d4a257e078e187478a509e095cf19581946b1184ee6b9cfaa5b5048dd3fb4136

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4a257e078e187478a509e095cf19581946b1184ee6b9cfaa5b5048dd3fb4136.exe
Size

50KB
MD5

af79931866e11813349a6b7c3748e390
SHA1

a231d35414a3f08488639aec5385d52a06752375
SHA256

d4a257e078e187478a509e095cf19581946b1184ee6b9cfaa5b5048dd3fb4136
SHA512

f36f95ab849a8914bb506b5f5bd4402bb1d9499c85935196e78da977aae6689a5eb35c472d4a57a38ad13ef68fd69109c8371f855b1e7b65de5901a60cc62333
SSDEEP

768:kmbPvkdtfSIhhcG/SYYVVaOfmIWd9g/WEGOCOK+7k0id/1H5j:7bPv+tfSIhhceE/1/WEzTkHXx

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Jpdnnf32.exeAcempg32.exeDklnoked.exeCommldoo.exeHmjafhej.exeEafpdchp.exeGglhbmqh.exeMhbcbeej.exeDbjmch32.exeNoikib32.exeKefpamff.exeLcnfeccf.exeNbjefb32.exeOnafkc32.exePpnbnjff.exePohhje32.exeFnbkphpi.exeAifcfbob.exeQmmelbka.exeKgpknb32.exeLfgddn32.exeMameajih.exeNmkphl32.exeAlnbhmfk.exeEegnel32.exeGmldgi32.exeGnfpoghd.exeLmflhi32.exeJnjlgkim.exeFgmlcinl.exeHqlbka32.exeGpmkno32.exeNgngdp32.exeApbhhldm.exeFokddaoj.exeJdmkbiim.exeFakjpc32.exeLjeoea32.exeLcgpdd32.exeNibammna.exeOaboln32.exeOafhgnca.exePdeabl32.exeAcaddhcp.exeHepiiaqn.exeFjbfdjle.exeHkeclo32.exeGmjegdbo.exeLfehon32.exeJfnfkqca.exeCcjebb32.exeGbpdhc32.exeNejjflbj.exeGnqpkmcp.exeLdpbml32.exeOekngmab.exeAafaed32.exeJjpkccgm.exeKopmnpkl.exeEnpbnbjb.exeMhpgmegm.exeFppgqpib.exeOgppicdc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpdnnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acempg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dklnoked.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Commldoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmjafhej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eafpdchp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gglhbmqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhbcbeej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbjmch32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noikib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefpamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcnfeccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbjefb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onafkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppnbnjff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pohhje32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbkphpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aifcfbob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmelbka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgpknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfgddn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mameajih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmkphl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnbhmfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eegnel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmldgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnfpoghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmflhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnjlgkim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgmlcinl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqlbka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpmkno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngngdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apbhhldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fokddaoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmkbiim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fakjpc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljeoea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgpdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nibammna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaboln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oafhgnca.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdeabl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acaddhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hepiiaqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjbfdjle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkeclo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjegdbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfehon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfnfkqca.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjebb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbpdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqlbka32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nejjflbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnqpkmcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldpbml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oekngmab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aafaed32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpkccgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kopmnpkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enpbnbjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhpgmegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fppgqpib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogppicdc.exe

Executes dropped EXE 64 IoCs

Processes:

Dhlcgkaf.exeDagdep32.exeDaiakpca.exeDbjmch32.exeElbblnpp.exeEfhfifpf.exeEfjbof32.exeEofgch32.exeEhnlln32.exeEafpdchp.exeEojanhgi.exeFdgifoeq.exeFomncg32.exeFakjpc32.exeFkcnhhkk.exeFnbjddjn.exeFppgqpib.exeFcocmkhf.exeFkfknh32.exeFgmlcinl.exeFngdpc32.exeGhpepa32.exeGojmmk32.exeGjpajd32.exeGbkfof32.exeGdibkb32.exeGlqjlo32.exeGoofhkeo.exeGdlopacg.exeGkfgml32.exeGndcig32.exeGdnlfaad.exeGglhbmqh.exeGnfpoghd.exeHccignfl.exeHkjqhkgn.exeHmlmpc32.exeHqlbka32.exeHkeclo32.exeHbplii32.exeIbbhni32.exeIinmqb32.exePnodjf32.exeQigemoke.exeDjbnfd32.exeDapoqfag.exeEnnfffac.exeFnkepifa.exeFjbfdjle.exeFegjbckl.exeFmcofeif.exeFcmgcp32.exeFnbkphpi.exeFpchhq32.exeFfnpdkmd.exeFillqflh.exeGiniff32.exeGmjegdbo.exeGphacpab.exeGmlbldql.exeGpknhppp.exeGpmkno32.exeGbkgjk32.exeGejcff32.exe

pid	process
952	Dhlcgkaf.exe
1740	Dagdep32.exe
628	Daiakpca.exe
1204	Dbjmch32.exe
896	Elbblnpp.exe
1640	Efhfifpf.exe
1768	Efjbof32.exe
1608	Eofgch32.exe
1756	Ehnlln32.exe
1824	Eafpdchp.exe
584	Eojanhgi.exe
240	Fdgifoeq.exe
1744	Fomncg32.exe
544	Fakjpc32.exe
1260	Fkcnhhkk.exe
1632	Fnbjddjn.exe
1680	Fppgqpib.exe
1336	Fcocmkhf.exe
1224	Fkfknh32.exe
848	Fgmlcinl.exe
1060	Fngdpc32.exe
1056	Ghpepa32.exe
1792	Gojmmk32.exe
1396	Gjpajd32.exe
968	Gbkfof32.exe
1972	Gdibkb32.exe
556	Glqjlo32.exe
1040	Goofhkeo.exe
1168	Gdlopacg.exe
1436	Gkfgml32.exe
1344	Gndcig32.exe
1372	Gdnlfaad.exe
1200	Gglhbmqh.exe
1376	Gnfpoghd.exe
1976	Hccignfl.exe
1692	Hkjqhkgn.exe
1712	Hmlmpc32.exe
1144	Hqlbka32.exe
280	Hkeclo32.exe
908	Hbplii32.exe
316	Ibbhni32.exe
1076	Iinmqb32.exe
1552	Pnodjf32.exe
1980	Qigemoke.exe
1644	Djbnfd32.exe
1132	Dapoqfag.exe
1856	Ennfffac.exe
1716	Fnkepifa.exe
832	Fjbfdjle.exe
1536	Fegjbckl.exe
1548	Fmcofeif.exe
1008	Fcmgcp32.exe
332	Fnbkphpi.exe
692	Fpchhq32.exe
1160	Ffnpdkmd.exe
344	Fillqflh.exe
640	Giniff32.exe
1784	Gmjegdbo.exe
1148	Gphacpab.exe
2020	Gmlbldql.exe
1940	Gpknhppp.exe
1596	Gpmkno32.exe
1600	Gbkgjk32.exe
1696	Gejcff32.exe

Loads dropped DLL 64 IoCs

Processes:

d4a257e078e187478a509e095cf19581946b1184ee6b9cfaa5b5048dd3fb4136.exeDhlcgkaf.exeDagdep32.exeDaiakpca.exeDbjmch32.exeElbblnpp.exeEfhfifpf.exeEfjbof32.exeEofgch32.exeEhnlln32.exeEafpdchp.exeEojanhgi.exeFdgifoeq.exeFomncg32.exeFakjpc32.exeFkcnhhkk.exeFnbjddjn.exeFppgqpib.exeFcocmkhf.exeFkfknh32.exeFgmlcinl.exeFngdpc32.exeGhpepa32.exeGojmmk32.exeGjpajd32.exeGbkfof32.exeGdibkb32.exeGlqjlo32.exeGfioed32.exeGdlopacg.exeGkfgml32.exeGndcig32.exe

pid	process
1928	d4a257e078e187478a509e095cf19581946b1184ee6b9cfaa5b5048dd3fb4136.exe
1928	d4a257e078e187478a509e095cf19581946b1184ee6b9cfaa5b5048dd3fb4136.exe
952	Dhlcgkaf.exe
952	Dhlcgkaf.exe
1740	Dagdep32.exe
1740	Dagdep32.exe
628	Daiakpca.exe
628	Daiakpca.exe
1204	Dbjmch32.exe
1204	Dbjmch32.exe
896	Elbblnpp.exe
896	Elbblnpp.exe
1640	Efhfifpf.exe
1640	Efhfifpf.exe
1768	Efjbof32.exe
1768	Efjbof32.exe
1608	Eofgch32.exe
1608	Eofgch32.exe
1756	Ehnlln32.exe
1756	Ehnlln32.exe
1824	Eafpdchp.exe
1824	Eafpdchp.exe
584	Eojanhgi.exe
584	Eojanhgi.exe
240	Fdgifoeq.exe
240	Fdgifoeq.exe
1744	Fomncg32.exe
1744	Fomncg32.exe
544	Fakjpc32.exe
544	Fakjpc32.exe
1260	Fkcnhhkk.exe
1260	Fkcnhhkk.exe
1632	Fnbjddjn.exe
1632	Fnbjddjn.exe
1680	Fppgqpib.exe
1680	Fppgqpib.exe
1336	Fcocmkhf.exe
1336	Fcocmkhf.exe
1224	Fkfknh32.exe
1224	Fkfknh32.exe
848	Fgmlcinl.exe
848	Fgmlcinl.exe
1060	Fngdpc32.exe
1060	Fngdpc32.exe
1056	Ghpepa32.exe
1056	Ghpepa32.exe
1792	Gojmmk32.exe
1792	Gojmmk32.exe
1396	Gjpajd32.exe
1396	Gjpajd32.exe
968	Gbkfof32.exe
968	Gbkfof32.exe
1972	Gdibkb32.exe
1972	Gdibkb32.exe
556	Glqjlo32.exe
556	Glqjlo32.exe
1524	Gfioed32.exe
1524	Gfioed32.exe
1168	Gdlopacg.exe
1168	Gdlopacg.exe
1436	Gkfgml32.exe
1436	Gkfgml32.exe
1344	Gndcig32.exe
1344	Gndcig32.exe

Drops file in System32 directory 64 IoCs

Processes:

Cfkndnbf.exeFgmpag32.exeJimbglbd.exeKglfddgo.exeNfcdaaom.exeOiamlp32.exeAafaed32.exeFcafjq32.exeIijeag32.exeGfbljoke.exeGdlopacg.exeGnfpoghd.exePkjpdg32.exePbahed32.exeGhpepa32.exeJgihnp32.exeLaojkq32.exeMhbcbeej.exeNbhipb32.exeBccobckm.exeEelgplol.exeFngdpc32.exePnodjf32.exeNgngdp32.exeOgnccc32.exeOjloooei.exeMciiigjg.exeOgikciqf.exePocoofjn.exeCcjebb32.exeGigopnja.exeEnboca32.exeGbkfof32.exeFillqflh.exeHlakldho.exeNbcoecji.exeAiklab32.exeCapbco32.exeKefpamff.exeBabcjk32.exeGeaocg32.exeJhcmhhel.exeEafpdchp.exeMijfkl32.exeJjgefo32.exeKhbohhgm.exeNbjefb32.exeHkeclo32.exeGpmkno32.exeMjbmdp32.exeQclkih32.exeAifcfbob.exeObicofgo.exeLnjcklln.exeLmcigh32.exeIifpgi32.exeIafngkog.exeFgjclgop.exeFmihjn32.exeCedhcohn.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Iljnoo32.dll	Cfkndnbf.exe
File opened for modification	C:\Windows\SysWOW64\Ffppmcch.exe	Fgmpag32.exe
File created	C:\Windows\SysWOW64\Ifpmhp32.dll	Jimbglbd.exe
File created	C:\Windows\SysWOW64\Kmfnanol.exe	Kglfddgo.exe
File created	C:\Windows\SysWOW64\Nibammna.exe	Nfcdaaom.exe
File created	C:\Windows\SysWOW64\Dkchhe32.dll	Nfcdaaom.exe
File created	C:\Windows\SysWOW64\Olpihk32.exe	Oiamlp32.exe
File created	C:\Windows\SysWOW64\Lboffajc.dll	Aafaed32.exe
File created	C:\Windows\SysWOW64\Fjnkljab.exe	Fcafjq32.exe
File created	C:\Windows\SysWOW64\Qgemhpai.dll	Iijeag32.exe
File created	C:\Windows\SysWOW64\Cgcdnmfd.dll	Gfbljoke.exe
File created	C:\Windows\SysWOW64\Gkfgml32.exe	Gdlopacg.exe
File opened for modification	C:\Windows\SysWOW64\Hccignfl.exe	Gnfpoghd.exe
File created	C:\Windows\SysWOW64\Lmpichpl.dll	Pkjpdg32.exe
File created	C:\Windows\SysWOW64\Padhaago.exe	Pbahed32.exe
File created	C:\Windows\SysWOW64\Gojmmk32.exe	Ghpepa32.exe
File created	C:\Windows\SysWOW64\Jncqkjpk.exe	Jgihnp32.exe
File created	C:\Windows\SysWOW64\Lcnfeccf.exe	Laojkq32.exe
File opened for modification	C:\Windows\SysWOW64\Molloo32.exe	Mhbcbeej.exe
File opened for modification	C:\Windows\SysWOW64\Nfcdaaom.exe	Nbhipb32.exe
File created	C:\Windows\SysWOW64\Pcnbmnkp.dll	Bccobckm.exe
File created	C:\Windows\SysWOW64\Ekninf32.dll	Eelgplol.exe
File created	C:\Windows\SysWOW64\Jjlfeb32.dll	Fngdpc32.exe
File opened for modification	C:\Windows\SysWOW64\Qigemoke.exe	Pnodjf32.exe
File opened for modification	C:\Windows\SysWOW64\Neagpmje.exe	Ngngdp32.exe
File opened for modification	C:\Windows\SysWOW64\Ojloooei.exe	Ognccc32.exe
File created	C:\Windows\SysWOW64\Glekjgna.dll	Ojloooei.exe
File created	C:\Windows\SysWOW64\Ngelelbn.dll	Mciiigjg.exe
File created	C:\Windows\SysWOW64\Ojhgpdpj.exe	Ogikciqf.exe
File created	C:\Windows\SysWOW64\Pbokpe32.exe	Pocoofjn.exe
File created	C:\Windows\SysWOW64\Ppkahgpi.dll	Ccjebb32.exe
File opened for modification	C:\Windows\SysWOW64\Glflliid.exe	Gigopnja.exe
File created	C:\Windows\SysWOW64\Caabbleh.dll	Enboca32.exe
File created	C:\Windows\SysWOW64\Aefopn32.dll	Gbkfof32.exe
File created	C:\Windows\SysWOW64\Giniff32.exe	Fillqflh.exe
File created	C:\Windows\SysWOW64\Hielfhgi.exe	Hlakldho.exe
File created	C:\Windows\SysWOW64\Lfjpcgif.dll	Nbcoecji.exe
File opened for modification	C:\Windows\SysWOW64\Ahnmmoah.exe	Aiklab32.exe
File created	C:\Windows\SysWOW64\Ffiioo32.dll	Capbco32.exe
File created	C:\Windows\SysWOW64\Kialbk32.exe	Kefpamff.exe
File opened for modification	C:\Windows\SysWOW64\Kialbk32.exe	Kefpamff.exe
File opened for modification	C:\Windows\SysWOW64\Bdqofg32.exe	Babcjk32.exe
File created	C:\Windows\SysWOW64\Ffppmcch.exe	Fgmpag32.exe
File opened for modification	C:\Windows\SysWOW64\Gfbljoke.exe	Geaocg32.exe
File created	C:\Windows\SysWOW64\Jdmkbiim.exe	Jhcmhhel.exe
File created	C:\Windows\SysWOW64\Obqcdf32.dll	Eafpdchp.exe
File created	C:\Windows\SysWOW64\Gdibkb32.exe	Gbkfof32.exe
File created	C:\Windows\SysWOW64\Ljajbc32.dll	Mijfkl32.exe
File created	C:\Windows\SysWOW64\Kalnidgk.dll	Jjgefo32.exe
File created	C:\Windows\SysWOW64\Kolheb32.exe	Khbohhgm.exe
File created	C:\Windows\SysWOW64\Llbmbi32.dll	Nbjefb32.exe
File created	C:\Windows\SysWOW64\Jhdfdjip.dll	Hkeclo32.exe
File created	C:\Windows\SysWOW64\Gbkgjk32.exe	Gpmkno32.exe
File opened for modification	C:\Windows\SysWOW64\Mameajih.exe	Mjbmdp32.exe
File opened for modification	C:\Windows\SysWOW64\Qkcbjf32.exe	Qclkih32.exe
File created	C:\Windows\SysWOW64\Aldobnnf.exe	Aifcfbob.exe
File created	C:\Windows\SysWOW64\Oicklp32.exe	Obicofgo.exe
File created	C:\Windows\SysWOW64\Lfehon32.exe	Lnjcklln.exe
File opened for modification	C:\Windows\SysWOW64\Llfibdck.exe	Lmcigh32.exe
File opened for modification	C:\Windows\SysWOW64\Ildlce32.exe	Iifpgi32.exe
File created	C:\Windows\SysWOW64\Adiefhga.dll	Iafngkog.exe
File opened for modification	C:\Windows\SysWOW64\Fndlia32.exe	Fgjclgop.exe
File opened for modification	C:\Windows\SysWOW64\Gobkbe32.exe	Fmihjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cipddm32.exe	Cedhcohn.exe

Modifies registry class 64 IoCs

Processes:

Pklmjgnp.exeDklnoked.exeFfppmcch.exeGigopnja.exeHagjlfkq.exeNikkln32.exeKqaifh32.exeLicdkj32.exePhlchl32.exeGfioed32.exeHqlbka32.exeGlqjlo32.exeGoofhkeo.exeNmkphl32.exeEfjbof32.exeFppgqpib.exeNoikib32.exeKdpfnh32.exeLnjglnkf.exeOjhgpdpj.exeEegnel32.exeJcfbgi32.exeDjbnfd32.exeEnnfffac.exeLgbinged.exeLmcigh32.exeMameajih.exeMihjelgc.exeMijfkl32.exeKefpamff.exeLcecoekq.exeLmamahoc.exeLelafj32.exeEhobcdgd.exeIldlce32.exeIafngkog.exePpnbnjff.exeFmihjn32.exeJgihnp32.exeNejjflbj.exeMggaof32.exeGaqjgiab.exeEafpdchp.exeKialbk32.exeGmjegdbo.exeKbqepkhm.exeLnjcklln.exeGlflliid.exeFkcnhhkk.exeIbbhni32.exeLlifhdai.exeMpabbf32.exeIckdeb32.exeJfnfkqca.exeKnhkgnmi.exeNbhipb32.exeIpaqhblc.exeLeonkj32.exeOnafkc32.exeAnonpe32.exeLppimcng.exeOkgbnbqa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pklmjgnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dklnoked.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffppmcch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gigopnja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hagjlfkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhbll32.dll"	Nikkln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kqaifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Licdkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phlchl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajean32.dll"	Gfioed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hqlbka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmblfg32.dll"	Glqjlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddjllkba.dll"	Goofhkeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdhcec32.dll"	Nmkphl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efjbof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fppgqpib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noikib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdpfnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjglnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojhgpdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eegnel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcfbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djbnfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ennfffac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbinged.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipljoiac.dll"	Lmcigh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mameajih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mihjelgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mijfkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kefpamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcecoekq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokjkbfc.dll"	Lmamahoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lelafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alajpn32.dll"	Lnjglnkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehobcdgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojfbf32.dll"	Ildlce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iafngkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobeko32.dll"	Ppnbnjff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmihjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgihnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmdgg32.dll"	Nejjflbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kooffahn.dll"	Mggaof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaqjgiab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eafpdchp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kialbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmjegdbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbqepkhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjcklln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glflliid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkcnhhkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjajc32.dll"	Ibbhni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llifhdai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpabbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ickdeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihhlie32.dll"	Jfnfkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knhkgnmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogefon32.dll"	Nbhipb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cglkakjk.dll"	Ipaqhblc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leonkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodpcccm.dll"	Onafkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anonpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhipb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lppimcng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okgbnbqa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1928 wrote to memory of 952	1928	d4a257e078e187478a509e095cf19581946b1184ee6b9cfaa5b5048dd3fb4136.exe	Dhlcgkaf.exe
PID 1928 wrote to memory of 952	1928	d4a257e078e187478a509e095cf19581946b1184ee6b9cfaa5b5048dd3fb4136.exe	Dhlcgkaf.exe
PID 1928 wrote to memory of 952	1928	d4a257e078e187478a509e095cf19581946b1184ee6b9cfaa5b5048dd3fb4136.exe	Dhlcgkaf.exe
PID 1928 wrote to memory of 952	1928	d4a257e078e187478a509e095cf19581946b1184ee6b9cfaa5b5048dd3fb4136.exe	Dhlcgkaf.exe
PID 952 wrote to memory of 1740	952	Dhlcgkaf.exe	Dagdep32.exe
PID 952 wrote to memory of 1740	952	Dhlcgkaf.exe	Dagdep32.exe
PID 952 wrote to memory of 1740	952	Dhlcgkaf.exe	Dagdep32.exe
PID 952 wrote to memory of 1740	952	Dhlcgkaf.exe	Dagdep32.exe
PID 1740 wrote to memory of 628	1740	Dagdep32.exe	Daiakpca.exe
PID 1740 wrote to memory of 628	1740	Dagdep32.exe	Daiakpca.exe
PID 1740 wrote to memory of 628	1740	Dagdep32.exe	Daiakpca.exe
PID 1740 wrote to memory of 628	1740	Dagdep32.exe	Daiakpca.exe
PID 628 wrote to memory of 1204	628	Daiakpca.exe	Dbjmch32.exe
PID 628 wrote to memory of 1204	628	Daiakpca.exe	Dbjmch32.exe
PID 628 wrote to memory of 1204	628	Daiakpca.exe	Dbjmch32.exe
PID 628 wrote to memory of 1204	628	Daiakpca.exe	Dbjmch32.exe
PID 1204 wrote to memory of 896	1204	Dbjmch32.exe	Elbblnpp.exe
PID 1204 wrote to memory of 896	1204	Dbjmch32.exe	Elbblnpp.exe
PID 1204 wrote to memory of 896	1204	Dbjmch32.exe	Elbblnpp.exe
PID 1204 wrote to memory of 896	1204	Dbjmch32.exe	Elbblnpp.exe
PID 896 wrote to memory of 1640	896	Elbblnpp.exe	Efhfifpf.exe
PID 896 wrote to memory of 1640	896	Elbblnpp.exe	Efhfifpf.exe
PID 896 wrote to memory of 1640	896	Elbblnpp.exe	Efhfifpf.exe
PID 896 wrote to memory of 1640	896	Elbblnpp.exe	Efhfifpf.exe
PID 1640 wrote to memory of 1768	1640	Efhfifpf.exe	Efjbof32.exe
PID 1640 wrote to memory of 1768	1640	Efhfifpf.exe	Efjbof32.exe
PID 1640 wrote to memory of 1768	1640	Efhfifpf.exe	Efjbof32.exe
PID 1640 wrote to memory of 1768	1640	Efhfifpf.exe	Efjbof32.exe
PID 1768 wrote to memory of 1608	1768	Efjbof32.exe	Eofgch32.exe
PID 1768 wrote to memory of 1608	1768	Efjbof32.exe	Eofgch32.exe
PID 1768 wrote to memory of 1608	1768	Efjbof32.exe	Eofgch32.exe
PID 1768 wrote to memory of 1608	1768	Efjbof32.exe	Eofgch32.exe
PID 1608 wrote to memory of 1756	1608	Eofgch32.exe	Ehnlln32.exe
PID 1608 wrote to memory of 1756	1608	Eofgch32.exe	Ehnlln32.exe
PID 1608 wrote to memory of 1756	1608	Eofgch32.exe	Ehnlln32.exe
PID 1608 wrote to memory of 1756	1608	Eofgch32.exe	Ehnlln32.exe
PID 1756 wrote to memory of 1824	1756	Ehnlln32.exe	Eafpdchp.exe
PID 1756 wrote to memory of 1824	1756	Ehnlln32.exe	Eafpdchp.exe
PID 1756 wrote to memory of 1824	1756	Ehnlln32.exe	Eafpdchp.exe
PID 1756 wrote to memory of 1824	1756	Ehnlln32.exe	Eafpdchp.exe
PID 1824 wrote to memory of 584	1824	Eafpdchp.exe	Eojanhgi.exe
PID 1824 wrote to memory of 584	1824	Eafpdchp.exe	Eojanhgi.exe
PID 1824 wrote to memory of 584	1824	Eafpdchp.exe	Eojanhgi.exe
PID 1824 wrote to memory of 584	1824	Eafpdchp.exe	Eojanhgi.exe
PID 584 wrote to memory of 240	584	Eojanhgi.exe	Fdgifoeq.exe
PID 584 wrote to memory of 240	584	Eojanhgi.exe	Fdgifoeq.exe
PID 584 wrote to memory of 240	584	Eojanhgi.exe	Fdgifoeq.exe
PID 584 wrote to memory of 240	584	Eojanhgi.exe	Fdgifoeq.exe
PID 240 wrote to memory of 1744	240	Fdgifoeq.exe	Fomncg32.exe
PID 240 wrote to memory of 1744	240	Fdgifoeq.exe	Fomncg32.exe
PID 240 wrote to memory of 1744	240	Fdgifoeq.exe	Fomncg32.exe
PID 240 wrote to memory of 1744	240	Fdgifoeq.exe	Fomncg32.exe
PID 1744 wrote to memory of 544	1744	Fomncg32.exe	Fakjpc32.exe
PID 1744 wrote to memory of 544	1744	Fomncg32.exe	Fakjpc32.exe
PID 1744 wrote to memory of 544	1744	Fomncg32.exe	Fakjpc32.exe
PID 1744 wrote to memory of 544	1744	Fomncg32.exe	Fakjpc32.exe
PID 544 wrote to memory of 1260	544	Fakjpc32.exe	Fkcnhhkk.exe
PID 544 wrote to memory of 1260	544	Fakjpc32.exe	Fkcnhhkk.exe
PID 544 wrote to memory of 1260	544	Fakjpc32.exe	Fkcnhhkk.exe
PID 544 wrote to memory of 1260	544	Fakjpc32.exe	Fkcnhhkk.exe
PID 1260 wrote to memory of 1632	1260	Fkcnhhkk.exe	Fnbjddjn.exe
PID 1260 wrote to memory of 1632	1260	Fkcnhhkk.exe	Fnbjddjn.exe
PID 1260 wrote to memory of 1632	1260	Fkcnhhkk.exe	Fnbjddjn.exe
PID 1260 wrote to memory of 1632	1260	Fkcnhhkk.exe	Fnbjddjn.exe

C:\Users\Admin\AppData\Local\Temp\d4a257e078e187478a509e095cf19581946b1184ee6b9cfaa5b5048dd3fb4136.exe
"C:\Users\Admin\AppData\Local\Temp\d4a257e078e187478a509e095cf19581946b1184ee6b9cfaa5b5048dd3fb4136.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\Dhlcgkaf.exe
C:\Windows\system32\Dhlcgkaf.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\Dagdep32.exe
C:\Windows\system32\Dagdep32.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\Daiakpca.exe
C:\Windows\system32\Daiakpca.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\Dbjmch32.exe
C:\Windows\system32\Dbjmch32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\Elbblnpp.exe
C:\Windows\system32\Elbblnpp.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\Efhfifpf.exe
C:\Windows\system32\Efhfifpf.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\Efjbof32.exe
C:\Windows\system32\Efjbof32.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\Eofgch32.exe
C:\Windows\system32\Eofgch32.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\Ehnlln32.exe
C:\Windows\system32\Ehnlln32.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\Eafpdchp.exe
C:\Windows\system32\Eafpdchp.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\Eojanhgi.exe
C:\Windows\system32\Eojanhgi.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\Fdgifoeq.exe
C:\Windows\system32\Fdgifoeq.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\Fomncg32.exe
C:\Windows\system32\Fomncg32.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\Fakjpc32.exe
C:\Windows\system32\Fakjpc32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\Fkcnhhkk.exe
C:\Windows\system32\Fkcnhhkk.exe
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\Fnbjddjn.exe
C:\Windows\system32\Fnbjddjn.exe
17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632

C:\Windows\SysWOW64\Fppgqpib.exe
C:\Windows\system32\Fppgqpib.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1680

C:\Windows\SysWOW64\Fcocmkhf.exe
C:\Windows\system32\Fcocmkhf.exe
19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1336

C:\Windows\SysWOW64\Fkfknh32.exe
C:\Windows\system32\Fkfknh32.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224

C:\Windows\SysWOW64\Fgmlcinl.exe
C:\Windows\system32\Fgmlcinl.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:848

C:\Windows\SysWOW64\Fngdpc32.exe
C:\Windows\system32\Fngdpc32.exe
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1060

C:\Windows\SysWOW64\Ghpepa32.exe
C:\Windows\system32\Ghpepa32.exe
23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1056

C:\Windows\SysWOW64\Gojmmk32.exe
C:\Windows\system32\Gojmmk32.exe
24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792

C:\Windows\SysWOW64\Gjpajd32.exe
C:\Windows\system32\Gjpajd32.exe
25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1396

C:\Windows\SysWOW64\Gbkfof32.exe
C:\Windows\system32\Gbkfof32.exe
26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:968

C:\Windows\SysWOW64\Gdibkb32.exe
C:\Windows\system32\Gdibkb32.exe
27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972

C:\Windows\SysWOW64\Glqjlo32.exe
C:\Windows\system32\Glqjlo32.exe
28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:556

C:\Windows\SysWOW64\Goofhkeo.exe
C:\Windows\system32\Goofhkeo.exe
29⤵
- Executes dropped EXE
- Modifies registry class
PID:1040

C:\Windows\SysWOW64\Gfioed32.exe
C:\Windows\system32\Gfioed32.exe
30⤵
- Loads dropped DLL
- Modifies registry class
PID:1524

C:\Windows\SysWOW64\Gdlopacg.exe
C:\Windows\system32\Gdlopacg.exe
31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1168

C:\Windows\SysWOW64\Gkfgml32.exe
C:\Windows\system32\Gkfgml32.exe
32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436

C:\Windows\SysWOW64\Gndcig32.exe
C:\Windows\system32\Gndcig32.exe
33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344

C:\Windows\SysWOW64\Gdnlfaad.exe
C:\Windows\system32\Gdnlfaad.exe
34⤵
- Executes dropped EXE
PID:1372

C:\Windows\SysWOW64\Gglhbmqh.exe
C:\Windows\system32\Gglhbmqh.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1200

C:\Windows\SysWOW64\Gnfpoghd.exe
C:\Windows\system32\Gnfpoghd.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1376

C:\Windows\SysWOW64\Hccignfl.exe
C:\Windows\system32\Hccignfl.exe
37⤵
- Executes dropped EXE
PID:1976

C:\Windows\SysWOW64\Hkjqhkgn.exe
C:\Windows\system32\Hkjqhkgn.exe
38⤵
- Executes dropped EXE
PID:1692

C:\Windows\SysWOW64\Hmlmpc32.exe
C:\Windows\system32\Hmlmpc32.exe
39⤵
- Executes dropped EXE
PID:1712

C:\Windows\SysWOW64\Hqlbka32.exe
C:\Windows\system32\Hqlbka32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1144

C:\Windows\SysWOW64\Hkeclo32.exe
C:\Windows\system32\Hkeclo32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:280

C:\Windows\SysWOW64\Hbplii32.exe
C:\Windows\system32\Hbplii32.exe
42⤵
- Executes dropped EXE
PID:908

C:\Windows\SysWOW64\Ibbhni32.exe
C:\Windows\system32\Ibbhni32.exe
43⤵
- Executes dropped EXE
- Modifies registry class
PID:316

C:\Windows\SysWOW64\Iinmqb32.exe
C:\Windows\system32\Iinmqb32.exe
44⤵
- Executes dropped EXE
PID:1076

C:\Windows\SysWOW64\Pnodjf32.exe
C:\Windows\system32\Pnodjf32.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1552

C:\Windows\SysWOW64\Qigemoke.exe
C:\Windows\system32\Qigemoke.exe
46⤵
- Executes dropped EXE
PID:1980

C:\Windows\SysWOW64\Djbnfd32.exe
C:\Windows\system32\Djbnfd32.exe
47⤵
- Executes dropped EXE
- Modifies registry class
PID:1644

C:\Windows\SysWOW64\Dapoqfag.exe
C:\Windows\system32\Dapoqfag.exe
48⤵
- Executes dropped EXE
PID:1132

C:\Windows\SysWOW64\Ennfffac.exe
C:\Windows\system32\Ennfffac.exe
49⤵
- Executes dropped EXE
- Modifies registry class
PID:1856

C:\Windows\SysWOW64\Fnkepifa.exe
C:\Windows\system32\Fnkepifa.exe
50⤵
- Executes dropped EXE
PID:1716

C:\Windows\SysWOW64\Fjbfdjle.exe
C:\Windows\system32\Fjbfdjle.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:832

C:\Windows\SysWOW64\Fegjbckl.exe
C:\Windows\system32\Fegjbckl.exe
52⤵
- Executes dropped EXE
PID:1536

C:\Windows\SysWOW64\Fmcofeif.exe
C:\Windows\system32\Fmcofeif.exe
53⤵
- Executes dropped EXE
PID:1548

C:\Windows\SysWOW64\Fcmgcp32.exe
C:\Windows\system32\Fcmgcp32.exe
54⤵
- Executes dropped EXE
PID:1008

C:\Windows\SysWOW64\Fnbkphpi.exe
C:\Windows\system32\Fnbkphpi.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:332

C:\Windows\SysWOW64\Fpchhq32.exe
C:\Windows\system32\Fpchhq32.exe
56⤵
- Executes dropped EXE
PID:692

C:\Windows\SysWOW64\Ffnpdkmd.exe
C:\Windows\system32\Ffnpdkmd.exe
57⤵
- Executes dropped EXE
PID:1160

C:\Windows\SysWOW64\Fillqflh.exe
C:\Windows\system32\Fillqflh.exe
58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:344

C:\Windows\SysWOW64\Giniff32.exe
C:\Windows\system32\Giniff32.exe
59⤵
- Executes dropped EXE
PID:640

C:\Windows\SysWOW64\Gmjegdbo.exe
C:\Windows\system32\Gmjegdbo.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1784

C:\Windows\SysWOW64\Gphacpab.exe
C:\Windows\system32\Gphacpab.exe
61⤵
- Executes dropped EXE
PID:1148

C:\Windows\SysWOW64\Gmlbldql.exe
C:\Windows\system32\Gmlbldql.exe
62⤵
- Executes dropped EXE
PID:2020

C:\Windows\SysWOW64\Gpknhppp.exe
C:\Windows\system32\Gpknhppp.exe
63⤵
- Executes dropped EXE
PID:1940

C:\Windows\SysWOW64\Gpmkno32.exe
C:\Windows\system32\Gpmkno32.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1596

C:\Windows\SysWOW64\Gbkgjk32.exe
C:\Windows\system32\Gbkgjk32.exe
65⤵
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\Gejcff32.exe
C:\Windows\system32\Gejcff32.exe
66⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWOW64\Gaqdkgah.exe
C:\Windows\system32\Gaqdkgah.exe
67⤵
PID:1948

C:\Windows\SysWOW64\Hdopgbql.exe
C:\Windows\system32\Hdopgbql.exe
68⤵
PID:1560

C:\Windows\SysWOW64\Hacqag32.exe
C:\Windows\system32\Hacqag32.exe
69⤵
PID:1164

C:\Windows\SysWOW64\Hogajk32.exe
C:\Windows\system32\Hogajk32.exe
70⤵
PID:628

C:\Windows\SysWOW64\Hmjafhej.exe
C:\Windows\system32\Hmjafhej.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:708

C:\Windows\SysWOW64\Hiqbkikn.exe
C:\Windows\system32\Hiqbkikn.exe
72⤵
PID:1952

C:\Windows\SysWOW64\Hagjlfkq.exe
C:\Windows\system32\Hagjlfkq.exe
73⤵
- Modifies registry class
PID:1932

C:\Windows\SysWOW64\Hicophil.exe
C:\Windows\system32\Hicophil.exe
74⤵
PID:1332

C:\Windows\SysWOW64\Hlakldho.exe
C:\Windows\system32\Hlakldho.exe
75⤵
- Drops file in System32 directory
PID:1180

C:\Windows\SysWOW64\Hielfhgi.exe
C:\Windows\system32\Hielfhgi.exe
76⤵
PID:436

C:\Windows\SysWOW64\Hlchbc32.exe
C:\Windows\system32\Hlchbc32.exe
77⤵
PID:1620

C:\Windows\SysWOW64\Iobdno32.exe
C:\Windows\system32\Iobdno32.exe
78⤵
PID:1504

C:\Windows\SysWOW64\Ipaqhblc.exe
C:\Windows\system32\Ipaqhblc.exe
79⤵
- Modifies registry class
PID:560

C:\Windows\SysWOW64\Iodqco32.exe
C:\Windows\system32\Iodqco32.exe
80⤵
PID:1048

C:\Windows\SysWOW64\Iijeag32.exe
C:\Windows\system32\Iijeag32.exe
81⤵
- Drops file in System32 directory
PID:1264

C:\Windows\SysWOW64\Ieqffh32.exe
C:\Windows\system32\Ieqffh32.exe
82⤵
PID:1212

C:\Windows\SysWOW64\Iagfkinl.exe
C:\Windows\system32\Iagfkinl.exe
83⤵
PID:2036

C:\Windows\SysWOW64\Igdocplc.exe
C:\Windows\system32\Igdocplc.exe
84⤵
PID:1584

C:\Windows\SysWOW64\Ipmclfbd.exe
C:\Windows\system32\Ipmclfbd.exe
85⤵
PID:1628

C:\Windows\SysWOW64\Ihckmccf.exe
C:\Windows\system32\Ihckmccf.exe
86⤵
PID:1340

C:\Windows\SysWOW64\Jdjlbd32.exe
C:\Windows\system32\Jdjlbd32.exe
87⤵
PID:1808

C:\Windows\SysWOW64\Jgihnp32.exe
C:\Windows\system32\Jgihnp32.exe
88⤵
- Drops file in System32 directory
- Modifies registry class
PID:1416

C:\Windows\SysWOW64\Jncqkjpk.exe
C:\Windows\system32\Jncqkjpk.exe
89⤵
PID:1520

C:\Windows\SysWOW64\Jqamge32.exe
C:\Windows\system32\Jqamge32.exe
90⤵
PID:1320

C:\Windows\SysWOW64\Jofjhacf.exe
C:\Windows\system32\Jofjhacf.exe
91⤵
PID:860

C:\Windows\SysWOW64\Jmjjafbp.exe
C:\Windows\system32\Jmjjafbp.exe
92⤵
PID:2044

C:\Windows\SysWOW64\Jcdbnpjm.exe
C:\Windows\system32\Jcdbnpjm.exe
93⤵
PID:2028

C:\Windows\SysWOW64\Jfbojkiq.exe
C:\Windows\system32\Jfbojkiq.exe
94⤵
PID:820

C:\Windows\SysWOW64\Jiakfghd.exe
C:\Windows\system32\Jiakfghd.exe
95⤵
PID:1648

C:\Windows\SysWOW64\Jkpgcbgh.exe
C:\Windows\system32\Jkpgcbgh.exe
96⤵
PID:1736

C:\Windows\SysWOW64\Jokcca32.exe
C:\Windows\system32\Jokcca32.exe
97⤵
PID:1216

C:\Windows\SysWOW64\Kkbdhbee.exe
C:\Windows\system32\Kkbdhbee.exe
98⤵
PID:1764

C:\Windows\SysWOW64\Kbllellb.exe
C:\Windows\system32\Kbllellb.exe
99⤵
PID:1988

C:\Windows\SysWOW64\Kopmnpkl.exe
C:\Windows\system32\Kopmnpkl.exe
100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1500

C:\Windows\SysWOW64\Kqaifh32.exe
C:\Windows\system32\Kqaifh32.exe
101⤵
- Modifies registry class
PID:1744

C:\Windows\SysWOW64\Kbqepkhm.exe
C:\Windows\system32\Kbqepkhm.exe
102⤵
- Modifies registry class
PID:1384

C:\Windows\SysWOW64\Kqcflhog.exe
C:\Windows\system32\Kqcflhog.exe
103⤵
PID:1112

C:\Windows\SysWOW64\Keoalg32.exe
C:\Windows\system32\Keoalg32.exe
104⤵
PID:1144

C:\Windows\SysWOW64\Kgpknb32.exe
C:\Windows\system32\Kgpknb32.exe
105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908

C:\Windows\SysWOW64\Kfbkiokl.exe
C:\Windows\system32\Kfbkiokl.exe
106⤵
PID:952

C:\Windows\SysWOW64\Lnjcklln.exe
C:\Windows\system32\Lnjcklln.exe
107⤵
- Drops file in System32 directory
- Modifies registry class
PID:1204

C:\Windows\SysWOW64\Lfehon32.exe
C:\Windows\system32\Lfehon32.exe
108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:896

C:\Windows\SysWOW64\Licdkj32.exe
C:\Windows\system32\Licdkj32.exe
109⤵
- Modifies registry class
PID:1756

C:\Windows\SysWOW64\Lfgddn32.exe
C:\Windows\system32\Lfgddn32.exe
110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:584

C:\Windows\SysWOW64\Ljcpempp.exe
C:\Windows\system32\Ljcpempp.exe
111⤵
PID:1640

C:\Windows\SysWOW64\Lmamahoc.exe
C:\Windows\system32\Lmamahoc.exe
112⤵
- Modifies registry class
PID:1260

C:\Windows\SysWOW64\Lppimcng.exe
C:\Windows\system32\Lppimcng.exe
113⤵
- Modifies registry class
PID:976

C:\Windows\SysWOW64\Lbneiomk.exe
C:\Windows\system32\Lbneiomk.exe
114⤵
PID:516

C:\Windows\SysWOW64\Lelafj32.exe
C:\Windows\system32\Lelafj32.exe
115⤵
- Modifies registry class
PID:672

C:\Windows\SysWOW64\Lmcigh32.exe
C:\Windows\system32\Lmcigh32.exe
116⤵
- Drops file in System32 directory
- Modifies registry class
PID:2012

C:\Windows\SysWOW64\Llfibdck.exe
C:\Windows\system32\Llfibdck.exe
117⤵
PID:1780

C:\Windows\SysWOW64\Lnefopbo.exe
C:\Windows\system32\Lnefopbo.exe
118⤵
PID:1968

C:\Windows\SysWOW64\Leonkj32.exe
C:\Windows\system32\Leonkj32.exe
119⤵
- Modifies registry class
PID:272

C:\Windows\SysWOW64\Lhmjge32.exe
C:\Windows\system32\Lhmjge32.exe
120⤵
PID:568

C:\Windows\SysWOW64\Llifhdai.exe
C:\Windows\system32\Llifhdai.exe
121⤵
- Modifies registry class
PID:1688

C:\Windows\SysWOW64\Lngbdpqm.exe
C:\Windows\system32\Lngbdpqm.exe
122⤵
PID:996

C:\Windows\SysWOW64\Laeopkpp.exe
C:\Windows\system32\Laeopkpp.exe
123⤵
PID:1240

C:\Windows\SysWOW64\Mimgah32.exe
C:\Windows\system32\Mimgah32.exe
124⤵
PID:636

C:\Windows\SysWOW64\Mhpgmegm.exe
C:\Windows\system32\Mhpgmegm.exe
125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700

C:\Windows\SysWOW64\Mniojo32.exe
C:\Windows\system32\Mniojo32.exe
126⤵
PID:2056

C:\Windows\SysWOW64\Mahkfk32.exe
C:\Windows\system32\Mahkfk32.exe
127⤵
PID:2064

C:\Windows\SysWOW64\Mhbcbeej.exe
C:\Windows\system32\Mhbcbeej.exe
128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2072

C:\Windows\SysWOW64\Molloo32.exe
C:\Windows\system32\Molloo32.exe
129⤵
PID:2080

C:\Windows\SysWOW64\Majhkj32.exe
C:\Windows\system32\Majhkj32.exe
130⤵
PID:2088

C:\Windows\SysWOW64\Mdhdgf32.exe
C:\Windows\system32\Mdhdgf32.exe
131⤵
PID:2096

C:\Windows\SysWOW64\Mfgqcajb.exe
C:\Windows\system32\Mfgqcajb.exe
132⤵
PID:2104

C:\Windows\SysWOW64\Mjbmdp32.exe
C:\Windows\system32\Mjbmdp32.exe
133⤵
- Drops file in System32 directory
PID:2112

C:\Windows\SysWOW64\Mameajih.exe
C:\Windows\system32\Mameajih.exe
134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2120

C:\Windows\SysWOW64\Mdkameil.exe
C:\Windows\system32\Mdkameil.exe
135⤵
PID:2128

C:\Windows\SysWOW64\Mfimiahp.exe
C:\Windows\system32\Mfimiahp.exe
136⤵
PID:2136

C:\Windows\SysWOW64\Mihjelgc.exe
C:\Windows\system32\Mihjelgc.exe
137⤵
- Modifies registry class
PID:2144

C:\Windows\SysWOW64\Mpabbf32.exe
C:\Windows\system32\Mpabbf32.exe
138⤵
- Modifies registry class
PID:2152

C:\Windows\SysWOW64\Mbpnnb32.exe
C:\Windows\system32\Mbpnnb32.exe
139⤵
PID:2160

C:\Windows\SysWOW64\Mijfkl32.exe
C:\Windows\system32\Mijfkl32.exe
140⤵
- Drops file in System32 directory
- Modifies registry class
PID:2168

C:\Windows\SysWOW64\Mlhbgg32.exe
C:\Windows\system32\Mlhbgg32.exe
141⤵
PID:2176

C:\Windows\SysWOW64\Npdogflm.exe
C:\Windows\system32\Npdogflm.exe
142⤵
PID:2184

C:\Windows\SysWOW64\Ngngdp32.exe
C:\Windows\system32\Ngngdp32.exe
143⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2192

C:\Windows\SysWOW64\Neagpmje.exe
C:\Windows\system32\Neagpmje.exe
144⤵
PID:2200

C:\Windows\SysWOW64\Nmhoajkg.exe
C:\Windows\system32\Nmhoajkg.exe
145⤵
PID:2208

C:\Windows\SysWOW64\Npfkmfjk.exe
C:\Windows\system32\Npfkmfjk.exe
146⤵
PID:2216

C:\Windows\SysWOW64\Noikib32.exe
C:\Windows\system32\Noikib32.exe
147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2224

C:\Windows\SysWOW64\Niopfkak.exe
C:\Windows\system32\Niopfkak.exe
148⤵
PID:2284

C:\Windows\SysWOW64\Nopaia32.exe
C:\Windows\system32\Nopaia32.exe
149⤵
PID:2312

C:\Windows\SysWOW64\Nejjflbj.exe
C:\Windows\system32\Nejjflbj.exe
150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2332

C:\Windows\SysWOW64\Nhifbgan.exe
C:\Windows\system32\Nhifbgan.exe
151⤵
PID:2348

C:\Windows\SysWOW64\Okgbnbqa.exe
C:\Windows\system32\Okgbnbqa.exe
152⤵
- Modifies registry class
PID:2364

C:\Windows\SysWOW64\Oobnoa32.exe
C:\Windows\system32\Oobnoa32.exe
153⤵
PID:2380

C:\Windows\SysWOW64\Oaajkm32.exe
C:\Windows\system32\Oaajkm32.exe
154⤵
PID:2396

C:\Windows\SysWOW64\Opdkfioi.exe
C:\Windows\system32\Opdkfioi.exe
155⤵
PID:2412

C:\Windows\SysWOW64\Ohkchgpk.exe
C:\Windows\system32\Ohkchgpk.exe
156⤵
PID:2424

C:\Windows\SysWOW64\Ognccc32.exe
C:\Windows\system32\Ognccc32.exe
157⤵
- Drops file in System32 directory
PID:2440

C:\Windows\SysWOW64\Ojloooei.exe
C:\Windows\system32\Ojloooei.exe
158⤵
- Drops file in System32 directory
PID:2452

C:\Windows\SysWOW64\Onhkpn32.exe
C:\Windows\system32\Onhkpn32.exe
159⤵
PID:2468

C:\Windows\SysWOW64\Opfgli32.exe
C:\Windows\system32\Opfgli32.exe
160⤵
PID:2484

C:\Windows\SysWOW64\Odacmheo.exe
C:\Windows\system32\Odacmheo.exe
161⤵
PID:2500

C:\Windows\SysWOW64\Ogppicdc.exe
C:\Windows\system32\Ogppicdc.exe
162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2884

C:\Windows\SysWOW64\Ebplkmjn.exe
C:\Windows\system32\Ebplkmjn.exe
163⤵
PID:2892

C:\Windows\SysWOW64\Fijdhg32.exe
C:\Windows\system32\Fijdhg32.exe
164⤵
PID:2900

C:\Windows\SysWOW64\Ggnapocp.exe
C:\Windows\system32\Ggnapocp.exe
165⤵
PID:2908

C:\Windows\SysWOW64\Ghonhg32.exe
C:\Windows\system32\Ghonhg32.exe
166⤵
PID:2916

C:\Windows\SysWOW64\Gnqpkmcp.exe
C:\Windows\system32\Gnqpkmcp.exe
167⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924

C:\Windows\SysWOW64\Gfhglkdb.exe
C:\Windows\system32\Gfhglkdb.exe
168⤵
PID:2964

C:\Windows\SysWOW64\Hmoobh32.exe
C:\Windows\system32\Hmoobh32.exe
169⤵
PID:2972

C:\Windows\SysWOW64\Hqkkcghf.exe
C:\Windows\system32\Hqkkcghf.exe
170⤵
PID:2980

C:\Windows\SysWOW64\Iblhkp32.exe
C:\Windows\system32\Iblhkp32.exe
171⤵
PID:2988

C:\Windows\SysWOW64\Iifpgi32.exe
C:\Windows\system32\Iifpgi32.exe
172⤵
- Drops file in System32 directory
PID:2996

C:\Windows\SysWOW64\Ildlce32.exe
C:\Windows\system32\Ildlce32.exe
173⤵
- Modifies registry class
PID:3004

C:\Windows\SysWOW64\Ickdeb32.exe
C:\Windows\system32\Ickdeb32.exe
174⤵
- Modifies registry class
PID:3012

C:\Windows\SysWOW64\Ibndpola.exe
C:\Windows\system32\Ibndpola.exe
175⤵
PID:3020

C:\Windows\SysWOW64\Imdinhlh.exe
C:\Windows\system32\Imdinhlh.exe
176⤵
PID:3028

C:\Windows\SysWOW64\Ipbejckk.exe
C:\Windows\system32\Ipbejckk.exe
177⤵
PID:3036

C:\Windows\SysWOW64\Iflmfm32.exe
C:\Windows\system32\Iflmfm32.exe
178⤵
PID:3044

C:\Windows\SysWOW64\Iikibial.exe
C:\Windows\system32\Iikibial.exe
179⤵
PID:3052

C:\Windows\SysWOW64\Ilifodqp.exe
C:\Windows\system32\Ilifodqp.exe
180⤵
PID:3060

C:\Windows\SysWOW64\Ingbkppc.exe
C:\Windows\system32\Ingbkppc.exe
181⤵
PID:3068

C:\Windows\SysWOW64\Iafngkog.exe
C:\Windows\system32\Iafngkog.exe
182⤵
- Drops file in System32 directory
- Modifies registry class
PID:2236

C:\Windows\SysWOW64\Ibekan32.exe
C:\Windows\system32\Ibekan32.exe
183⤵
PID:2244

C:\Windows\SysWOW64\Ihbcie32.exe
C:\Windows\system32\Ihbcie32.exe
184⤵
PID:2252

C:\Windows\SysWOW64\Jnlkfo32.exe
C:\Windows\system32\Jnlkfo32.exe
185⤵
PID:2260

C:\Windows\SysWOW64\Jajhbj32.exe
C:\Windows\system32\Jajhbj32.exe
186⤵
PID:2268

C:\Windows\SysWOW64\Jhdpodbn.exe
C:\Windows\system32\Jhdpodbn.exe
187⤵
PID:2276

C:\Windows\SysWOW64\Jamdgj32.exe
C:\Windows\system32\Jamdgj32.exe
188⤵
PID:2280

C:\Windows\SysWOW64\Jpbaif32.exe
C:\Windows\system32\Jpbaif32.exe
189⤵
PID:2300

C:\Windows\SysWOW64\Jjgefo32.exe
C:\Windows\system32\Jjgefo32.exe
190⤵
- Drops file in System32 directory
PID:2308

C:\Windows\SysWOW64\Jlibnhck.exe
C:\Windows\system32\Jlibnhck.exe
191⤵
PID:2324

C:\Windows\SysWOW64\Jpdnnf32.exe
C:\Windows\system32\Jpdnnf32.exe
192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2344

C:\Windows\SysWOW64\Jfnfkqca.exe
C:\Windows\system32\Jfnfkqca.exe
193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2356

C:\Windows\SysWOW64\Jimbglbd.exe
C:\Windows\system32\Jimbglbd.exe
194⤵
- Drops file in System32 directory
PID:2372

C:\Windows\SysWOW64\Jpgkdfia.exe
C:\Windows\system32\Jpgkdfia.exe
195⤵
PID:2388

C:\Windows\SysWOW64\Jbegpaie.exe
C:\Windows\system32\Jbegpaie.exe
196⤵
PID:2404

C:\Windows\SysWOW64\Khbohhgm.exe
C:\Windows\system32\Khbohhgm.exe
197⤵
- Drops file in System32 directory
PID:2420

C:\Windows\SysWOW64\Kolheb32.exe
C:\Windows\system32\Kolheb32.exe
198⤵
PID:2460

C:\Windows\SysWOW64\Kefpamff.exe
C:\Windows\system32\Kefpamff.exe
199⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2448

C:\Windows\SysWOW64\Kialbk32.exe
C:\Windows\system32\Kialbk32.exe
200⤵
- Modifies registry class
PID:2480

C:\Windows\SysWOW64\Klphnfmc.exe
C:\Windows\system32\Klphnfmc.exe
201⤵
PID:2628

C:\Windows\SysWOW64\Kehmgl32.exe
C:\Windows\system32\Kehmgl32.exe
202⤵
PID:2648

C:\Windows\SysWOW64\Khfich32.exe
C:\Windows\system32\Khfich32.exe
203⤵
PID:2680

C:\Windows\SysWOW64\Kkeeoc32.exe
C:\Windows\system32\Kkeeoc32.exe
204⤵
PID:2712

C:\Windows\SysWOW64\Kaomlmih.exe
C:\Windows\system32\Kaomlmih.exe
205⤵
PID:2776

C:\Windows\SysWOW64\Kglfddgo.exe
C:\Windows\system32\Kglfddgo.exe
206⤵
- Drops file in System32 directory
PID:2800

C:\Windows\SysWOW64\Kmfnanol.exe
C:\Windows\system32\Kmfnanol.exe
207⤵
PID:2836

C:\Windows\SysWOW64\Kdpfnh32.exe
C:\Windows\system32\Kdpfnh32.exe
208⤵
- Modifies registry class
PID:1308

C:\Windows\SysWOW64\Knhkgnmi.exe
C:\Windows\system32\Knhkgnmi.exe
209⤵
- Modifies registry class
PID:1956

C:\Windows\SysWOW64\Lacggm32.exe
C:\Windows\system32\Lacggm32.exe
210⤵
PID:472

C:\Windows\SysWOW64\Lcecoekq.exe
C:\Windows\system32\Lcecoekq.exe
211⤵
- Modifies registry class
PID:2872

C:\Windows\SysWOW64\Lnjglnkf.exe
C:\Windows\system32\Lnjglnkf.exe
212⤵
- Modifies registry class
PID:1076

C:\Windows\SysWOW64\Lddpihbc.exe
C:\Windows\system32\Lddpihbc.exe
213⤵
PID:1400

C:\Windows\SysWOW64\Lcgpdd32.exe
C:\Windows\system32\Lcgpdd32.exe
214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2040

C:\Windows\SysWOW64\Leflqp32.exe
C:\Windows\system32\Leflqp32.exe
215⤵
PID:1912

C:\Windows\SysWOW64\Lnmdam32.exe
C:\Windows\system32\Lnmdam32.exe
216⤵
PID:1540

C:\Windows\SysWOW64\Lonqieob.exe
C:\Windows\system32\Lonqieob.exe
217⤵
PID:1728

C:\Windows\SysWOW64\Lehifp32.exe
C:\Windows\system32\Lehifp32.exe
218⤵
PID:960

C:\Windows\SysWOW64\Laojkq32.exe
C:\Windows\system32\Laojkq32.exe
219⤵
- Drops file in System32 directory
PID:1852

C:\Windows\SysWOW64\Lcnfeccf.exe
C:\Windows\system32\Lcnfeccf.exe
220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:980

C:\Windows\SysWOW64\Ldpbml32.exe
C:\Windows\system32\Ldpbml32.exe
221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:780

C:\Windows\SysWOW64\Mlgjni32.exe
C:\Windows\system32\Mlgjni32.exe
222⤵
PID:1672

C:\Windows\SysWOW64\Mfoogo32.exe
C:\Windows\system32\Mfoogo32.exe
223⤵
PID:2008

C:\Windows\SysWOW64\Mdbobkga.exe
C:\Windows\system32\Mdbobkga.exe
224⤵
PID:1428

C:\Windows\SysWOW64\Mklgoe32.exe
C:\Windows\system32\Mklgoe32.exe
225⤵
PID:1788

C:\Windows\SysWOW64\Mnjdka32.exe
C:\Windows\system32\Mnjdka32.exe
226⤵
PID:1684

C:\Windows\SysWOW64\Mddlhkeo.exe
C:\Windows\system32\Mddlhkeo.exe
227⤵
PID:1572

C:\Windows\SysWOW64\Mhphhj32.exe
C:\Windows\system32\Mhphhj32.exe
228⤵
PID:1544

C:\Windows\SysWOW64\Mkndde32.exe
C:\Windows\system32\Mkndde32.exe
229⤵
PID:364

C:\Windows\SysWOW64\Mjadpbcf.exe
C:\Windows\system32\Mjadpbcf.exe
230⤵
PID:1064

C:\Windows\SysWOW64\Mqkmmljc.exe
C:\Windows\system32\Mqkmmljc.exe
231⤵
PID:1944

C:\Windows\SysWOW64\Mciiigjg.exe
C:\Windows\system32\Mciiigjg.exe
232⤵
- Drops file in System32 directory
PID:1592

C:\Windows\SysWOW64\Mgeejf32.exe
C:\Windows\system32\Mgeejf32.exe
233⤵
PID:1604

C:\Windows\SysWOW64\Mjcafa32.exe
C:\Windows\system32\Mjcafa32.exe
234⤵
PID:1708

C:\Windows\SysWOW64\Mqmiblhq.exe
C:\Windows\system32\Mqmiblhq.exe
235⤵
PID:1668

C:\Windows\SysWOW64\Mggaof32.exe
C:\Windows\system32\Mggaof32.exe
236⤵
- Modifies registry class
PID:1804

C:\Windows\SysWOW64\Mnajlpgj.exe
C:\Windows\system32\Mnajlpgj.exe
237⤵
PID:1740

C:\Windows\SysWOW64\Mmdjgm32.exe
C:\Windows\system32\Mmdjgm32.exe
238⤵
PID:1300

C:\Windows\SysWOW64\Ncnbdg32.exe
C:\Windows\system32\Ncnbdg32.exe
239⤵
PID:1608

C:\Windows\SysWOW64\Nikkln32.exe
C:\Windows\system32\Nikkln32.exe
240⤵
- Modifies registry class
PID:1680

C:\Windows\SysWOW64\Nqbcnk32.exe
C:\Windows\system32\Nqbcnk32.exe
241⤵
PID:1224

C:\Windows\SysWOW64\Nbcoecji.exe
C:\Windows\system32\Nbcoecji.exe
242⤵
- Drops file in System32 directory
PID:1824

C:\Windows\SysWOW64\Nfokfb32.exe
C:\Windows\system32\Nfokfb32.exe
243⤵
PID:240

C:\Windows\SysWOW64\Nimgbm32.exe
C:\Windows\system32\Nimgbm32.exe
244⤵
PID:1060

C:\Windows\SysWOW64\Nkldni32.exe
C:\Windows\system32\Nkldni32.exe
245⤵
PID:544

C:\Windows\SysWOW64\Ncclof32.exe
C:\Windows\system32\Ncclof32.exe
246⤵
PID:1792

C:\Windows\SysWOW64\Nedhgn32.exe
C:\Windows\system32\Nedhgn32.exe
247⤵
PID:1632

C:\Windows\SysWOW64\Nmkphl32.exe
C:\Windows\system32\Nmkphl32.exe
248⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:968

C:\Windows\SysWOW64\Noildg32.exe
C:\Windows\system32\Noildg32.exe
249⤵
PID:1336

C:\Windows\SysWOW64\Nbhipb32.exe
C:\Windows\system32\Nbhipb32.exe
250⤵
- Drops file in System32 directory
- Modifies registry class
PID:556

C:\Windows\SysWOW64\Nfcdaaom.exe
C:\Windows\system32\Nfcdaaom.exe
251⤵
- Drops file in System32 directory
PID:848

C:\Windows\SysWOW64\Nibammna.exe
C:\Windows\system32\Nibammna.exe
252⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524

C:\Windows\SysWOW64\Nplijg32.exe
C:\Windows\system32\Nplijg32.exe
253⤵
PID:1056

C:\Windows\SysWOW64\Nbjefb32.exe
C:\Windows\system32\Nbjefb32.exe
254⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1372

C:\Windows\SysWOW64\Nggnnibi.exe
C:\Windows\system32\Nggnnibi.exe
255⤵
PID:1396

C:\Windows\SysWOW64\Onafkc32.exe
C:\Windows\system32\Onafkc32.exe
256⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1972

C:\Windows\SysWOW64\Obmbkbbo.exe
C:\Windows\system32\Obmbkbbo.exe
257⤵
PID:296

C:\Windows\SysWOW64\Oekngmab.exe
C:\Windows\system32\Oekngmab.exe
258⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1520

C:\Windows\SysWOW64\Ogikciqf.exe
C:\Windows\system32\Ogikciqf.exe
259⤵
- Drops file in System32 directory
PID:1320

C:\Windows\SysWOW64\Ojhgpdpj.exe
C:\Windows\system32\Ojhgpdpj.exe
260⤵
- Modifies registry class
PID:860

C:\Windows\SysWOW64\Onccpc32.exe
C:\Windows\system32\Onccpc32.exe
261⤵
PID:2044

C:\Windows\SysWOW64\Oaboln32.exe
C:\Windows\system32\Oaboln32.exe
262⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028

C:\Windows\SysWOW64\Ojjced32.exe
C:\Windows\system32\Ojjced32.exe
263⤵
PID:820

C:\Windows\SysWOW64\Omipao32.exe
C:\Windows\system32\Omipao32.exe
264⤵
PID:1648

C:\Windows\SysWOW64\Opglnk32.exe
C:\Windows\system32\Opglnk32.exe
265⤵
PID:1736

C:\Windows\SysWOW64\Ocbhnidg.exe
C:\Windows\system32\Ocbhnidg.exe
266⤵
PID:1216

C:\Windows\SysWOW64\Ofadjeck.exe
C:\Windows\system32\Ofadjeck.exe
267⤵
PID:1764

C:\Windows\SysWOW64\Omklgo32.exe
C:\Windows\system32\Omklgo32.exe
268⤵
PID:1988

C:\Windows\SysWOW64\Oafhgnca.exe
C:\Windows\system32\Oafhgnca.exe
269⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1500

C:\Windows\SysWOW64\Oceedibe.exe
C:\Windows\system32\Oceedibe.exe
270⤵
PID:1744

C:\Windows\SysWOW64\Oiamlp32.exe
C:\Windows\system32\Oiamlp32.exe
271⤵
- Drops file in System32 directory
PID:1384

C:\Windows\SysWOW64\Olpihk32.exe
C:\Windows\system32\Olpihk32.exe
272⤵
PID:1112

C:\Windows\SysWOW64\Odgaii32.exe
C:\Windows\system32\Odgaii32.exe
273⤵
PID:1144

C:\Windows\SysWOW64\Pehnaafq.exe
C:\Windows\system32\Pehnaafq.exe
274⤵
PID:908

C:\Windows\SysWOW64\Pmpfbnfc.exe
C:\Windows\system32\Pmpfbnfc.exe
275⤵
PID:952

C:\Windows\SysWOW64\Ppnbnjff.exe
C:\Windows\system32\Ppnbnjff.exe
276⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1204

C:\Windows\SysWOW64\Pblnjeej.exe
C:\Windows\system32\Pblnjeej.exe
277⤵
PID:896

C:\Windows\SysWOW64\Pfhjkd32.exe
C:\Windows\system32\Pfhjkd32.exe
278⤵
PID:1756

C:\Windows\SysWOW64\Piffgolg.exe
C:\Windows\system32\Piffgolg.exe
279⤵
PID:584

C:\Windows\SysWOW64\Plecckkk.exe
C:\Windows\system32\Plecckkk.exe
280⤵
PID:1640

C:\Windows\SysWOW64\Pocoofjn.exe
C:\Windows\system32\Pocoofjn.exe
281⤵
- Drops file in System32 directory
PID:1260

C:\Windows\SysWOW64\Pbokpe32.exe
C:\Windows\system32\Pbokpe32.exe
282⤵
PID:976

C:\Windows\SysWOW64\Pemglp32.exe
C:\Windows\system32\Pemglp32.exe
283⤵
PID:516

C:\Windows\SysWOW64\Phlchl32.exe
C:\Windows\system32\Phlchl32.exe
284⤵
- Modifies registry class
PID:672

C:\Windows\SysWOW64\Pkjpdg32.exe
C:\Windows\system32\Pkjpdg32.exe
285⤵
- Drops file in System32 directory
PID:2012

C:\Windows\SysWOW64\Pbahed32.exe
C:\Windows\system32\Pbahed32.exe
286⤵
- Drops file in System32 directory
PID:1780

C:\Windows\SysWOW64\Padhaago.exe
C:\Windows\system32\Padhaago.exe
287⤵
PID:1968

C:\Windows\SysWOW64\Pdbdmmfc.exe
C:\Windows\system32\Pdbdmmfc.exe
288⤵
PID:272

C:\Windows\SysWOW64\Phnpnkol.exe
C:\Windows\system32\Phnpnkol.exe
289⤵
PID:568

C:\Windows\SysWOW64\Pklmjgnp.exe
C:\Windows\system32\Pklmjgnp.exe
290⤵
- Modifies registry class
PID:1688

C:\Windows\SysWOW64\Pohhje32.exe
C:\Windows\system32\Pohhje32.exe
291⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:996

C:\Windows\SysWOW64\Pafefa32.exe
C:\Windows\system32\Pafefa32.exe
292⤵
PID:1240

C:\Windows\SysWOW64\Pebqgpnf.exe
C:\Windows\system32\Pebqgpnf.exe
293⤵
PID:636

C:\Windows\SysWOW64\Pdeabl32.exe
C:\Windows\system32\Pdeabl32.exe
294⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700

C:\Windows\SysWOW64\Pgcmoh32.exe
C:\Windows\system32\Pgcmoh32.exe
295⤵
PID:2056

C:\Windows\SysWOW64\Qmmelbka.exe
C:\Windows\system32\Qmmelbka.exe
296⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2064

C:\Windows\SysWOW64\Qaialq32.exe
C:\Windows\system32\Qaialq32.exe
297⤵
PID:2072

C:\Windows\SysWOW64\Qhbjikkg.exe
C:\Windows\system32\Qhbjikkg.exe
298⤵
PID:2080

C:\Windows\SysWOW64\Qkafef32.exe
C:\Windows\system32\Qkafef32.exe
299⤵
PID:2088

C:\Windows\SysWOW64\Qmpbaa32.exe
C:\Windows\system32\Qmpbaa32.exe
300⤵
PID:2096

C:\Windows\SysWOW64\Qdijnlqk.exe
C:\Windows\system32\Qdijnlqk.exe
301⤵
PID:2104

C:\Windows\SysWOW64\Qclkih32.exe
C:\Windows\system32\Qclkih32.exe
302⤵
- Drops file in System32 directory
PID:2112

C:\Windows\SysWOW64\Qkcbjf32.exe
C:\Windows\system32\Qkcbjf32.exe
303⤵
PID:2120

C:\Windows\SysWOW64\Aifcfbob.exe
C:\Windows\system32\Aifcfbob.exe
304⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2128

C:\Windows\SysWOW64\Aldobnnf.exe
C:\Windows\system32\Aldobnnf.exe
305⤵
PID:2136

C:\Windows\SysWOW64\Adlgckoh.exe
C:\Windows\system32\Adlgckoh.exe
306⤵
PID:2144

C:\Windows\SysWOW64\Agjcpgnl.exe
C:\Windows\system32\Agjcpgnl.exe
307⤵
PID:2152

C:\Windows\SysWOW64\Aihplbmp.exe
C:\Windows\system32\Aihplbmp.exe
308⤵
PID:2160

C:\Windows\SysWOW64\Amdllaei.exe
C:\Windows\system32\Amdllaei.exe
309⤵
PID:2168

C:\Windows\SysWOW64\Apbhhldm.exe
C:\Windows\system32\Apbhhldm.exe
310⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176

C:\Windows\SysWOW64\Acaddhcp.exe
C:\Windows\system32\Acaddhcp.exe
311⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2184

C:\Windows\SysWOW64\Aiklab32.exe
C:\Windows\system32\Aiklab32.exe
312⤵
- Drops file in System32 directory
PID:2192

C:\Windows\SysWOW64\Ahnmmoah.exe
C:\Windows\system32\Ahnmmoah.exe
313⤵
PID:2200

C:\Windows\SysWOW64\Aoheii32.exe
C:\Windows\system32\Aoheii32.exe
314⤵
PID:2208

C:\Windows\SysWOW64\Aafaed32.exe
C:\Windows\system32\Aafaed32.exe
315⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2216

C:\Windows\SysWOW64\Allecmhn.exe
C:\Windows\system32\Allecmhn.exe
316⤵
PID:2224

C:\Windows\SysWOW64\Akoenj32.exe
C:\Windows\system32\Akoenj32.exe
317⤵
PID:2284

C:\Windows\SysWOW64\Acempg32.exe
C:\Windows\system32\Acempg32.exe
318⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2312

C:\Windows\SysWOW64\Aedjlb32.exe
C:\Windows\system32\Aedjlb32.exe
319⤵
PID:2332

C:\Windows\SysWOW64\Adgjgoei.exe
C:\Windows\system32\Adgjgoei.exe
320⤵
PID:2348

C:\Windows\SysWOW64\Alnbhmfk.exe
C:\Windows\system32\Alnbhmfk.exe
321⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2364

C:\Windows\SysWOW64\Anonpe32.exe
C:\Windows\system32\Anonpe32.exe
322⤵
- Modifies registry class
PID:2400

C:\Windows\SysWOW64\Dklnoked.exe
C:\Windows\system32\Dklnoked.exe
323⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2416

C:\Windows\SysWOW64\Bgmombei.exe
C:\Windows\system32\Bgmombei.exe
324⤵
PID:2444

C:\Windows\SysWOW64\Bikkinem.exe
C:\Windows\system32\Bikkinem.exe
325⤵
PID:2456

C:\Windows\SysWOW64\Babcjk32.exe
C:\Windows\system32\Babcjk32.exe
326⤵
- Drops file in System32 directory
PID:2472

C:\Windows\SysWOW64\Bdqofg32.exe
C:\Windows\system32\Bdqofg32.exe
327⤵
PID:2488

C:\Windows\SysWOW64\Bccobckm.exe
C:\Windows\system32\Bccobckm.exe
328⤵
- Drops file in System32 directory
PID:2932

C:\Windows\SysWOW64\Bkkgcqlp.exe
C:\Windows\system32\Bkkgcqlp.exe
329⤵
PID:2940

C:\Windows\SysWOW64\Blldki32.exe
C:\Windows\system32\Blldki32.exe
330⤵
PID:2948

C:\Windows\SysWOW64\Bdcllf32.exe
C:\Windows\system32\Bdcllf32.exe
331⤵
PID:2956

C:\Windows\SysWOW64\Bcflgcij.exe
C:\Windows\system32\Bcflgcij.exe
332⤵
PID:2496

C:\Windows\SysWOW64\Cedhcohn.exe
C:\Windows\system32\Cedhcohn.exe
333⤵
- Drops file in System32 directory
PID:2512

C:\Windows\SysWOW64\Cipddm32.exe
C:\Windows\system32\Cipddm32.exe
334⤵
PID:2520

C:\Windows\SysWOW64\Cnkpdl32.exe
C:\Windows\system32\Cnkpdl32.exe
335⤵
PID:2528

C:\Windows\SysWOW64\Cpjlqg32.exe
C:\Windows\system32\Cpjlqg32.exe
336⤵
PID:2536

C:\Windows\SysWOW64\Commldoo.exe
C:\Windows\system32\Commldoo.exe
337⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544

C:\Windows\SysWOW64\Cefein32.exe
C:\Windows\system32\Cefein32.exe
338⤵
PID:2552

C:\Windows\SysWOW64\Clqmfhnh.exe
C:\Windows\system32\Clqmfhnh.exe
339⤵
PID:2560

C:\Windows\SysWOW64\Cplifg32.exe
C:\Windows\system32\Cplifg32.exe
340⤵
PID:2568

C:\Windows\SysWOW64\Ccjebb32.exe
C:\Windows\system32\Ccjebb32.exe
341⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2576

C:\Windows\SysWOW64\Ceiaon32.exe
C:\Windows\system32\Ceiaon32.exe
342⤵
PID:2584

C:\Windows\SysWOW64\Chgnki32.exe
C:\Windows\system32\Chgnki32.exe
343⤵
PID:2592

C:\Windows\SysWOW64\Ckfjge32.exe
C:\Windows\system32\Ckfjge32.exe
344⤵
PID:2600

C:\Windows\SysWOW64\Capbco32.exe
C:\Windows\system32\Capbco32.exe
345⤵
- Drops file in System32 directory
PID:2608

C:\Windows\SysWOW64\Cfkndnbf.exe
C:\Windows\system32\Cfkndnbf.exe
346⤵
- Drops file in System32 directory
PID:2616

C:\Windows\SysWOW64\Eojeme32.exe
C:\Windows\system32\Eojeme32.exe
347⤵
PID:2624

C:\Windows\SysWOW64\Eegnel32.exe
C:\Windows\system32\Eegnel32.exe
348⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2640

C:\Windows\SysWOW64\Egfjah32.exe
C:\Windows\system32\Egfjah32.exe
349⤵
PID:2656

C:\Windows\SysWOW64\Enpbnbjb.exe
C:\Windows\system32\Enpbnbjb.exe
350⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664

C:\Windows\SysWOW64\Eclkfi32.exe
C:\Windows\system32\Eclkfi32.exe
351⤵
PID:2672

C:\Windows\SysWOW64\Enboca32.exe
C:\Windows\system32\Enboca32.exe
352⤵
- Drops file in System32 directory
PID:2688

C:\Windows\SysWOW64\Eelgplol.exe
C:\Windows\system32\Eelgplol.exe
353⤵
- Drops file in System32 directory
PID:2696

C:\Windows\SysWOW64\Fcogkh32.exe
C:\Windows\system32\Fcogkh32.exe
354⤵
PID:2704

C:\Windows\SysWOW64\Fgjclgop.exe
C:\Windows\system32\Fgjclgop.exe
355⤵
- Drops file in System32 directory
PID:2720

C:\Windows\SysWOW64\Fndlia32.exe
C:\Windows\system32\Fndlia32.exe
356⤵
PID:2732

C:\Windows\SysWOW64\Fachem32.exe
C:\Windows\system32\Fachem32.exe
357⤵
PID:2736

C:\Windows\SysWOW64\Fpehqilk.exe
C:\Windows\system32\Fpehqilk.exe
358⤵
PID:2744

C:\Windows\SysWOW64\Fgmpag32.exe
C:\Windows\system32\Fgmpag32.exe
359⤵
- Drops file in System32 directory
PID:2752

C:\Windows\SysWOW64\Ffppmcch.exe
C:\Windows\system32\Ffppmcch.exe
360⤵
- Modifies registry class
PID:2760

C:\Windows\SysWOW64\Fmihjn32.exe
C:\Windows\system32\Fmihjn32.exe
361⤵
- Drops file in System32 directory
- Modifies registry class
PID:2768

C:\Windows\SysWOW64\Gobkbe32.exe
C:\Windows\system32\Gobkbe32.exe
362⤵
PID:2784

C:\Windows\SysWOW64\Gbmgcccd.exe
C:\Windows\system32\Gbmgcccd.exe
363⤵
PID:2792

C:\Windows\SysWOW64\Gelcoobh.exe
C:\Windows\system32\Gelcoobh.exe
364⤵
PID:1908

C:\Windows\SysWOW64\Gigopnja.exe
C:\Windows\system32\Gigopnja.exe
365⤵
- Drops file in System32 directory
- Modifies registry class
PID:2812

C:\Windows\SysWOW64\Glflliid.exe
C:\Windows\system32\Glflliid.exe
366⤵
- Modifies registry class
PID:2820

C:\Windows\SysWOW64\Gkhlgf32.exe
C:\Windows\system32\Gkhlgf32.exe
367⤵
PID:2828

C:\Windows\SysWOW64\Gbpdhc32.exe
C:\Windows\system32\Gbpdhc32.exe
368⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844

C:\Windows\SysWOW64\Gabddphl.exe
C:\Windows\system32\Gabddphl.exe
369⤵
PID:2852

C:\Windows\SysWOW64\Genpdo32.exe
C:\Windows\system32\Genpdo32.exe
370⤵
PID:2860

C:\Windows\SysWOW64\Ghmlqj32.exe
C:\Windows\system32\Ghmlqj32.exe
371⤵
PID:984

C:\Windows\SysWOW64\Hgklhelf.exe
C:\Windows\system32\Hgklhelf.exe
372⤵
PID:900

C:\Windows\SysWOW64\Hiihdq32.exe
C:\Windows\system32\Hiihdq32.exe
373⤵
PID:1676

C:\Windows\SysWOW64\Hhlipmad.exe
C:\Windows\system32\Hhlipmad.exe
374⤵
PID:2500

C:\Windows\SysWOW64\Hofalg32.exe
C:\Windows\system32\Hofalg32.exe
375⤵
PID:2884

C:\Windows\SysWOW64\Hepiiaqn.exe
C:\Windows\system32\Hepiiaqn.exe
376⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3080

C:\Windows\SysWOW64\Hilejp32.exe
C:\Windows\system32\Hilejp32.exe
377⤵
PID:3088

C:\Windows\SysWOW64\Hljafl32.exe
C:\Windows\system32\Hljafl32.exe
378⤵
PID:3096

C:\Windows\SysWOW64\Hoinbg32.exe
C:\Windows\system32\Hoinbg32.exe
379⤵
PID:3104

C:\Windows\SysWOW64\Hcdibfog.exe
C:\Windows\system32\Hcdibfog.exe
380⤵
PID:3112

C:\Windows\SysWOW64\Jcfbgi32.exe
C:\Windows\system32\Jcfbgi32.exe
381⤵
- Modifies registry class
PID:3120

C:\Windows\SysWOW64\Jjpkccgm.exe
C:\Windows\system32\Jjpkccgm.exe
382⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3600

C:\Windows\SysWOW64\Ehobcdgd.exe
C:\Windows\system32\Ehobcdgd.exe
383⤵
- Modifies registry class
PID:3608

C:\Windows\SysWOW64\Ecmmoapn.exe
C:\Windows\system32\Ecmmoapn.exe
384⤵
PID:3616

C:\Windows\SysWOW64\Fqcjnemd.exe
C:\Windows\system32\Fqcjnemd.exe
385⤵
PID:3624

C:\Windows\SysWOW64\Fcafjq32.exe
C:\Windows\system32\Fcafjq32.exe
386⤵
- Drops file in System32 directory
PID:3632

C:\Windows\SysWOW64\Fjnkljab.exe
C:\Windows\system32\Fjnkljab.exe
387⤵
PID:3640

C:\Windows\SysWOW64\Fmlghfpf.exe
C:\Windows\system32\Fmlghfpf.exe
388⤵
PID:3648

C:\Windows\SysWOW64\Fokddaoj.exe
C:\Windows\system32\Fokddaoj.exe
389⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3656

C:\Windows\SysWOW64\Gaqjgiab.exe
C:\Windows\system32\Gaqjgiab.exe
390⤵
- Modifies registry class
PID:3664

C:\Windows\SysWOW64\Geaocg32.exe
C:\Windows\system32\Geaocg32.exe
391⤵
- Drops file in System32 directory
PID:3672

C:\Windows\SysWOW64\Gfbljoke.exe
C:\Windows\system32\Gfbljoke.exe
392⤵
- Drops file in System32 directory
PID:3680

C:\Windows\SysWOW64\Gmldgi32.exe
C:\Windows\system32\Gmldgi32.exe
393⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3688

C:\Windows\SysWOW64\Gpjpce32.exe
C:\Windows\system32\Gpjpce32.exe
394⤵
PID:3696

C:\Windows\SysWOW64\Hmqmbiol.exe
C:\Windows\system32\Hmqmbiol.exe
395⤵
PID:3704

C:\Windows\SysWOW64\Iokmpp32.exe
C:\Windows\system32\Iokmpp32.exe
396⤵
PID:3712

C:\Windows\SysWOW64\Imeclk32.exe
C:\Windows\system32\Imeclk32.exe
397⤵
PID:3720

C:\Windows\SysWOW64\Jgpdkq32.exe
C:\Windows\system32\Jgpdkq32.exe
398⤵
PID:3728

C:\Windows\SysWOW64\Jnjlgkim.exe
C:\Windows\system32\Jnjlgkim.exe
399⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3736

C:\Windows\SysWOW64\Jcgepagd.exe
C:\Windows\system32\Jcgepagd.exe
400⤵
PID:3748

C:\Windows\SysWOW64\Jgbapp32.exe
C:\Windows\system32\Jgbapp32.exe
401⤵
PID:3764

C:\Windows\SysWOW64\Jhcmhhel.exe
C:\Windows\system32\Jhcmhhel.exe
402⤵
- Drops file in System32 directory
PID:3808

C:\Windows\SysWOW64\Jdmkbiim.exe
C:\Windows\system32\Jdmkbiim.exe
403⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3816

C:\Windows\SysWOW64\Lmflhi32.exe
C:\Windows\system32\Lmflhi32.exe
404⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3824

C:\Windows\SysWOW64\Lgbinged.exe
C:\Windows\system32\Lgbinged.exe
405⤵
- Modifies registry class
PID:3832

C:\Windows\SysWOW64\Lgdfdf32.exe
C:\Windows\system32\Lgdfdf32.exe
406⤵
PID:3840

C:\Windows\SysWOW64\Lamjmlib.exe
C:\Windows\system32\Lamjmlib.exe
407⤵
PID:3848

C:\Windows\SysWOW64\Ljeoea32.exe
C:\Windows\system32\Ljeoea32.exe
408⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3856

C:\Windows\SysWOW64\Maogblgp.exe
C:\Windows\system32\Maogblgp.exe
409⤵
PID:3864

C:\Windows\SysWOW64\Mcmcng32.exe
C:\Windows\system32\Mcmcng32.exe
410⤵
PID:3872

C:\Windows\SysWOW64\Mjglkanp.exe
C:\Windows\system32\Mjglkanp.exe
411⤵
PID:3880

C:\Windows\SysWOW64\Maadhk32.exe
C:\Windows\system32\Maadhk32.exe
412⤵
PID:2908

C:\Windows\SysWOW64\Nahfgn32.exe
C:\Windows\system32\Nahfgn32.exe
413⤵
PID:2916

C:\Windows\SysWOW64\Obicofgo.exe
C:\Windows\system32\Obicofgo.exe
414⤵
- Drops file in System32 directory
PID:2964

C:\Windows\SysWOW64\Oicklp32.exe
C:\Windows\system32\Oicklp32.exe
415⤵
PID:2924

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dagdep32.exe
Filesize
50KB

MD5
2728838601b1de3cdcc224daf4ad64d0

SHA1
4e3ccbed9b2aa38d448166929a7587e8447a332c

SHA256
3c30f3ac9acaf558768d0bcab9c24e521014b0c0f16c49e70fe2021b1abcca9c

SHA512
0e979c678b80302c39749ac259ebdfe45ea61ac34d464d0259560c6a82e23d2f432230e8268e348ad8237ecd3965cfe5d044cbdb6d389ea0f670f859faac6914

Download Submit
C:\Windows\SysWOW64\Dagdep32.exe
Filesize
50KB

MD5
2728838601b1de3cdcc224daf4ad64d0

SHA1
4e3ccbed9b2aa38d448166929a7587e8447a332c

SHA256
3c30f3ac9acaf558768d0bcab9c24e521014b0c0f16c49e70fe2021b1abcca9c

SHA512
0e979c678b80302c39749ac259ebdfe45ea61ac34d464d0259560c6a82e23d2f432230e8268e348ad8237ecd3965cfe5d044cbdb6d389ea0f670f859faac6914

Download Submit
C:\Windows\SysWOW64\Daiakpca.exe
Filesize
50KB

MD5
ecd7cb4d916d5b89e292f5a5050cec89

SHA1
fd46f644728d2ab8de57320256e343f9766d0c24

SHA256
bc949d3dbc4c1d2523c79f491ef71b36abb22b3250aacf7ed7cf1798152b1d69

SHA512
6aa1b8e2dda211b523af3043a8a2f36cff9e520065bf8b7e181b7e9167fd81f379c2ddb670d93aa0fa683b5edb9c27471efcfc229094db9d025f1ec4f2fe5e79

Download Submit
C:\Windows\SysWOW64\Daiakpca.exe
Filesize
50KB

MD5
ecd7cb4d916d5b89e292f5a5050cec89

SHA1
fd46f644728d2ab8de57320256e343f9766d0c24

SHA256
bc949d3dbc4c1d2523c79f491ef71b36abb22b3250aacf7ed7cf1798152b1d69

SHA512
6aa1b8e2dda211b523af3043a8a2f36cff9e520065bf8b7e181b7e9167fd81f379c2ddb670d93aa0fa683b5edb9c27471efcfc229094db9d025f1ec4f2fe5e79

Download Submit
C:\Windows\SysWOW64\Dbjmch32.exe
Filesize
50KB

MD5
a928a048d88868f6811bfced13536deb

SHA1
cd4a2fc1aa8a787b55c53ed5604a9662ae3d284a

SHA256
308d1e11858a026656b90f10444c47f424426db8146de2b8a1f18ff511afdef9

SHA512
da647266cabb3496f151a5d93165f1b8e43c6802e439a66f7ef41285a87bb8b2e9c1de9c979d765025a0e85450f346b3516c491b631a7dc4a167c7e6545b2b74

Download Submit
C:\Windows\SysWOW64\Dbjmch32.exe
Filesize
50KB

MD5
a928a048d88868f6811bfced13536deb

SHA1
cd4a2fc1aa8a787b55c53ed5604a9662ae3d284a

SHA256
308d1e11858a026656b90f10444c47f424426db8146de2b8a1f18ff511afdef9

SHA512
da647266cabb3496f151a5d93165f1b8e43c6802e439a66f7ef41285a87bb8b2e9c1de9c979d765025a0e85450f346b3516c491b631a7dc4a167c7e6545b2b74

Download Submit
C:\Windows\SysWOW64\Dhlcgkaf.exe
Filesize
50KB

MD5
29a31511ebc31cf3aa1655fd99be5167

SHA1
1ca5d613b6a04514d789fb9ba108ac8f342122d2

SHA256
dcc25af9fd533bd3d9dc19396b8974beb65c95ec7e27d3fa9daeea60b117d7cf

SHA512
ec1638f65cee373ffcff7dda5ec8fe16470b742d4d727b579544110694891be4169223d6b31c39e3af79bf0e7cb51098335e86e92047184f7d3d74ca0eef5e41

Download Submit
C:\Windows\SysWOW64\Dhlcgkaf.exe
Filesize
50KB

MD5
29a31511ebc31cf3aa1655fd99be5167

SHA1
1ca5d613b6a04514d789fb9ba108ac8f342122d2

SHA256
dcc25af9fd533bd3d9dc19396b8974beb65c95ec7e27d3fa9daeea60b117d7cf

SHA512
ec1638f65cee373ffcff7dda5ec8fe16470b742d4d727b579544110694891be4169223d6b31c39e3af79bf0e7cb51098335e86e92047184f7d3d74ca0eef5e41

Download Submit
C:\Windows\SysWOW64\Eafpdchp.exe
Filesize
50KB

MD5
762c177150a1f24f0325b97846c7f39f

SHA1
71864d1cf9d5052080a9f8d0bf087a97b12965ef

SHA256
ff5f6d9dfc3deff5beb0a6b9a47af3006c5c6b56b2258f661c5e09e96b5bca41

SHA512
0ba29113c918bf4fdd692d32352dcb690966037b3fae91faaab2a5fd06466882b6ca2554cfea9f489490fb889c34545b99f3962ecf6009b14a7dd508db1d3a69

Download Submit
C:\Windows\SysWOW64\Eafpdchp.exe
Filesize
50KB

MD5
762c177150a1f24f0325b97846c7f39f

SHA1
71864d1cf9d5052080a9f8d0bf087a97b12965ef

SHA256
ff5f6d9dfc3deff5beb0a6b9a47af3006c5c6b56b2258f661c5e09e96b5bca41

SHA512
0ba29113c918bf4fdd692d32352dcb690966037b3fae91faaab2a5fd06466882b6ca2554cfea9f489490fb889c34545b99f3962ecf6009b14a7dd508db1d3a69

Download Submit
C:\Windows\SysWOW64\Efhfifpf.exe
Filesize
50KB

MD5
05297cb54283cb01ddcb80a599d5c42f

SHA1
f9fead77c754d7ee316b266ade22d31130099ac4

SHA256
f1deb4c4ccf324f428c355c8df6df9eb299f056ecdd4747268e00c7b7cbf9430

SHA512
0d18658a2120562aade67795b803a952a8bc9e1952cc958417fe1902aead21e2ac719dbec1dacaac94a8646367f4c491fbf023512140a3614ebf3dc6a09bb79c

Download Submit
C:\Windows\SysWOW64\Efhfifpf.exe
Filesize
50KB

MD5
05297cb54283cb01ddcb80a599d5c42f

SHA1
f9fead77c754d7ee316b266ade22d31130099ac4

SHA256
f1deb4c4ccf324f428c355c8df6df9eb299f056ecdd4747268e00c7b7cbf9430

SHA512
0d18658a2120562aade67795b803a952a8bc9e1952cc958417fe1902aead21e2ac719dbec1dacaac94a8646367f4c491fbf023512140a3614ebf3dc6a09bb79c

Download Submit
C:\Windows\SysWOW64\Efjbof32.exe
Filesize
50KB

MD5
4147ad28f1122b61d93cf70236e834cd

SHA1
7b242f77b78cc4748c8a495d6c2705b241b24b18

SHA256
c6f3b7ede2fd216f76691dc760eb96f71d2c166461fb904ea75760dd09e42263

SHA512
f76b73f98503d058ed541273ba235c43370e0d163c72299bf940108d182ba3a8ca1fcb73296ed062afec3d7e66e89f3a25b6af2bbd83c4d48da705fdb76eeddd

Download Submit
C:\Windows\SysWOW64\Efjbof32.exe
Filesize
50KB

MD5
4147ad28f1122b61d93cf70236e834cd

SHA1
7b242f77b78cc4748c8a495d6c2705b241b24b18

SHA256
c6f3b7ede2fd216f76691dc760eb96f71d2c166461fb904ea75760dd09e42263

SHA512
f76b73f98503d058ed541273ba235c43370e0d163c72299bf940108d182ba3a8ca1fcb73296ed062afec3d7e66e89f3a25b6af2bbd83c4d48da705fdb76eeddd

Download Submit
C:\Windows\SysWOW64\Ehnlln32.exe
Filesize
50KB

MD5
2117b57c897082de98c3e1916dc9cd04

SHA1
36a3974a8192f15e2af4e3923965ca80f2413a5a

SHA256
624fc3909694f2cb0f6b1ccd89dd040a16809c195230d1d26765aa278dd86a45

SHA512
13b0baa385fcc93666ce1d8cf0b4427f6c26aea208fe2e62bf485bf1355b031ac0dc51653d70e275d3166c7dfcd498cd42cc81112836b5d8925fb41a5e960779

Download Submit
C:\Windows\SysWOW64\Ehnlln32.exe
Filesize
50KB

MD5
2117b57c897082de98c3e1916dc9cd04

SHA1
36a3974a8192f15e2af4e3923965ca80f2413a5a

SHA256
624fc3909694f2cb0f6b1ccd89dd040a16809c195230d1d26765aa278dd86a45

SHA512
13b0baa385fcc93666ce1d8cf0b4427f6c26aea208fe2e62bf485bf1355b031ac0dc51653d70e275d3166c7dfcd498cd42cc81112836b5d8925fb41a5e960779

Download Submit
C:\Windows\SysWOW64\Elbblnpp.exe
Filesize
50KB

MD5
f99b921a0fe4e072c037c0463c11b918

SHA1
e83278c8f3b57030230f86f2a8bc2c7687339303

SHA256
5c66bff9162125265edf54a47be89067e4e99a086f34992047450a263e24e8a4

SHA512
fe11940fb005699d4cc923fca344a21f8eb61b3298265a789163fb40ad109b85e0ce199d4735d7f56126309e8ade0f37902c6fe30644da891b4b022b2e717149

Download Submit
C:\Windows\SysWOW64\Elbblnpp.exe
Filesize
50KB

MD5
f99b921a0fe4e072c037c0463c11b918

SHA1
e83278c8f3b57030230f86f2a8bc2c7687339303

SHA256
5c66bff9162125265edf54a47be89067e4e99a086f34992047450a263e24e8a4

SHA512
fe11940fb005699d4cc923fca344a21f8eb61b3298265a789163fb40ad109b85e0ce199d4735d7f56126309e8ade0f37902c6fe30644da891b4b022b2e717149

Download Submit
C:\Windows\SysWOW64\Eofgch32.exe
Filesize
50KB

MD5
a3430e9d9bb116db041970f615f9ce26

SHA1
a1fef8fa21401dd22549f14737b13b5342fa0efc

SHA256
ceb507b5862a7b21f322bda2856bb4c8eb92d67448ff2b7da2b566a1f91173eb

SHA512
0dc7806376badf0043221306f7fba35a66d71b4b819d00344aab1d99402fcf248ed10bd70c9b4ab9b6b72df39f3c5146d10ff42fd00f796342e7b46b2d67b951

Download Submit
C:\Windows\SysWOW64\Eofgch32.exe
Filesize
50KB

MD5
a3430e9d9bb116db041970f615f9ce26

SHA1
a1fef8fa21401dd22549f14737b13b5342fa0efc

SHA256
ceb507b5862a7b21f322bda2856bb4c8eb92d67448ff2b7da2b566a1f91173eb

SHA512
0dc7806376badf0043221306f7fba35a66d71b4b819d00344aab1d99402fcf248ed10bd70c9b4ab9b6b72df39f3c5146d10ff42fd00f796342e7b46b2d67b951

Download Submit
C:\Windows\SysWOW64\Eojanhgi.exe
Filesize
50KB

MD5
1e2650bf7d892369beaa50142fe50d8d

SHA1
063f1727bbd21a37fef5f604eb45e51c995aa959

SHA256
b1f37f6437257e9125b22dfe93f1e5d33af714ae5de703dad60503b31c39a67e

SHA512
389151377d628559e1477cda939aba198505d1215cf9dcdf4128210e43660e37c6ddb79dfb6661fee064542975e34ae41a60dc5d37a211c0f1a7f4464eae14bb

Download Submit
C:\Windows\SysWOW64\Eojanhgi.exe
Filesize
50KB

MD5
1e2650bf7d892369beaa50142fe50d8d

SHA1
063f1727bbd21a37fef5f604eb45e51c995aa959

SHA256
b1f37f6437257e9125b22dfe93f1e5d33af714ae5de703dad60503b31c39a67e

SHA512
389151377d628559e1477cda939aba198505d1215cf9dcdf4128210e43660e37c6ddb79dfb6661fee064542975e34ae41a60dc5d37a211c0f1a7f4464eae14bb

Download Submit
C:\Windows\SysWOW64\Fakjpc32.exe
Filesize
50KB

MD5
d925ac4def89700621cba26230bcb6ff

SHA1
c01f452e6a40ec4ba8a34c374af4635a5c8fb1ed

SHA256
346531a7198dd8fe62e7c0a7ab1b453c269c6dcd6878c3c8c188980fbcb33dc6

SHA512
ceb66da81e75a11ed90749360feac27c214d969260798fe0323b5a3e21f2daae645a8b26804803d70cb32d0b297388afc4c5d207728ea0415fa3b20abb5308b6

Download Submit
C:\Windows\SysWOW64\Fakjpc32.exe
Filesize
50KB

MD5
d925ac4def89700621cba26230bcb6ff

SHA1
c01f452e6a40ec4ba8a34c374af4635a5c8fb1ed

SHA256
346531a7198dd8fe62e7c0a7ab1b453c269c6dcd6878c3c8c188980fbcb33dc6

SHA512
ceb66da81e75a11ed90749360feac27c214d969260798fe0323b5a3e21f2daae645a8b26804803d70cb32d0b297388afc4c5d207728ea0415fa3b20abb5308b6

Download Submit
C:\Windows\SysWOW64\Fdgifoeq.exe
Filesize
50KB

MD5
060b7cb0fa541205bb89c6d04430168d

SHA1
ad64d7531e943970a0d3a3c36be06c8b742e71d2

SHA256
a109329e9f160218c9907a5cb5e40f7c305337dd0b73bfca0fed9b36c1ffc9fa

SHA512
474728c12a21923838442ba367ddc39e8a339d3ca6687ed62784d923a991599dfaf3171dcbec16166fb700fe3cef824ca013f4b52fa44b7f2f3568fdce4c51f6

Download Submit
C:\Windows\SysWOW64\Fdgifoeq.exe
Filesize
50KB

MD5
060b7cb0fa541205bb89c6d04430168d

SHA1
ad64d7531e943970a0d3a3c36be06c8b742e71d2

SHA256
a109329e9f160218c9907a5cb5e40f7c305337dd0b73bfca0fed9b36c1ffc9fa

SHA512
474728c12a21923838442ba367ddc39e8a339d3ca6687ed62784d923a991599dfaf3171dcbec16166fb700fe3cef824ca013f4b52fa44b7f2f3568fdce4c51f6

Download Submit
C:\Windows\SysWOW64\Fkcnhhkk.exe
Filesize
50KB

MD5
b757b770148219703b39d2780e3cba29

SHA1
cab7eef0a09d9f990222532b97c000c4c15ec80e

SHA256
7587f1e2741ede41443c655dea2d3e02d367e511457181cfb0a0faa218649803

SHA512
4b5921e54b23fb27456ebc046ce5b3232a722d93d69c2c42deb5debab3e21eacc55bfd0a7f507ad43685690bffa66c24ad489c27fb12c138cd6b1ca11169e8ce

Download Submit
C:\Windows\SysWOW64\Fkcnhhkk.exe
Filesize
50KB

MD5
b757b770148219703b39d2780e3cba29

SHA1
cab7eef0a09d9f990222532b97c000c4c15ec80e

SHA256
7587f1e2741ede41443c655dea2d3e02d367e511457181cfb0a0faa218649803

SHA512
4b5921e54b23fb27456ebc046ce5b3232a722d93d69c2c42deb5debab3e21eacc55bfd0a7f507ad43685690bffa66c24ad489c27fb12c138cd6b1ca11169e8ce

Download Submit
C:\Windows\SysWOW64\Fnbjddjn.exe
Filesize
50KB

MD5
0aa9680e879bc9f205418883544e9a54

SHA1
4b17930bf72d2896e4cb13cc562b7ec23f3a0a83

SHA256
44a4abc2a267ba9625ddf2079aadadb2e05d68216c579af9a4265eb36db37336

SHA512
a8b7c48e651b3750fc53fd2549cb7f5ef91b3d7eee78b3162705229908e940049ccb90394e11a291672af1c015020c534bd8a6dd6dee79c06047ecef795c9ec9

Download Submit
C:\Windows\SysWOW64\Fnbjddjn.exe
Filesize
50KB

MD5
0aa9680e879bc9f205418883544e9a54

SHA1
4b17930bf72d2896e4cb13cc562b7ec23f3a0a83

SHA256
44a4abc2a267ba9625ddf2079aadadb2e05d68216c579af9a4265eb36db37336

SHA512
a8b7c48e651b3750fc53fd2549cb7f5ef91b3d7eee78b3162705229908e940049ccb90394e11a291672af1c015020c534bd8a6dd6dee79c06047ecef795c9ec9

Download Submit
C:\Windows\SysWOW64\Fomncg32.exe
Filesize
50KB

MD5
91ede4d172e05d09ec557e6b9fd00f9d

SHA1
60e5597e9c8c4db3cb5449c98564145e1edca2b3

SHA256
be8f3f7718c493111cfc029d0426efd0fd4a73d96ed3d64ea133530971d83baa

SHA512
3b6d52662160d4d114b14acde0e7b3a4123d3c4f5e3044403a37433f496bc3dfbd6e3751cb7fc88e60564295efd3c7d4f18d218f7a487b950ffda4fa8568f3d8

Download Submit
C:\Windows\SysWOW64\Fomncg32.exe
Filesize
50KB

MD5
91ede4d172e05d09ec557e6b9fd00f9d

SHA1
60e5597e9c8c4db3cb5449c98564145e1edca2b3

SHA256
be8f3f7718c493111cfc029d0426efd0fd4a73d96ed3d64ea133530971d83baa

SHA512
3b6d52662160d4d114b14acde0e7b3a4123d3c4f5e3044403a37433f496bc3dfbd6e3751cb7fc88e60564295efd3c7d4f18d218f7a487b950ffda4fa8568f3d8

Download Submit
\Windows\SysWOW64\Dagdep32.exe
Filesize
50KB

MD5
2728838601b1de3cdcc224daf4ad64d0

SHA1
4e3ccbed9b2aa38d448166929a7587e8447a332c

SHA256
3c30f3ac9acaf558768d0bcab9c24e521014b0c0f16c49e70fe2021b1abcca9c

SHA512
0e979c678b80302c39749ac259ebdfe45ea61ac34d464d0259560c6a82e23d2f432230e8268e348ad8237ecd3965cfe5d044cbdb6d389ea0f670f859faac6914

Download Submit
\Windows\SysWOW64\Dagdep32.exe
Filesize
50KB

MD5
2728838601b1de3cdcc224daf4ad64d0

SHA1
4e3ccbed9b2aa38d448166929a7587e8447a332c

SHA256
3c30f3ac9acaf558768d0bcab9c24e521014b0c0f16c49e70fe2021b1abcca9c

SHA512
0e979c678b80302c39749ac259ebdfe45ea61ac34d464d0259560c6a82e23d2f432230e8268e348ad8237ecd3965cfe5d044cbdb6d389ea0f670f859faac6914

Download Submit
\Windows\SysWOW64\Daiakpca.exe
Filesize
50KB

MD5
ecd7cb4d916d5b89e292f5a5050cec89

SHA1
fd46f644728d2ab8de57320256e343f9766d0c24

SHA256
bc949d3dbc4c1d2523c79f491ef71b36abb22b3250aacf7ed7cf1798152b1d69

SHA512
6aa1b8e2dda211b523af3043a8a2f36cff9e520065bf8b7e181b7e9167fd81f379c2ddb670d93aa0fa683b5edb9c27471efcfc229094db9d025f1ec4f2fe5e79

Download Submit
\Windows\SysWOW64\Daiakpca.exe
Filesize
50KB

MD5
ecd7cb4d916d5b89e292f5a5050cec89

SHA1
fd46f644728d2ab8de57320256e343f9766d0c24

SHA256
bc949d3dbc4c1d2523c79f491ef71b36abb22b3250aacf7ed7cf1798152b1d69

SHA512
6aa1b8e2dda211b523af3043a8a2f36cff9e520065bf8b7e181b7e9167fd81f379c2ddb670d93aa0fa683b5edb9c27471efcfc229094db9d025f1ec4f2fe5e79

Download Submit
\Windows\SysWOW64\Dbjmch32.exe
Filesize
50KB

MD5
a928a048d88868f6811bfced13536deb

SHA1
cd4a2fc1aa8a787b55c53ed5604a9662ae3d284a

SHA256
308d1e11858a026656b90f10444c47f424426db8146de2b8a1f18ff511afdef9

SHA512
da647266cabb3496f151a5d93165f1b8e43c6802e439a66f7ef41285a87bb8b2e9c1de9c979d765025a0e85450f346b3516c491b631a7dc4a167c7e6545b2b74

Download Submit
\Windows\SysWOW64\Dbjmch32.exe
Filesize
50KB

MD5
a928a048d88868f6811bfced13536deb

SHA1
cd4a2fc1aa8a787b55c53ed5604a9662ae3d284a

SHA256
308d1e11858a026656b90f10444c47f424426db8146de2b8a1f18ff511afdef9

SHA512
da647266cabb3496f151a5d93165f1b8e43c6802e439a66f7ef41285a87bb8b2e9c1de9c979d765025a0e85450f346b3516c491b631a7dc4a167c7e6545b2b74

Download Submit
\Windows\SysWOW64\Dhlcgkaf.exe
Filesize
50KB

MD5
29a31511ebc31cf3aa1655fd99be5167

SHA1
1ca5d613b6a04514d789fb9ba108ac8f342122d2

SHA256
dcc25af9fd533bd3d9dc19396b8974beb65c95ec7e27d3fa9daeea60b117d7cf

SHA512
ec1638f65cee373ffcff7dda5ec8fe16470b742d4d727b579544110694891be4169223d6b31c39e3af79bf0e7cb51098335e86e92047184f7d3d74ca0eef5e41

Download Submit
\Windows\SysWOW64\Dhlcgkaf.exe
Filesize
50KB

MD5
29a31511ebc31cf3aa1655fd99be5167

SHA1
1ca5d613b6a04514d789fb9ba108ac8f342122d2

SHA256
dcc25af9fd533bd3d9dc19396b8974beb65c95ec7e27d3fa9daeea60b117d7cf

SHA512
ec1638f65cee373ffcff7dda5ec8fe16470b742d4d727b579544110694891be4169223d6b31c39e3af79bf0e7cb51098335e86e92047184f7d3d74ca0eef5e41

Download Submit
\Windows\SysWOW64\Eafpdchp.exe
Filesize
50KB

MD5
762c177150a1f24f0325b97846c7f39f

SHA1
71864d1cf9d5052080a9f8d0bf087a97b12965ef

SHA256
ff5f6d9dfc3deff5beb0a6b9a47af3006c5c6b56b2258f661c5e09e96b5bca41

SHA512
0ba29113c918bf4fdd692d32352dcb690966037b3fae91faaab2a5fd06466882b6ca2554cfea9f489490fb889c34545b99f3962ecf6009b14a7dd508db1d3a69

Download Submit
\Windows\SysWOW64\Eafpdchp.exe
Filesize
50KB

MD5
762c177150a1f24f0325b97846c7f39f

SHA1
71864d1cf9d5052080a9f8d0bf087a97b12965ef

SHA256
ff5f6d9dfc3deff5beb0a6b9a47af3006c5c6b56b2258f661c5e09e96b5bca41

SHA512
0ba29113c918bf4fdd692d32352dcb690966037b3fae91faaab2a5fd06466882b6ca2554cfea9f489490fb889c34545b99f3962ecf6009b14a7dd508db1d3a69

Download Submit
\Windows\SysWOW64\Efhfifpf.exe
Filesize
50KB

MD5
05297cb54283cb01ddcb80a599d5c42f

SHA1
f9fead77c754d7ee316b266ade22d31130099ac4

SHA256
f1deb4c4ccf324f428c355c8df6df9eb299f056ecdd4747268e00c7b7cbf9430

SHA512
0d18658a2120562aade67795b803a952a8bc9e1952cc958417fe1902aead21e2ac719dbec1dacaac94a8646367f4c491fbf023512140a3614ebf3dc6a09bb79c

Download Submit
\Windows\SysWOW64\Efhfifpf.exe
Filesize
50KB

MD5
05297cb54283cb01ddcb80a599d5c42f

SHA1
f9fead77c754d7ee316b266ade22d31130099ac4

SHA256
f1deb4c4ccf324f428c355c8df6df9eb299f056ecdd4747268e00c7b7cbf9430

SHA512
0d18658a2120562aade67795b803a952a8bc9e1952cc958417fe1902aead21e2ac719dbec1dacaac94a8646367f4c491fbf023512140a3614ebf3dc6a09bb79c

Download Submit
\Windows\SysWOW64\Efjbof32.exe
Filesize
50KB

MD5
4147ad28f1122b61d93cf70236e834cd

SHA1
7b242f77b78cc4748c8a495d6c2705b241b24b18

SHA256
c6f3b7ede2fd216f76691dc760eb96f71d2c166461fb904ea75760dd09e42263

SHA512
f76b73f98503d058ed541273ba235c43370e0d163c72299bf940108d182ba3a8ca1fcb73296ed062afec3d7e66e89f3a25b6af2bbd83c4d48da705fdb76eeddd

Download Submit
\Windows\SysWOW64\Efjbof32.exe
Filesize
50KB

MD5
4147ad28f1122b61d93cf70236e834cd

SHA1
7b242f77b78cc4748c8a495d6c2705b241b24b18

SHA256
c6f3b7ede2fd216f76691dc760eb96f71d2c166461fb904ea75760dd09e42263

SHA512
f76b73f98503d058ed541273ba235c43370e0d163c72299bf940108d182ba3a8ca1fcb73296ed062afec3d7e66e89f3a25b6af2bbd83c4d48da705fdb76eeddd

Download Submit
\Windows\SysWOW64\Ehnlln32.exe
Filesize
50KB

MD5
2117b57c897082de98c3e1916dc9cd04

SHA1
36a3974a8192f15e2af4e3923965ca80f2413a5a

SHA256
624fc3909694f2cb0f6b1ccd89dd040a16809c195230d1d26765aa278dd86a45

SHA512
13b0baa385fcc93666ce1d8cf0b4427f6c26aea208fe2e62bf485bf1355b031ac0dc51653d70e275d3166c7dfcd498cd42cc81112836b5d8925fb41a5e960779

Download Submit
\Windows\SysWOW64\Ehnlln32.exe
Filesize
50KB

MD5
2117b57c897082de98c3e1916dc9cd04

SHA1
36a3974a8192f15e2af4e3923965ca80f2413a5a

SHA256
624fc3909694f2cb0f6b1ccd89dd040a16809c195230d1d26765aa278dd86a45

SHA512
13b0baa385fcc93666ce1d8cf0b4427f6c26aea208fe2e62bf485bf1355b031ac0dc51653d70e275d3166c7dfcd498cd42cc81112836b5d8925fb41a5e960779

Download Submit
\Windows\SysWOW64\Elbblnpp.exe
Filesize
50KB

MD5
f99b921a0fe4e072c037c0463c11b918

SHA1
e83278c8f3b57030230f86f2a8bc2c7687339303

SHA256
5c66bff9162125265edf54a47be89067e4e99a086f34992047450a263e24e8a4

SHA512
fe11940fb005699d4cc923fca344a21f8eb61b3298265a789163fb40ad109b85e0ce199d4735d7f56126309e8ade0f37902c6fe30644da891b4b022b2e717149

Download Submit
\Windows\SysWOW64\Elbblnpp.exe
Filesize
50KB

MD5
f99b921a0fe4e072c037c0463c11b918

SHA1
e83278c8f3b57030230f86f2a8bc2c7687339303

SHA256
5c66bff9162125265edf54a47be89067e4e99a086f34992047450a263e24e8a4

SHA512
fe11940fb005699d4cc923fca344a21f8eb61b3298265a789163fb40ad109b85e0ce199d4735d7f56126309e8ade0f37902c6fe30644da891b4b022b2e717149

Download Submit
\Windows\SysWOW64\Eofgch32.exe
Filesize
50KB

MD5
a3430e9d9bb116db041970f615f9ce26

SHA1
a1fef8fa21401dd22549f14737b13b5342fa0efc

SHA256
ceb507b5862a7b21f322bda2856bb4c8eb92d67448ff2b7da2b566a1f91173eb

SHA512
0dc7806376badf0043221306f7fba35a66d71b4b819d00344aab1d99402fcf248ed10bd70c9b4ab9b6b72df39f3c5146d10ff42fd00f796342e7b46b2d67b951

Download Submit
\Windows\SysWOW64\Eofgch32.exe
Filesize
50KB

MD5
a3430e9d9bb116db041970f615f9ce26

SHA1
a1fef8fa21401dd22549f14737b13b5342fa0efc

SHA256
ceb507b5862a7b21f322bda2856bb4c8eb92d67448ff2b7da2b566a1f91173eb

SHA512
0dc7806376badf0043221306f7fba35a66d71b4b819d00344aab1d99402fcf248ed10bd70c9b4ab9b6b72df39f3c5146d10ff42fd00f796342e7b46b2d67b951

Download Submit
\Windows\SysWOW64\Eojanhgi.exe
Filesize
50KB

MD5
1e2650bf7d892369beaa50142fe50d8d

SHA1
063f1727bbd21a37fef5f604eb45e51c995aa959

SHA256
b1f37f6437257e9125b22dfe93f1e5d33af714ae5de703dad60503b31c39a67e

SHA512
389151377d628559e1477cda939aba198505d1215cf9dcdf4128210e43660e37c6ddb79dfb6661fee064542975e34ae41a60dc5d37a211c0f1a7f4464eae14bb

Download Submit
\Windows\SysWOW64\Eojanhgi.exe
Filesize
50KB

MD5
1e2650bf7d892369beaa50142fe50d8d

SHA1
063f1727bbd21a37fef5f604eb45e51c995aa959

SHA256
b1f37f6437257e9125b22dfe93f1e5d33af714ae5de703dad60503b31c39a67e

SHA512
389151377d628559e1477cda939aba198505d1215cf9dcdf4128210e43660e37c6ddb79dfb6661fee064542975e34ae41a60dc5d37a211c0f1a7f4464eae14bb

Download Submit
\Windows\SysWOW64\Fakjpc32.exe
Filesize
50KB

MD5
d925ac4def89700621cba26230bcb6ff

SHA1
c01f452e6a40ec4ba8a34c374af4635a5c8fb1ed

SHA256
346531a7198dd8fe62e7c0a7ab1b453c269c6dcd6878c3c8c188980fbcb33dc6

SHA512
ceb66da81e75a11ed90749360feac27c214d969260798fe0323b5a3e21f2daae645a8b26804803d70cb32d0b297388afc4c5d207728ea0415fa3b20abb5308b6

Download Submit
\Windows\SysWOW64\Fakjpc32.exe
Filesize
50KB

MD5
d925ac4def89700621cba26230bcb6ff

SHA1
c01f452e6a40ec4ba8a34c374af4635a5c8fb1ed

SHA256
346531a7198dd8fe62e7c0a7ab1b453c269c6dcd6878c3c8c188980fbcb33dc6

SHA512
ceb66da81e75a11ed90749360feac27c214d969260798fe0323b5a3e21f2daae645a8b26804803d70cb32d0b297388afc4c5d207728ea0415fa3b20abb5308b6

Download Submit
\Windows\SysWOW64\Fdgifoeq.exe
Filesize
50KB

MD5
060b7cb0fa541205bb89c6d04430168d

SHA1
ad64d7531e943970a0d3a3c36be06c8b742e71d2

SHA256
a109329e9f160218c9907a5cb5e40f7c305337dd0b73bfca0fed9b36c1ffc9fa

SHA512
474728c12a21923838442ba367ddc39e8a339d3ca6687ed62784d923a991599dfaf3171dcbec16166fb700fe3cef824ca013f4b52fa44b7f2f3568fdce4c51f6

Download Submit
\Windows\SysWOW64\Fdgifoeq.exe
Filesize
50KB

MD5
060b7cb0fa541205bb89c6d04430168d

SHA1
ad64d7531e943970a0d3a3c36be06c8b742e71d2

SHA256
a109329e9f160218c9907a5cb5e40f7c305337dd0b73bfca0fed9b36c1ffc9fa

SHA512
474728c12a21923838442ba367ddc39e8a339d3ca6687ed62784d923a991599dfaf3171dcbec16166fb700fe3cef824ca013f4b52fa44b7f2f3568fdce4c51f6

Download Submit
\Windows\SysWOW64\Fkcnhhkk.exe
Filesize
50KB

MD5
b757b770148219703b39d2780e3cba29

SHA1
cab7eef0a09d9f990222532b97c000c4c15ec80e

SHA256
7587f1e2741ede41443c655dea2d3e02d367e511457181cfb0a0faa218649803

SHA512
4b5921e54b23fb27456ebc046ce5b3232a722d93d69c2c42deb5debab3e21eacc55bfd0a7f507ad43685690bffa66c24ad489c27fb12c138cd6b1ca11169e8ce

Download Submit
\Windows\SysWOW64\Fkcnhhkk.exe
Filesize
50KB

MD5
b757b770148219703b39d2780e3cba29

SHA1
cab7eef0a09d9f990222532b97c000c4c15ec80e

SHA256
7587f1e2741ede41443c655dea2d3e02d367e511457181cfb0a0faa218649803

SHA512
4b5921e54b23fb27456ebc046ce5b3232a722d93d69c2c42deb5debab3e21eacc55bfd0a7f507ad43685690bffa66c24ad489c27fb12c138cd6b1ca11169e8ce

Download Submit
\Windows\SysWOW64\Fnbjddjn.exe
Filesize
50KB

MD5
0aa9680e879bc9f205418883544e9a54

SHA1
4b17930bf72d2896e4cb13cc562b7ec23f3a0a83

SHA256
44a4abc2a267ba9625ddf2079aadadb2e05d68216c579af9a4265eb36db37336

SHA512
a8b7c48e651b3750fc53fd2549cb7f5ef91b3d7eee78b3162705229908e940049ccb90394e11a291672af1c015020c534bd8a6dd6dee79c06047ecef795c9ec9

Download Submit
\Windows\SysWOW64\Fnbjddjn.exe
Filesize
50KB

MD5
0aa9680e879bc9f205418883544e9a54

SHA1
4b17930bf72d2896e4cb13cc562b7ec23f3a0a83

SHA256
44a4abc2a267ba9625ddf2079aadadb2e05d68216c579af9a4265eb36db37336

SHA512
a8b7c48e651b3750fc53fd2549cb7f5ef91b3d7eee78b3162705229908e940049ccb90394e11a291672af1c015020c534bd8a6dd6dee79c06047ecef795c9ec9

Download Submit
\Windows\SysWOW64\Fomncg32.exe
Filesize
50KB

MD5
91ede4d172e05d09ec557e6b9fd00f9d

SHA1
60e5597e9c8c4db3cb5449c98564145e1edca2b3

SHA256
be8f3f7718c493111cfc029d0426efd0fd4a73d96ed3d64ea133530971d83baa

SHA512
3b6d52662160d4d114b14acde0e7b3a4123d3c4f5e3044403a37433f496bc3dfbd6e3751cb7fc88e60564295efd3c7d4f18d218f7a487b950ffda4fa8568f3d8

Download Submit
\Windows\SysWOW64\Fomncg32.exe
Filesize
50KB

MD5
91ede4d172e05d09ec557e6b9fd00f9d

SHA1
60e5597e9c8c4db3cb5449c98564145e1edca2b3

SHA256
be8f3f7718c493111cfc029d0426efd0fd4a73d96ed3d64ea133530971d83baa

SHA512
3b6d52662160d4d114b14acde0e7b3a4123d3c4f5e3044403a37433f496bc3dfbd6e3751cb7fc88e60564295efd3c7d4f18d218f7a487b950ffda4fa8568f3d8

Download Submit
memory/240-118-0x0000000000000000-mapping.dmp

Download
memory/240-170-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/280-171-0x0000000000000000-mapping.dmp

Download
memory/280-219-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/280-218-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/316-222-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/316-185-0x0000000000000000-mapping.dmp

Download
memory/332-239-0x0000000000000000-mapping.dmp

Download
memory/344-242-0x0000000000000000-mapping.dmp

Download
memory/544-174-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/544-128-0x0000000000000000-mapping.dmp

Download
memory/556-192-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/556-193-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/556-194-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/556-151-0x0000000000000000-mapping.dmp

Download
memory/584-168-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/584-113-0x0000000000000000-mapping.dmp

Download
memory/628-66-0x0000000000000000-mapping.dmp

Download
memory/628-88-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/640-243-0x0000000000000000-mapping.dmp

Download
memory/692-240-0x0000000000000000-mapping.dmp

Download
memory/832-235-0x0000000000000000-mapping.dmp

Download
memory/848-181-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/848-144-0x0000000000000000-mapping.dmp

Download
memory/896-76-0x0000000000000000-mapping.dmp

Download
memory/896-93-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/908-221-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/908-176-0x0000000000000000-mapping.dmp

Download
memory/908-220-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/908-213-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/952-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/952-56-0x0000000000000000-mapping.dmp

Download
memory/968-149-0x0000000000000000-mapping.dmp

Download
memory/968-189-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/968-188-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/968-190-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1008-238-0x0000000000000000-mapping.dmp

Download
memory/1040-152-0x0000000000000000-mapping.dmp

Download
memory/1040-196-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1040-195-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1056-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1056-146-0x0000000000000000-mapping.dmp

Download
memory/1060-182-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1060-145-0x0000000000000000-mapping.dmp

Download
memory/1076-223-0x0000000000000000-mapping.dmp

Download
memory/1132-231-0x0000000000000000-mapping.dmp

Download
memory/1144-169-0x0000000000000000-mapping.dmp

Download
memory/1144-217-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1148-245-0x0000000000000000-mapping.dmp

Download
memory/1160-241-0x0000000000000000-mapping.dmp

Download
memory/1168-200-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download
memory/1168-199-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1168-153-0x0000000000000000-mapping.dmp

Download
memory/1200-207-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1200-157-0x0000000000000000-mapping.dmp

Download
memory/1204-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1204-71-0x0000000000000000-mapping.dmp

Download
memory/1224-143-0x0000000000000000-mapping.dmp

Download
memory/1224-180-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1260-175-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1260-133-0x0000000000000000-mapping.dmp

Download
memory/1336-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1336-142-0x0000000000000000-mapping.dmp

Download
memory/1344-204-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1344-203-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1344-155-0x0000000000000000-mapping.dmp

Download
memory/1372-205-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1372-206-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/1372-156-0x0000000000000000-mapping.dmp

Download
memory/1376-208-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1376-158-0x0000000000000000-mapping.dmp

Download
memory/1396-186-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1396-187-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/1396-148-0x0000000000000000-mapping.dmp

Download
memory/1436-201-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1436-202-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1436-154-0x0000000000000000-mapping.dmp

Download
memory/1524-197-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1524-198-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1536-236-0x0000000000000000-mapping.dmp

Download
memory/1548-237-0x0000000000000000-mapping.dmp

Download
memory/1552-224-0x0000000000000000-mapping.dmp

Download
memory/1596-248-0x0000000000000000-mapping.dmp

Download
memory/1600-249-0x0000000000000000-mapping.dmp

Download
memory/1608-164-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1608-98-0x0000000000000000-mapping.dmp

Download
memory/1632-138-0x0000000000000000-mapping.dmp

Download
memory/1632-177-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1640-84-0x0000000000000000-mapping.dmp

Download
memory/1640-161-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1644-229-0x0000000000000000-mapping.dmp

Download
memory/1680-141-0x0000000000000000-mapping.dmp

Download
memory/1680-178-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1692-211-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1692-212-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1692-214-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1692-160-0x0000000000000000-mapping.dmp

Download
memory/1696-250-0x0000000000000000-mapping.dmp

Download
memory/1712-163-0x0000000000000000-mapping.dmp

Download
memory/1712-216-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1712-215-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1716-234-0x0000000000000000-mapping.dmp

Download
memory/1740-61-0x0000000000000000-mapping.dmp

Download
memory/1740-85-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1744-172-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1744-123-0x0000000000000000-mapping.dmp

Download
memory/1744-173-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/1756-165-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1756-103-0x0000000000000000-mapping.dmp

Download
memory/1756-166-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1768-91-0x0000000000000000-mapping.dmp

Download
memory/1768-162-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1784-244-0x0000000000000000-mapping.dmp

Download
memory/1792-184-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1792-147-0x0000000000000000-mapping.dmp

Download
memory/1824-167-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1824-108-0x0000000000000000-mapping.dmp

Download
memory/1856-233-0x0000000000000000-mapping.dmp

Download
memory/1928-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1928-80-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1940-247-0x0000000000000000-mapping.dmp

Download
memory/1972-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1972-150-0x0000000000000000-mapping.dmp

Download
memory/1976-209-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1976-159-0x0000000000000000-mapping.dmp

Download
memory/1976-210-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/1980-228-0x0000000000000000-mapping.dmp

Download
memory/2020-246-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads