3f05b34861acf5fda9444a8a7d4f5711082ec48989e7d91504ec175586c194ab

Analysis

max time kernel
178s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfc71464c9163759743bdeb9c94c9f5b.exe
Size

724KB
MD5

cfc71464c9163759743bdeb9c94c9f5b
SHA1

173b615d12a59fe4195d7de9083cb73e481eb2a1
SHA256

3f05b34861acf5fda9444a8a7d4f5711082ec48989e7d91504ec175586c194ab
SHA512

6b840faee1f1568b3e575e02c956028264c62b77238bb344bbd357d2a2a690f8c8a9b41b142ae4642b94229e8f0bc56e0c05c4877a69a5b606d7ad204fb8b984
SSDEEP

12288:CDAuovN6IveDVqvQ6IvYvc6IveDVqvQ6IvmMVkJvO6IveDVqvQ6IvYvc8:Ccuiq5h3q5hnOYq5h38

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklbfaae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbpif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffngfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lemagjjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpdbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkmbbajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fineho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Naaejj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaabci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lefkfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnmojp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcceifof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elagjihh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fppqjcli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oldagc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poanqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fikihlmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncopcqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emkeho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdpjeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqfochal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cliahf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fojlhmic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogbohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjklcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odhman32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fklcbocl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajoagadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fplimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiikkada.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obdkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aplahpdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iagqac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogqcon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dampal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkbkna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihdjfhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfgfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogqcon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlaoea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqokhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmmajed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbmhfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjcfeola.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmbflc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfkcibdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moglkikl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfnbnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feoomd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfochal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhfbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iadljc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfbbhdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impeib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhhpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcokah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgdlnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pghaghfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fplimi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclnon32.exe

Executes dropped EXE 64 IoCs

pid	Process
3376	Nglcjfie.exe
1904	Qbkcek32.exe
3300	Agobna32.exe
3500	Biedhclh.exe
1916	Bfpkbfdi.exe
3360	Cfedmfqd.exe
2004	Deagoa32.exe
3864	Dlbfmjqi.exe
4924	Ellicihn.exe
4880	Fikihlmj.exe
1020	Ghgljg32.exe
1960	Lgjglg32.exe
380	Mfkcibdl.exe
4620	Mmiealgc.exe
3776	Omgabj32.exe
4468	Okkalnjm.exe
1484	Odfcjc32.exe
4648	Ppffec32.exe
388	Pknghk32.exe
1040	Ahkkhnpg.exe
2928	Bjcmpepm.exe
1896	Bjmpfdhb.exe
3204	Dijppjfd.exe
4888	Dicbfhni.exe
4516	Enpknplq.exe
5020	Eecfah32.exe
1492	Ihgnfnjl.exe
4696	Iadljc32.exe
3980	Jbieebha.exe
3544	Jloibkhh.exe
3672	Jmccnk32.exe
2272	Kofheeoq.exe
640	Kcfnqccd.exe
3324	Kcikfcab.exe
4300	Limioiia.exe
1528	Mcicma32.exe
1104	Mihikgod.exe
2916	Mcpjnp32.exe
4656	Nbefolao.exe
2868	Njokei32.exe
2920	Nbjpjl32.exe
2356	Olgnnqpe.exe
628	Oljkcpnb.exe
1192	Ojmgggdo.exe
1416	Okodlgbl.exe
4080	Obkiqi32.exe
4928	Pghaghfn.exe
4828	Qkpmcddi.exe
4680	Alfcflfb.exe
3356	Ajjcoqdl.exe
2344	Adohmidb.exe
4592	Ajlpepbi.exe
4372	Bjcfeola.exe
1616	Bqokhi32.exe
3988	Bkglkapo.exe
3480	Ccendc32.exe
384	Ccldebeo.exe
1824	Dgliapic.exe
3524	Dnkkij32.exe
560	Ecafgo32.exe
3176	Felbmqpl.exe
3332	Gjndpg32.exe
4932	Ghdaokfe.exe
3856	Hoepmd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hmbflc32.exe	Gikkof32.exe
File opened for modification	C:\Windows\SysWOW64\Mcicma32.exe	Limioiia.exe
File created	C:\Windows\SysWOW64\Dofgklcb.exe	Dnekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Nglala32.exe	Maohdj32.exe
File created	C:\Windows\SysWOW64\Kiadbknf.dll	Fplimi32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjbbbga.exe	Cdpjeh32.exe
File created	C:\Windows\SysWOW64\Ajqfhdik.dll	Bphgoe32.exe
File opened for modification	C:\Windows\SysWOW64\Ipgkcabd.exe	Heegjj32.exe
File created	C:\Windows\SysWOW64\Nokfcg32.exe	Mcolcgmh.exe
File opened for modification	C:\Windows\SysWOW64\Fglndbmn.exe	Fnalfmhp.exe
File opened for modification	C:\Windows\SysWOW64\Ajjcoqdl.exe	Alfcflfb.exe
File opened for modification	C:\Windows\SysWOW64\Dgliapic.exe	Ccldebeo.exe
File created	C:\Windows\SysWOW64\Cqncbfbf.dll	Mfgiof32.exe
File created	C:\Windows\SysWOW64\Hbkgfa32.dll	Ocldhqgb.exe
File opened for modification	C:\Windows\SysWOW64\Ajikhfpg.exe	Aaqgop32.exe
File created	C:\Windows\SysWOW64\Jkdcffci.exe	Hmbflc32.exe
File opened for modification	C:\Windows\SysWOW64\Ebocpd32.exe	Dklhmlac.exe
File opened for modification	C:\Windows\SysWOW64\Mchhamcl.exe	Lemagjjj.exe
File created	C:\Windows\SysWOW64\Ggobkk32.dll	Adbiojfo.exe
File opened for modification	C:\Windows\SysWOW64\Kfnkeh32.exe	Kpdbhn32.exe
File created	C:\Windows\SysWOW64\Glpedl32.dll	Kglmbd32.exe
File created	C:\Windows\SysWOW64\Dfoamm32.dll	Eecfah32.exe
File opened for modification	C:\Windows\SysWOW64\Jknocljn.exe	Jddggb32.exe
File created	C:\Windows\SysWOW64\Ngcpcbbd.dll	Dampal32.exe
File opened for modification	C:\Windows\SysWOW64\Fhbpqb32.exe	Fojlhmic.exe
File created	C:\Windows\SysWOW64\Ongopg32.dll	Mcmall32.exe
File opened for modification	C:\Windows\SysWOW64\Fikihlmj.exe	Ellicihn.exe
File created	C:\Windows\SysWOW64\Abkjnd32.exe	Acjjpllp.exe
File created	C:\Windows\SysWOW64\Ekgbbi32.dll	Ahhbfkbf.exe
File created	C:\Windows\SysWOW64\Femcnc32.dll	Ndfqlnno.exe
File created	C:\Windows\SysWOW64\Ehlpjikd.exe	Dmglmpkn.exe
File created	C:\Windows\SysWOW64\Hkmlgeje.dll	Oepipo32.exe
File created	C:\Windows\SysWOW64\Gdafgefe.exe	Gngnjk32.exe
File opened for modification	C:\Windows\SysWOW64\Ebejpp32.exe	Djcoko32.exe
File created	C:\Windows\SysWOW64\Cfkmdl32.exe	Coadgacp.exe
File created	C:\Windows\SysWOW64\Icelfhmg.dll	Jdfcla32.exe
File created	C:\Windows\SysWOW64\Hpbajp32.exe	Gpkliaol.exe
File created	C:\Windows\SysWOW64\Mjqjbn32.exe	Maefnk32.exe
File opened for modification	C:\Windows\SysWOW64\Nbqmbo32.exe	Nlfeeelm.exe
File created	C:\Windows\SysWOW64\Khdiln32.dll	Ejchbmna.exe
File opened for modification	C:\Windows\SysWOW64\Ccendc32.exe	Bkglkapo.exe
File opened for modification	C:\Windows\SysWOW64\Pjkofh32.exe	Pengna32.exe
File created	C:\Windows\SysWOW64\Emnbmoef.exe	Edemdine.exe
File opened for modification	C:\Windows\SysWOW64\Bphgoe32.exe	Bacjmh32.exe
File opened for modification	C:\Windows\SysWOW64\Nijqml32.exe	Nihdhl32.exe
File opened for modification	C:\Windows\SysWOW64\Mfkcibdl.exe	Lgjglg32.exe
File created	C:\Windows\SysWOW64\Mcpjnp32.exe	Mihikgod.exe
File created	C:\Windows\SysWOW64\Kiikkada.exe	Kmbkfp32.exe
File created	C:\Windows\SysWOW64\Oeipko32.dll	Mgfqgkib.exe
File created	C:\Windows\SysWOW64\Qcppogqo.exe	Pncggqbg.exe
File created	C:\Windows\SysWOW64\Neoink32.exe	Nbqmbo32.exe
File opened for modification	C:\Windows\SysWOW64\Kglmbd32.exe	Jkdcffci.exe
File created	C:\Windows\SysWOW64\Bonjnc32.exe	Bdhfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bopgdcnc.exe	Bdkbgj32.exe
File opened for modification	C:\Windows\SysWOW64\Cellfm32.exe	Ckghid32.exe
File opened for modification	C:\Windows\SysWOW64\Nebdighb.exe	Mcmall32.exe
File opened for modification	C:\Windows\SysWOW64\Nlnbqjjq.exe	Nllekk32.exe
File created	C:\Windows\SysWOW64\Hndakp32.dll	Colfpace.exe
File opened for modification	C:\Windows\SysWOW64\Dijppjfd.exe	Bjmpfdhb.exe
File opened for modification	C:\Windows\SysWOW64\Ehlpjikd.exe	Dmglmpkn.exe
File created	C:\Windows\SysWOW64\Leadag32.dll	Fmgecn32.exe
File created	C:\Windows\SysWOW64\Omeocm32.dll	Igajka32.exe
File created	C:\Windows\SysWOW64\Kmbkfp32.exe	Jmpnppap.exe
File created	C:\Windows\SysWOW64\Eomgog32.dll	Ohebek32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjnjo32.dll"	Pjffkhpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeemop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahhbfkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggnenagl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paelpcgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mipoje32.dll"	Nbefolao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpegfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjklcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjklcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akdameeh.dll"	Kiikkada.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalchm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpglqgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chpangnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplgij32.dll"	Gjndpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhahj32.dll"	Opdpih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgbijg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmglmpkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbikd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmajl32.dll"	Beqljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfgnle32.dll"	Kijjldkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momhii32.dll"	Ccednl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnpekn32.dll"	Iagqac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecafgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iafgob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicnfocd.dll"	Ppemmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccldebeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nllekk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ochjmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emnbmoef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjdpoacp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmacbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhfbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljmmai32.dll"	Qepccqlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cliahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enpknplq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimpafok.dll"	Khbhdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajikhfpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikndpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpjfn32.dll"	Dkmogbeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlbfmjqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omgabj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bohbackj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coadgacp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adfgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bacjmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bckjdc32.dll"	Ipgkcabd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obkiqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfaplg32.dll"	Gpaqkgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmqgdhfa.dll"	Pqknbmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmangnmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfilee32.dll"	Ffqhmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haafcf32.dll"	Eoccii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffngfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehejpnfb.dll"	Ecfeldcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpglqgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkglkapo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlnbhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jekpljgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkohln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiikkada.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdpmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dijppjfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jloibkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coadgacp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 3376	4952	cfc71464c9163759743bdeb9c94c9f5b.exe	94
PID 4952 wrote to memory of 3376	4952	cfc71464c9163759743bdeb9c94c9f5b.exe	94
PID 4952 wrote to memory of 3376	4952	cfc71464c9163759743bdeb9c94c9f5b.exe	94
PID 3376 wrote to memory of 1904	3376	Nglcjfie.exe	95
PID 3376 wrote to memory of 1904	3376	Nglcjfie.exe	95
PID 3376 wrote to memory of 1904	3376	Nglcjfie.exe	95
PID 1904 wrote to memory of 3300	1904	Qbkcek32.exe	96
PID 1904 wrote to memory of 3300	1904	Qbkcek32.exe	96
PID 1904 wrote to memory of 3300	1904	Qbkcek32.exe	96
PID 3300 wrote to memory of 3500	3300	Agobna32.exe	97
PID 3300 wrote to memory of 3500	3300	Agobna32.exe	97
PID 3300 wrote to memory of 3500	3300	Agobna32.exe	97
PID 3500 wrote to memory of 1916	3500	Biedhclh.exe	98
PID 3500 wrote to memory of 1916	3500	Biedhclh.exe	98
PID 3500 wrote to memory of 1916	3500	Biedhclh.exe	98
PID 1916 wrote to memory of 3360	1916	Bfpkbfdi.exe	99
PID 1916 wrote to memory of 3360	1916	Bfpkbfdi.exe	99
PID 1916 wrote to memory of 3360	1916	Bfpkbfdi.exe	99
PID 3360 wrote to memory of 2004	3360	Cfedmfqd.exe	100
PID 3360 wrote to memory of 2004	3360	Cfedmfqd.exe	100
PID 3360 wrote to memory of 2004	3360	Cfedmfqd.exe	100
PID 2004 wrote to memory of 3864	2004	Deagoa32.exe	101
PID 2004 wrote to memory of 3864	2004	Deagoa32.exe	101
PID 2004 wrote to memory of 3864	2004	Deagoa32.exe	101
PID 3864 wrote to memory of 4924	3864	Dlbfmjqi.exe	102
PID 3864 wrote to memory of 4924	3864	Dlbfmjqi.exe	102
PID 3864 wrote to memory of 4924	3864	Dlbfmjqi.exe	102
PID 4924 wrote to memory of 4880	4924	Ellicihn.exe	103
PID 4924 wrote to memory of 4880	4924	Ellicihn.exe	103
PID 4924 wrote to memory of 4880	4924	Ellicihn.exe	103
PID 4880 wrote to memory of 1020	4880	Fikihlmj.exe	104
PID 4880 wrote to memory of 1020	4880	Fikihlmj.exe	104
PID 4880 wrote to memory of 1020	4880	Fikihlmj.exe	104
PID 1020 wrote to memory of 1960	1020	Ghgljg32.exe	105
PID 1020 wrote to memory of 1960	1020	Ghgljg32.exe	105
PID 1020 wrote to memory of 1960	1020	Ghgljg32.exe	105
PID 1960 wrote to memory of 380	1960	Lgjglg32.exe	106
PID 1960 wrote to memory of 380	1960	Lgjglg32.exe	106
PID 1960 wrote to memory of 380	1960	Lgjglg32.exe	106
PID 380 wrote to memory of 4620	380	Mfkcibdl.exe	108
PID 380 wrote to memory of 4620	380	Mfkcibdl.exe	108
PID 380 wrote to memory of 4620	380	Mfkcibdl.exe	108
PID 4620 wrote to memory of 3776	4620	Mmiealgc.exe	109
PID 4620 wrote to memory of 3776	4620	Mmiealgc.exe	109
PID 4620 wrote to memory of 3776	4620	Mmiealgc.exe	109
PID 3776 wrote to memory of 4468	3776	Omgabj32.exe	110
PID 3776 wrote to memory of 4468	3776	Omgabj32.exe	110
PID 3776 wrote to memory of 4468	3776	Omgabj32.exe	110
PID 4468 wrote to memory of 1484	4468	Okkalnjm.exe	111
PID 4468 wrote to memory of 1484	4468	Okkalnjm.exe	111
PID 4468 wrote to memory of 1484	4468	Okkalnjm.exe	111
PID 1484 wrote to memory of 4648	1484	Odfcjc32.exe	112
PID 1484 wrote to memory of 4648	1484	Odfcjc32.exe	112
PID 1484 wrote to memory of 4648	1484	Odfcjc32.exe	112
PID 4648 wrote to memory of 388	4648	Ppffec32.exe	113
PID 4648 wrote to memory of 388	4648	Ppffec32.exe	113
PID 4648 wrote to memory of 388	4648	Ppffec32.exe	113
PID 388 wrote to memory of 1040	388	Pknghk32.exe	114
PID 388 wrote to memory of 1040	388	Pknghk32.exe	114
PID 388 wrote to memory of 1040	388	Pknghk32.exe	114
PID 1040 wrote to memory of 2928	1040	Ahkkhnpg.exe	115
PID 1040 wrote to memory of 2928	1040	Ahkkhnpg.exe	115
PID 1040 wrote to memory of 2928	1040	Ahkkhnpg.exe	115
PID 2928 wrote to memory of 1896	2928	Bjcmpepm.exe	116

C:\Users\Admin\AppData\Local\Temp\cfc71464c9163759743bdeb9c94c9f5b.exe
"C:\Users\Admin\AppData\Local\Temp\cfc71464c9163759743bdeb9c94c9f5b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\Nglcjfie.exe
  C:\Windows\system32\Nglcjfie.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\Qbkcek32.exe
    C:\Windows\system32\Qbkcek32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\SysWOW64\Agobna32.exe
      C:\Windows\system32\Agobna32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3300
    - - C:\Windows\SysWOW64\Biedhclh.exe
        
        C:\Windows\system32\Biedhclh.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3500
      - C:\Windows\SysWOW64\Bfpkbfdi.exe
        
        C:\Windows\system32\Bfpkbfdi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Cfedmfqd.exe
        
        C:\Windows\system32\Cfedmfqd.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Deagoa32.exe
        
        C:\Windows\system32\Deagoa32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Dlbfmjqi.exe
        
        C:\Windows\system32\Dlbfmjqi.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Ellicihn.exe
        
        C:\Windows\system32\Ellicihn.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Fikihlmj.exe
        
        C:\Windows\system32\Fikihlmj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Ghgljg32.exe
        
        C:\Windows\system32\Ghgljg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Lgjglg32.exe
        
        C:\Windows\system32\Lgjglg32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Mfkcibdl.exe
        
        C:\Windows\system32\Mfkcibdl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Mmiealgc.exe
        
        C:\Windows\system32\Mmiealgc.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Omgabj32.exe
        
        C:\Windows\system32\Omgabj32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Okkalnjm.exe
        
        C:\Windows\system32\Okkalnjm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Odfcjc32.exe
        
        C:\Windows\system32\Odfcjc32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ppffec32.exe
        
        C:\Windows\system32\Ppffec32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Pknghk32.exe
        
        C:\Windows\system32\Pknghk32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Ahkkhnpg.exe
        
        C:\Windows\system32\Ahkkhnpg.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Bjcmpepm.exe
        
        C:\Windows\system32\Bjcmpepm.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Bjmpfdhb.exe
        
        C:\Windows\system32\Bjmpfdhb.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Dijppjfd.exe
        
        C:\Windows\system32\Dijppjfd.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Dicbfhni.exe
        
        C:\Windows\system32\Dicbfhni.exe
        25⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Enpknplq.exe
        
        C:\Windows\system32\Enpknplq.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Eecfah32.exe
        
        C:\Windows\system32\Eecfah32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ihgnfnjl.exe
        
        C:\Windows\system32\Ihgnfnjl.exe
        28⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\Iadljc32.exe
        
        C:\Windows\system32\Iadljc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Jbieebha.exe
        
        C:\Windows\system32\Jbieebha.exe
        30⤵
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\Jloibkhh.exe
        
        C:\Windows\system32\Jloibkhh.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Jmccnk32.exe
        
        C:\Windows\system32\Jmccnk32.exe
        32⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Kofheeoq.exe
        
        C:\Windows\system32\Kofheeoq.exe
        33⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Kcfnqccd.exe
        
        C:\Windows\system32\Kcfnqccd.exe
        34⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Kcikfcab.exe
        
        C:\Windows\system32\Kcikfcab.exe
        35⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Limioiia.exe
        
        C:\Windows\system32\Limioiia.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Mcicma32.exe
        
        C:\Windows\system32\Mcicma32.exe
        37⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Mihikgod.exe
        
        C:\Windows\system32\Mihikgod.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\Mcpjnp32.exe
        
        C:\Windows\system32\Mcpjnp32.exe
        39⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Nbefolao.exe
        
        C:\Windows\system32\Nbefolao.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Njokei32.exe
        
        C:\Windows\system32\Njokei32.exe
        41⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Nbjpjl32.exe
        
        C:\Windows\system32\Nbjpjl32.exe
        42⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Olgnnqpe.exe
        
        C:\Windows\system32\Olgnnqpe.exe
        43⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\Oljkcpnb.exe
        
        C:\Windows\system32\Oljkcpnb.exe
        44⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Ojmgggdo.exe
        
        C:\Windows\system32\Ojmgggdo.exe
        45⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Okodlgbl.exe
        
        C:\Windows\system32\Okodlgbl.exe
        46⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Obkiqi32.exe
        
        C:\Windows\system32\Obkiqi32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Pghaghfn.exe
        
        C:\Windows\system32\Pghaghfn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Qkpmcddi.exe
        
        C:\Windows\system32\Qkpmcddi.exe
        49⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Alfcflfb.exe
        
        C:\Windows\system32\Alfcflfb.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Ajjcoqdl.exe
        
        C:\Windows\system32\Ajjcoqdl.exe
        51⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Adohmidb.exe
        
        C:\Windows\system32\Adohmidb.exe
        52⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Ajlpepbi.exe
        
        C:\Windows\system32\Ajlpepbi.exe
        53⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Bjcfeola.exe
        
        C:\Windows\system32\Bjcfeola.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Bqokhi32.exe
        
        C:\Windows\system32\Bqokhi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Bkglkapo.exe
        
        C:\Windows\system32\Bkglkapo.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Ccendc32.exe
        
        C:\Windows\system32\Ccendc32.exe
        57⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Ccldebeo.exe
        
        C:\Windows\system32\Ccldebeo.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Dgliapic.exe
        
        C:\Windows\system32\Dgliapic.exe
        59⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Dnkkij32.exe
        
        C:\Windows\system32\Dnkkij32.exe
        60⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Ecafgo32.exe
        
        C:\Windows\system32\Ecafgo32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Felbmqpl.exe
        
        C:\Windows\system32\Felbmqpl.exe
        62⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Gjndpg32.exe
        
        C:\Windows\system32\Gjndpg32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Ghdaokfe.exe
        
        C:\Windows\system32\Ghdaokfe.exe
        64⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Hoepmd32.exe
        
        C:\Windows\system32\Hoepmd32.exe
        65⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Ihdjfhhc.exe
        
        C:\Windows\system32\Ihdjfhhc.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:976
        
        C:\Windows\SysWOW64\Jahnkl32.exe
        
        C:\Windows\system32\Jahnkl32.exe
        67⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Jlnbhe32.exe
        
        C:\Windows\system32\Jlnbhe32.exe
        68⤵
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Jlponebi.exe
        
        C:\Windows\system32\Jlponebi.exe
        69⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\Jkeloa32.exe
        
        C:\Windows\system32\Jkeloa32.exe
        70⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Jekpljgg.exe
        
        C:\Windows\system32\Jekpljgg.exe
        71⤵
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Kfmmajed.exe
        
        C:\Windows\system32\Kfmmajed.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4008
        
        C:\Windows\SysWOW64\Lkfeeo32.exe
        
        C:\Windows\system32\Lkfeeo32.exe
        73⤵
        
        PID:404
        
        C:\Windows\SysWOW64\Mkohln32.exe
        
        C:\Windows\system32\Mkohln32.exe
        74⤵
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Mfgiof32.exe
        
        C:\Windows\system32\Mfgiof32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3232
        
        C:\Windows\SysWOW64\Nfnooe32.exe
        
        C:\Windows\system32\Nfnooe32.exe
        76⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Nfpled32.exe
        
        C:\Windows\system32\Nfpled32.exe
        77⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\Nfeepdbg.exe
        
        C:\Windows\system32\Nfeepdbg.exe
        78⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\Opdpih32.exe
        
        C:\Windows\system32\Opdpih32.exe
        79⤵
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Ppgeff32.exe
        
        C:\Windows\system32\Ppgeff32.exe
        80⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\Cnealfkf.exe
        
        C:\Windows\system32\Cnealfkf.exe
        81⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Cpmqoqbp.exe
        
        C:\Windows\system32\Cpmqoqbp.exe
        82⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Djgbmffn.exe
        
        C:\Windows\system32\Djgbmffn.exe
        83⤵
        
        PID:1856

C:\Windows\SysWOW64\Dnekcd32.exe
C:\Windows\system32\Dnekcd32.exe
1⤵
- Drops file in System32 directory
PID:4520
- C:\Windows\SysWOW64\Dofgklcb.exe
  C:\Windows\system32\Dofgklcb.exe
  2⤵
  PID:3300
- - C:\Windows\SysWOW64\Efjbne32.exe
    C:\Windows\system32\Efjbne32.exe
    3⤵
    PID:5092
  - - C:\Windows\SysWOW64\Efolidno.exe
      C:\Windows\system32\Efolidno.exe
      4⤵
      PID:4168
    - - C:\Windows\SysWOW64\Fplimi32.exe
        
        C:\Windows\system32\Fplimi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4016
      - C:\Windows\SysWOW64\Gcceifof.exe
        
        C:\Windows\system32\Gcceifof.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4716
        
        C:\Windows\SysWOW64\Hpeejfjm.exe
        
        C:\Windows\system32\Hpeejfjm.exe
        7⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Iffcgoka.exe
        
        C:\Windows\system32\Iffcgoka.exe
        8⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\Jddggb32.exe
        
        C:\Windows\system32\Jddggb32.exe
        9⤵
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Jknocljn.exe
        
        C:\Windows\system32\Jknocljn.exe
        10⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\Jdfcla32.exe
        
        C:\Windows\system32\Jdfcla32.exe
        11⤵
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\Jopaejlo.exe
        
        C:\Windows\system32\Jopaejlo.exe
        12⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\Khbhdn32.exe
        
        C:\Windows\system32\Khbhdn32.exe
        13⤵
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Lqfpoope.exe
        
        C:\Windows\system32\Lqfpoope.exe
        14⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Mkegbfgp.exe
        
        C:\Windows\system32\Mkegbfgp.exe
        15⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\Ndphpk32.exe
        
        C:\Windows\system32\Ndphpk32.exe
        16⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Nkagndmc.exe
        
        C:\Windows\system32\Nkagndmc.exe
        17⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Oilmhhfd.exe
        
        C:\Windows\system32\Oilmhhfd.exe
        18⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Piepnfnj.exe
        
        C:\Windows\system32\Piepnfnj.exe
        19⤵
        
        PID:364
        
        C:\Windows\SysWOW64\Qnlkllcf.exe
        
        C:\Windows\system32\Qnlkllcf.exe
        20⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Cadcfd32.exe
        
        C:\Windows\system32\Cadcfd32.exe
        21⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Clqncl32.exe
        
        C:\Windows\system32\Clqncl32.exe
        22⤵
        
        PID:816
        
        C:\Windows\SysWOW64\Djnaco32.exe
        
        C:\Windows\system32\Djnaco32.exe
        23⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Ecfeldcj.exe
        
        C:\Windows\system32\Ecfeldcj.exe
        24⤵
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Elagjihh.exe
        
        C:\Windows\system32\Elagjihh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3824
        
        C:\Windows\SysWOW64\Eqalfgll.exe
        
        C:\Windows\system32\Eqalfgll.exe
        26⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\Fiajfi32.exe
        
        C:\Windows\system32\Fiajfi32.exe
        27⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Fjqgpl32.exe
        
        C:\Windows\system32\Fjqgpl32.exe
        28⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Gpkliaol.exe
        
        C:\Windows\system32\Gpkliaol.exe
        29⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Hpbajp32.exe
        
        C:\Windows\system32\Hpbajp32.exe
        30⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Hjjbmhfg.exe
        
        C:\Windows\system32\Hjjbmhfg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Hcbgen32.exe
        
        C:\Windows\system32\Hcbgen32.exe
        32⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Iafgob32.exe
        
        C:\Windows\system32\Iafgob32.exe
        33⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Ijolhg32.exe
        
        C:\Windows\system32\Ijolhg32.exe
        34⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Ipldpo32.exe
        
        C:\Windows\system32\Ipldpo32.exe
        35⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Impeib32.exe
        
        C:\Windows\system32\Impeib32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Ibmmbj32.exe
        
        C:\Windows\system32\Ibmmbj32.exe
        37⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Imbaobmp.exe
        
        C:\Windows\system32\Imbaobmp.exe
        38⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Iiibdc32.exe
        
        C:\Windows\system32\Iiibdc32.exe
        39⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Ifmcmg32.exe
        
        C:\Windows\system32\Ifmcmg32.exe
        40⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Jpegfm32.exe
        
        C:\Windows\system32\Jpegfm32.exe
        41⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Jjklcf32.exe
        
        C:\Windows\system32\Jjklcf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Jmpnppap.exe
        
        C:\Windows\system32\Jmpnppap.exe
        43⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Kmbkfp32.exe
        
        C:\Windows\system32\Kmbkfp32.exe
        44⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Kiikkada.exe
        
        C:\Windows\system32\Kiikkada.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Kkkdjcjb.exe
        
        C:\Windows\system32\Kkkdjcjb.exe
        46⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Kpjjhj32.exe
        
        C:\Windows\system32\Kpjjhj32.exe
        47⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Lalchm32.exe
        
        C:\Windows\system32\Lalchm32.exe
        48⤵
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Lcbikd32.exe
        
        C:\Windows\system32\Lcbikd32.exe
        49⤵
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Lacihleo.exe
        
        C:\Windows\system32\Lacihleo.exe
        50⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Mgpaqbcf.exe
        
        C:\Windows\system32\Mgpaqbcf.exe
        51⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Maefnk32.exe
        
        C:\Windows\system32\Maefnk32.exe
        52⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Mjqjbn32.exe
        
        C:\Windows\system32\Mjqjbn32.exe
        53⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Mpkbohhd.exe
        
        C:\Windows\system32\Mpkbohhd.exe
        54⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Mkpglqgj.exe
        
        C:\Windows\system32\Mkpglqgj.exe
        55⤵
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Mdhkefnj.exe
        
        C:\Windows\system32\Mdhkefnj.exe
        56⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Mgidgakk.exe
        
        C:\Windows\system32\Mgidgakk.exe
        57⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Maohdj32.exe
        
        C:\Windows\system32\Maohdj32.exe
        58⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Nglala32.exe
        
        C:\Windows\system32\Nglala32.exe
        59⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Naaejj32.exe
        
        C:\Windows\system32\Naaejj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:668
        
        C:\Windows\SysWOW64\Ndfgfd32.exe
        
        C:\Windows\system32\Ndfgfd32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Ocldhqgb.exe
        
        C:\Windows\system32\Ocldhqgb.exe
        62⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Ogjmnomi.exe
        
        C:\Windows\system32\Ogjmnomi.exe
        63⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Okgfdm32.exe
        
        C:\Windows\system32\Okgfdm32.exe
        64⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Odpjmcjp.exe
        
        C:\Windows\system32\Odpjmcjp.exe
        65⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\Obdkfg32.exe
        
        C:\Windows\system32\Obdkfg32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Ogqcon32.exe
        
        C:\Windows\system32\Ogqcon32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1620
        
        C:\Windows\SysWOW64\Pcgdcome.exe
        
        C:\Windows\system32\Pcgdcome.exe
        68⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Pnmhqh32.exe
        
        C:\Windows\system32\Pnmhqh32.exe
        69⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Pgemimck.exe
        
        C:\Windows\system32\Pgemimck.exe
        70⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Pclnon32.exe
        
        C:\Windows\system32\Pclnon32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1592
        
        C:\Windows\SysWOW64\Pjffkhpl.exe
        
        C:\Windows\system32\Pjffkhpl.exe
        72⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Pengna32.exe
        
        C:\Windows\system32\Pengna32.exe
        73⤵
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\Pjkofh32.exe
        
        C:\Windows\system32\Pjkofh32.exe
        74⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Qepccqlm.exe
        
        C:\Windows\system32\Qepccqlm.exe
        75⤵
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Qjmllgjd.exe
        
        C:\Windows\system32\Qjmllgjd.exe
        76⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Qagdia32.exe
        
        C:\Windows\system32\Qagdia32.exe
        77⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Qlmhfj32.exe
        
        C:\Windows\system32\Qlmhfj32.exe
        78⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Aeemop32.exe
        
        C:\Windows\system32\Aeemop32.exe
        79⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Aloekjod.exe
        
        C:\Windows\system32\Aloekjod.exe
        80⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Acjjpllp.exe
        
        C:\Windows\system32\Acjjpllp.exe
        81⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Abkjnd32.exe
        
        C:\Windows\system32\Abkjnd32.exe
        82⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Ahhbfkbf.exe
        
        C:\Windows\system32\Ahhbfkbf.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Aaqgop32.exe
        
        C:\Windows\system32\Aaqgop32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Ajikhfpg.exe
        
        C:\Windows\system32\Ajikhfpg.exe
        85⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Aenpeoom.exe
        
        C:\Windows\system32\Aenpeoom.exe
        86⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Blhhaigj.exe
        
        C:\Windows\system32\Blhhaigj.exe
        87⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Beqljn32.exe
        
        C:\Windows\system32\Beqljn32.exe
        88⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Bhaeli32.exe
        
        C:\Windows\system32\Bhaeli32.exe
        89⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Bbgiibja.exe
        
        C:\Windows\system32\Bbgiibja.exe
        90⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Bdhfaj32.exe
        
        C:\Windows\system32\Bdhfaj32.exe
        91⤵
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\SysWOW64\Bonjnc32.exe
        
        C:\Windows\system32\Bonjnc32.exe
        92⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Bdkbgj32.exe
        
        C:\Windows\system32\Bdkbgj32.exe
        93⤵
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Bopgdcnc.exe
        
        C:\Windows\system32\Bopgdcnc.exe
        94⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\Ckghid32.exe
        
        C:\Windows\system32\Ckghid32.exe
        95⤵
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Cellfm32.exe
        
        C:\Windows\system32\Cellfm32.exe
        96⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\Ckidoc32.exe
        
        C:\Windows\system32\Ckidoc32.exe
        97⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Cliahf32.exe
        
        C:\Windows\system32\Cliahf32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Chpangnk.exe
        
        C:\Windows\system32\Chpangnk.exe
        99⤵
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Coijja32.exe
        
        C:\Windows\system32\Coijja32.exe
        100⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\Cdfbbhdp.exe
        
        C:\Windows\system32\Cdfbbhdp.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2344
        
        C:\Windows\SysWOW64\Colfpace.exe
        
        C:\Windows\system32\Colfpace.exe
        102⤵
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Dlpgiebo.exe
        
        C:\Windows\system32\Dlpgiebo.exe
        103⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\Dampal32.exe
        
        C:\Windows\system32\Dampal32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Dlbcoe32.exe
        
        C:\Windows\system32\Dlbcoe32.exe
        105⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\Dldpde32.exe
        
        C:\Windows\system32\Dldpde32.exe
        106⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\Daaiml32.exe
        
        C:\Windows\system32\Daaiml32.exe
        107⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Dkjmea32.exe
        
        C:\Windows\system32\Dkjmea32.exe
        108⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Eaabci32.exe
        
        C:\Windows\system32\Eaabci32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Flgfqb32.exe
        
        C:\Windows\system32\Flgfqb32.exe
        110⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Fdbked32.exe
        
        C:\Windows\system32\Fdbked32.exe
        111⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Fklcbocl.exe
        
        C:\Windows\system32\Fklcbocl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3428
        
        C:\Windows\SysWOW64\Ffbgog32.exe
        
        C:\Windows\system32\Ffbgog32.exe
        113⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Fojlhmic.exe
        
        C:\Windows\system32\Fojlhmic.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Fhbpqb32.exe
        
        C:\Windows\system32\Fhbpqb32.exe
        115⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Gkhbnm32.exe
        
        C:\Windows\system32\Gkhbnm32.exe
        116⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Gkjocm32.exe
        
        C:\Windows\system32\Gkjocm32.exe
        117⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Gfpcpefb.exe
        
        C:\Windows\system32\Gfpcpefb.exe
        118⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Gkmlilej.exe
        
        C:\Windows\system32\Gkmlilej.exe
        119⤵
        
        PID:756
        
        C:\Windows\SysWOW64\Gfbpfedp.exe
        
        C:\Windows\system32\Gfbpfedp.exe
        120⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\Gokdoj32.exe
        
        C:\Windows\system32\Gokdoj32.exe
        121⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Hfemkdbm.exe
        
        C:\Windows\system32\Hfemkdbm.exe
        122⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Homadjin.exe
        
        C:\Windows\system32\Homadjin.exe
        123⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Hfgjad32.exe
        
        C:\Windows\system32\Hfgjad32.exe
        124⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Hoonjjgk.exe
        
        C:\Windows\system32\Hoonjjgk.exe
        125⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Hihbco32.exe
        
        C:\Windows\system32\Hihbco32.exe
        126⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Hcmgphma.exe
        
        C:\Windows\system32\Hcmgphma.exe
        127⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Hijohoki.exe
        
        C:\Windows\system32\Hijohoki.exe
        128⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Jmknkk32.exe
        
        C:\Windows\system32\Jmknkk32.exe
        129⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Kmdqai32.exe
        
        C:\Windows\system32\Kmdqai32.exe
        130⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Kdnincal.exe
        
        C:\Windows\system32\Kdnincal.exe
        131⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Keoeel32.exe
        
        C:\Windows\system32\Keoeel32.exe
        132⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Klljhe32.exe
        
        C:\Windows\system32\Klljhe32.exe
        133⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Kedoqkbe.exe
        
        C:\Windows\system32\Kedoqkbe.exe
        134⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Lpjcnd32.exe
        
        C:\Windows\system32\Lpjcnd32.exe
        135⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Lefkfk32.exe
        
        C:\Windows\system32\Lefkfk32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6972
        
        C:\Windows\SysWOW64\Llpcceho.exe
        
        C:\Windows\system32\Llpcceho.exe
        137⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Lbjlpo32.exe
        
        C:\Windows\system32\Lbjlpo32.exe
        138⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Lmppmh32.exe
        
        C:\Windows\system32\Lmppmh32.exe
        139⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Lbmheomi.exe
        
        C:\Windows\system32\Lbmheomi.exe
        140⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Lpqioclc.exe
        
        C:\Windows\system32\Lpqioclc.exe
        141⤵
        
        PID:384
        
        C:\Windows\SysWOW64\Lemagjjj.exe
        
        C:\Windows\system32\Lemagjjj.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6280
        
        C:\Windows\SysWOW64\Mchhamcl.exe
        
        C:\Windows\system32\Mchhamcl.exe
        143⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Mmnlnfcb.exe
        
        C:\Windows\system32\Mmnlnfcb.exe
        144⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Mgfqgkib.exe
        
        C:\Windows\system32\Mgfqgkib.exe
        145⤵
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\Mcmall32.exe
        
        C:\Windows\system32\Mcmall32.exe
        146⤵
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Nebdighb.exe
        
        C:\Windows\system32\Nebdighb.exe
        147⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Ngbpbjoe.exe
        
        C:\Windows\system32\Ngbpbjoe.exe
        148⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Ndfqlnno.exe
        
        C:\Windows\system32\Ndfqlnno.exe
        149⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Onneeceo.exe
        
        C:\Windows\system32\Onneeceo.exe
        150⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Odhman32.exe
        
        C:\Windows\system32\Odhman32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4000
        
        C:\Windows\SysWOW64\Onqbjccl.exe
        
        C:\Windows\system32\Onqbjccl.exe
        152⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Odkjgm32.exe
        
        C:\Windows\system32\Odkjgm32.exe
        153⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Oncopcqj.exe
        
        C:\Windows\system32\Oncopcqj.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7040
        
        C:\Windows\SysWOW64\Ofncde32.exe
        
        C:\Windows\system32\Ofncde32.exe
        155⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Olhlaoea.exe
        
        C:\Windows\system32\Olhlaoea.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6148
        
        C:\Windows\SysWOW64\Ocbdni32.exe
        
        C:\Windows\system32\Ocbdni32.exe
        157⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Ojllkcdk.exe
        
        C:\Windows\system32\Ojllkcdk.exe
        158⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\Oqfdgn32.exe
        
        C:\Windows\system32\Oqfdgn32.exe
        159⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Pfcmpdjp.exe
        
        C:\Windows\system32\Pfcmpdjp.exe
        160⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Pqhammje.exe
        
        C:\Windows\system32\Pqhammje.exe
        161⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\Pgbijg32.exe
        
        C:\Windows\system32\Pgbijg32.exe
        162⤵
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Pqknbmhc.exe
        
        C:\Windows\system32\Pqknbmhc.exe
        163⤵
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Pfgfkd32.exe
        
        C:\Windows\system32\Pfgfkd32.exe
        164⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\Pmangnmg.exe
        
        C:\Windows\system32\Pmangnmg.exe
        165⤵
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Pckfdh32.exe
        
        C:\Windows\system32\Pckfdh32.exe
        166⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Pqpgnl32.exe
        
        C:\Windows\system32\Pqpgnl32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6820
        
        C:\Windows\SysWOW64\Pgiojf32.exe
        
        C:\Windows\system32\Pgiojf32.exe
        168⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Pncggqbg.exe
        
        C:\Windows\system32\Pncggqbg.exe
        169⤵
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Qcppogqo.exe
        
        C:\Windows\system32\Qcppogqo.exe
        170⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\Qdpmij32.exe
        
        C:\Windows\system32\Qdpmij32.exe
        171⤵
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Qnhabp32.exe
        
        C:\Windows\system32\Qnhabp32.exe
        172⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Adbiojfo.exe
        
        C:\Windows\system32\Adbiojfo.exe
        173⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Ajoagadf.exe
        
        C:\Windows\system32\Ajoagadf.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3332
        
        C:\Windows\SysWOW64\Aedfdjdl.exe
        
        C:\Windows\system32\Aedfdjdl.exe
        175⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Afeblb32.exe
        
        C:\Windows\system32\Afeblb32.exe
        176⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Acicefid.exe
        
        C:\Windows\system32\Acicefid.exe
        177⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Anogbohj.exe
        
        C:\Windows\system32\Anogbohj.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3956
        
        C:\Windows\SysWOW64\Jfnbnk32.exe
        
        C:\Windows\system32\Jfnbnk32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4536
        
        C:\Windows\SysWOW64\Kijjldkh.exe
        
        C:\Windows\system32\Kijjldkh.exe
        180⤵
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Kpdbhn32.exe
        
        C:\Windows\system32\Kpdbhn32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\Kfnkeh32.exe
        
        C:\Windows\system32\Kfnkeh32.exe
        182⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Lpkiim32.exe
        
        C:\Windows\system32\Lpkiim32.exe
        183⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Licmbccm.exe
        
        C:\Windows\system32\Licmbccm.exe
        184⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Lfgnkgbf.exe
        
        C:\Windows\system32\Lfgnkgbf.exe
        185⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\Lldfcn32.exe
        
        C:\Windows\system32\Lldfcn32.exe
        186⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Lihfmb32.exe
        
        C:\Windows\system32\Lihfmb32.exe
        187⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Mbqkfhfh.exe
        
        C:\Windows\system32\Mbqkfhfh.exe
        188⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\Moglkikl.exe
        
        C:\Windows\system32\Moglkikl.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2704
        
        C:\Windows\SysWOW64\Nohdaf32.exe
        
        C:\Windows\system32\Nohdaf32.exe
        190⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\Nllekk32.exe
        
        C:\Windows\system32\Nllekk32.exe
        191⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Nlnbqjjq.exe
        
        C:\Windows\system32\Nlnbqjjq.exe
        192⤵
        
        PID:432
        
        C:\Windows\SysWOW64\Ochjmd32.exe
        
        C:\Windows\system32\Ochjmd32.exe
        193⤵
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Ohebek32.exe
        
        C:\Windows\system32\Ohebek32.exe
        194⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Oeicopoo.exe
        
        C:\Windows\system32\Oeicopoo.exe
        195⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Ocmchdmh.exe
        
        C:\Windows\system32\Ocmchdmh.exe
        196⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\Olehai32.exe
        
        C:\Windows\system32\Olehai32.exe
        197⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Oenljoji.exe
        
        C:\Windows\system32\Oenljoji.exe
        198⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Opcqgh32.exe
        
        C:\Windows\system32\Opcqgh32.exe
        199⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Oepipo32.exe
        
        C:\Windows\system32\Oepipo32.exe
        200⤵
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Ppemmg32.exe
        
        C:\Windows\system32\Ppemmg32.exe
        201⤵
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Pgoejapi.exe
        
        C:\Windows\system32\Pgoejapi.exe
        202⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Pphjbgfj.exe
        
        C:\Windows\system32\Pphjbgfj.exe
        203⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Pomgcc32.exe
        
        C:\Windows\system32\Pomgcc32.exe
        204⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Pjbkal32.exe
        
        C:\Windows\system32\Pjbkal32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6576
        
        C:\Windows\SysWOW64\Poodicio.exe
        
        C:\Windows\system32\Poodicio.exe
        206⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\Plcdbghi.exe
        
        C:\Windows\system32\Plcdbghi.exe
        207⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\Ccednl32.exe
        
        C:\Windows\system32\Ccednl32.exe
        208⤵
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Dffmogji.exe
        
        C:\Windows\system32\Dffmogji.exe
        209⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\Dhejij32.exe
        
        C:\Windows\system32\Dhejij32.exe
        210⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\Dmbbaq32.exe
        
        C:\Windows\system32\Dmbbaq32.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4520
        
        C:\Windows\SysWOW64\Dhgfoioi.exe
        
        C:\Windows\system32\Dhgfoioi.exe
        212⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Dmglmpkn.exe
        
        C:\Windows\system32\Dmglmpkn.exe
        213⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Ehlpjikd.exe
        
        C:\Windows\system32\Ehlpjikd.exe
        214⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Epgenk32.exe
        
        C:\Windows\system32\Epgenk32.exe
        215⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Emkeho32.exe
        
        C:\Windows\system32\Emkeho32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1012
        
        C:\Windows\SysWOW64\Edemdine.exe
        
        C:\Windows\system32\Edemdine.exe
        217⤵
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\Emnbmoef.exe
        
        C:\Windows\system32\Emnbmoef.exe
        218⤵
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Ehcfkhel.exe
        
        C:\Windows\system32\Ehcfkhel.exe
        219⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\Eidbbp32.exe
        
        C:\Windows\system32\Eidbbp32.exe
        220⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\Epokojbg.exe
        
        C:\Windows\system32\Epokojbg.exe
        221⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\Ekdolcbm.exe
        
        C:\Windows\system32\Ekdolcbm.exe
        222⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Eangimij.exe
        
        C:\Windows\system32\Eangimij.exe
        223⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Fhhpfg32.exe
        
        C:\Windows\system32\Fhhpfg32.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7204
        
        C:\Windows\SysWOW64\Fmehnn32.exe
        
        C:\Windows\system32\Fmehnn32.exe
        225⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Fdopkhfk.exe
        
        C:\Windows\system32\Fdopkhfk.exe
        226⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Fmgecn32.exe
        
        C:\Windows\system32\Fmgecn32.exe
        227⤵
        Drops file in System32 directory
        
        PID:7344
        
        C:\Windows\SysWOW64\Fineho32.exe
        
        C:\Windows\system32\Fineho32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7392
        
        C:\Windows\SysWOW64\Fdcjfg32.exe
        
        C:\Windows\system32\Fdcjfg32.exe
        229⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Fkmbbajb.exe
        
        C:\Windows\system32\Fkmbbajb.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7488
        
        C:\Windows\SysWOW64\Fagjolao.exe
        
        C:\Windows\system32\Fagjolao.exe
        231⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Fhablf32.exe
        
        C:\Windows\system32\Fhablf32.exe
        232⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Fmnkdm32.exe
        
        C:\Windows\system32\Fmnkdm32.exe
        233⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Gkbkna32.exe
        
        C:\Windows\system32\Gkbkna32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7672
        
        C:\Windows\SysWOW64\Gdjpff32.exe
        
        C:\Windows\system32\Gdjpff32.exe
        235⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Gighom32.exe
        
        C:\Windows\system32\Gighom32.exe
        236⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Gpaqkgba.exe
        
        C:\Windows\system32\Gpaqkgba.exe
        237⤵
        Modifies registry class
        
        PID:7820
        
        C:\Windows\SysWOW64\Gkgeipah.exe
        
        C:\Windows\system32\Gkgeipah.exe
        238⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Gaqmej32.exe
        
        C:\Windows\system32\Gaqmej32.exe
        239⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Ggnenagl.exe
        
        C:\Windows\system32\Ggnenagl.exe
        240⤵
        Modifies registry class
        
        PID:7944
        
        C:\Windows\SysWOW64\Gngnjk32.exe
        
        C:\Windows\system32\Gngnjk32.exe
        241⤵
        Drops file in System32 directory
        
        PID:7984
        
        C:\Windows\SysWOW64\Gdafgefe.exe
        
        C:\Windows\system32\Gdafgefe.exe
        242⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Gjnnoldm.exe
        
        C:\Windows\system32\Gjnnoldm.exe
        243⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Hknkiokp.exe
        
        C:\Windows\system32\Hknkiokp.exe
        244⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Hpkcafjg.exe
        
        C:\Windows\system32\Hpkcafjg.exe
        245⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Hgdlnp32.exe
        
        C:\Windows\system32\Hgdlnp32.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2984
        
        C:\Windows\SysWOW64\Hajpli32.exe
        
        C:\Windows\system32\Hajpli32.exe
        247⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Hkbddo32.exe
        
        C:\Windows\system32\Hkbddo32.exe
        248⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Hpomme32.exe
        
        C:\Windows\system32\Hpomme32.exe
        249⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Ikndpm32.exe
        
        C:\Windows\system32\Ikndpm32.exe
        250⤵
        Modifies registry class
        
        PID:7440
        
        C:\Windows\SysWOW64\Ihbdja32.exe
        
        C:\Windows\system32\Ihbdja32.exe
        251⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Mbgjlq32.exe
        
        C:\Windows\system32\Mbgjlq32.exe
        252⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Mlooef32.exe
        
        C:\Windows\system32\Mlooef32.exe
        253⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Nlfeeelm.exe
        
        C:\Windows\system32\Nlfeeelm.exe
        254⤵
        Drops file in System32 directory
        
        PID:8152
        
        C:\Windows\SysWOW64\Nbqmbo32.exe
        
        C:\Windows\system32\Nbqmbo32.exe
        255⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Neoink32.exe
        
        C:\Windows\system32\Neoink32.exe
        256⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Nklbfaae.exe
        
        C:\Windows\system32\Nklbfaae.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4608
        
        C:\Windows\SysWOW64\Nlknqd32.exe
        
        C:\Windows\system32\Nlknqd32.exe
        258⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Oefpoi32.exe
        
        C:\Windows\system32\Oefpoi32.exe
        259⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Okbhgq32.exe
        
        C:\Windows\system32\Okbhgq32.exe
        260⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Oampdkbj.exe
        
        C:\Windows\system32\Oampdkbj.exe
        261⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Ooqqmoac.exe
        
        C:\Windows\system32\Ooqqmoac.exe
        262⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Oejijiip.exe
        
        C:\Windows\system32\Oejijiip.exe
        263⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Oldagc32.exe
        
        C:\Windows\system32\Oldagc32.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7668
        
        C:\Windows\SysWOW64\Alcfoo32.exe
        
        C:\Windows\system32\Alcfoo32.exe
        265⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Bcokah32.exe
        
        C:\Windows\system32\Bcokah32.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Bkjpek32.exe
        
        C:\Windows\system32\Bkjpek32.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8160
        
        C:\Windows\SysWOW64\Diccal32.exe
        
        C:\Windows\system32\Diccal32.exe
        268⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Djcoko32.exe
        
        C:\Windows\system32\Djcoko32.exe
        269⤵
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ebejpp32.exe
        
        C:\Windows\system32\Ebejpp32.exe
        270⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Elpknehe.exe
        
        C:\Windows\system32\Elpknehe.exe
        271⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Efepln32.exe
        
        C:\Windows\system32\Efepln32.exe
        272⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Ejchbmna.exe
        
        C:\Windows\system32\Ejchbmna.exe
        273⤵
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Fppqjcli.exe
        
        C:\Windows\system32\Fppqjcli.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Gikkof32.exe
        
        C:\Windows\system32\Gikkof32.exe
        275⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Hmbflc32.exe
        
        C:\Windows\system32\Hmbflc32.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7760
        
        C:\Windows\SysWOW64\Jkdcffci.exe
        
        C:\Windows\system32\Jkdcffci.exe
        277⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Kglmbd32.exe
        
        C:\Windows\system32\Kglmbd32.exe
        278⤵
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Paelpcgc.exe
        
        C:\Windows\system32\Paelpcgc.exe
        279⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Ahpmckpn.exe
        
        C:\Windows\system32\Ahpmckpn.exe
        280⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Bohbackj.exe
        
        C:\Windows\system32\Bohbackj.exe
        281⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Cdlpjicj.exe
        
        C:\Windows\system32\Cdlpjicj.exe
        282⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Coadgacp.exe
        
        C:\Windows\system32\Coadgacp.exe
        283⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Cfkmdl32.exe
        
        C:\Windows\system32\Cfkmdl32.exe
        284⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Cdpjeh32.exe
        
        C:\Windows\system32\Cdpjeh32.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7652
        
        C:\Windows\SysWOW64\Ckjbbbga.exe
        
        C:\Windows\system32\Ckjbbbga.exe
        286⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Dkmogbeo.exe
        
        C:\Windows\system32\Dkmogbeo.exe
        287⤵
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Feoomd32.exe
        
        C:\Windows\system32\Feoomd32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3580
        
        C:\Windows\SysWOW64\Fimhcbkh.exe
        
        C:\Windows\system32\Fimhcbkh.exe
        289⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Ffqhmf32.exe
        
        C:\Windows\system32\Ffqhmf32.exe
        290⤵
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Gnlmai32.exe
        
        C:\Windows\system32\Gnlmai32.exe
        291⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Gefencoj.exe
        
        C:\Windows\system32\Gefencoj.exe
        292⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\Iikmlnae.exe
        
        C:\Windows\system32\Iikmlnae.exe
        293⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Igajka32.exe
        
        C:\Windows\system32\Igajka32.exe
        294⤵
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\Ipjocgdm.exe
        
        C:\Windows\system32\Ipjocgdm.exe
        295⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Nmdgbamf.exe
        
        C:\Windows\system32\Nmdgbamf.exe
        296⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\Pnmojp32.exe
        
        C:\Windows\system32\Pnmojp32.exe
        297⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Qjdpoacp.exe
        
        C:\Windows\system32\Qjdpoacp.exe
        298⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Adfgne32.exe
        
        C:\Windows\system32\Adfgne32.exe
        299⤵
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Bdojdd32.exe
        
        C:\Windows\system32\Bdojdd32.exe
        300⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Bacjmh32.exe
        
        C:\Windows\system32\Bacjmh32.exe
        301⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Bphgoe32.exe
        
        C:\Windows\system32\Bphgoe32.exe
        302⤵
        Drops file in System32 directory
        
        PID:7828
        
        C:\Windows\SysWOW64\Cneknh32.exe
        
        C:\Windows\system32\Cneknh32.exe
        303⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Dklhmlac.exe
        
        C:\Windows\system32\Dklhmlac.exe
        304⤵
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Ebocpd32.exe
        
        C:\Windows\system32\Ebocpd32.exe
        305⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Eoccii32.exe
        
        C:\Windows\system32\Eoccii32.exe
        306⤵
        Modifies registry class
        
        PID:7844
        
        C:\Windows\SysWOW64\Edbhgokc.exe
        
        C:\Windows\system32\Edbhgokc.exe
        307⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Egcaij32.exe
        
        C:\Windows\system32\Egcaij32.exe
        308⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Edgbbo32.exe
        
        C:\Windows\system32\Edgbbo32.exe
        309⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\Heegjj32.exe
        
        C:\Windows\system32\Heegjj32.exe
        310⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Ipgkcabd.exe
        
        C:\Windows\system32\Ipgkcabd.exe
        311⤵
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Kimlnemd.exe
        
        C:\Windows\system32\Kimlnemd.exe
        312⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Kojdflkl.exe
        
        C:\Windows\system32\Kojdflkl.exe
        313⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Lpqgqn32.exe
        
        C:\Windows\system32\Lpqgqn32.exe
        314⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Lcfimheb.exe
        
        C:\Windows\system32\Lcfimheb.exe
        315⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\Moacnh32.exe
        
        C:\Windows\system32\Moacnh32.exe
        316⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Mcolcgmh.exe
        
        C:\Windows\system32\Mcolcgmh.exe
        317⤵
        Drops file in System32 directory
        
        PID:7336
        
        C:\Windows\SysWOW64\Nokfcg32.exe
        
        C:\Windows\system32\Nokfcg32.exe
        318⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Nhckmmeg.exe
        
        C:\Windows\system32\Nhckmmeg.exe
        319⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Nbkoeb32.exe
        
        C:\Windows\system32\Nbkoeb32.exe
        320⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Nmacbk32.exe
        
        C:\Windows\system32\Nmacbk32.exe
        321⤵
        Modifies registry class
        
        PID:7264
        
        C:\Windows\SysWOW64\Nbnlkbje.exe
        
        C:\Windows\system32\Nbnlkbje.exe
        322⤵
        
        PID:6640

C:\Windows\SysWOW64\Nihdhl32.exe
C:\Windows\system32\Nihdhl32.exe
1⤵
- Drops file in System32 directory
PID:2552
- C:\Windows\SysWOW64\Nijqml32.exe
  C:\Windows\system32\Nijqml32.exe
  2⤵
  PID:3480
- - C:\Windows\SysWOW64\Oiojhkkj.exe
    C:\Windows\system32\Oiojhkkj.exe
    3⤵
    PID:5932
  - - C:\Windows\SysWOW64\Apekha32.exe
      C:\Windows\system32\Apekha32.exe
      4⤵
      PID:1624
    - - C:\Windows\SysWOW64\Aplahpdo.exe
        
        C:\Windows\system32\Aplahpdo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7696
      - C:\Windows\SysWOW64\Bfolki32.exe
        
        C:\Windows\system32\Bfolki32.exe
        6⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Bmidhc32.exe
        
        C:\Windows\system32\Bmidhc32.exe
        7⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Ckmeag32.exe
        
        C:\Windows\system32\Ckmeag32.exe
        8⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\Cmnncb32.exe
        
        C:\Windows\system32\Cmnncb32.exe
        9⤵
        
        PID:888
        
        C:\Windows\SysWOW64\Cgfblh32.exe
        
        C:\Windows\system32\Cgfblh32.exe
        10⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\Calfiq32.exe
        
        C:\Windows\system32\Calfiq32.exe
        11⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Cgioah32.exe
        
        C:\Windows\system32\Cgioah32.exe
        12⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Eaaikn32.exe
        
        C:\Windows\system32\Eaaikn32.exe
        13⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\Ecgone32.exe
        
        C:\Windows\system32\Ecgone32.exe
        14⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Fjccpo32.exe
        
        C:\Windows\system32\Fjccpo32.exe
        15⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Fggdic32.exe
        
        C:\Windows\system32\Fggdic32.exe
        16⤵
        
        PID:736
        
        C:\Windows\SysWOW64\Fnalfmhp.exe
        
        C:\Windows\system32\Fnalfmhp.exe
        17⤵
        Drops file in System32 directory
        
        PID:7748
        
        C:\Windows\SysWOW64\Fglndbmn.exe
        
        C:\Windows\system32\Fglndbmn.exe
        18⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Fkjfkacd.exe
        
        C:\Windows\system32\Fkjfkacd.exe
        19⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Gqfochal.exe
        
        C:\Windows\system32\Gqfochal.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3124
        
        C:\Windows\SysWOW64\Gjoclm32.exe
        
        C:\Windows\system32\Gjoclm32.exe
        21⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Gcggec32.exe
        
        C:\Windows\system32\Gcggec32.exe
        22⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Gnmlbl32.exe
        
        C:\Windows\system32\Gnmlbl32.exe
        23⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Gdgdofep.exe
        
        C:\Windows\system32\Gdgdofep.exe
        24⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Gclapb32.exe
        
        C:\Windows\system32\Gclapb32.exe
        25⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Iccpgofm.exe
        
        C:\Windows\system32\Iccpgofm.exe
        26⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Iagqac32.exe
        
        C:\Windows\system32\Iagqac32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Jlmenl32.exe
        
        C:\Windows\system32\Jlmenl32.exe
        28⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\Jhfbim32.exe
        
        C:\Windows\system32\Jhfbim32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Jejbba32.exe
        
        C:\Windows\system32\Jejbba32.exe
        30⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\Jldkokod.exe
        
        C:\Windows\system32\Jldkokod.exe
        31⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Jbncke32.exe
        
        C:\Windows\system32\Jbncke32.exe
        32⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Jhklcldi.exe
        
        C:\Windows\system32\Jhklcldi.exe
        33⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Klhdjj32.exe
        
        C:\Windows\system32\Klhdjj32.exe
        34⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Kaemba32.exe
        
        C:\Windows\system32\Kaemba32.exe
        35⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Kbeild32.exe
        
        C:\Windows\system32\Kbeild32.exe
        36⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Khabdk32.exe
        
        C:\Windows\system32\Khabdk32.exe
        37⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Poanqn32.exe
        
        C:\Windows\system32\Poanqn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7960
        
        C:\Windows\SysWOW64\Amckkpij.exe
        
        C:\Windows\system32\Amckkpij.exe
        39⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Abbpif32.exe
        
        C:\Windows\system32\Abbpif32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Alkdbllo.exe
        
        C:\Windows\system32\Alkdbllo.exe
        41⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Fgijdm32.exe
        
        C:\Windows\system32\Fgijdm32.exe
        42⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Ffngfi32.exe
        
        C:\Windows\system32\Ffngfi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7896
        
        C:\Windows\SysWOW64\Gdhjjopa.exe
        
        C:\Windows\system32\Gdhjjopa.exe
        44⤵
        
        PID:5884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agobna32.exe

Filesize
724KB

MD5
011e52a018a7faf0e1fdbb425761fdf8

SHA1
08d820693481ee70a32c82bc8d4eaa905781e2ec

SHA256
37d87d499b046ade04d8e71b5d53aec5f1a6d3c314cb22d537e35371e9d19b55

SHA512
addf56ff15afc080fbe2857ddf201a7b689b7b912f5ad2c4441fcefb76e3b7397bcfa641aff1efce7beb7b4fad96de0de21d502c3c21fa90b1f7be131c235b40

Download Submit
C:\Windows\SysWOW64\Ahkkhnpg.exe

Filesize
724KB

MD5
f2337e1e8f6636441d52f39a428950a5

SHA1
e76f44e458b3f8c886952891b02797ff235cd395

SHA256
425a67b822da37e09b5f2c385c3fa244633f74ac464e64221117b08fd9a5f935

SHA512
e21d727e930f46d71347cd15fac4193adb2157d4bf63b36fe5d5bb2c54a4d38ba6b143af115c3d4c4ba8681fc11c863d114b4121a3c37382814c91b654d0fb39

Download Submit
C:\Windows\SysWOW64\Bfpkbfdi.exe

Filesize
724KB

MD5
0cc98d2c18ba10f2612234cad6628cf4

SHA1
94cf56a05d90d398c19bcf0028a260915a5e1a4e

SHA256
6ff683448393663300a3b64553047d1f359d549f1509974b3b17e52c4353c9e4

SHA512
8343720c7eeca9730d4f33800f5d9268bbc41e91c7a55b6560ae2ce13227351d98ddd3d5345d62c4449dd8cc4f7ffc65034193059830a838e58bc9a25d3d7162

Download Submit
C:\Windows\SysWOW64\Biedhclh.exe

Filesize
724KB

MD5
f5926bb5328191e62a4f993a4ae91b93

SHA1
011633bca1629728a940eba9ed5c7b552a9515d2

SHA256
a0c4135d1c28e079b2a13e261e74f756cd14e28f95fe42e4982ab58de8a5f320

SHA512
5e093cd2145d82903ec40497f8014cea4af7ff30642f99f08660253267331d89fdb9f37ef292568582feeaaffe7a9e3047c36fdd4d85e293d449cb8322db1fbd

Download Submit
C:\Windows\SysWOW64\Bjcmpepm.exe

Filesize
724KB

MD5
70727b068a86de33aff18b0bf88f4ac5

SHA1
c9e73c79e7cef631fab7ab4e99f899801e211c4e

SHA256
7b343ccdf28988d76187bf9faa4b697863001ad6269e565303d69c9b64d1f96f

SHA512
7e81e54f48e71677fb89363fc9c7636506ade96456343c4ed63be2f994589dd7735298dcff6e919641161b4e47e09cfaf38e8277a5b61cee870200ff86322444

Download Submit
C:\Windows\SysWOW64\Bjmpfdhb.exe

Filesize
724KB

MD5
7678ee7841b205b579a9ec5691eaa242

SHA1
5b75594f526f697a8a6d7b8023feb676d858fdfd

SHA256
5b7fc74523d3d59138c2a2cf0b63559e1777d3d6655ea2737d9230cee9833704

SHA512
501e78c2dffc13b3185ad27d00961e6b806cccde32134bf6d0f23c1a6c52fa8ad4ed79bd4763c96b7b007b1c1ec30f617b994a2c0463e63b19c6e5612aae9811

Download Submit
C:\Windows\SysWOW64\Bphgoe32.exe

Filesize
724KB

MD5
74cfa65d21e5d35d3caf13e7610d7c61

SHA1
f55cab3f41bed9579d78c5779814c400ce9ada1a

SHA256
89c6d34ac7da1ce6e1702aa9e4aa18e8b8a883e123b2d5d775ab70b4abb23de9

SHA512
252a26c6bda46d9ede281d85e3724a29fd7701bb4e3838a7e52491c439caf28910ed225702918ff7638947c88a0ba84dcf50452ae6b3991806ec78808b03eee9

Download Submit
C:\Windows\SysWOW64\Ccednl32.exe

Filesize
724KB

MD5
4e179e83162a37f6df0f090036ad1ff1

SHA1
018b7d1319a79b460f36ef2d1c9f1fddc8db6683

SHA256
9225db9d6ae393a35a690200c74e4b4041407113e23264bbe4caa1e654c77fe6

SHA512
a6bb98777c342a226ba4738de0e6d76b551adc9aee5264dfda260c7b05b4de90dca536e4ab210266c3f0f424c33a06176b3e584033d1ad9eaaf7bdc3bab03ace

Download Submit
C:\Windows\SysWOW64\Cfedmfqd.exe

Filesize
724KB

MD5
fdb844e9f4c2029d3c3f3fc271a7c05e

SHA1
c698c833e197064c087fccf186e4d319280d4296

SHA256
3949b6698b12cb9e3799d83bdce723300260e5f439ba8873749bd0e2cbf6d1f0

SHA512
213f53a6ff4f2b85e85f1188cdb65a5d5ce103d1bdff58e84f952c9af9ff56c17a64d2fc23609ba26a2a7b273a14dc9d6726e2457e0d5dccad585383ecbc53e3

Download Submit
C:\Windows\SysWOW64\Clqncl32.exe

Filesize
724KB

MD5
d526d6f013b41771a46d3ce80b6e2b92

SHA1
f7e62342c035376220a761c60e29bda6833f7a09

SHA256
9b3c1a34b66836b368c4ef07edc6351e1de2680f01e1115864ee73e14ed0de72

SHA512
1b24296e9064afe7b881dea5f938f8ca4c0019269b3092557b95bd31f923a52d5d3b8f1da8e978d21743f6dde91522cd57b7f09f32e7c9edce5202321dcc63a7

Download Submit
C:\Windows\SysWOW64\Deagoa32.exe

Filesize
724KB

MD5
809a4059836ae9350193ff9f066e1d06

SHA1
c50fdeb6f03e3d66686c5c8f8a08d14684f25b55

SHA256
a5350e204abb69c9aea4adc44798d00600c609bc603cca4724a15414b71697c3

SHA512
c062c601f86931636564f289f7be8ed654055b1072fdbbc980b9ca3daed1471b4a6985af2677ebb31f069f5d3fcb770a2c6c0027c22e39f51e350d8f955d01da

Download Submit
C:\Windows\SysWOW64\Dicbfhni.exe

Filesize
724KB

MD5
d9eff653136607899aa2a108419bdbef

SHA1
b0383e27cfb4595c30b6f2e52bdd9569bce0450b

SHA256
03c0a4c69f6a07d4b68a19381cd9834e123b1e546c05c804e820455ff4007993

SHA512
04b98c08a292b98b61d8bdb383f828b8b8dedb14e342733a86916e3be127b202838522093a2f9baa62988deeddd675ebf958a07bee578e26e667ebdcef7532f8

Download Submit
C:\Windows\SysWOW64\Dijppjfd.exe

Filesize
384KB

MD5
ae117555493a42ad97b74c064bf3e4d3

SHA1
101fe4e004140bff984ef846b5c810cbbbc30e9b

SHA256
d76b669bc03d87aba04b50d6671777f4dfbd1f21e7d9bf5996868e0ecdc654a0

SHA512
09f3bac82a2e80237780fb72dda2548bf772b5f627d71838fe63a4edac28cd7964fd0b0cb01794f355c6acf2eac3eea2a093af34661c0be01b63d15bdccfbe8d

Download Submit
C:\Windows\SysWOW64\Dijppjfd.exe

Filesize
724KB

MD5
22a9e01dd3be7c5c8291b504093ada62

SHA1
3a36bb105a5c78f269952a517d5234d1a1f9f82a

SHA256
eaaec942cf53d7a66962d57185464d1bffcf60203bc11cfb0e71230013e4e19f

SHA512
79e59e6f144b18a3412b6aed89dc6bdc7eb22c90087ce0046bbb75c106bd10795220f8a60a7e81ce08c575e538eb971c4ba0b80798783cf9286be0ad6f46dc70

Download Submit
C:\Windows\SysWOW64\Dkmogbeo.exe

Filesize
704KB

MD5
df9bb484d13826d606d064bfaf43a80d

SHA1
caa8fda98475ac79462e8600f96296e43289ee00

SHA256
b34d0a84626ef4ea48087c1b1862169e357a0bc118f65b641c701be52d52a2b5

SHA512
506ec15bc77e27b474776a0ad8b591e908b4939f840f359c68d9421e0ae264f77c4397fbbfa3869d45fbfb653142ce62b9396629b9e59d705ca3a33d82943a43

Download Submit
C:\Windows\SysWOW64\Dlbfmjqi.exe

Filesize
724KB

MD5
f8f9ef922554b6b5d0e5a7db605eaba1

SHA1
bafe1330f8345686d619c37bf0647e4c27b28238

SHA256
b93f72347d96945f9db4476bf80264b40ce3187557a746dff0ab0dbb9b68e752

SHA512
a526246b6c243421b14fb5b7d2b583a30418e6a734836974edca30e59374c50543fd84de4fee1e7489dfffc20ded7c7e89c762e65e7c86ada14fd41bfd0a02cd

Download Submit
C:\Windows\SysWOW64\Ecafgo32.exe

Filesize
724KB

MD5
ae0722708a14cd497b2fd746134546be

SHA1
db25435eca247997e4f525edbbfbefeef0c54d69

SHA256
a54576da4cf3fc5f8009512b5b5f6167c2d8c403f0fb141957f876b9fee72bce

SHA512
d0907c68a4cce1a9abf11e135581c25268412190c411818f7ebbac6d88f767ee89636fbc47451285cea96b29af10bf16b5aae7819861a77c01c95ffa0c038a89

Download Submit
C:\Windows\SysWOW64\Eecfah32.exe

Filesize
724KB

MD5
c59b60a26e153a0ca3bed395e1c14733

SHA1
0d7529186579d667bfe4f3a02d7006825bea535b

SHA256
5ae26e589f57ddf2896d393a75206a033cb28c95c5aa4c20d73bf820256accdb

SHA512
63ad21a50c1ea495ae6ff19c604229913ff8af2e2e4a1934ff7bedca158eeca387ddf4ec05945d024f4f4dd46ecd4cb5c2bfaeeddb8a9b05ae24c10cdbc7f911

Download Submit
C:\Windows\SysWOW64\Ellicihn.exe

Filesize
704KB

MD5
e65a3ad36aebac6b9ad551e526c6590d

SHA1
5dd12397db8a8a90fb4cfc2f71f62038109f308c

SHA256
904c1461fe9c9e760c868fa6f8446edc8ff8a4581f15563ee8d120256299fc82

SHA512
a3f2e7ef4e7cd0f7c9815088c910ccafaaffd8e920187e76b1e90b478b01dbb5d4a994dd093f8d89e3d5e6642257ac311512a7e0cc9b870a5102d1477e9b337b

Download Submit
C:\Windows\SysWOW64\Ellicihn.exe

Filesize
724KB

MD5
38d98049e11ce07e8948309198703dc8

SHA1
7a6b12bd9514e3524d7e0253ece5489cfa1c0e52

SHA256
2720afa63b1f2370ad76eeed9b6386f4096c3a0c33c8e30ad4bb9de74a44d136

SHA512
443b4bb4e608bf8829a6f897150fbb84f80467f349d031b82bbb01744349896f295dc907b7fb182ff94456e585f05a6a0624ca9459d58bd58b962559e28c7a7c

Download Submit
C:\Windows\SysWOW64\Enpknplq.exe

Filesize
724KB

MD5
ecbb9ec5a70b064b81328973b57f4b15

SHA1
15c28bccb5effde380e4cbcb07d37ae8752004e3

SHA256
486a1672122d186d1b5d7a81102c8c469843bbe69a7938556909c840909f3630

SHA512
13d504325649956a4583e0f27c15ca6381d134fb80920955ff17bf626ac4b04edc9abeac1cfe70760ff82fae31c6049a0b80c56313473fe1a16cf9e6d3937725

Download Submit
C:\Windows\SysWOW64\Fikihlmj.exe

Filesize
724KB

MD5
39da6926311452273e0698875d4a8241

SHA1
611314bebf87cd3169042a5b8ea53479f6d26645

SHA256
55f6106f3cd5bcbcda2416e2d080abd7eb200c72d6de650fb634acf46b1e81c8

SHA512
373d9f4e9090393f97be7f3b7b192309f2b71ef80c1325775ea05f076a90d15beb3ca85d8834973be776ee19199803d2b2ea9efe74c25640069746aacb34b33b

Download Submit
C:\Windows\SysWOW64\Gcceifof.exe

Filesize
704KB

MD5
a9341d06d2a709965181ad9e28fc9e8f

SHA1
1668f67eb4b3f538709c1299a495247acb927843

SHA256
f284d5726c2ad81f904941352c12d4e1e54969c6dae866bc64e5f21a96b1ef59

SHA512
0ec70b4a8c1627aa9c6ca847ea505aa81f591e2078ea9b0b4c56d749ba0253f964e64b9f6743cee3e578fbaaf24f230321180a1cbcb04db48658f2312ff0a781

Download Submit
C:\Windows\SysWOW64\Ghgljg32.exe

Filesize
724KB

MD5
fceaa52fdac3f8cf456e77bc40b7c3a8

SHA1
5395c765d27e4ca803f445ad206de1d8a030f95f

SHA256
b561941fc9bddd782d77ccf6f3fce43e1d26171e4178c2dc8c570b7f47887725

SHA512
a78d3383a43c682988cecdea6af239bb448a94d7b4c492ea68b8f7889151f55c19b250b2f157c51ce71c2d5ac6fd2bfc94d9f46b60b74a43c343de0d1d7ab403

Download Submit
C:\Windows\SysWOW64\Iadljc32.exe

Filesize
384KB

MD5
c29bcac2f55e6fac76c606f335f73906

SHA1
5a81938fcb66b99ae0b5758bc0371a210202d5e1

SHA256
c0a3f4b3c7ab3d7368916ce7152d8c64e2f46b450c145688ed9a8d9da4a51d78

SHA512
921b346ef8f82e09fe9c2bb667999f629e01271c7b575fa4baae141b45b8793171ac5c629b122f9adc38cf8ea9915bbc995a350867924849c4948aae525361b0

Download Submit
C:\Windows\SysWOW64\Iadljc32.exe

Filesize
724KB

MD5
61d16a79f5fc7209f070c857c9395f77

SHA1
85593510bfecab1b994b3c30258087211a424286

SHA256
f6e1fa33ba0811872a0b04d9583b52f026e28d9a053ba8278d7706406f1c96d1

SHA512
ce75191bbdaea1a74c961f38ebf7429c114ad93a7ac879f86f00afb19576da757e5038ee3fd3df7c2b0fffd91c81fa302b64130d6a79efd2f3cfec347b57dba9

Download Submit
C:\Windows\SysWOW64\Ihgnfnjl.exe

Filesize
724KB

MD5
0af0d9c7d7893dab1243303f4f444bbb

SHA1
9a349b6f64557d5dffc3565b00edfbd600fdff01

SHA256
abca2d97c33b15ea49f63d43c5b5d69fdded49affe5e811e7796415d17946193

SHA512
62c997a3d97ae1a58600021c1865433e69220597e6688e6db5e56131a0de759904e98e666b1e595edd708d604ab6ced344d0e02532e40fea1cc8c9e1ba3da345

Download Submit
C:\Windows\SysWOW64\Jbieebha.exe

Filesize
724KB

MD5
b7c85f417b7ef4f9aa48bee7017654a2

SHA1
01c1d29d54d0c5278d328d2b1b72ba335c14685c

SHA256
74ce428b0f86abb044f215ed1fac17d78f89373bdcd347660e0c80615b167ac1

SHA512
6dd122be2266443e2d7d542db73ce8668d968fedf4bb5fba12ae6ec2dd48a461eec1e8826d7ef8a3f0c9f0a4c760e9fd9d7e0dc8b02684d9a768325e1f2ee563

Download Submit
C:\Windows\SysWOW64\Jhklcldi.exe

Filesize
724KB

MD5
1d2ab9bacab6279ee734424d4219b869

SHA1
4204654fbf9eaed2930974a9a532215be6e64ae0

SHA256
2084783cdf23b184c839aee9eccc75711bf031ffcaba0d4d79d10143f8ca793f

SHA512
aa6323b8e0a935fafdb11e8f9caed87e8648bb49f0947b045be34bd8628316b684a4d08ddb5be9ad36c4ee5b231d9e18bc56b7421967a028dcb1fa2fd7f61d0b

Download Submit
C:\Windows\SysWOW64\Jloibkhh.exe

Filesize
724KB

MD5
39781492f74f56c84f4d3103f78b6a3b

SHA1
2e626497850651fad70e766c943a927903bbea8c

SHA256
207dde7daa2b73b7d25a389d78f361e18bf86e08ca80176808eb55462bad0ffa

SHA512
8f8bd45ca20100d3ef606372839838b8e08b816248a9a4aa4cd6a05a354b48945c92fc1c99bd24cbfdae29b2502c646647fc3067d58ba19566e7e2a4a9684669

Download Submit
C:\Windows\SysWOW64\Jmccnk32.exe

Filesize
724KB

MD5
ccd530cceaaa5b28f61bd5ed793714db

SHA1
0d8ab4792984df0e42477ce03ab65e7769639567

SHA256
45500e379273377373423b387927a50396e647529f55c1260fc16d19261d37cd

SHA512
6cdcb2f59165737f222b13f6dc9fb535d4c25750680672d75671d834cbae35a35c265139122acfd8352358ce73f19a3f5f6f95920ab00c250dc0556f4cbbf3c2

Download Submit
C:\Windows\SysWOW64\Kfmmajed.exe

Filesize
724KB

MD5
be24981fa025b1f51081e379c3f5f753

SHA1
5113f9b301df3cb5523370c3a52132fd8513a0e6

SHA256
590342b732448bbe04b02d7e9292ff13edde408d8e967e83ee3b399a06b9181b

SHA512
ddcf6d940cd601f9358253304c5aabd4fcf08df64ebb38af46c4ecc7b3808269475ed1b93743105c95d5e39f49c41d0d7f3bf1a9b7f05c5afdfe59cf87bf242e

Download Submit
C:\Windows\SysWOW64\Kfnkeh32.exe

Filesize
724KB

MD5
149361decd3e4b3f37fc71ffb0448df9

SHA1
b5d97b80d0fe0f821093725245f474c860f33ea2

SHA256
fb49df0ad445eb1f2f218778a905f9ac35927fab74465c9d5ab12f188d4621f9

SHA512
0b2ab71f04ef25c0e9999fbd68e116e3470b197298cc45fd5ab07da8c2d4e156fbf01af62d05f23861040eac1a67c1d27f627d71b510d93e855cbee74866be45

Download Submit
C:\Windows\SysWOW64\Kofheeoq.exe

Filesize
724KB

MD5
5f73a555a8ac1cf767323e310a889b04

SHA1
aff66c1e932f7894f740c25ad3dae8e74f426c9b

SHA256
99a191fd6505940388313c9d44b4822fee3bf7e8ee68d6c9a9176362d3b8f8af

SHA512
a66fd64ae00a4ec5d2e7aba7d26548899fc0d25144581b551805c1309fe8ea5efff77c5eaef011c2f5e5948677a95e6870ee17102dfbb0549cbc7a9b5ce3f885

Download Submit
C:\Windows\SysWOW64\Lcfimheb.exe

Filesize
512KB

MD5
311217bbcacb457f47a277a57b7e3f05

SHA1
84fed33c96eb3fe11502958b2ed1063e3b594d25

SHA256
3a528ec28ef5b9355b8dea4bee1165b83cb3388953ec8412960ac8bac0c7ed5b

SHA512
ddf2427f88b578f8b8f9dda8782bb8901dc29ab15ad61bcf7f46e3825253dc6d3472a4a9485af50c1a671c77066e6a7015a14caf7646795ca9e7056a2b545cdc

Download Submit
C:\Windows\SysWOW64\Lgjglg32.exe

Filesize
724KB

MD5
7a48bb65a92ce079a53d412867badb8d

SHA1
6ae900e8196471aaa69c63d2d7ca4e43b4ba6fa4

SHA256
c80b688a14ab8ade753b23ac58c5b31a9088f5d3b4b6bf592ed9081cdd7e23a9

SHA512
b7be9338dc2ade411e5ce178fa363d535cf88923f67ed85a131df3b89c57195cf8781db363084bc80bb28641eda6660f6baad56e28c06351e069b5b440098fcc

Download Submit
C:\Windows\SysWOW64\Mcolcgmh.exe

Filesize
724KB

MD5
a75fb9a489f4129120bf0a5a6a9b75f1

SHA1
05058bc6567cd786a1a13ea4d5696fa53fad724e

SHA256
87f8ed793bc67ca0e9dfe3c9de3ca302ed6b9b54c060e9aaa079092ba26af4ce

SHA512
0286dc7edd340f37b44428f87105063bdce973e322c42906168a0627abd35677628d47a2a34976e954093a009c93a6a3952bf6a95a2cab598ee94831865a3ce4

Download Submit
C:\Windows\SysWOW64\Mfkcibdl.exe

Filesize
724KB

MD5
31c82fe44f8f266bb2fadc2c1680aaef

SHA1
07e145ba2912a22d48514e9fe4ba1a8ebf2e8413

SHA256
0916992aafbd5866c597f252b15cbe9c8a31711692a94c8b368a0713396c4ddb

SHA512
bed2eb6ee3b08c6fb4b54e81427a8f58df4d24ba4a59db283765253ec7219c7557f49626a066a8a2845f51ea32d6afb57c7447a5697bbe0cc253b3b6ecfaa2f1

Download Submit
C:\Windows\SysWOW64\Mkohln32.exe

Filesize
384KB

MD5
a527eb36fed085e17b3f2de35a8a3d7c

SHA1
99d58c5ea2914b7de45c3d81d16fac3054a2782a

SHA256
a8190367173710f5d358ff453285376b611fb6c48b5d7d1b3628f390d2b4baa2

SHA512
da79adb3fce80fb4d6b5dd3cf3f25de9f6cdd9d402e08ad5a8071924030859b5f654fab3710a1e82845197456c0e68c57c33c64d6787c066d6eac6b543280106

Download Submit
C:\Windows\SysWOW64\Mmiealgc.exe

Filesize
384KB

MD5
2b66f5d0d5fdc43235e64966b8b2b5a9

SHA1
e7c0db420e150aa6d16c72fc3c9b4918c4a6a044

SHA256
2c2167f08be3c8a8a0e58b28f75f83b9592edbb39874e0170327f885e57de8a9

SHA512
5d32305ab3d9beb326c8e660e3b83bf766274a2a0e10a93f5bf25a1fd4104bfeffb5e08ac2b3c8f50386a7490d88defbd6a76cbe5d95386933579bf7b511f2fa

Download Submit
C:\Windows\SysWOW64\Mmiealgc.exe

Filesize
724KB

MD5
06b3dd6eba690efe8334d9fe83b7eaeb

SHA1
d3c1b12cccbe2d91d7aec823291a1503db2da638

SHA256
17ac69355e3590cf7c0333ac599da59bcdf3226c3bdd56b4a502fb0ca4ed5ede

SHA512
a08434c1278adf81b297810fa47d9520352b83f38a36df3dce385ff78e296ab717e9e9f0fee991216a75e07f5b12384d7c3989665cf9f03e9ef9711fbef4bada

Download Submit
C:\Windows\SysWOW64\Nglcjfie.exe

Filesize
724KB

MD5
886ce65479a4c0a39ab34dfb5e92ae71

SHA1
22b01e15edcfa251a1db46b9d3f835d04f349758

SHA256
a13acc6390d45fd1d48e97edb35217e10d6f8486f34c58d9ab45bc16c5d6c488

SHA512
aeecec0fdf5ff529b2609aa85a543ab24e8378a5f98ac1b09d50fca4b4a1179a833b9ef9033b73623363e6930994e9a4579e45d8893964cc1520ea2c0a275aba

Download Submit
C:\Windows\SysWOW64\Njokei32.exe

Filesize
640KB

MD5
924584df0dd890f2c206264add9c8756

SHA1
d2f84e5c8c9db8c71f741e1571867dd74ba5d855

SHA256
0b292f282d1dd71a252cea5b3a7440b27c355c4d3158b4bd687fc4d14557bb2f

SHA512
b80e20d8fd3161d4caf3e1b8eb748aa2e02f94bc7a4453b14465a7db723ade987cb10e9ca36f104e17c17713ff1b1f4fae4828a974c7b0f2e49d8e3237136827

Download Submit
C:\Windows\SysWOW64\Nmdgbamf.exe

Filesize
724KB

MD5
05e7a4040eeb7ea35bbb737967e3cab1

SHA1
ce6f2864952b5a599d7e97529b29cd0c45ff61e4

SHA256
b0c827edd49c597b311777e423b45ffebaac34e645bc58eadfcfba33702e60bf

SHA512
ec42dc15b52772ffebef56d8f7019cfde9ba72facc6e3d027465e2aa546dd686749524e80ba25044ad2c386bd423971f7d5d7279890b36773212cccff2afc6cb

Download Submit
C:\Windows\SysWOW64\Odfcjc32.exe

Filesize
724KB

MD5
d6ae4d650fb944e5bc7153537c1c5cb1

SHA1
bc25b81776aa4a2e594bf3713974697204217665

SHA256
8890e729308180a6527e13fde2124a055712d453e2bd16448798f7c46656ba5f

SHA512
526c81be90acf47362d587812c280136124d8813c45f3a35a239aaf24f691efa2b6c5a32169eb4459fdde90b9e35bfa36ba8e8927523d2bdb3d24cc462821a17

Download Submit
C:\Windows\SysWOW64\Okkalnjm.exe

Filesize
724KB

MD5
81ac22cc80eda0476d5962e31d826972

SHA1
548698b5daf3b2bf07ae7d0f3bdc4004975e3359

SHA256
b162d1bb81ebce659aaf8e9584f190ef47c7054e18f031a2c08435fb294e562c

SHA512
f7435cd50bfba4c95cd32a1d97d66d9917f375099e739d41196b98fe5d68779659ff6f84bb0342ace70a759649b3b159e23268a7d7e4132e38f173d634cefd48

Download Submit
C:\Windows\SysWOW64\Omgabj32.exe

Filesize
64KB

MD5
cdaad08e4d431f9720bdc17b633d2917

SHA1
349db3db90546f6d67885ff81e1fba695eb89984

SHA256
3f18ebe9fcffef6c93f1ee82e4c863e628045a6a622e6870971e6e4797615833

SHA512
5d97427642b79e3a52d086430ad5262e0106392ff307c8d98a11f7691822660e3b1a28e575c05dcdfbe869ae25d8b773a1043cc08340f44770fced47c6dfded4

Download Submit
C:\Windows\SysWOW64\Omgabj32.exe

Filesize
724KB

MD5
a2f0ccc6ba2f9503fdd09e1217b0663b

SHA1
664656d5f1d75b73e36138f49f6d22ad8383ab0e

SHA256
ae79320255cac0055d939ac82aab2cc79f1457f988f19cf130c314a89812cc88

SHA512
891e151c743d16bf86ca71866e89e626a62fd6534fec9ada05d8a0ac7b00c366bc319ba56b39ca46e5c1d78f9f2492e3befe1278ec91fa2464a2d54b43632c01

Download Submit
C:\Windows\SysWOW64\Pgoejapi.exe

Filesize
724KB

MD5
38fd8feb27cfbac58e412d24b27bc4e1

SHA1
b90204ed4a3dc4d03fe846776c84831067748d27

SHA256
9bba79b36915eac02984812b220a1d56615fc68d8e0720cea30d2a387f6b2aba

SHA512
7da0362a10b9a314229a95a45f6e7b6f5196f261a6d71b309974f9c55af0b0028ce869b51f695987716c53ca965b018d627ab0ce39b16cc6d9b4c4a4c564cdee

Download Submit
C:\Windows\SysWOW64\Pknghk32.exe

Filesize
724KB

MD5
ed9848445df32bf63906dc15dd80079d

SHA1
504f5085e2a430191dc5179e3a02702fa7f5684b

SHA256
ffdf723401cbb62f7de383e00ad12d8bb4796846494c273d6a1040b9f82ac672

SHA512
a3d30b108819ef02f613688d223ebf13611bd600d9a761d14cad98f19c57e246e2d88d5f0d939ebfff61e3d796b878b68560b100653419e264c9e790de321fe3

Download Submit
C:\Windows\SysWOW64\Ppffec32.exe

Filesize
724KB

MD5
0accf1257ce95cebedcbfccf622b4012

SHA1
b166fd8032c7ad37235725ad7e5b4163669401ae

SHA256
ac089a2ebfb2b4b3773197fa5378b830cdecad2f2914d63205e1bcd115ae63e7

SHA512
b91a5e26fcd8580325ef1b77648d87aea197de86a26931d0ed687c66655b8f849a8d2d214651407d9081170e7e9c5c897cc4ff4e286a586e4ff1deaa892aebe4

Download Submit
C:\Windows\SysWOW64\Qbkcek32.exe

Filesize
724KB

MD5
dc773977e598a2a49cf30aa750c417de

SHA1
457d74d9d0e7ec9bc468b669f02f526d4f75ab2b

SHA256
138f23bff2702acea26167e283862f48576c2ad29078ddb3ff11444a7dfef8ca

SHA512
3fdd6779b8a89d17a41b21172f77dc194fd1f87c91dc36608f05e18732eb131073324921ff1a5fa656ca83cbed997163c31fa46a36f60156bd3b610557a201b2

Download Submit
memory/380-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-2-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads