe	96
PID 2492 wrote to memory of 4688	2492	Cdmoafdb.exe	96
PID 2492 wrote to memory of 4688	2492	Cdmoafdb.exe	96
PID 4688 wrote to memory of 3716	4688	Dckoia32.exe	97
PID 4688 wrote to memory of 3716	4688	Dckoia32.exe	97
PID 4688 wrote to memory of 3716	4688	Dckoia32.exe	97
PID 3716 wrote to memory of 2556	3716	Eaceghcg.exe	98
PID 3716 wrote to memory of 2556	3716	Eaceghcg.exe	98
PID 3716 wrote to memory of 2556	3716	Eaceghcg.exe	98
PID 2556 wrote to memory of 2172	2556	Ekngemhd.exe	99
PID 2556 wrote to memory of 2172	2556	Ekngemhd.exe	99
PID 2556 wrote to memory of 2172	2556	Ekngemhd.exe	99
PID 2172 wrote to memory of 2956	2172	Fdmaoahm.exe	100
PID 2172 wrote to memory of 2956	2172	Fdmaoahm.exe	100
PID 2172 wrote to memory of 2956	2172	Fdmaoahm.exe	100
PID 2956 wrote to memory of 4980	2956	Gbhhieao.exe	101
PID 2956 wrote to memory of 4980	2956	Gbhhieao.exe	101
PID 2956 wrote to memory of 4980	2956	Gbhhieao.exe	101
PID 4980 wrote to memory of 884	4980	Gjkbnfha.exe	102
PID 4980 wrote to memory of 884	4980	Gjkbnfha.exe	102
PID 4980 wrote to memory of 884	4980	Gjkbnfha.exe	102
PID 884 wrote to memory of 3280	884	Hjolie32.exe	103
PID 884 wrote to memory of 3280	884	Hjolie32.exe	103
PID 884 wrote to memory of 3280	884	Hjolie32.exe	103
PID 3280 wrote to memory of 1356	3280	Hnpaec32.exe	104
PID 3280 wrote to memory of 1356	3280	Hnpaec32.exe	104
PID 3280 wrote to memory of 1356	3280	Hnpaec32.exe	104
PID 1356 wrote to memory of 3848	1356	Iabglnco.exe	105
PID 1356 wrote to memory of 3848	1356	Iabglnco.exe	105
PID 1356 wrote to memory of 3848	1356	Iabglnco.exe	105
PID 3848 wrote to memory of 3252	3848	Ibgmaqfl.exe	106
PID 3848 wrote to memory of 3252	3848	Ibgmaqfl.exe	106
PID 3848 wrote to memory of 3252	3848	Ibgmaqfl.exe	106
PID 3252 wrote to memory of 2804	3252	Jldkeeig.exe	107
PID 3252 wrote to memory of 2804	3252	Jldkeeig.exe	107
PID 3252 wrote to memory of 2804	3252	Jldkeeig.exe	107
PID 2804 wrote to memory of 4380	2804	Jdalog32.exe	108
PID 2804 wrote to memory of 4380	2804	Jdalog32.exe	108
PID 2804 wrote to memory of 4380	2804	Jdalog32.exe	108
PID 4380 wrote to memory of 2216	4380	Koimbpbc.exe	109
PID 4380 wrote to memory of 2216	4380	Koimbpbc.exe	109
PID 4380 wrote to memory of 2216	4380	Koimbpbc.exe	109
PID 2216 wrote to memory of 2648	2216	Kongmo32.exe	110
PID 2216 wrote to memory of 2648	2216	Kongmo32.exe	110
PID 2216 wrote to memory of 2648	2216	Kongmo32.exe	110
PID 2648 wrote to memory of 4356	2648	Kaaldjil.exe	111

C:\Users\Admin\AppData\Local\Temp\a77aadbd79d6e19178a61009932da0fc.exe
"C:\Users\Admin\AppData\Local\Temp\a77aadbd79d6e19178a61009932da0fc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\Pcbkml32.exe
  C:\Windows\system32\Pcbkml32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\Bdlfjh32.exe
    C:\Windows\system32\Bdlfjh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\Bfolacnc.exe
      C:\Windows\system32\Bfolacnc.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Gjkbnfha.exe
        
        C:\Windows\system32\Gjkbnfha.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        24⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        25⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        27⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3536
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Dpoiho32.exe
        
        C:\Windows\system32\Dpoiho32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Hnmnengg.exe
        
        C:\Windows\system32\Hnmnengg.exe
        32⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Iepihf32.exe
        
        C:\Windows\system32\Iepihf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Kjdqhjpf.exe
        
        C:\Windows\system32\Kjdqhjpf.exe
        34⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\Nnabladg.exe
        
        C:\Windows\system32\Nnabladg.exe
        35⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\SysWOW64\Ndmgnkja.exe
        
        C:\Windows\system32\Ndmgnkja.exe
        36⤵
        Executes dropped EXE
        
        PID:236
        
        C:\Windows\SysWOW64\Onmahojj.exe
        
        C:\Windows\system32\Onmahojj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\Paocim32.exe
        
        C:\Windows\system32\Paocim32.exe
        38⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Pnknim32.exe
        
        C:\Windows\system32\Pnknim32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\Qfilkj32.exe
        
        C:\Windows\system32\Qfilkj32.exe
        40⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Windows\SysWOW64\Abdfkj32.exe
        
        C:\Windows\system32\Abdfkj32.exe
        41⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Aeeomegd.exe
        
        C:\Windows\system32\Aeeomegd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\Bbklli32.exe
        
        C:\Windows\system32\Bbklli32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Bihancje.exe
        
        C:\Windows\system32\Bihancje.exe
        44⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Ceehcc32.exe
        
        C:\Windows\system32\Ceehcc32.exe
        45⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Cehdib32.exe
        
        C:\Windows\system32\Cehdib32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Cemndbci.exe
        
        C:\Windows\system32\Cemndbci.exe
        47⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Dpglmjoj.exe
        
        C:\Windows\system32\Dpglmjoj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Dbjade32.exe
        
        C:\Windows\system32\Dbjade32.exe
        49⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Epgdch32.exe
        
        C:\Windows\system32\Epgdch32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Fcmgpbjc.exe
        
        C:\Windows\system32\Fcmgpbjc.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Fpcdof32.exe
        
        C:\Windows\system32\Fpcdof32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Gjghdj32.exe
        
        C:\Windows\system32\Gjghdj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Ifqoehhl.exe
        
        C:\Windows\system32\Ifqoehhl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Jmamba32.exe
        
        C:\Windows\system32\Jmamba32.exe
        55⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Jfjakgpa.exe
        
        C:\Windows\system32\Jfjakgpa.exe
        56⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\Kfaglf32.exe
        
        C:\Windows\system32\Kfaglf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Kpilekqj.exe
        
        C:\Windows\system32\Kpilekqj.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Lcnkli32.exe
        
        C:\Windows\system32\Lcnkli32.exe
        59⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Lhammfci.exe
        
        C:\Windows\system32\Lhammfci.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Miklkm32.exe
        
        C:\Windows\system32\Miklkm32.exe
        61⤵
        Executes dropped EXE
        
        PID:524
        
        C:\Windows\SysWOW64\Mdaqhf32.exe
        
        C:\Windows\system32\Mdaqhf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\Nfdfoala.exe
        
        C:\Windows\system32\Nfdfoala.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Onqdhh32.exe
        
        C:\Windows\system32\Onqdhh32.exe
        64⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Pnjgog32.exe
        
        C:\Windows\system32\Pnjgog32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Qkqdnkge.exe
        
        C:\Windows\system32\Qkqdnkge.exe
        66⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Qajlje32.exe
        
        C:\Windows\system32\Qajlje32.exe
        67⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Ajhndgjj.exe
        
        C:\Windows\system32\Ajhndgjj.exe
        68⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\Ahngmnnd.exe
        
        C:\Windows\system32\Ahngmnnd.exe
        69⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\Bjcmpepm.exe
        
        C:\Windows\system32\Bjcmpepm.exe
        70⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\Djklgb32.exe
        
        C:\Windows\system32\Djklgb32.exe
        71⤵
        
        PID:888
        
        C:\Windows\SysWOW64\Dicbfhni.exe
        
        C:\Windows\system32\Dicbfhni.exe
        72⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Flbhia32.exe
        
        C:\Windows\system32\Flbhia32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Foenplji.exe
        
        C:\Windows\system32\Foenplji.exe
        74⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Ghpooanf.exe
        
        C:\Windows\system32\Ghpooanf.exe
        75⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Hlnqln32.exe
        
        C:\Windows\system32\Hlnqln32.exe
        76⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Icdhdfcj.exe
        
        C:\Windows\system32\Icdhdfcj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Jfdafa32.exe
        
        C:\Windows\system32\Jfdafa32.exe
        78⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\Jloibkhh.exe
        
        C:\Windows\system32\Jloibkhh.exe
        79⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Kbbhka32.exe
        
        C:\Windows\system32\Kbbhka32.exe
        80⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Kcfnqccd.exe
        
        C:\Windows\system32\Kcfnqccd.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3716
        
        C:\Windows\SysWOW64\Kmobii32.exe
        
        C:\Windows\system32\Kmobii32.exe
        82⤵
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Lkflpe32.exe
        
        C:\Windows\system32\Lkflpe32.exe
        83⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\Lcdjba32.exe
        
        C:\Windows\system32\Lcdjba32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Liabjh32.exe
        
        C:\Windows\system32\Liabjh32.exe
        85⤵
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Mcggga32.exe
        
        C:\Windows\system32\Mcggga32.exe
        86⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Mjaodkmo.exe
        
        C:\Windows\system32\Mjaodkmo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4984
        
        C:\Windows\SysWOW64\Mlbllc32.exe
        
        C:\Windows\system32\Mlbllc32.exe
        88⤵
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Mjehok32.exe
        
        C:\Windows\system32\Mjehok32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:876
        
        C:\Windows\SysWOW64\Nffljjfc.exe
        
        C:\Windows\system32\Nffljjfc.exe
        90⤵
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Oikngeoo.exe
        
        C:\Windows\system32\Oikngeoo.exe
        91⤵
        
        PID:828
        
        C:\Windows\SysWOW64\Oiphbd32.exe
        
        C:\Windows\system32\Oiphbd32.exe
        92⤵
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Omnqhbap.exe
        
        C:\Windows\system32\Omnqhbap.exe
        93⤵
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Pmbjcb32.exe
        
        C:\Windows\system32\Pmbjcb32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:744
        
        C:\Windows\SysWOW64\Ppepkmhi.exe
        
        C:\Windows\system32\Ppepkmhi.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3288
        
        C:\Windows\SysWOW64\Pdchakoo.exe
        
        C:\Windows\system32\Pdchakoo.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4856
        
        C:\Windows\SysWOW64\Akdfndpd.exe
        
        C:\Windows\system32\Akdfndpd.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Bpkbmi32.exe
        
        C:\Windows\system32\Bpkbmi32.exe
        98⤵
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Bnaolm32.exe
        
        C:\Windows\system32\Bnaolm32.exe
        99⤵
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Cmkehicj.exe
        
        C:\Windows\system32\Cmkehicj.exe
        100⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\Cgpjebcp.exe
        
        C:\Windows\system32\Cgpjebcp.exe
        101⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\Djjemlhf.exe
        
        C:\Windows\system32\Djjemlhf.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Eakdje32.exe
        
        C:\Windows\system32\Eakdje32.exe
        103⤵
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Fhjoilop.exe
        
        C:\Windows\system32\Fhjoilop.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Glhgojef.exe
        
        C:\Windows\system32\Glhgojef.exe
        105⤵
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Gdheol32.exe
        
        C:\Windows\system32\Gdheol32.exe
        106⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\Iefnjm32.exe
        
        C:\Windows\system32\Iefnjm32.exe
        107⤵
        
        PID:656
        
        C:\Windows\SysWOW64\Ihnmlg32.exe
        
        C:\Windows\system32\Ihnmlg32.exe
        108⤵
        
        PID:884
        
        C:\Windows\SysWOW64\Jamhflqq.exe
        
        C:\Windows\system32\Jamhflqq.exe
        109⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\Jlblcdpf.exe
        
        C:\Windows\system32\Jlblcdpf.exe
        110⤵
        
        PID:568
        
        C:\Windows\SysWOW64\Jndhkmfe.exe
        
        C:\Windows\system32\Jndhkmfe.exe
        111⤵
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Knfepldb.exe
        
        C:\Windows\system32\Knfepldb.exe
        112⤵
        
        PID:364
        
        C:\Windows\SysWOW64\Klibdcjo.exe
        
        C:\Windows\system32\Klibdcjo.exe
        113⤵
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\Kfbfmi32.exe
        
        C:\Windows\system32\Kfbfmi32.exe
        114⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Lhgiic32.exe
        
        C:\Windows\system32\Lhgiic32.exe
        115⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Lbdgmh32.exe
        
        C:\Windows\system32\Lbdgmh32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Melfpb32.exe
        
        C:\Windows\system32\Melfpb32.exe
        117⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Mkfnlmkl.exe
        
        C:\Windows\system32\Mkfnlmkl.exe
        118⤵
        Drops file in System32 directory
        
        PID:3536
        
        C:\Windows\SysWOW64\Mflbjejb.exe
        
        C:\Windows\system32\Mflbjejb.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2648
        
        C:\Windows\SysWOW64\Mkhkblii.exe
        
        C:\Windows\system32\Mkhkblii.exe
        120⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\Neclpamg.exe
        
        C:\Windows\system32\Neclpamg.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1016
        
        C:\Windows\SysWOW64\Oeahap32.exe
        
        C:\Windows\system32\Oeahap32.exe
        122⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Olkqnjhd.exe
        
        C:\Windows\system32\Olkqnjhd.exe
        123⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\Onlipd32.exe
        
        C:\Windows\system32\Onlipd32.exe
        124⤵
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Pocpqcpm.exe
        
        C:\Windows\system32\Pocpqcpm.exe
        125⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Qlpcpffl.exe
        
        C:\Windows\system32\Qlpcpffl.exe
        126⤵
        
        PID:448
        
        C:\Windows\SysWOW64\Affgno32.exe
        
        C:\Windows\system32\Affgno32.exe
        127⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Albpff32.exe
        
        C:\Windows\system32\Albpff32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Aljefena.exe
        
        C:\Windows\system32\Aljefena.exe
        129⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Beippj32.exe
        
        C:\Windows\system32\Beippj32.exe
        130⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Cpcnhbjj.exe
        
        C:\Windows\system32\Cpcnhbjj.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264

C:\Windows\SysWOW64\Cgmfel32.exe
C:\Windows\system32\Cgmfel32.exe
1⤵
PID:5304
- C:\Windows\SysWOW64\Cjlbag32.exe
  C:\Windows\system32\Cjlbag32.exe
  2⤵
  - Drops file in System32 directory
  PID:5344
- - C:\Windows\SysWOW64\Cpfkna32.exe
    C:\Windows\system32\Cpfkna32.exe
    3⤵
    - Drops file in System32 directory
    PID:5396
  - - C:\Windows\SysWOW64\Cfbcfh32.exe
      C:\Windows\system32\Cfbcfh32.exe
      4⤵
      PID:5440
    - - C:\Windows\SysWOW64\Cllkcbnl.exe
        
        C:\Windows\system32\Cllkcbnl.exe
        5⤵
        Modifies registry class
        
        PID:5492
      - C:\Windows\SysWOW64\Dqajjp32.exe
        
        C:\Windows\system32\Dqajjp32.exe
        6⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Dfnbbg32.exe
        
        C:\Windows\system32\Dfnbbg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Djlkhe32.exe
        
        C:\Windows\system32\Djlkhe32.exe
        8⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Dfclmfhl.exe
        
        C:\Windows\system32\Dfclmfhl.exe
        9⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Emoaopnf.exe
        
        C:\Windows\system32\Emoaopnf.exe
        10⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Efolidno.exe
        
        C:\Windows\system32\Efolidno.exe
        11⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Fplimi32.exe
        
        C:\Windows\system32\Fplimi32.exe
        12⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Fjanjb32.exe
        
        C:\Windows\system32\Fjanjb32.exe
        13⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Fpnfbi32.exe
        
        C:\Windows\system32\Fpnfbi32.exe
        14⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Gnhifonl.exe
        
        C:\Windows\system32\Gnhifonl.exe
        15⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Gffkpa32.exe
        
        C:\Windows\system32\Gffkpa32.exe
        16⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Hfonfp32.exe
        
        C:\Windows\system32\Hfonfp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Ipjoee32.exe
        
        C:\Windows\system32\Ipjoee32.exe
        18⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Ijpcbn32.exe
        
        C:\Windows\system32\Ijpcbn32.exe
        19⤵
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\Ialhdh32.exe
        
        C:\Windows\system32\Ialhdh32.exe
        20⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Jognokdi.exe
        
        C:\Windows\system32\Jognokdi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Jpjhlche.exe
        
        C:\Windows\system32\Jpjhlche.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1452
        
        C:\Windows\SysWOW64\Jdhpba32.exe
        
        C:\Windows\system32\Jdhpba32.exe
        23⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Jkbhok32.exe
        
        C:\Windows\system32\Jkbhok32.exe
        24⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Kkioojpp.exe
        
        C:\Windows\system32\Kkioojpp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Mkegbfgp.exe
        
        C:\Windows\system32\Mkegbfgp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Mglhgg32.exe
        
        C:\Windows\system32\Mglhgg32.exe
        27⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Nqdlpmce.exe
        
        C:\Windows\system32\Nqdlpmce.exe
        28⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Nnimia32.exe
        
        C:\Windows\system32\Nnimia32.exe
        29⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\Oajoaj32.exe
        
        C:\Windows\system32\Oajoaj32.exe
        30⤵
        
        PID:816
        
        C:\Windows\SysWOW64\Pgdgodhj.exe
        
        C:\Windows\system32\Pgdgodhj.exe
        31⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Piepnfnj.exe
        
        C:\Windows\system32\Piepnfnj.exe
        32⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Alplfpbp.exe
        
        C:\Windows\system32\Alplfpbp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Ahiiqafa.exe
        
        C:\Windows\system32\Ahiiqafa.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Biolkc32.exe
        
        C:\Windows\system32\Biolkc32.exe
        35⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Bajqpe32.exe
        
        C:\Windows\system32\Bajqpe32.exe
        36⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Blpemn32.exe
        
        C:\Windows\system32\Blpemn32.exe
        37⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\Ccfmef32.exe
        
        C:\Windows\system32\Ccfmef32.exe
        38⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Clnanlhn.exe
        
        C:\Windows\system32\Clnanlhn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1112
        
        C:\Windows\SysWOW64\Cakjfcfe.exe
        
        C:\Windows\system32\Cakjfcfe.exe
        40⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Cpljdjnd.exe
        
        C:\Windows\system32\Cpljdjnd.exe
        41⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Didnmp32.exe
        
        C:\Windows\system32\Didnmp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3776
        
        C:\Windows\SysWOW64\Dabpgbpm.exe
        
        C:\Windows\system32\Dabpgbpm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Dpcpei32.exe
        
        C:\Windows\system32\Dpcpei32.exe
        44⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Djkdnool.exe
        
        C:\Windows\system32\Djkdnool.exe
        45⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Dohmff32.exe
        
        C:\Windows\system32\Dohmff32.exe
        46⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Dfbebpdq.exe
        
        C:\Windows\system32\Dfbebpdq.exe
        47⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Dphipidf.exe
        
        C:\Windows\system32\Dphipidf.exe
        48⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Ebifha32.exe
        
        C:\Windows\system32\Ebifha32.exe
        49⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Elojej32.exe
        
        C:\Windows\system32\Elojej32.exe
        50⤵
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Echbad32.exe
        
        C:\Windows\system32\Echbad32.exe
        51⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Ffpadn32.exe
        
        C:\Windows\system32\Ffpadn32.exe
        52⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Fqfeag32.exe
        
        C:\Windows\system32\Fqfeag32.exe
        53⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Gbqeonfj.exe
        
        C:\Windows\system32\Gbqeonfj.exe
        54⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Gcpaiq32.exe
        
        C:\Windows\system32\Gcpaiq32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Gmhfbf32.exe
        
        C:\Windows\system32\Gmhfbf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4796
        
        C:\Windows\SysWOW64\Gqhknd32.exe
        
        C:\Windows\system32\Gqhknd32.exe
        57⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\Hmdend32.exe
        
        C:\Windows\system32\Hmdend32.exe
        58⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\Himche32.exe
        
        C:\Windows\system32\Himche32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Ibhdgjap.exe
        
        C:\Windows\system32\Ibhdgjap.exe
        60⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Iannpa32.exe
        
        C:\Windows\system32\Iannpa32.exe
        61⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\Jmihpa32.exe
        
        C:\Windows\system32\Jmihpa32.exe
        62⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Jjmhie32.exe
        
        C:\Windows\system32\Jjmhie32.exe
        63⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Kkdnjd32.exe
        
        C:\Windows\system32\Kkdnjd32.exe
        64⤵
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Kapclned.exe
        
        C:\Windows\system32\Kapclned.exe
        65⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Kagimmol.exe
        
        C:\Windows\system32\Kagimmol.exe
        66⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Lanpml32.exe
        
        C:\Windows\system32\Lanpml32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Lgkhec32.exe
        
        C:\Windows\system32\Lgkhec32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Lgnekcei.exe
        
        C:\Windows\system32\Lgnekcei.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Mahbck32.exe
        
        C:\Windows\system32\Mahbck32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Nqaipgal.exe
        
        C:\Windows\system32\Nqaipgal.exe
        71⤵
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Nkgmmpab.exe
        
        C:\Windows\system32\Nkgmmpab.exe
        72⤵
        
        PID:780
        
        C:\Windows\SysWOW64\Nneiikqe.exe
        
        C:\Windows\system32\Nneiikqe.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Ndpafe32.exe
        
        C:\Windows\system32\Ndpafe32.exe
        74⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Nqfbkf32.exe
        
        C:\Windows\system32\Nqfbkf32.exe
        75⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\Ncenga32.exe
        
        C:\Windows\system32\Ncenga32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Nbfoeiei.exe
        
        C:\Windows\system32\Nbfoeiei.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1000
        
        C:\Windows\SysWOW64\Oqbagd32.exe
        
        C:\Windows\system32\Oqbagd32.exe
        78⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\Aloekjod.exe
        
        C:\Windows\system32\Aloekjod.exe
        79⤵
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Aelcooap.exe
        
        C:\Windows\system32\Aelcooap.exe
        80⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\Blhhaigj.exe
        
        C:\Windows\system32\Blhhaigj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3160
        
        C:\Windows\SysWOW64\Beqljn32.exe
        
        C:\Windows\system32\Beqljn32.exe
        82⤵
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Becipn32.exe
        
        C:\Windows\system32\Becipn32.exe
        83⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Boknic32.exe
        
        C:\Windows\system32\Boknic32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Cacmkn32.exe
        
        C:\Windows\system32\Cacmkn32.exe
        85⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Chmehhpn.exe
        
        C:\Windows\system32\Chmehhpn.exe
        86⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\Cknnjcmo.exe
        
        C:\Windows\system32\Cknnjcmo.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Cecbgl32.exe
        
        C:\Windows\system32\Cecbgl32.exe
        88⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Daolgl32.exe
        
        C:\Windows\system32\Daolgl32.exe
        89⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\Dldpde32.exe
        
        C:\Windows\system32\Dldpde32.exe
        90⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Dememj32.exe
        
        C:\Windows\system32\Dememj32.exe
        91⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Dkjmea32.exe
        
        C:\Windows\system32\Dkjmea32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Ehpjdepi.exe
        
        C:\Windows\system32\Ehpjdepi.exe
        93⤵
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Eojcao32.exe
        
        C:\Windows\system32\Eojcao32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Eaoenjqa.exe
        
        C:\Windows\system32\Eaoenjqa.exe
        95⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Eleikb32.exe
        
        C:\Windows\system32\Eleikb32.exe
        96⤵
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Fklcbocl.exe
        
        C:\Windows\system32\Fklcbocl.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Fdegkdim.exe
        
        C:\Windows\system32\Fdegkdim.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3484
        
        C:\Windows\SysWOW64\Fchdnkpi.exe
        
        C:\Windows\system32\Fchdnkpi.exe
        99⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\Gkjocm32.exe
        
        C:\Windows\system32\Gkjocm32.exe
        100⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\Gfpcpefb.exe
        
        C:\Windows\system32\Gfpcpefb.exe
        101⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\Gkmlilej.exe
        
        C:\Windows\system32\Gkmlilej.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Gfbpfedp.exe
        
        C:\Windows\system32\Gfbpfedp.exe
        103⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\Hicihp32.exe
        
        C:\Windows\system32\Hicihp32.exe
        104⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Homadjin.exe
        
        C:\Windows\system32\Homadjin.exe
        105⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\Hejjmage.exe
        
        C:\Windows\system32\Hejjmage.exe
        106⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Hoonjjgk.exe
        
        C:\Windows\system32\Hoonjjgk.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\Hfiffd32.exe
        
        C:\Windows\system32\Hfiffd32.exe
        108⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Iioicn32.exe
        
        C:\Windows\system32\Iioicn32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Icdmqg32.exe
        
        C:\Windows\system32\Icdmqg32.exe
        110⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Iiaein32.exe
        
        C:\Windows\system32\Iiaein32.exe
        111⤵
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Ifefbbdj.exe
        
        C:\Windows\system32\Ifefbbdj.exe
        112⤵
        Drops file in System32 directory
        
        PID:6400
        
        C:\Windows\SysWOW64\Jpijgf32.exe
        
        C:\Windows\system32\Jpijgf32.exe
        113⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Kfmejopp.exe
        
        C:\Windows\system32\Kfmejopp.exe
        114⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Kmfmfigl.exe
        
        C:\Windows\system32\Kmfmfigl.exe
        115⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Klljhe32.exe
        
        C:\Windows\system32\Klljhe32.exe
        116⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Lbjlpo32.exe
        
        C:\Windows\system32\Lbjlpo32.exe
        117⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Mebkbi32.exe
        
        C:\Windows\system32\Mebkbi32.exe
        118⤵
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Mlqljb32.exe
        
        C:\Windows\system32\Mlqljb32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6724
        
        C:\Windows\SysWOW64\Mgfqgkib.exe
        
        C:\Windows\system32\Mgfqgkib.exe
        120⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Ndokko32.exe
        
        C:\Windows\system32\Ndokko32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6816
        
        C:\Windows\SysWOW64\Nngoddkg.exe
        
        C:\Windows\system32\Nngoddkg.exe
        122⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Ncdgmkio.exe
        
        C:\Windows\system32\Ncdgmkio.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Nnjljd32.exe
        
        C:\Windows\system32\Nnjljd32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Ndcdfnpa.exe
        
        C:\Windows\system32\Ndcdfnpa.exe
        125⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Nnlhod32.exe
        
        C:\Windows\system32\Nnlhod32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Ngdmhimb.exe
        
        C:\Windows\system32\Ngdmhimb.exe
        127⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Odhman32.exe
        
        C:\Windows\system32\Odhman32.exe
        128⤵
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Ocmjcjad.exe
        
        C:\Windows\system32\Ocmjcjad.exe
        129⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Ojgbpd32.exe
        
        C:\Windows\system32\Ojgbpd32.exe
        130⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Oqakln32.exe
        
        C:\Windows\system32\Oqakln32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Ofncde32.exe
        
        C:\Windows\system32\Ofncde32.exe
        132⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Ognpoheh.exe
        
        C:\Windows\system32\Ognpoheh.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6392
        
        C:\Windows\SysWOW64\Omjhgoco.exe
        
        C:\Windows\system32\Omjhgoco.exe
        134⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\Pddmml32.exe
        
        C:\Windows\system32\Pddmml32.exe
        135⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Pgbijg32.exe
        
        C:\Windows\system32\Pgbijg32.exe
        136⤵
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Pmoabn32.exe
        
        C:\Windows\system32\Pmoabn32.exe
        137⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Pgefogop.exe
        
        C:\Windows\system32\Pgefogop.exe
        138⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Pqmjhm32.exe
        
        C:\Windows\system32\Pqmjhm32.exe
        139⤵
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Pdmpck32.exe
        
        C:\Windows\system32\Pdmpck32.exe
        140⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Qfolkcpb.exe
        
        C:\Windows\system32\Qfolkcpb.exe
        141⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 400
        142⤵
        Program crash
        
        PID:6888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 400
        142⤵
        Program crash
        
        PID:6988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2664 -ip 2664
1⤵
PID:6732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahngmnnd.exe

Filesize
64KB

MD5
4590683a99a08351e67f7dc523ac63d4

SHA1
f184dfc6128f90316cd53c05d09dfb41a8eb6f5c

SHA256
d79da6541109427d501e55d7e2174cb7d4e5e71abd56bcd4b334ac6168e5e709

SHA512
f431f9c04c1f2c5bc16ebf56f4f2fc5cd76baca692c3a24b790c4f2392e40cf14279274792d969fbd658c5a720999d17ba28a7474818da820b5c7a341525b65f

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
64KB

MD5
32409567f79d7b9c6bf347ca00a628fc

SHA1
729745387e0f1fc958ebbed5b4bba1bb575f54a5

SHA256
361971c4d6201f8e771d8a41e80e65c829ddf3d7e2e55df43cc21bdbba3a3892

SHA512
f031ba94aeb2011b23141f36f6e8afe42244b7f07fd25b0dd73de2619024b7d873dcc8e38325f3f2c69d9b8b183b41498fdfd8cfd4dd497b0967077f3eda1859

Download Submit
C:\Windows\SysWOW64\Bdlfjh32.exe

Filesize
64KB

MD5
27b7dd7037a264599b1370c7df9f2f5e

SHA1
e8856bac3d1f8af9816ce5ab399303a4c0c03e1f

SHA256
71b8e054b8d54cea16eba168f2fb13b8fa7e0018d05db5a9eeb584afb895cf6e

SHA512
bae9c870478d1015df1dbbe8605a5fa6d0ac3634a64e6ff7deeb6eeddd7629abed4c456c26061d90a04be02ae40729b51755b169c81de3a16a87c3b95a48a38f

Download Submit
C:\Windows\SysWOW64\Bfabmmhe.exe

Filesize
64KB

MD5
c4b9dab6b1fd99926e20d05faf656198

SHA1
1abc1c432b5518a23734eeadcb8ef2837b84a28e

SHA256
0de5e48b327801ded1856ffbf5ea4f76eeb2aa7857f46c45dc11efe098feef29

SHA512
3d26077bd40b31f36346bd1d76a744f98b8bdcfdb0f8d3cf6a9a6c2019e30592b6e6bdfc1a3e34a2d95896b63ebf5c2bad688ee4c3c141313919a42619212abc

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
64KB

MD5
4b5d6e68b217464e7b23fef8a4dd3753

SHA1
5db0c35eb5b93fc1cd8001b952f40d58265c5039

SHA256
c440e25bb1fcf3c795f5aea9b2885f96048384464df5df3ddf6d6a0b3da63ed4

SHA512
1acb389ebdb429fee0d3c57f88bbf9525f4f74a979c7e0a861a2f79e6ee6c311984b3e123cc1bc58c8b6235b4558965fcdbc2e169aadd3013d49f6240fb3c012

Download Submit
C:\Windows\SysWOW64\Bihancje.exe

Filesize
64KB

MD5
061bb729a5e7be6696a9be301905731e

SHA1
7104266599852109f26c3a1fa494159e10181207

SHA256
186b72d31bb1961eb4d4aaca6bb5a6b79e6c47c56bb033a435cf1b5d379fe1ef

SHA512
305770258bfd69f3fbc2358086524c6783b9958744c90433b349fe016472dc830bf39411520536b1a528b5da63704e1335e241f0d07f1a23b1c8f596583888b2

Download Submit
C:\Windows\SysWOW64\Bnaolm32.exe

Filesize
64KB

MD5
5c9f7dd07ef2881f3a96c142470cde97

SHA1
d8aec221a02d8395bbbea05be79dfd1a5a22d089

SHA256
93546819ed3790f39fd9aff6777edc7653c67ad6bbeea4401a536e921c555665

SHA512
03becaa50c76d652aedb8de47f15ef2fadffeb50598043dd557fc42a592a35f43b3c5b01968608e0334d263afcd78ab4f9dd8490c08df06e790411c43365b6de

Download Submit
C:\Windows\SysWOW64\Ccfmef32.exe

Filesize
64KB

MD5
baaf4b5333b10dbe2f2ea0ea54ead181

SHA1
ddae9c69ee1ab9f3351e924cbf30e0382ae21036

SHA256
fbc216e808a3194622290c26f75a522c2f4431b2be3f8a3a2cb6d0dcb73ccfa6

SHA512
a4cb921fe009087c4810bee69c36846b5b4141117c2d627f9992e51826abc65b7955adeee01afdd6b9c2dc6d240f4e25376bda604d1b6a2a075a1a8b27baf303

Download Submit
C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
64KB

MD5
b34efe682352dd8a9d6d7550488f841b

SHA1
ed6cf4ed6d9cd9bb75690a77c02bd99a804e37c9

SHA256
7354686a634517d8aca214b034236233379b8d463bd113003fc211afe0c92bde

SHA512
4e7728ac8d27e46bd5a64abbdfd0659d409883d38766cee9b2d55e6b0909e51daade71a0f5b188678c558cd175bc042ca29e5826ec893654a1c969dca31d25e2

Download Submit
C:\Windows\SysWOW64\Cehdib32.exe

Filesize
64KB

MD5
3b79b9cee2d983e2d8494db4a8abecd5

SHA1
9f0007a820752b0a1172aebe341a7c79683b341a

SHA256
1b884e219b894b9b1d23c49f2bb460610b95321948408141274badd6342b04e7

SHA512
85cc6fba38a70e0c2560c9a4e1e8602eb3d62c642e193734d7c23daf22da4f39559011ec38798044a85fecb0028487f74973a05dfcf56006328be648548dae3c

Download Submit
C:\Windows\SysWOW64\Ckbncapd.exe

Filesize
64KB

MD5
55ef696ee0cd8c04cc7a61572d0a91c9

SHA1
fcc48b1dc16627db33a9b882f2cbd2f57ecdc8ad

SHA256
9846f36ecf87cf8cd54ac1dc8d2eda065ea0c6578d2fdef569953bf8bd61762b

SHA512
b037a077337b2b56bb2270dc946192624e8501b6850312a195de6c0f5a068be4bb3ae51047dbd11946a57b31252ba694f57b3a272f6a8a36dcb52b6ddb084a74

Download Submit
C:\Windows\SysWOW64\Cpcila32.exe

Filesize
64KB

MD5
6c004059f0ccfd63d24b3d2fec17ec2d

SHA1
647cdea074ec319f31dba0a937018f65ebd62137

SHA256
080708d1c4766f7612729dd8d78f5ee60acd0c4ff281818fb260ad900bf71ba6

SHA512
6d3a7f72b4ec619e4d26b313088f1a07e3fd7e104d217abd130f6d29afc205d65d8ab426997543f8d349d0083a2e23e6fb025a1213b98cd16800ee7a632c9db4

Download Submit
C:\Windows\SysWOW64\Dckoia32.exe

Filesize
64KB

MD5
09e5cc517a39e6c54e2e462c0090f56d

SHA1
e11b7cbc3298b4121a19ec276360f4e44b3f30c4

SHA256
bce29e23be548ffd4e1a65650b9eaae88689cd8f175c655d048f1f07f80c8a4d

SHA512
35ebcdea0790e6e37ad0d66b1199337581bdfc01d8050be47664bfeee79aa6addeba23f1e8d3e6ef457b0b7638d829b41a385b8b45309bb8d00f797cfa7cd450

Download Submit
C:\Windows\SysWOW64\Dpgbgpbe.exe

Filesize
64KB

MD5
28a9367142995d516998606114fb5034

SHA1
2d7b649b57a71d3536dfa269387c161907db0687

SHA256
40b34632368d433fd3de72d5e67c8b26eaff37f5b47af7ab2e6861dc151597ad

SHA512
390650ae5979b1d93b9e69ea33e6b59121647fb3bc3014726e35b7c8e7ebf2d3603224902e914a04eae80aa8d0e02de118b69524846b6c3f1413cf7f0bcc0c9e

Download Submit
C:\Windows\SysWOW64\Dpoiho32.exe

Filesize
64KB

MD5
609e87146ea0c03abc457309c4e33b69

SHA1
026d019b0f26e196a93b34055d7a3cd32f089fe2

SHA256
955c170d02f405bae32ae7351e306ba79e64702d0865a22a6faaffaab854fd9d

SHA512
4adfae3b2dae438aa115ad9205c3fbf2767c90788dfe7cfd4fd11cbbdfa95bbe78ce2cc25c85e238608ea319b9dfb747c08ce2de4218155289e204018b14df13

Download Submit
C:\Windows\SysWOW64\Eaceghcg.exe

Filesize
64KB

MD5
0c076132637dbe7d5244f956bdf5ee49

SHA1
2ffd3940a549e07ae5b3e761813d6b5672c62148

SHA256
eb975e6f6f6a7ae7ac8fb2d98a56b16ba35474f8c25753e20ab17dd0108b2ee1

SHA512
7534ef7bdf61b3c04f6606a696a3aa48ba829e7bfd12b2981d5af86af60092383b144ea7a50826c11825e406a20f5be2ae8e2a4ce91b0cf514e1b3383d58d293

Download Submit
C:\Windows\SysWOW64\Ekngemhd.exe

Filesize
64KB

MD5
28ff15509d02b13aec7edb156df2294f

SHA1
a9742db635144523f06445010b268409ff378dd7

SHA256
57ccd3addf094a2ce20a6081c1a1b7cda50180e4d385eb8cedae9b54b98e5297

SHA512
64f5d178d7990ca333ac5b257484fdb9bca366f24f6298ef04be37f791ac26ee0a21092d48f5c94bbc3b160c49f159a8318f28a0e2d5400da9a6324912023d70

Download Submit
C:\Windows\SysWOW64\Fdmaoahm.exe

Filesize
64KB

MD5
233f78fe1e702bb733cdba91dd05d2c8

SHA1
875644bab24d75f8c5f6f83416cf6c07f37953f9

SHA256
14e9d6ada53d824823f64a4daba9f14a1874df23a7a0a9d43867890b74714b86

SHA512
ccafb9bba27d1faa412c0777ad35b9a530a98e95b6c458a1468d8a29db04779b119047979edcc6726408f77c51ac2ccf29a9046eea20f97e961c0a007e0ab8a0

Download Submit
C:\Windows\SysWOW64\Gbhhieao.exe

Filesize
64KB

MD5
f8b14118efdfc4fbbb3ad072c2e67f3c

SHA1
353fa96e35dc43f718f5014f44e32cf2c61fefc9

SHA256
c3494900631b3fcecd46ba217bfd4bca07ce0a6dd082c3a42f719b1e79006629

SHA512
9d8b782132d2875874f6806ec338f526276709879ece8781dca93e3578ef06a43d1f14b28e9cc9c9ea979a54364a99ad4b03d610db15f552f7adb3600c8817fe

Download Submit
C:\Windows\SysWOW64\Gjkbnfha.exe

Filesize
64KB

MD5
e78f07465b429343ace50d86b2778c28

SHA1
75f2008a9d2504049e64572573cddf469d1085ad

SHA256
55a50284197a696e9886fbcf29bbf96b03937b9c63600030bc36e06525fd4af8

SHA512
faa72ad97deabba3700ab0625e3f5635e4b94ecb2db8d9bc75722b5241662c5abe162aef2ec385294308c055e168d14de5936ecf6eb58d84d6d5eeb4d1dd5981

Download Submit
C:\Windows\SysWOW64\Hjolie32.exe

Filesize
64KB

MD5
e2ca89cb1312eb130f3fc4790ec4f6a4

SHA1
990120e6c6d31f41ac880841ff766cd8d37c06fb

SHA256
72ca6f0e5963af2479af8a5a7988e73e41a953f9341e235ce72cb9d2541362b9

SHA512
3eefab60a01faaf30a1a3aa38baf8c8dc4dbe31382497ee5456cb2d7707610ebed8ea8afb92e6d6b066b782263932e2d85de8ec403e65ac435c7e05867c89dbc

Download Submit
C:\Windows\SysWOW64\Hlnqln32.exe

Filesize
64KB

MD5
34967b3f688a84f818468996ade2664f

SHA1
587e4a602c2dd1c3e3fbb0c0d2e7b25146203257

SHA256
33f63ff2f478ad7e82a0149e311be9f1c17f9d26465b8c4bd4e389c43a2cb579

SHA512
9241695b5bb48d10ec06f5bd288d41dde2bce33f445d5ef4659f42f1be95919893a87e06dde98bcdb926f59b3a4b829fdeadb084e10e3213b4c2e8f3f68d933a

Download Submit
C:\Windows\SysWOW64\Hnmnengg.exe

Filesize
64KB

MD5
13c9a0cd15210ea258fc5379d66c9994

SHA1
7bf71984dd0415db816857baeed4b10bca300b3e

SHA256
08e7d1efba1c21f99749cbe4d3ec1b0a8cd3eb8b29783edc57480c2d42093d2e

SHA512
8643270a5dd6dbb9b07023a2e2f3035fbfe343521c99b6d744524c246d92469f6e40c6512f26a87fec2f36af2f6330df44a912b8d262ab419c96585f33bbb6f0

Download Submit
C:\Windows\SysWOW64\Hnpaec32.exe

Filesize
64KB

MD5
07fbffc2f4457ebc18f71f8d00fbca23

SHA1
5a81c51ec6eda8a2844d3547a27b1734add75edd

SHA256
b771233e7ca88d3dc9a93c0fceb03f4d1a3dc3c39cf7922632209e39209af162

SHA512
ff016be1f20d75b590be0af8e6395233a468121a2955fc5abd75b44a6ade5bd8503dc8aba8e4da9b9e2bbd5b5d4b2b7ff500369d3c8fa48da9c77325cdec70cf

Download Submit
C:\Windows\SysWOW64\Iabglnco.exe

Filesize
64KB

MD5
7796b674e143f3da8aed7e2fa6fb6c0a

SHA1
f9125da69752c55e8b0da00132e2be5526191700

SHA256
0d623140b6f7eb528211b90e2f58afd0baa0b05516f7611b2b5c48d401bca972

SHA512
d2ee55162bfa1af3d7119d1f998a7d40aa6eb18ea1e0760dee5a248de3c143dc56f9a369b1785fe8c60cf51ac1c004d66aae9133af59b0f9539e901d22da23e7

Download Submit
C:\Windows\SysWOW64\Ibgmaqfl.exe

Filesize
64KB

MD5
93c2ae97425b5935e9864c3339e93960

SHA1
30dcff31d5d7a741e606b3ec664052436ef3dc95

SHA256
ea3d0c1f5c56bf66dbfd45127d9a6c548f6904de3a26c7b86b796474cfd4ebe4

SHA512
b41e90aba2b9aa4ca2629628328db3da3e1eebbd8cf6bc4677d1b794dc57fb5750e760242e2f2595b0d8316e51561dbca14a79336791838e8d36b5b1a28d46c3

Download Submit
C:\Windows\SysWOW64\Iepihf32.exe

Filesize
64KB

MD5
dbf738e33a99d7e6d4e05711cd377598

SHA1
81c917145704a992cca0fb0adb27ee5b1f048bfe

SHA256
4a50260f7193bf93db61bbccebe84fe7d7fa866213b4b29c725cb618e90ec5d2

SHA512
5fc3739b0d767cfa33f7ffd9676e80950d5eadbc72eaf87de4d41c6e321a3d3aa571d98a93a1b66ec25e825bbd72352ab6680f461629cbe94710ca8cda025751

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
64KB

MD5
795258fc1b0b9ba0db95d7d1135fb72c

SHA1
0a4507f24bea0f260ab2e398ea8cc9a251aaa3dd

SHA256
0be9a8ea891bfc0cb6d314609954de6de8d735ae0f93b6b9d311e4577bf08311

SHA512
43bcff2a7b48efc12f7c4904487ca273245f5ec2cc10b840b3c9693dba8ca8fd32b85ad41f46e6b624de3c4b3224655f2b0e36d2180ff37480daa278fa07a1b1

Download Submit
C:\Windows\SysWOW64\Jldkeeig.exe

Filesize
64KB

MD5
8a16fc57e36460f1f15bb2114185de7a

SHA1
dbd58f45c7bd0519ebe68788efe27dc2c197b684

SHA256
a71faf33803c8d05290cf52b642cf9ecaf05ef609e817e2675229e3e74ab4850

SHA512
7f1db5272ab39852558447ef7f53c1124b16c1de8b02b111354b97819dc13b964db34ae8f21b976473ec55745a43ce3ccab2103425760093fbec41668f05e06b

Download Submit
C:\Windows\SysWOW64\Kaaldjil.exe

Filesize
64KB

MD5
563f2c065eea68a28ff3de345f7ac687

SHA1
d9f32d78109fa94959696cf3d363a74db4badde5

SHA256
48feb868ea04447c9a7af7fd49846af313e90fbadad080df79cc6b511fbf579f

SHA512
be40087840243898950c59db90a32e221c2a3d83f19bba9fb999fd9a31421b96782483915316b8d02a136aaf4ebddc147c4c55f25d33e49aaca9decb21fa367e

Download Submit
C:\Windows\SysWOW64\Klibdcjo.exe

Filesize
64KB

MD5
6a89737345c6be0ecef79d1bcb90c4d9

SHA1
15e1212c318751ee67e87dbc64b0698efd3ad563

SHA256
de5c349370997c06d662c7bac60aeef552f14cbd8e53729dea4938dd97809ab0

SHA512
9fd25555a895d35cd618c5c7b2d0565447a94e144e04a535373cfb206720c0e3fba01691434e5e6504b79c1cae0153d95a9866eedb956a6becd705c6bb8308bb

Download Submit
C:\Windows\SysWOW64\Klljhe32.exe

Filesize
64KB

MD5
6173972aac2f937145996e68dddd1965

SHA1
2d40c8017f3e47f32589d1c65b1a6a9cab720044

SHA256
fd3da12cb09736cabbf36b8e00a07bc80d47ad045157d6911dce46f0593f1b94

SHA512
afc4a035f99de88f22e1731513144416efa779adab7ba7348db56401f87fbdafd08fecd11fb8cdc40945fcc66a5d60e15d101522b9618cbd418ad7270832eaa4

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe

Filesize
64KB

MD5
01193123a89d0939f97bae8308599f5a

SHA1
e970557de2e86ad091dcc8222d16a35b3ae6ebb0

SHA256
372da1beb6ba5b6fbbea4e0c1001b0a423f6c1017815215ac0f05fac9f6a2947

SHA512
f268aec11ffa5ef946f6e1861cf78ae78605f5d896b4daf08c633543bd55e9be45ddad1c0b95291ca1c2dd3aedd4305345f8c7e1d98a3c67d45b44dc7e098e8e

Download Submit
C:\Windows\SysWOW64\Kongmo32.exe

Filesize
64KB

MD5
d19cae4d1f22a91d4ad43b9d0233edd1

SHA1
79605874b614e9b3a5dbfc42c0b485ffe50e7b74

SHA256
2aee6ad8db902199822ed9aefd763d8c60ce94c83528a9e754d475948da1de4c

SHA512
e40642f14719a499909dedbda320d0c9a4ad15373d3a910125a9f23e1a2445177897e2fa1c1b5ce46d0c5fa6e854a9444ad45e41a78974ad681702ba25f9ed00

Download Submit
C:\Windows\SysWOW64\Lknjhokg.exe

Filesize
64KB

MD5
006e7a6bd20b2a18f69b0d788e8119e2

SHA1
1c06cdca257506ed0c59a9d4be415bfbeb8aee09

SHA256
3eb554622e61400719d3333e539b2e3cc9afaf7ed7c32388474b878846d054f2

SHA512
468b25da596b0cf10e79139e0e54a1c77acce799b8c6b9546735e0aa820df782495a469a2083b43d18f174d7460c8566585a7febc987426c77d0309438119535

Download Submit
C:\Windows\SysWOW64\Llngbabj.exe

Filesize
64KB

MD5
a0d68a141582719b136a0f77637ae4ea

SHA1
c66c9f3e4971c257ac49b32459de7c5968f3b178

SHA256
49c383211adecee2a2a0591888f73ac1a91334173c4633f18b40c3418e06141e

SHA512
892fc58d29dec3df842193dd4dda1b986ea30ed9bc46e24afa819600de7c37762ff2ee798a96350131ec5cd4d31c49426890260adc0dc1182138bf8b6af5b4fd

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe

Filesize
64KB

MD5
f7448b775820da5bb8229d07877ede00

SHA1
91caf4508a2fdcbee91167207a3cfa6b1fdb3c47

SHA256
8dc0f443a1ad6b35c6af60a8df800348ec074049b601ff24f97e5f72a6cbf189

SHA512
5c76aef8411c44b9720e8638a521f901e61d4931e4057b836b1b01196f7bcbfcda580ab89ab35c335ca21471a91ff4b51924a6aaca4cd1aecc5fd63dfcdbdbc0

Download Submit
C:\Windows\SysWOW64\Mociol32.exe

Filesize
64KB

MD5
fa49ad2c19ce46c2526cdaf0bc1cdf48

SHA1
320d6523bbc82a3bfdf2c898d06dd98b8e00b2d5

SHA256
e900e4f3af3ab10db798691842010beb86e85788ac4bad1475d083585501319e

SHA512
3c19a311949e36f4564a8670a2d9da459cf9cbcf09c829db1366ef0632d061268ae722bc9989d5c2e5a57d3010b9d15186986ea1cf05aa88074506869be99623

Download Submit
C:\Windows\SysWOW64\Nbfoeiei.exe

Filesize
64KB

MD5
f4379d324aa9802321608a5c1f93935f

SHA1
b0348ea9f724618f724e74090b82ed9f00a63573

SHA256
e2ab7d7f235059438046cdd0525a887249d0132e9212304e157ebcbdb761ff47

SHA512
a5ebe215e28e1dd4afc5bffe11380e322a55573772a6f5777cf6ccad4af2b24a948e9bed4d15a257961c3e7b962d1248d214401d72a324376ff1428283ec60f6

Download Submit
C:\Windows\SysWOW64\Nfknmd32.exe

Filesize
64KB

MD5
74b2047948e1590e2a6b770cb9b6dcd8

SHA1
76aa7931f833734e389460f236677b076e7ef465

SHA256
2eac27b560dc5efb4e2674a68e31ef91f8c22014cac52b39734cb0f98d6c2330

SHA512
146ff383703dd4fb5e9849cae38baeb12d9156dcca46b192dfe0c442dcc1a285349f55f2b149347f27e6e50a26bc40ba880c9b461e72423f7aef544703c0133e

Download Submit
C:\Windows\SysWOW64\Onmahojj.exe

Filesize
64KB

MD5
f0c84e93b6c2b57650d7a5763c71e791

SHA1
5b9302ebaa25eaf0caea6c80bc08bd6f40d9b285

SHA256
5f494eda1390480e5848ab9d22870575cee58b3aeb6d862b16e55a76b3cb72fb

SHA512
d87b06bcde931abe08575760e407eb8db1b9d6749919f0e136cfaae3780da5243435edb1546ab2ab86853770d608b05ec6b74e647cd7fe4cad7559b48c48069e

Download Submit
C:\Windows\SysWOW64\Pcbkml32.exe

Filesize
64KB

MD5
c35916066dd0c945772eac764d80c137

SHA1
64561f146bad95b3306e3e9092d155fec871df54

SHA256
bd68ecdb5bc33c5f340a55b33524a0c7000679dc94c5a8df518dcae8e5cb3d31

SHA512
96c00126ee1bd679cd79b833f5576ae9c8c7f0c43bc01382ce1f99a206cbf243a5b302f4a35f9c571261dfa75c7bd133c14b187eccae91ee5140e9719f15bcd7

Download Submit
C:\Windows\SysWOW64\Pdchakoo.exe

Filesize
64KB

MD5
6e5f52a5d7010d8e15e19030487529fc

SHA1
d900ede57e59a9f873db319267a91f562b07ce89

SHA256
7569b99d8b33de8e4e3341fe5e181fcc4d4fd73a4fc588e55520c833daf0290c

SHA512
43693f5ef0db7bb4af467bd60c04e58f208532ae8ea6af67d40b061749d4969ecb24f7eeb653715e85d507d97ad404ab41d9da9a1b0f7775cbdac457920ad055

Download Submit
C:\Windows\SysWOW64\Piepnfnj.exe

Filesize
64KB

MD5
a4586bd155fb0c822603c61ea22f05ac

SHA1
a5537d94b15d56b15c50cc4bb3e4438655b58356

SHA256
75792eccc2dc47cbb9b37ea12f945a6f216221b7c75e91ed6af08821dc90c586

SHA512
f47830bc3ec29117bd2c920f94d816418af252ac550b9c7bdc9b78b11eff3c7dbcf2e5a1029b4ac2c61f75a57d26b02363fa024b5fc223303cf36e7c76068328

Download Submit
C:\Windows\SysWOW64\Qfilkj32.exe

Filesize
64KB

MD5
0987396f4d9e172a1ac1228031ae5719

SHA1
b916d7f425ae013d290b0432a1b1e0957bc58eca

SHA256
3e7089ef1766ba93c14a617d9b9eb3e4a5e0e29a6df3fe92a8f34d68b69c60a1

SHA512
fe4c976804c0253687c2bf0bbb4c860aca89050f0463d63df3872dba7788b4a749507a10a62b46b04fe1423d035d00d8df5fa3ca49fb63e663a74995ae9705f1

Download Submit
memory/228-432-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/236-276-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/524-426-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/564-194-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/668-408-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/680-294-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/884-106-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/928-250-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1176-234-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1292-336-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1308-270-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1356-122-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1528-218-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1536-402-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1548-396-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1752-282-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1760-1-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1760-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1760-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1804-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1832-348-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1972-342-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2024-324-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2132-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-82-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2216-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2432-264-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2492-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2500-318-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2556-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2612-186-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2648-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2804-146-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2892-366-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2928-384-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2956-90-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3008-201-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3068-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3192-390-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3244-210-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3252-138-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3280-114-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3492-306-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3508-414-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3536-226-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3604-312-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3704-360-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3708-372-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3716-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3764-300-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3848-130-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3876-246-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3928-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4044-288-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4048-330-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4160-420-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4276-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4356-177-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4380-154-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4508-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4688-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4868-378-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4876-354-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4980-97-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads