b4bf841eb2236ad1c23f795bad4ad20ebd240e44ea530339aa0b20a45ac7526a

Analysis

max time kernel
57s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4bf841eb2236ad1c23f795bad4ad20ebd240e44ea530339aa0b20a45ac7526a.exe
Size

50KB
MD5

08c4aa5711160abac56a2047d824e0a0
SHA1

17f9212f7987154c835d314272b7b1759d65d748
SHA256

b4bf841eb2236ad1c23f795bad4ad20ebd240e44ea530339aa0b20a45ac7526a
SHA512

4a956ce0892e6935edbe8ced58185776b25bb88735e12076758bf61e30b9b51e416fc0c03049bc40570f598513aa63e70cc4a9011c0c1a4a1054df20952745c4
SSDEEP

768:ug5Zrt1RB4OTpThL2nS/cjWf+XlmZKci2AR/oH9uHtkEb2zW8k/1H5/:ug1ReiJZ2n+cjS+cKcirRAHgHaK20

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Afjoaiok.exeFilmoj32.exeOhdidomm.exeIhnongjl.exeHkkgbakj.exeIicnfhhj.exeJojidnnf.exeBpmmjd32.exeKcbbfgcj.exeOdkjip32.exeDoclem32.exeEnalmh32.exeEcgdimcn.exeHcbpdokl.exeJhbnmc32.exeCginla32.exeMfedleac.exeCmfpbfgq.exeEfmqaj32.exeFqpdhg32.exeIckpfegf.exeLejenn32.exeIiodki32.exeOamnmd32.exeDdpend32.exeEfajljid.exeGbmqkm32.exeHleacffk.exeGnqnph32.exeBignii32.exeDfeamlhb.exeCmmfce32.exeCfeklkhi.exeDadeghpb.exeFognoc32.exeGojkdbbq.exeDlegdh32.exeHejpcmcn.exeBlnnjo32.exeHidhakij.exeHemoae32.exeAnmngg32.exeAgebpmjc.exeHigegkgg.exeJnqqba32.exeMldijlmh.exeCpnodqnj.exeGpodob32.exeGigihgdl.exeMicqhqpg.exeQkgkjm32.exeOnoegfng.exeOlhkcanj.exeFjmbll32.exeHnnmjl32.exeHhinha32.exeFoalpd32.exeNpdkdm32.exeCbeepmce.exeIfnkinon.exeGmhenllk.exeOdmgooao.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjoaiok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Filmoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohdidomm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihnongjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkgbakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iicnfhhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jojidnnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpmmjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcbbfgcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doclem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enalmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgdimcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcbpdokl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhbnmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cginla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfedleac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmfpbfgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efmqaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqpdhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ickpfegf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lejenn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiodki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oamnmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddpend32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efajljid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbmqkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hleacffk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnqnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bignii32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfeamlhb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmmfce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfeklkhi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dadeghpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fognoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gojkdbbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlegdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejpcmcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blnnjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hidhakij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hemoae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmngg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agebpmjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Higegkgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnqqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mldijlmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpnodqnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpodob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gigihgdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Micqhqpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkgkjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onoegfng.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhkcanj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmbll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnnmjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhinha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foalpd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npdkdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbeepmce.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifnkinon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmhenllk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mldijlmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgooao.exe

Executes dropped EXE 64 IoCs

Processes:

Bdfleclh.exeBpmmjd32.exeBmqndh32.exeBoajkp32.exeBignii32.exeBodgap32.exeCijkni32.exeCofcfpbo.exeCljdpdai.exeCebhii32.exeCokmaonj.exeChcajddj.exeCalfcj32.exeCginla32.exeDlegdh32.exeDenkmm32.exeDofpecdk.exeDgmhgpem.exeDljpogcd.exeDhaadhih.exeDfeamlhb.exeDfgncl32.exeEbnohmlc.exeEjicloio.exeEjlpbo32.exeEcdekdmm.exeEcfapdkj.exeEicjhk32.exeFchnfd32.exeFjbfbnad.exeFoookeok.exeFfiggofh.exeFmcodi32.exeFoalpd32.exeFfldmode.exeFpdhfd32.exeFilmoj32.exeFkkike32.exeFbeagohg.exeFcfnog32.exeGkmfpe32.exeGajnil32.exeGmqonm32.exeGgfcke32.exeGcmdpfhm.exeGmehilnn.exeGfnmaa32.exeGmhenllk.exeGbdnfbkb.exeHiofcm32.exeHphnpg32.exeHbgjlb32.exeHiabilpm.exeHlooehoq.exeHbigab32.exeHehcnm32.exeHhfpji32.exeHkdlfddh.exeHejpcmcn.exeHhhlohbb.exeHkghldbf.exeHgniqe32.exeIgpffdeg.exeIddfpida.exe

pid	process
628	Bdfleclh.exe
1868	Bpmmjd32.exe
1080	Bmqndh32.exe
548	Boajkp32.exe
432	Bignii32.exe
1916	Bodgap32.exe
1548	Cijkni32.exe
1148	Cofcfpbo.exe
360	Cljdpdai.exe
1772	Cebhii32.exe
1640	Cokmaonj.exe
1124	Chcajddj.exe
1980	Calfcj32.exe
1340	Cginla32.exe
1816	Dlegdh32.exe
932	Denkmm32.exe
968	Dofpecdk.exe
1016	Dgmhgpem.exe
1796	Dljpogcd.exe
1520	Dhaadhih.exe
1940	Dfeamlhb.exe
1208	Dfgncl32.exe
2012	Ebnohmlc.exe
1268	Ejicloio.exe
1376	Ejlpbo32.exe
1676	Ecdekdmm.exe
688	Ecfapdkj.exe
520	Eicjhk32.exe
636	Fchnfd32.exe
1500	Fjbfbnad.exe
1692	Foookeok.exe
1756	Ffiggofh.exe
1316	Fmcodi32.exe
1836	Foalpd32.exe
876	Ffldmode.exe
1600	Fpdhfd32.exe
1356	Filmoj32.exe
1592	Fkkike32.exe
1688	Fbeagohg.exe
980	Fcfnog32.exe
1620	Gkmfpe32.exe
1128	Gajnil32.exe
880	Gmqonm32.exe
1320	Ggfcke32.exe
1952	Gcmdpfhm.exe
1988	Gmehilnn.exe
1812	Gfnmaa32.exe
1528	Gmhenllk.exe
1860	Gbdnfbkb.exe
1848	Hiofcm32.exe
1644	Hphnpg32.exe
1604	Hbgjlb32.exe
1976	Hiabilpm.exe
1616	Hlooehoq.exe
428	Hbigab32.exe
1308	Hehcnm32.exe
884	Hhfpji32.exe
1708	Hkdlfddh.exe
2008	Hejpcmcn.exe
1760	Hhhlohbb.exe
1992	Hkghldbf.exe
1680	Hgniqe32.exe
1008	Igpffdeg.exe
1324	Iddfpida.exe

Loads dropped DLL 64 IoCs

Processes:

b4bf841eb2236ad1c23f795bad4ad20ebd240e44ea530339aa0b20a45ac7526a.exeBdfleclh.exeBpmmjd32.exeBmqndh32.exeBoajkp32.exeBignii32.exeBodgap32.exeCijkni32.exeCofcfpbo.exeCljdpdai.exeCebhii32.exeCokmaonj.exeChcajddj.exeCalfcj32.exeCginla32.exeDlegdh32.exeDenkmm32.exeDofpecdk.exeDgmhgpem.exeDljpogcd.exeDhaadhih.exeDfeamlhb.exeDfgncl32.exeEbnohmlc.exeEjicloio.exeEjlpbo32.exeEcdekdmm.exeEcfapdkj.exeEicjhk32.exeFchnfd32.exeFjbfbnad.exeFoookeok.exe

pid	process
1720	b4bf841eb2236ad1c23f795bad4ad20ebd240e44ea530339aa0b20a45ac7526a.exe
1720	b4bf841eb2236ad1c23f795bad4ad20ebd240e44ea530339aa0b20a45ac7526a.exe
628	Bdfleclh.exe
628	Bdfleclh.exe
1868	Bpmmjd32.exe
1868	Bpmmjd32.exe
1080	Bmqndh32.exe
1080	Bmqndh32.exe
548	Boajkp32.exe
548	Boajkp32.exe
432	Bignii32.exe
432	Bignii32.exe
1916	Bodgap32.exe
1916	Bodgap32.exe
1548	Cijkni32.exe
1548	Cijkni32.exe
1148	Cofcfpbo.exe
1148	Cofcfpbo.exe
360	Cljdpdai.exe
360	Cljdpdai.exe
1772	Cebhii32.exe
1772	Cebhii32.exe
1640	Cokmaonj.exe
1640	Cokmaonj.exe
1124	Chcajddj.exe
1124	Chcajddj.exe
1980	Calfcj32.exe
1980	Calfcj32.exe
1340	Cginla32.exe
1340	Cginla32.exe
1816	Dlegdh32.exe
1816	Dlegdh32.exe
932	Denkmm32.exe
932	Denkmm32.exe
968	Dofpecdk.exe
968	Dofpecdk.exe
1016	Dgmhgpem.exe
1016	Dgmhgpem.exe
1796	Dljpogcd.exe
1796	Dljpogcd.exe
1520	Dhaadhih.exe
1520	Dhaadhih.exe
1940	Dfeamlhb.exe
1940	Dfeamlhb.exe
1208	Dfgncl32.exe
1208	Dfgncl32.exe
2012	Ebnohmlc.exe
2012	Ebnohmlc.exe
1268	Ejicloio.exe
1268	Ejicloio.exe
1376	Ejlpbo32.exe
1376	Ejlpbo32.exe
1676	Ecdekdmm.exe
1676	Ecdekdmm.exe
688	Ecfapdkj.exe
688	Ecfapdkj.exe
520	Eicjhk32.exe
520	Eicjhk32.exe
636	Fchnfd32.exe
636	Fchnfd32.exe
1500	Fjbfbnad.exe
1500	Fjbfbnad.exe
1692	Foookeok.exe
1692	Foookeok.exe

Drops file in System32 directory 64 IoCs

Processes:

Kldcgf32.exeCfeklkhi.exeDgcjeolg.exeEjlpbo32.exeHkghldbf.exeGajnil32.exeHhhlohbb.exeOahdaehc.exePlbniqfo.exeAgebpmjc.exeDpkondch.exeEnooghaa.exeJdbhae32.exeBodgap32.exeMfedleac.exeNpdkdm32.exeFhbcnefe.exeFndeakph.exeFcqmjbno.exeFbqjeicq.exeGflbekne.exeJgdkpg32.exeEcfapdkj.exeImlkhnka.exeLncigdjp.exeLcpbokhh.exeOhdidomm.exeQnhdlhhh.exeCofcfpbo.exeFkaojpei.exeGpodob32.exeGjcejjkc.exeIppbhbmd.exeBnljfk32.exePbljlhfi.exeBnofkjdk.exeEkobdqgl.exeNfgmqhal.exeHkkgbakj.exeIhnhcqfa.exeHlooehoq.exeAeffcakp.exeFfojfmnc.exeHejblf32.exeKijpfjdm.exeKcpepgel.exeEdmmma32.exeBmiqibbb.exeBefbbe32.exeDaahah32.exeFoalpd32.exeJphfnmoc.exeLafono32.exeBdfleclh.exeJknkkfni.exeAnmngg32.exeGobjhqgh.exeFpdhfd32.exeKqmlhp32.exeAjoeai32.exeFkclpp32.exeHfkeqo32.exeGodgnp32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Kdkkhd32.exe	Kldcgf32.exe
File opened for modification	C:\Windows\SysWOW64\Cidghf32.exe	Cfeklkhi.exe
File opened for modification	C:\Windows\SysWOW64\Diafaj32.exe	Dgcjeolg.exe
File created	C:\Windows\SysWOW64\Ecdekdmm.exe	Ejlpbo32.exe
File created	C:\Windows\SysWOW64\Hgniqe32.exe	Hkghldbf.exe
File created	C:\Windows\SysWOW64\Mmfodk32.dll	Gajnil32.exe
File created	C:\Windows\SysWOW64\Ibafph32.dll	Hhhlohbb.exe
File created	C:\Windows\SysWOW64\Ohbmno32.exe	Oahdaehc.exe
File created	C:\Windows\SysWOW64\Iofbib32.dll	Plbniqfo.exe
File created	C:\Windows\SysWOW64\Okpjffnh.dll	Agebpmjc.exe
File created	C:\Windows\SysWOW64\Aiaglekb.dll	Dpkondch.exe
File created	C:\Windows\SysWOW64\Epnlcdqe.exe	Enooghaa.exe
File opened for modification	C:\Windows\SysWOW64\Jlipcb32.exe	Jdbhae32.exe
File opened for modification	C:\Windows\SysWOW64\Cijkni32.exe	Bodgap32.exe
File created	C:\Windows\SysWOW64\Micqhqpg.exe	Mfedleac.exe
File created	C:\Windows\SysWOW64\Mlmfob32.dll	Npdkdm32.exe
File opened for modification	C:\Windows\SysWOW64\Fkaojpei.exe	Fhbcnefe.exe
File opened for modification	C:\Windows\SysWOW64\Fmgemh32.exe	Fndeakph.exe
File created	C:\Windows\SysWOW64\Aiacdo32.dll	Fcqmjbno.exe
File opened for modification	C:\Windows\SysWOW64\Fdofadbd.exe	Fbqjeicq.exe
File opened for modification	C:\Windows\SysWOW64\Gijoafni.exe	Gflbekne.exe
File opened for modification	C:\Windows\SysWOW64\Jnndmakj.exe	Jgdkpg32.exe
File created	C:\Windows\SysWOW64\Ckofff32.dll	Ecfapdkj.exe
File created	C:\Windows\SysWOW64\Hkghldbf.exe	Hhhlohbb.exe
File created	C:\Windows\SysWOW64\Iongpf32.exe	Imlkhnka.exe
File created	C:\Windows\SysWOW64\Cncacg32.dll	Lncigdjp.exe
File opened for modification	C:\Windows\SysWOW64\Ljjjle32.exe	Lcpbokhh.exe
File opened for modification	C:\Windows\SysWOW64\Oamnmd32.exe	Ohdidomm.exe
File created	C:\Windows\SysWOW64\Qbcplf32.exe	Qnhdlhhh.exe
File created	C:\Windows\SysWOW64\Cljdpdai.exe	Cofcfpbo.exe
File created	C:\Windows\SysWOW64\Gngjkkmm.dll	Fkaojpei.exe
File opened for modification	C:\Windows\SysWOW64\Gbmqkm32.exe	Gpodob32.exe
File created	C:\Windows\SysWOW64\Lhblch32.dll	Gjcejjkc.exe
File opened for modification	C:\Windows\SysWOW64\Jbnodmlg.exe	Ippbhbmd.exe
File created	C:\Windows\SysWOW64\Dgjginaf.dll	Bnljfk32.exe
File created	C:\Windows\SysWOW64\Pjcbmegk.exe	Pbljlhfi.exe
File created	C:\Windows\SysWOW64\Bbjbli32.exe	Bnofkjdk.exe
File opened for modification	C:\Windows\SysWOW64\Eojoeo32.exe	Ekobdqgl.exe
File opened for modification	C:\Windows\SysWOW64\Nifimc32.exe	Nfgmqhal.exe
File opened for modification	C:\Windows\SysWOW64\Hcbpdokl.exe	Hkkgbakj.exe
File opened for modification	C:\Windows\SysWOW64\Ijldoled.exe	Ihnhcqfa.exe
File opened for modification	C:\Windows\SysWOW64\Hbigab32.exe	Hlooehoq.exe
File opened for modification	C:\Windows\SysWOW64\Agebpmjc.exe	Aeffcakp.exe
File created	C:\Windows\SysWOW64\Fnfagkne.exe	Ffojfmnc.exe
File opened for modification	C:\Windows\SysWOW64\Hhinha32.exe	Hejblf32.exe
File opened for modification	C:\Windows\SysWOW64\Kpdhbd32.exe	Kijpfjdm.exe
File created	C:\Windows\SysWOW64\Lhbenn32.dll	Kcpepgel.exe
File opened for modification	C:\Windows\SysWOW64\Eaqnfeae.exe	Edmmma32.exe
File opened for modification	C:\Windows\SysWOW64\Bfaeah32.exe	Bmiqibbb.exe
File opened for modification	C:\Windows\SysWOW64\Bhenop32.exe	Befbbe32.exe
File opened for modification	C:\Windows\SysWOW64\Ddpend32.exe	Daahah32.exe
File created	C:\Windows\SysWOW64\Ddhcclle.dll	Foalpd32.exe
File created	C:\Windows\SysWOW64\Jaejlhpk.dll	Jphfnmoc.exe
File created	C:\Windows\SysWOW64\Lfcgfe32.exe	Lafono32.exe
File created	C:\Windows\SysWOW64\Bdkeqcah.dll	Bdfleclh.exe
File created	C:\Windows\SysWOW64\Jahchp32.exe	Jknkkfni.exe
File opened for modification	C:\Windows\SysWOW64\Aeffcakp.exe	Anmngg32.exe
File created	C:\Windows\SysWOW64\Gflbekne.exe	Gobjhqgh.exe
File created	C:\Windows\SysWOW64\Filmoj32.exe	Fpdhfd32.exe
File created	C:\Windows\SysWOW64\Ihikee32.dll	Kqmlhp32.exe
File opened for modification	C:\Windows\SysWOW64\Abfmbfno.exe	Ajoeai32.exe
File opened for modification	C:\Windows\SysWOW64\Fqpdhg32.exe	Fkclpp32.exe
File created	C:\Windows\SysWOW64\Ihnongjl.exe	Hfkeqo32.exe
File opened for modification	C:\Windows\SysWOW64\Gbbcjl32.exe	Godgnp32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4764 4756 WerFault.exe Kceadpik.exe

pid	pid_target	process	target process
4764	4756	WerFault.exe	Kceadpik.exe

Modifies registry class 64 IoCs

Processes:

Iddfpida.exeApbcjo32.exeGijoafni.exeMicqhqpg.exeGgnbocga.exeHigegkgg.exeKdkkhd32.exeCpgidada.exeKgldjoei.exeDenkmm32.exeDgmhgpem.exeJahchp32.exeHblfpj32.exeKeaakk32.exeFpdhfd32.exeNoeojj32.exeBeaigebp.exeCionmgkb.exeEfomgj32.exeDhaadhih.exeKoickh32.exeFgofpp32.exeIdgenajb.exeCijkni32.exeEjlpbo32.exeBjegqk32.exeEfdgbigb.exeFlfnbacf.exeGbmqkm32.exeFpkdbaah.exeEohbpp32.exeEaldkf32.exeKihcpk32.exeFkkike32.exeLafono32.exeNojlfffd.exeNldfio32.exeOlhkcanj.exeChcajddj.exeEbnohmlc.exeJeadlh32.exeGmehilnn.exeIkgdjgda.exeBfaeah32.exeGenimh32.exeFoggdm32.exeJaclej32.exeBodgap32.exeDlegdh32.exeHehcnm32.exeOaojbdbk.exeGjooakaf.exeJhbnmc32.exeIiehco32.exeKkpdpi32.exeOnoegfng.exeEnalmh32.exeGbgpfh32.exeFjeeaffe.exeHhinha32.exeKoelhaeg.exeHbgjlb32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iddfpida.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apbcjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfacfbem.dll"	Gijoafni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgdef32.dll"	Micqhqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgffh32.dll"	Ggnbocga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Higegkgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkajjhpo.dll"	Kdkkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpgidada.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgefjln.dll"	Kgldjoei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmqjg32.dll"	Denkmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgmhgpem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfhipmo.dll"	Jahchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hblfpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keaakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbdbjmb.dll"	Fpdhfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpdhfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noeojj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkdnn32.dll"	Beaigebp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmqbgc32.dll"	Cionmgkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efomgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhaadhih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dclnii32.dll"	Koickh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgofpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npjgnl32.dll"	Idgenajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geebhg32.dll"	Cijkni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqbdci32.dll"	Ejlpbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjegqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efdgbigb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flfnbacf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbmqkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpkdbaah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eohbpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ealdkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjilbgao.dll"	Kihcpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkkike32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lafono32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nojlfffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nldfio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhkcanj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcajddj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebnohmlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knpenlco.dll"	Fgofpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbcljc32.dll"	Jeadlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmehilnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikgdjgda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfaeah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Genimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Foggdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laafil32.dll"	Jaclej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bodgap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlegdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofcang32.dll"	Hehcnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaojbdbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjooakaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhbnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiehco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpdpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onoegfng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enalmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbgpfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnodqk32.dll"	Fjeeaffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmaifb32.dll"	Hhinha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhojfa32.dll"	Koelhaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbgjlb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1720 wrote to memory of 628	1720	b4bf841eb2236ad1c23f795bad4ad20ebd240e44ea530339aa0b20a45ac7526a.exe	Bdfleclh.exe
PID 1720 wrote to memory of 628	1720	b4bf841eb2236ad1c23f795bad4ad20ebd240e44ea530339aa0b20a45ac7526a.exe	Bdfleclh.exe
PID 1720 wrote to memory of 628	1720	b4bf841eb2236ad1c23f795bad4ad20ebd240e44ea530339aa0b20a45ac7526a.exe	Bdfleclh.exe
PID 1720 wrote to memory of 628	1720	b4bf841eb2236ad1c23f795bad4ad20ebd240e44ea530339aa0b20a45ac7526a.exe	Bdfleclh.exe
PID 628 wrote to memory of 1868	628	Bdfleclh.exe	Bpmmjd32.exe
PID 628 wrote to memory of 1868	628	Bdfleclh.exe	Bpmmjd32.exe
PID 628 wrote to memory of 1868	628	Bdfleclh.exe	Bpmmjd32.exe
PID 628 wrote to memory of 1868	628	Bdfleclh.exe	Bpmmjd32.exe
PID 1868 wrote to memory of 1080	1868	Bpmmjd32.exe	Bmqndh32.exe
PID 1868 wrote to memory of 1080	1868	Bpmmjd32.exe	Bmqndh32.exe
PID 1868 wrote to memory of 1080	1868	Bpmmjd32.exe	Bmqndh32.exe
PID 1868 wrote to memory of 1080	1868	Bpmmjd32.exe	Bmqndh32.exe
PID 1080 wrote to memory of 548	1080	Bmqndh32.exe	Boajkp32.exe
PID 1080 wrote to memory of 548	1080	Bmqndh32.exe	Boajkp32.exe
PID 1080 wrote to memory of 548	1080	Bmqndh32.exe	Boajkp32.exe
PID 1080 wrote to memory of 548	1080	Bmqndh32.exe	Boajkp32.exe
PID 548 wrote to memory of 432	548	Boajkp32.exe	Bignii32.exe
PID 548 wrote to memory of 432	548	Boajkp32.exe	Bignii32.exe
PID 548 wrote to memory of 432	548	Boajkp32.exe	Bignii32.exe
PID 548 wrote to memory of 432	548	Boajkp32.exe	Bignii32.exe
PID 432 wrote to memory of 1916	432	Bignii32.exe	Bodgap32.exe
PID 432 wrote to memory of 1916	432	Bignii32.exe	Bodgap32.exe
PID 432 wrote to memory of 1916	432	Bignii32.exe	Bodgap32.exe
PID 432 wrote to memory of 1916	432	Bignii32.exe	Bodgap32.exe
PID 1916 wrote to memory of 1548	1916	Bodgap32.exe	Cijkni32.exe
PID 1916 wrote to memory of 1548	1916	Bodgap32.exe	Cijkni32.exe
PID 1916 wrote to memory of 1548	1916	Bodgap32.exe	Cijkni32.exe
PID 1916 wrote to memory of 1548	1916	Bodgap32.exe	Cijkni32.exe
PID 1548 wrote to memory of 1148	1548	Cijkni32.exe	Cofcfpbo.exe
PID 1548 wrote to memory of 1148	1548	Cijkni32.exe	Cofcfpbo.exe
PID 1548 wrote to memory of 1148	1548	Cijkni32.exe	Cofcfpbo.exe
PID 1548 wrote to memory of 1148	1548	Cijkni32.exe	Cofcfpbo.exe
PID 1148 wrote to memory of 360	1148	Cofcfpbo.exe	Cljdpdai.exe
PID 1148 wrote to memory of 360	1148	Cofcfpbo.exe	Cljdpdai.exe
PID 1148 wrote to memory of 360	1148	Cofcfpbo.exe	Cljdpdai.exe
PID 1148 wrote to memory of 360	1148	Cofcfpbo.exe	Cljdpdai.exe
PID 360 wrote to memory of 1772	360	Cljdpdai.exe	Cebhii32.exe
PID 360 wrote to memory of 1772	360	Cljdpdai.exe	Cebhii32.exe
PID 360 wrote to memory of 1772	360	Cljdpdai.exe	Cebhii32.exe
PID 360 wrote to memory of 1772	360	Cljdpdai.exe	Cebhii32.exe
PID 1772 wrote to memory of 1640	1772	Cebhii32.exe	Cokmaonj.exe
PID 1772 wrote to memory of 1640	1772	Cebhii32.exe	Cokmaonj.exe
PID 1772 wrote to memory of 1640	1772	Cebhii32.exe	Cokmaonj.exe
PID 1772 wrote to memory of 1640	1772	Cebhii32.exe	Cokmaonj.exe
PID 1640 wrote to memory of 1124	1640	Cokmaonj.exe	Chcajddj.exe
PID 1640 wrote to memory of 1124	1640	Cokmaonj.exe	Chcajddj.exe
PID 1640 wrote to memory of 1124	1640	Cokmaonj.exe	Chcajddj.exe
PID 1640 wrote to memory of 1124	1640	Cokmaonj.exe	Chcajddj.exe
PID 1124 wrote to memory of 1980	1124	Chcajddj.exe	Calfcj32.exe
PID 1124 wrote to memory of 1980	1124	Chcajddj.exe	Calfcj32.exe
PID 1124 wrote to memory of 1980	1124	Chcajddj.exe	Calfcj32.exe
PID 1124 wrote to memory of 1980	1124	Chcajddj.exe	Calfcj32.exe
PID 1980 wrote to memory of 1340	1980	Calfcj32.exe	Cginla32.exe
PID 1980 wrote to memory of 1340	1980	Calfcj32.exe	Cginla32.exe
PID 1980 wrote to memory of 1340	1980	Calfcj32.exe	Cginla32.exe
PID 1980 wrote to memory of 1340	1980	Calfcj32.exe	Cginla32.exe
PID 1340 wrote to memory of 1816	1340	Cginla32.exe	Dlegdh32.exe
PID 1340 wrote to memory of 1816	1340	Cginla32.exe	Dlegdh32.exe
PID 1340 wrote to memory of 1816	1340	Cginla32.exe	Dlegdh32.exe
PID 1340 wrote to memory of 1816	1340	Cginla32.exe	Dlegdh32.exe
PID 1816 wrote to memory of 932	1816	Dlegdh32.exe	Denkmm32.exe
PID 1816 wrote to memory of 932	1816	Dlegdh32.exe	Denkmm32.exe
PID 1816 wrote to memory of 932	1816	Dlegdh32.exe	Denkmm32.exe
PID 1816 wrote to memory of 932	1816	Dlegdh32.exe	Denkmm32.exe

C:\Users\Admin\AppData\Local\Temp\b4bf841eb2236ad1c23f795bad4ad20ebd240e44ea530339aa0b20a45ac7526a.exe
"C:\Users\Admin\AppData\Local\Temp\b4bf841eb2236ad1c23f795bad4ad20ebd240e44ea530339aa0b20a45ac7526a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\Bdfleclh.exe
C:\Windows\system32\Bdfleclh.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\Bpmmjd32.exe
C:\Windows\system32\Bpmmjd32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\Bmqndh32.exe
C:\Windows\system32\Bmqndh32.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\Boajkp32.exe
C:\Windows\system32\Boajkp32.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\Bignii32.exe
C:\Windows\system32\Bignii32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\Bodgap32.exe
C:\Windows\system32\Bodgap32.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\Cijkni32.exe
C:\Windows\system32\Cijkni32.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\Cofcfpbo.exe
C:\Windows\system32\Cofcfpbo.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\Cljdpdai.exe
C:\Windows\system32\Cljdpdai.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\Cebhii32.exe
C:\Windows\system32\Cebhii32.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\Cokmaonj.exe
C:\Windows\system32\Cokmaonj.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\Chcajddj.exe
C:\Windows\system32\Chcajddj.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\Calfcj32.exe
C:\Windows\system32\Calfcj32.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\Cginla32.exe
C:\Windows\system32\Cginla32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\Dlegdh32.exe
C:\Windows\system32\Dlegdh32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\Denkmm32.exe
C:\Windows\system32\Denkmm32.exe
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:932

C:\Windows\SysWOW64\Dofpecdk.exe
C:\Windows\system32\Dofpecdk.exe
18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968

C:\Windows\SysWOW64\Dgmhgpem.exe
C:\Windows\system32\Dgmhgpem.exe
19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1016

C:\Windows\SysWOW64\Dljpogcd.exe
C:\Windows\system32\Dljpogcd.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796

C:\Windows\SysWOW64\Dhaadhih.exe
C:\Windows\system32\Dhaadhih.exe
21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1520

C:\Windows\SysWOW64\Dfeamlhb.exe
C:\Windows\system32\Dfeamlhb.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1940

C:\Windows\SysWOW64\Dfgncl32.exe
C:\Windows\system32\Dfgncl32.exe
23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208

C:\Windows\SysWOW64\Ebnohmlc.exe
C:\Windows\system32\Ebnohmlc.exe
24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2012

C:\Windows\SysWOW64\Ejicloio.exe
C:\Windows\system32\Ejicloio.exe
25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268

C:\Windows\SysWOW64\Ejlpbo32.exe
C:\Windows\system32\Ejlpbo32.exe
26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1376

C:\Windows\SysWOW64\Ecdekdmm.exe
C:\Windows\system32\Ecdekdmm.exe
27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676

C:\Windows\SysWOW64\Ecfapdkj.exe
C:\Windows\system32\Ecfapdkj.exe
28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:688

C:\Windows\SysWOW64\Eicjhk32.exe
C:\Windows\system32\Eicjhk32.exe
29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:520

C:\Windows\SysWOW64\Fchnfd32.exe
C:\Windows\system32\Fchnfd32.exe
30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:636

C:\Windows\SysWOW64\Fjbfbnad.exe
C:\Windows\system32\Fjbfbnad.exe
31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500

C:\Windows\SysWOW64\Foookeok.exe
C:\Windows\system32\Foookeok.exe
32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692

C:\Windows\SysWOW64\Ffiggofh.exe
C:\Windows\system32\Ffiggofh.exe
33⤵
- Executes dropped EXE
PID:1756

C:\Windows\SysWOW64\Fmcodi32.exe
C:\Windows\system32\Fmcodi32.exe
34⤵
- Executes dropped EXE
PID:1316

C:\Windows\SysWOW64\Foalpd32.exe
C:\Windows\system32\Foalpd32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1836

C:\Windows\SysWOW64\Ffldmode.exe
C:\Windows\system32\Ffldmode.exe
36⤵
- Executes dropped EXE
PID:876

C:\Windows\SysWOW64\Fpdhfd32.exe
C:\Windows\system32\Fpdhfd32.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1600

C:\Windows\SysWOW64\Filmoj32.exe
C:\Windows\system32\Filmoj32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1356

C:\Windows\SysWOW64\Fkkike32.exe
C:\Windows\system32\Fkkike32.exe
39⤵
- Executes dropped EXE
- Modifies registry class
PID:1592

C:\Windows\SysWOW64\Fbeagohg.exe
C:\Windows\system32\Fbeagohg.exe
40⤵
- Executes dropped EXE
PID:1688

C:\Windows\SysWOW64\Fcfnog32.exe
C:\Windows\system32\Fcfnog32.exe
41⤵
- Executes dropped EXE
PID:980

C:\Windows\SysWOW64\Gkmfpe32.exe
C:\Windows\system32\Gkmfpe32.exe
42⤵
- Executes dropped EXE
PID:1620

C:\Windows\SysWOW64\Gajnil32.exe
C:\Windows\system32\Gajnil32.exe
43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1128

C:\Windows\SysWOW64\Gmqonm32.exe
C:\Windows\system32\Gmqonm32.exe
44⤵
- Executes dropped EXE
PID:880

C:\Windows\SysWOW64\Ggfcke32.exe
C:\Windows\system32\Ggfcke32.exe
45⤵
- Executes dropped EXE
PID:1320

C:\Windows\SysWOW64\Gcmdpfhm.exe
C:\Windows\system32\Gcmdpfhm.exe
46⤵
- Executes dropped EXE
PID:1952

C:\Windows\SysWOW64\Gmehilnn.exe
C:\Windows\system32\Gmehilnn.exe
47⤵
- Executes dropped EXE
- Modifies registry class
PID:1988

C:\Windows\SysWOW64\Gfnmaa32.exe
C:\Windows\system32\Gfnmaa32.exe
48⤵
- Executes dropped EXE
PID:1812

C:\Windows\SysWOW64\Gmhenllk.exe
C:\Windows\system32\Gmhenllk.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1528

C:\Windows\SysWOW64\Gbdnfbkb.exe
C:\Windows\system32\Gbdnfbkb.exe
50⤵
- Executes dropped EXE
PID:1860

C:\Windows\SysWOW64\Hiofcm32.exe
C:\Windows\system32\Hiofcm32.exe
51⤵
- Executes dropped EXE
PID:1848

C:\Windows\SysWOW64\Hphnpg32.exe
C:\Windows\system32\Hphnpg32.exe
52⤵
- Executes dropped EXE
PID:1644

C:\Windows\SysWOW64\Hbgjlb32.exe
C:\Windows\system32\Hbgjlb32.exe
53⤵
- Executes dropped EXE
- Modifies registry class
PID:1604

C:\Windows\SysWOW64\Hiabilpm.exe
C:\Windows\system32\Hiabilpm.exe
54⤵
- Executes dropped EXE
PID:1976

C:\Windows\SysWOW64\Hlooehoq.exe
C:\Windows\system32\Hlooehoq.exe
55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1616

C:\Windows\SysWOW64\Hbigab32.exe
C:\Windows\system32\Hbigab32.exe
56⤵
- Executes dropped EXE
PID:428

C:\Windows\SysWOW64\Hehcnm32.exe
C:\Windows\system32\Hehcnm32.exe
57⤵
- Executes dropped EXE
- Modifies registry class
PID:1308

C:\Windows\SysWOW64\Hhfpji32.exe
C:\Windows\system32\Hhfpji32.exe
58⤵
- Executes dropped EXE
PID:884

C:\Windows\SysWOW64\Hkdlfddh.exe
C:\Windows\system32\Hkdlfddh.exe
59⤵
- Executes dropped EXE
PID:1708

C:\Windows\SysWOW64\Hejpcmcn.exe
C:\Windows\system32\Hejpcmcn.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2008

C:\Windows\SysWOW64\Hhhlohbb.exe
C:\Windows\system32\Hhhlohbb.exe
61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1760

C:\Windows\SysWOW64\Hkghldbf.exe
C:\Windows\system32\Hkghldbf.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1992

C:\Windows\SysWOW64\Hgniqe32.exe
C:\Windows\system32\Hgniqe32.exe
63⤵
- Executes dropped EXE
PID:1680

C:\Windows\SysWOW64\Igpffdeg.exe
C:\Windows\system32\Igpffdeg.exe
64⤵
- Executes dropped EXE
PID:1008

C:\Windows\SysWOW64\Iddfpida.exe
C:\Windows\system32\Iddfpida.exe
65⤵
- Executes dropped EXE
- Modifies registry class
PID:1324

C:\Windows\SysWOW64\Imlkhnka.exe
C:\Windows\system32\Imlkhnka.exe
66⤵
- Drops file in System32 directory
PID:1532

C:\Windows\SysWOW64\Iongpf32.exe
C:\Windows\system32\Iongpf32.exe
67⤵
PID:1888

C:\Windows\SysWOW64\Igdoad32.exe
C:\Windows\system32\Igdoad32.exe
68⤵
PID:1068

C:\Windows\SysWOW64\Ihflilgp.exe
C:\Windows\system32\Ihflilgp.exe
69⤵
PID:916

C:\Windows\SysWOW64\Ickpfegf.exe
C:\Windows\system32\Ickpfegf.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636

C:\Windows\SysWOW64\Iiehco32.exe
C:\Windows\system32\Iiehco32.exe
71⤵
- Modifies registry class
PID:1404

C:\Windows\SysWOW64\Ikgdjgda.exe
C:\Windows\system32\Ikgdjgda.exe
72⤵
- Modifies registry class
PID:1564

C:\Windows\SysWOW64\Jdoicmka.exe
C:\Windows\system32\Jdoicmka.exe
73⤵
PID:1828

C:\Windows\SysWOW64\Jngnlb32.exe
C:\Windows\system32\Jngnlb32.exe
74⤵
PID:1284

C:\Windows\SysWOW64\Jdafilio.exe
C:\Windows\system32\Jdafilio.exe
75⤵
PID:592

C:\Windows\SysWOW64\Jkknef32.exe
C:\Windows\system32\Jkknef32.exe
76⤵
PID:1544

C:\Windows\SysWOW64\Jphfnmoc.exe
C:\Windows\system32\Jphfnmoc.exe
77⤵
- Drops file in System32 directory
PID:1944

C:\Windows\SysWOW64\Jknkkfni.exe
C:\Windows\system32\Jknkkfni.exe
78⤵
- Drops file in System32 directory
PID:1684

C:\Windows\SysWOW64\Jahchp32.exe
C:\Windows\system32\Jahchp32.exe
79⤵
- Modifies registry class
PID:2052

C:\Windows\SysWOW64\Jgdkpg32.exe
C:\Windows\system32\Jgdkpg32.exe
80⤵
- Drops file in System32 directory
PID:2068

C:\Windows\SysWOW64\Jnndmakj.exe
C:\Windows\system32\Jnndmakj.exe
81⤵
PID:2084

C:\Windows\SysWOW64\Jnqqba32.exe
C:\Windows\system32\Jnqqba32.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104

C:\Windows\SysWOW64\Kcnikh32.exe
C:\Windows\system32\Kcnikh32.exe
83⤵
PID:2120

C:\Windows\SysWOW64\Kflegc32.exe
C:\Windows\system32\Kflegc32.exe
84⤵
PID:2136

C:\Windows\SysWOW64\Khjaco32.exe
C:\Windows\system32\Khjaco32.exe
85⤵
PID:2152

C:\Windows\SysWOW64\Kqaidl32.exe
C:\Windows\system32\Kqaidl32.exe
86⤵
PID:2168

C:\Windows\SysWOW64\Kcpepgel.exe
C:\Windows\system32\Kcpepgel.exe
87⤵
- Drops file in System32 directory
PID:2184

C:\Windows\SysWOW64\Kfnblcdp.exe
C:\Windows\system32\Kfnblcdp.exe
88⤵
PID:2204

C:\Windows\SysWOW64\Khmnhndc.exe
C:\Windows\system32\Khmnhndc.exe
89⤵
PID:2220

C:\Windows\SysWOW64\Kkkjdjcg.exe
C:\Windows\system32\Kkkjdjcg.exe
90⤵
PID:2236

C:\Windows\SysWOW64\Kcbbfgcj.exe
C:\Windows\system32\Kcbbfgcj.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2256

C:\Windows\SysWOW64\Kbebad32.exe
C:\Windows\system32\Kbebad32.exe
92⤵
PID:2272

C:\Windows\SysWOW64\Kioknnaa.exe
C:\Windows\system32\Kioknnaa.exe
93⤵
PID:2288

C:\Windows\SysWOW64\Koickh32.exe
C:\Windows\system32\Koickh32.exe
94⤵
- Modifies registry class
PID:2304

C:\Windows\SysWOW64\Kbgogcha.exe
C:\Windows\system32\Kbgogcha.exe
95⤵
PID:2328

C:\Windows\SysWOW64\Kiagcn32.exe
C:\Windows\system32\Kiagcn32.exe
96⤵
PID:2344

C:\Windows\SysWOW64\Kkpdpi32.exe
C:\Windows\system32\Kkpdpi32.exe
97⤵
- Modifies registry class
PID:2360

C:\Windows\SysWOW64\Kqmlhp32.exe
C:\Windows\system32\Kqmlhp32.exe
98⤵
- Drops file in System32 directory
PID:2380

C:\Windows\SysWOW64\Lkbqei32.exe
C:\Windows\system32\Lkbqei32.exe
99⤵
PID:2400

C:\Windows\SysWOW64\Lnqmad32.exe
C:\Windows\system32\Lnqmad32.exe
100⤵
PID:2428

C:\Windows\SysWOW64\Lejenn32.exe
C:\Windows\system32\Lejenn32.exe
101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444

C:\Windows\SysWOW64\Lgiajj32.exe
C:\Windows\system32\Lgiajj32.exe
102⤵
PID:2460

C:\Windows\SysWOW64\Lncigdjp.exe
C:\Windows\system32\Lncigdjp.exe
103⤵
- Drops file in System32 directory
PID:2476

C:\Windows\SysWOW64\Laaecoid.exe
C:\Windows\system32\Laaecoid.exe
104⤵
PID:2492

C:\Windows\SysWOW64\Lcpbokhh.exe
C:\Windows\system32\Lcpbokhh.exe
105⤵
- Drops file in System32 directory
PID:2512

C:\Windows\SysWOW64\Ljjjle32.exe
C:\Windows\system32\Ljjjle32.exe
106⤵
PID:2528

C:\Windows\SysWOW64\Lacbioga.exe
C:\Windows\system32\Lacbioga.exe
107⤵
PID:2556

C:\Windows\SysWOW64\Lgnkeinn.exe
C:\Windows\system32\Lgnkeinn.exe
108⤵
PID:2576

C:\Windows\SysWOW64\Liogma32.exe
C:\Windows\system32\Liogma32.exe
109⤵
PID:2592

C:\Windows\SysWOW64\Lafono32.exe
C:\Windows\system32\Lafono32.exe
110⤵
- Drops file in System32 directory
- Modifies registry class
PID:2604

C:\Windows\SysWOW64\Lfcgfe32.exe
C:\Windows\system32\Lfcgfe32.exe
111⤵
PID:2632

C:\Windows\SysWOW64\Lmmpcpkc.exe
C:\Windows\system32\Lmmpcpkc.exe
112⤵
PID:2648

C:\Windows\SysWOW64\Lpklokjf.exe
C:\Windows\system32\Lpklokjf.exe
113⤵
PID:2664

C:\Windows\SysWOW64\Mfedleac.exe
C:\Windows\system32\Mfedleac.exe
114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2680

C:\Windows\SysWOW64\Micqhqpg.exe
C:\Windows\system32\Micqhqpg.exe
115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2704

C:\Windows\SysWOW64\Mpniek32.exe
C:\Windows\system32\Mpniek32.exe
116⤵
PID:2716

C:\Windows\SysWOW64\Mbleaf32.exe
C:\Windows\system32\Mbleaf32.exe
117⤵
PID:2732

C:\Windows\SysWOW64\Mifmnpnd.exe
C:\Windows\system32\Mifmnpnd.exe
118⤵
PID:2752

C:\Windows\SysWOW64\Mldijlmh.exe
C:\Windows\system32\Mldijlmh.exe
119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764

C:\Windows\SysWOW64\Mbnaff32.exe
C:\Windows\system32\Mbnaff32.exe
120⤵
PID:2788

C:\Windows\SysWOW64\Memnba32.exe
C:\Windows\system32\Memnba32.exe
121⤵
PID:2804

C:\Windows\SysWOW64\Mlffok32.exe
C:\Windows\system32\Mlffok32.exe
122⤵
PID:2820

C:\Windows\SysWOW64\Mnebkg32.exe
C:\Windows\system32\Mnebkg32.exe
123⤵
PID:2836

C:\Windows\SysWOW64\Mbqnlebb.exe
C:\Windows\system32\Mbqnlebb.exe
124⤵
PID:2844

C:\Windows\SysWOW64\Mdbkdn32.exe
C:\Windows\system32\Mdbkdn32.exe
125⤵
PID:2872

C:\Windows\SysWOW64\Mddgim32.exe
C:\Windows\system32\Mddgim32.exe
126⤵
PID:2896

C:\Windows\SysWOW64\Nojlfffd.exe
C:\Windows\system32\Nojlfffd.exe
127⤵
- Modifies registry class
PID:2924

C:\Windows\SysWOW64\Npkhnn32.exe
C:\Windows\system32\Npkhnn32.exe
128⤵
PID:2944

C:\Windows\SysWOW64\Nhbpol32.exe
C:\Windows\system32\Nhbpol32.exe
129⤵
PID:2960

C:\Windows\SysWOW64\Nicmgdcb.exe
C:\Windows\system32\Nicmgdcb.exe
130⤵
PID:2976

C:\Windows\SysWOW64\Nmoihb32.exe
C:\Windows\system32\Nmoihb32.exe
131⤵
PID:2992

C:\Windows\SysWOW64\Nfgmqhal.exe
C:\Windows\system32\Nfgmqhal.exe
132⤵
- Drops file in System32 directory
PID:3016

C:\Windows\SysWOW64\Nifimc32.exe
C:\Windows\system32\Nifimc32.exe
133⤵
PID:3036

C:\Windows\SysWOW64\Nldfio32.exe
C:\Windows\system32\Nldfio32.exe
134⤵
- Modifies registry class
PID:3060

C:\Windows\SysWOW64\Ndknjl32.exe
C:\Windows\system32\Ndknjl32.exe
135⤵
PID:564

C:\Windows\SysWOW64\Ngjjfh32.exe
C:\Windows\system32\Ngjjfh32.exe
136⤵
PID:2076

C:\Windows\SysWOW64\Nihfbc32.exe
C:\Windows\system32\Nihfbc32.exe
137⤵
PID:2112

C:\Windows\SysWOW64\Nlfbno32.exe
C:\Windows\system32\Nlfbno32.exe
138⤵
PID:2128

C:\Windows\SysWOW64\Noeojj32.exe
C:\Windows\system32\Noeojj32.exe
139⤵
- Modifies registry class
PID:2164

C:\Windows\SysWOW64\Neoggdda.exe
C:\Windows\system32\Neoggdda.exe
140⤵
PID:2200

C:\Windows\SysWOW64\Npdkdm32.exe
C:\Windows\system32\Npdkdm32.exe
141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2312

C:\Windows\SysWOW64\Oeacmd32.exe
C:\Windows\system32\Oeacmd32.exe
142⤵
PID:2340

C:\Windows\SysWOW64\Olklinjl.exe
C:\Windows\system32\Olklinjl.exe
143⤵
PID:2392

C:\Windows\SysWOW64\Oahdaehc.exe
C:\Windows\system32\Oahdaehc.exe
144⤵
- Drops file in System32 directory
PID:2420

C:\Windows\SysWOW64\Ohbmno32.exe
C:\Windows\system32\Ohbmno32.exe
145⤵
PID:2472

C:\Windows\SysWOW64\Onoegfng.exe
C:\Windows\system32\Onoegfng.exe
146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2488

C:\Windows\SysWOW64\Ohdidomm.exe
C:\Windows\system32\Ohdidomm.exe
147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2536

C:\Windows\SysWOW64\Oamnmd32.exe
C:\Windows\system32\Oamnmd32.exe
148⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548

C:\Windows\SysWOW64\Odkjip32.exe
C:\Windows\system32\Odkjip32.exe
149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564

C:\Windows\SysWOW64\Ojhbaf32.exe
C:\Windows\system32\Ojhbaf32.exe
150⤵
PID:2572

C:\Windows\SysWOW64\Oaojbdbk.exe
C:\Windows\system32\Oaojbdbk.exe
151⤵
- Modifies registry class
PID:2588

C:\Windows\SysWOW64\Odmgooao.exe
C:\Windows\system32\Odmgooao.exe
152⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612

C:\Windows\SysWOW64\Oglckkpb.exe
C:\Windows\system32\Oglckkpb.exe
153⤵
PID:2620

C:\Windows\SysWOW64\Ojjogfof.exe
C:\Windows\system32\Ojjogfof.exe
154⤵
PID:2628

C:\Windows\SysWOW64\Olhkcanj.exe
C:\Windows\system32\Olhkcanj.exe
155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2644

C:\Windows\SysWOW64\Pcbcpl32.exe
C:\Windows\system32\Pcbcpl32.exe
156⤵
PID:2660

C:\Windows\SysWOW64\Pfaplg32.exe
C:\Windows\system32\Pfaplg32.exe
157⤵
PID:2676

C:\Windows\SysWOW64\Pnhhmdem.exe
C:\Windows\system32\Pnhhmdem.exe
158⤵
PID:2692

C:\Windows\SysWOW64\Ppfdipdp.exe
C:\Windows\system32\Ppfdipdp.exe
159⤵
PID:2700

C:\Windows\SysWOW64\Pgqlfj32.exe
C:\Windows\system32\Pgqlfj32.exe
160⤵
PID:2724

C:\Windows\SysWOW64\Pfcmagcg.exe
C:\Windows\system32\Pfcmagcg.exe
161⤵
PID:2740

C:\Windows\SysWOW64\Phaimbbk.exe
C:\Windows\system32\Phaimbbk.exe
162⤵
PID:2748

C:\Windows\SysWOW64\Polajm32.exe
C:\Windows\system32\Polajm32.exe
163⤵
PID:2772

C:\Windows\SysWOW64\Pjaege32.exe
C:\Windows\system32\Pjaege32.exe
164⤵
PID:2776

C:\Windows\SysWOW64\Plpacq32.exe
C:\Windows\system32\Plpacq32.exe
165⤵
PID:2796

C:\Windows\SysWOW64\Ponnplge.exe
C:\Windows\system32\Ponnplge.exe
166⤵
PID:2812

C:\Windows\SysWOW64\Pbljlhfi.exe
C:\Windows\system32\Pbljlhfi.exe
167⤵
- Drops file in System32 directory
PID:2828

C:\Windows\SysWOW64\Pjcbmegk.exe
C:\Windows\system32\Pjcbmegk.exe
168⤵
PID:2852

C:\Windows\SysWOW64\Plbniqfo.exe
C:\Windows\system32\Plbniqfo.exe
169⤵
- Drops file in System32 directory
PID:2860

C:\Windows\SysWOW64\Popjelec.exe
C:\Windows\system32\Popjelec.exe
170⤵
PID:2868

C:\Windows\SysWOW64\Pbogagdf.exe
C:\Windows\system32\Pbogagdf.exe
171⤵
PID:2884

C:\Windows\SysWOW64\Phiona32.exe
C:\Windows\system32\Phiona32.exe
172⤵
PID:2892

C:\Windows\SysWOW64\Qkgkjm32.exe
C:\Windows\system32\Qkgkjm32.exe
173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908

C:\Windows\SysWOW64\Qobgkkcp.exe
C:\Windows\system32\Qobgkkcp.exe
174⤵
PID:2916

C:\Windows\SysWOW64\Qbacgg32.exe
C:\Windows\system32\Qbacgg32.exe
175⤵
PID:2932

C:\Windows\SysWOW64\Qhklcajq.exe
C:\Windows\system32\Qhklcajq.exe
176⤵
PID:2940

C:\Windows\SysWOW64\Qkihpmid.exe
C:\Windows\system32\Qkihpmid.exe
177⤵
PID:2956

C:\Windows\SysWOW64\Qnhdlhhh.exe
C:\Windows\system32\Qnhdlhhh.exe
178⤵
- Drops file in System32 directory
PID:2972

C:\Windows\SysWOW64\Qbcplf32.exe
C:\Windows\system32\Qbcplf32.exe
179⤵
PID:2988

C:\Windows\SysWOW64\Qdblhb32.exe
C:\Windows\system32\Qdblhb32.exe
180⤵
PID:3000

C:\Windows\SysWOW64\Ajoeai32.exe
C:\Windows\system32\Ajoeai32.exe
181⤵
- Drops file in System32 directory
PID:3012

C:\Windows\SysWOW64\Abfmbfno.exe
C:\Windows\system32\Abfmbfno.exe
182⤵
PID:3028

C:\Windows\SysWOW64\Acgijo32.exe
C:\Windows\system32\Acgijo32.exe
183⤵
PID:3044

C:\Windows\SysWOW64\Aknakl32.exe
C:\Windows\system32\Aknakl32.exe
184⤵
PID:3048

C:\Windows\SysWOW64\Anmngg32.exe
C:\Windows\system32\Anmngg32.exe
185⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3068

C:\Windows\SysWOW64\Aeffcakp.exe
C:\Windows\system32\Aeffcakp.exe
186⤵
- Drops file in System32 directory
PID:2060

C:\Windows\SysWOW64\Agebpmjc.exe
C:\Windows\system32\Agebpmjc.exe
187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2064

C:\Windows\SysWOW64\Ajcnlhjg.exe
C:\Windows\system32\Ajcnlhjg.exe
188⤵
PID:2100

C:\Windows\SysWOW64\Amajhdik.exe
C:\Windows\system32\Amajhdik.exe
189⤵
PID:2148

C:\Windows\SysWOW64\Afjoaiok.exe
C:\Windows\system32\Afjoaiok.exe
190⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180

C:\Windows\SysWOW64\Apbcjo32.exe
C:\Windows\system32\Apbcjo32.exe
191⤵
- Modifies registry class
PID:2196

C:\Windows\SysWOW64\Amfdcc32.exe
C:\Windows\system32\Amfdcc32.exe
192⤵
PID:2320

C:\Windows\SysWOW64\Beaigebp.exe
C:\Windows\system32\Beaigebp.exe
193⤵
- Modifies registry class
PID:2368

C:\Windows\SysWOW64\Bmiqibbb.exe
C:\Windows\system32\Bmiqibbb.exe
194⤵
- Drops file in System32 directory
PID:2524

C:\Windows\SysWOW64\Bfaeah32.exe
C:\Windows\system32\Bfaeah32.exe
195⤵
- Modifies registry class
PID:2244

C:\Windows\SysWOW64\Bipand32.exe
C:\Windows\system32\Bipand32.exe
196⤵
PID:2264

C:\Windows\SysWOW64\Blnnjo32.exe
C:\Windows\system32\Blnnjo32.exe
197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2296

C:\Windows\SysWOW64\Bnljfk32.exe
C:\Windows\system32\Bnljfk32.exe
198⤵
- Drops file in System32 directory
PID:2356

C:\Windows\SysWOW64\Befbbe32.exe
C:\Windows\system32\Befbbe32.exe
199⤵
- Drops file in System32 directory
PID:2412

C:\Windows\SysWOW64\Bhenop32.exe
C:\Windows\system32\Bhenop32.exe
200⤵
PID:2468

C:\Windows\SysWOW64\Bnofkjdk.exe
C:\Windows\system32\Bnofkjdk.exe
201⤵
- Drops file in System32 directory
PID:2232

C:\Windows\SysWOW64\Bbjbli32.exe
C:\Windows\system32\Bbjbli32.exe
202⤵
PID:1048

C:\Windows\SysWOW64\Bdkodabc.exe
C:\Windows\system32\Bdkodabc.exe
203⤵
PID:2452

C:\Windows\SysWOW64\Bjegqk32.exe
C:\Windows\system32\Bjegqk32.exe
204⤵
- Modifies registry class
PID:2228

C:\Windows\SysWOW64\Bmdcmg32.exe
C:\Windows\system32\Bmdcmg32.exe
205⤵
PID:2520

C:\Windows\SysWOW64\Bdnlia32.exe
C:\Windows\system32\Bdnlia32.exe
206⤵
PID:2416

C:\Windows\SysWOW64\Bflhel32.exe
C:\Windows\system32\Bflhel32.exe
207⤵
PID:2408

C:\Windows\SysWOW64\Cmfpbfgq.exe
C:\Windows\system32\Cmfpbfgq.exe
208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3092

C:\Windows\SysWOW64\Cpdlnbfd.exe
C:\Windows\system32\Cpdlnbfd.exe
209⤵
PID:3128

C:\Windows\SysWOW64\Cjjqlkfj.exe
C:\Windows\system32\Cjjqlkfj.exe
210⤵
PID:3152

C:\Windows\SysWOW64\Cmhmhfen.exe
C:\Windows\system32\Cmhmhfen.exe
211⤵
PID:3168

C:\Windows\SysWOW64\Cpgidada.exe
C:\Windows\system32\Cpgidada.exe
212⤵
- Modifies registry class
PID:3180

C:\Windows\SysWOW64\Cbeepmce.exe
C:\Windows\system32\Cbeepmce.exe
213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3196

C:\Windows\SysWOW64\Cionmgkb.exe
C:\Windows\system32\Cionmgkb.exe
214⤵
- Modifies registry class
PID:3212

C:\Windows\SysWOW64\Clnjibjf.exe
C:\Windows\system32\Clnjibjf.exe
215⤵
PID:3228

C:\Windows\SysWOW64\Cbhbem32.exe
C:\Windows\system32\Cbhbem32.exe
216⤵
PID:3244

C:\Windows\SysWOW64\Cefnah32.exe
C:\Windows\system32\Cefnah32.exe
217⤵
PID:3268

C:\Windows\SysWOW64\Cmmfce32.exe
C:\Windows\system32\Cmmfce32.exe
218⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3284

C:\Windows\SysWOW64\Coocjngg.exe
C:\Windows\system32\Coocjngg.exe
219⤵
PID:3300

C:\Windows\SysWOW64\Cfeklkhi.exe
C:\Windows\system32\Cfeklkhi.exe
220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3312

C:\Windows\SysWOW64\Cidghf32.exe
C:\Windows\system32\Cidghf32.exe
221⤵
PID:3328

C:\Windows\SysWOW64\Cpnodqnj.exe
C:\Windows\system32\Cpnodqnj.exe
222⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3340

C:\Windows\SysWOW64\Daolli32.exe
C:\Windows\system32\Daolli32.exe
223⤵
PID:3356

C:\Windows\SysWOW64\Difdmf32.exe
C:\Windows\system32\Difdmf32.exe
224⤵
PID:3372

C:\Windows\SysWOW64\Dlepia32.exe
C:\Windows\system32\Dlepia32.exe
225⤵
PID:3388

C:\Windows\SysWOW64\Doclem32.exe
C:\Windows\system32\Doclem32.exe
226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3400

C:\Windows\SysWOW64\Daahah32.exe
C:\Windows\system32\Daahah32.exe
227⤵
- Drops file in System32 directory
PID:3420

C:\Windows\SysWOW64\Ddpend32.exe
C:\Windows\system32\Ddpend32.exe
228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3436

C:\Windows\SysWOW64\Dkjmjn32.exe
C:\Windows\system32\Dkjmjn32.exe
229⤵
PID:3452

C:\Windows\SysWOW64\Dadeghpb.exe
C:\Windows\system32\Dadeghpb.exe
230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3468

C:\Windows\SysWOW64\Ddbaccof.exe
C:\Windows\system32\Ddbaccof.exe
231⤵
PID:3484

C:\Windows\SysWOW64\Dkljpn32.exe
C:\Windows\system32\Dkljpn32.exe
232⤵
PID:3500

C:\Windows\SysWOW64\Dnkfli32.exe
C:\Windows\system32\Dnkfli32.exe
233⤵
PID:3516

C:\Windows\SysWOW64\Dpibhd32.exe
C:\Windows\system32\Dpibhd32.exe
234⤵
PID:3536

C:\Windows\SysWOW64\Dgcjeolg.exe
C:\Windows\system32\Dgcjeolg.exe
235⤵
- Drops file in System32 directory
PID:3552

C:\Windows\SysWOW64\Diafaj32.exe
C:\Windows\system32\Diafaj32.exe
236⤵
PID:3572

C:\Windows\SysWOW64\Dpkondch.exe
C:\Windows\system32\Dpkondch.exe
237⤵
- Drops file in System32 directory
PID:3588

C:\Windows\SysWOW64\Ddgkoc32.exe
C:\Windows\system32\Ddgkoc32.exe
238⤵
PID:3608

C:\Windows\SysWOW64\Enooghaa.exe
C:\Windows\system32\Enooghaa.exe
239⤵
- Drops file in System32 directory
PID:3624

C:\Windows\SysWOW64\Epnlcdqe.exe
C:\Windows\system32\Epnlcdqe.exe
240⤵
PID:3644

C:\Windows\SysWOW64\Eclhpopi.exe
C:\Windows\system32\Eclhpopi.exe
241⤵
PID:3660

C:\Windows\SysWOW64\Eghdpn32.exe
C:\Windows\system32\Eghdpn32.exe
242⤵
PID:3676

C:\Windows\SysWOW64\Enalmh32.exe
C:\Windows\system32\Enalmh32.exe
243⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3696

C:\Windows\SysWOW64\Eochdpem.exe
C:\Windows\system32\Eochdpem.exe
244⤵
PID:3712

C:\Windows\SysWOW64\Efmqaj32.exe
C:\Windows\system32\Efmqaj32.exe
245⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3728

C:\Windows\SysWOW64\Elginddg.exe
C:\Windows\system32\Elginddg.exe
246⤵
PID:3740

C:\Windows\SysWOW64\Eoeejpcj.exe
C:\Windows\system32\Eoeejpcj.exe
247⤵
PID:3756

C:\Windows\SysWOW64\Efomgj32.exe
C:\Windows\system32\Efomgj32.exe
248⤵
- Modifies registry class
PID:3776

C:\Windows\SysWOW64\Ehnjce32.exe
C:\Windows\system32\Ehnjce32.exe
249⤵
PID:3792

C:\Windows\SysWOW64\Eliecd32.exe
C:\Windows\system32\Eliecd32.exe
250⤵
PID:3804

C:\Windows\SysWOW64\Eohbpp32.exe
C:\Windows\system32\Eohbpp32.exe
251⤵
- Modifies registry class
PID:3824

C:\Windows\SysWOW64\Efajljid.exe
C:\Windows\system32\Efajljid.exe
252⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3836

C:\Windows\SysWOW64\Ehpfhehh.exe
C:\Windows\system32\Ehpfhehh.exe
253⤵
PID:3852

C:\Windows\SysWOW64\Ekobdqgl.exe
C:\Windows\system32\Ekobdqgl.exe
254⤵
- Drops file in System32 directory
PID:3872

C:\Windows\SysWOW64\Eojoeo32.exe
C:\Windows\system32\Eojoeo32.exe
255⤵
PID:3888

C:\Windows\SysWOW64\Efdgbigb.exe
C:\Windows\system32\Efdgbigb.exe
256⤵
- Modifies registry class
PID:3904

C:\Windows\SysWOW64\Fhbcnefe.exe
C:\Windows\system32\Fhbcnefe.exe
257⤵
- Drops file in System32 directory
PID:3924

C:\Windows\SysWOW64\Fkaojpei.exe
C:\Windows\system32\Fkaojpei.exe
258⤵
- Drops file in System32 directory
PID:3940

C:\Windows\SysWOW64\Fkclpp32.exe
C:\Windows\system32\Fkclpp32.exe
259⤵
- Drops file in System32 directory
PID:3948

C:\Windows\SysWOW64\Fqpdhg32.exe
C:\Windows\system32\Fqpdhg32.exe
260⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3956

C:\Windows\SysWOW64\Fcnqdb32.exe
C:\Windows\system32\Fcnqdb32.exe
261⤵
PID:3964

C:\Windows\SysWOW64\Fkeiep32.exe
C:\Windows\system32\Fkeiep32.exe
262⤵
PID:3972

C:\Windows\SysWOW64\Fndeakph.exe
C:\Windows\system32\Fndeakph.exe
263⤵
- Drops file in System32 directory
PID:3980

C:\Windows\SysWOW64\Fmgemh32.exe
C:\Windows\system32\Fmgemh32.exe
264⤵
PID:3988

C:\Windows\SysWOW64\Fcqmjbno.exe
C:\Windows\system32\Fcqmjbno.exe
265⤵
- Drops file in System32 directory
PID:3996

C:\Windows\SysWOW64\Ffojfmnc.exe
C:\Windows\system32\Ffojfmnc.exe
266⤵
- Drops file in System32 directory
PID:4004

C:\Windows\SysWOW64\Fnfagkne.exe
C:\Windows\system32\Fnfagkne.exe
267⤵
PID:4012

C:\Windows\SysWOW64\Fmibbg32.exe
C:\Windows\system32\Fmibbg32.exe
268⤵
PID:4020

C:\Windows\SysWOW64\Fognoc32.exe
C:\Windows\system32\Fognoc32.exe
269⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4028

C:\Windows\SysWOW64\Fgofpp32.exe
C:\Windows\system32\Fgofpp32.exe
270⤵
- Modifies registry class
PID:4036

C:\Windows\SysWOW64\Fjmbll32.exe
C:\Windows\system32\Fjmbll32.exe
271⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4044

C:\Windows\SysWOW64\Fmkohg32.exe
C:\Windows\system32\Fmkohg32.exe
272⤵
PID:4052

C:\Windows\SysWOW64\Gojkdbbq.exe
C:\Windows\system32\Gojkdbbq.exe
273⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4060

C:\Windows\SysWOW64\Gcegea32.exe
C:\Windows\system32\Gcegea32.exe
274⤵
PID:4068

C:\Windows\SysWOW64\Gjooakaf.exe
C:\Windows\system32\Gjooakaf.exe
275⤵
- Modifies registry class
PID:4076

C:\Windows\SysWOW64\Gkqlic32.exe
C:\Windows\system32\Gkqlic32.exe
276⤵
PID:4084

C:\Windows\SysWOW64\Gchcja32.exe
C:\Windows\system32\Gchcja32.exe
277⤵
PID:4092

C:\Windows\SysWOW64\Geipbine.exe
C:\Windows\system32\Geipbine.exe
278⤵
PID:2388

C:\Windows\SysWOW64\Gmphcfog.exe
C:\Windows\system32\Gmphcfog.exe
279⤵
PID:3084

C:\Windows\SysWOW64\Gpodob32.exe
C:\Windows\system32\Gpodob32.exe
280⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3100

C:\Windows\SysWOW64\Gbmqkm32.exe
C:\Windows\system32\Gbmqkm32.exe
281⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3108

C:\Windows\SysWOW64\Gfhmlleh.exe
C:\Windows\system32\Gfhmlleh.exe
282⤵
PID:3116

C:\Windows\SysWOW64\Gigihgdl.exe
C:\Windows\system32\Gigihgdl.exe
283⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3124

C:\Windows\SysWOW64\Genimh32.exe
C:\Windows\system32\Genimh32.exe
284⤵
- Modifies registry class
PID:3140

C:\Windows\SysWOW64\Gglfid32.exe
C:\Windows\system32\Gglfid32.exe
285⤵
PID:3148

C:\Windows\SysWOW64\Gnfnfnqq.exe
C:\Windows\system32\Gnfnfnqq.exe
286⤵
PID:3176

C:\Windows\SysWOW64\Ggnbocga.exe
C:\Windows\system32\Ggnbocga.exe
287⤵
- Modifies registry class
PID:3192

C:\Windows\SysWOW64\Hjmokofe.exe
C:\Windows\system32\Hjmokofe.exe
288⤵
PID:3208

C:\Windows\SysWOW64\Hebchhfk.exe
C:\Windows\system32\Hebchhfk.exe
289⤵
PID:3224

C:\Windows\SysWOW64\Hfcopp32.exe
C:\Windows\system32\Hfcopp32.exe
290⤵
PID:3252

C:\Windows\SysWOW64\Hhcljc32.exe
C:\Windows\system32\Hhcljc32.exe
291⤵
PID:3256

C:\Windows\SysWOW64\Hidhakij.exe
C:\Windows\system32\Hidhakij.exe
292⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3264

C:\Windows\SysWOW64\Hpnqne32.exe
C:\Windows\system32\Hpnqne32.exe
293⤵
PID:3280

C:\Windows\SysWOW64\Hdjmodip.exe
C:\Windows\system32\Hdjmodip.exe
294⤵
PID:3296

C:\Windows\SysWOW64\Hjdeln32.exe
C:\Windows\system32\Hjdeln32.exe
295⤵
PID:3320

C:\Windows\SysWOW64\Higegkgg.exe
C:\Windows\system32\Higegkgg.exe
296⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3336

C:\Windows\SysWOW64\Hleacffk.exe
C:\Windows\system32\Hleacffk.exe
297⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3352

C:\Windows\SysWOW64\Hdlidc32.exe
C:\Windows\system32\Hdlidc32.exe
298⤵
PID:3368

C:\Windows\SysWOW64\Hfkeqo32.exe
C:\Windows\system32\Hfkeqo32.exe
299⤵
- Drops file in System32 directory
PID:3496

C:\Windows\SysWOW64\Ihnongjl.exe
C:\Windows\system32\Ihnongjl.exe
300⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3532

C:\Windows\SysWOW64\Ipegodjo.exe
C:\Windows\system32\Ipegodjo.exe
301⤵
PID:3632

C:\Windows\SysWOW64\Illgdepc.exe
C:\Windows\system32\Illgdepc.exe
302⤵
PID:3652

C:\Windows\SysWOW64\Ealdkf32.exe
C:\Windows\system32\Ealdkf32.exe
303⤵
- Modifies registry class
PID:3668

C:\Windows\SysWOW64\Edmmma32.exe
C:\Windows\system32\Edmmma32.exe
304⤵
- Drops file in System32 directory
PID:3684

C:\Windows\SysWOW64\Eaqnfeae.exe
C:\Windows\system32\Eaqnfeae.exe
305⤵
PID:3692

C:\Windows\SysWOW64\Ecdgcm32.exe
C:\Windows\system32\Ecdgcm32.exe
306⤵
PID:3708

C:\Windows\SysWOW64\Ekkodk32.exe
C:\Windows\system32\Ekkodk32.exe
307⤵
PID:3724

C:\Windows\SysWOW64\Elmklcka.exe
C:\Windows\system32\Elmklcka.exe
308⤵
PID:3748

C:\Windows\SysWOW64\Eddcmp32.exe
C:\Windows\system32\Eddcmp32.exe
309⤵
PID:3764

C:\Windows\SysWOW64\Ecgdimcn.exe
C:\Windows\system32\Ecgdimcn.exe
310⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3772

C:\Windows\SysWOW64\Efepehba.exe
C:\Windows\system32\Efepehba.exe
311⤵
PID:3788

C:\Windows\SysWOW64\Fnlhffbd.exe
C:\Windows\system32\Fnlhffbd.exe
312⤵
PID:3812

C:\Windows\SysWOW64\Fpkdbaah.exe
C:\Windows\system32\Fpkdbaah.exe
313⤵
- Modifies registry class
PID:3820

C:\Windows\SysWOW64\Fciqomak.exe
C:\Windows\system32\Fciqomak.exe
314⤵
PID:3844

C:\Windows\SysWOW64\Fjcikg32.exe
C:\Windows\system32\Fjcikg32.exe
315⤵
PID:3860

C:\Windows\SysWOW64\Flaegb32.exe
C:\Windows\system32\Flaegb32.exe
316⤵
PID:3868

C:\Windows\SysWOW64\Fpmahape.exe
C:\Windows\system32\Fpmahape.exe
317⤵
PID:3884

C:\Windows\SysWOW64\Fanmpiec.exe
C:\Windows\system32\Fanmpiec.exe
318⤵
PID:3900

C:\Windows\SysWOW64\Fjeeaffe.exe
C:\Windows\system32\Fjeeaffe.exe
319⤵
- Modifies registry class
PID:3916

C:\Windows\SysWOW64\Fkfbho32.exe
C:\Windows\system32\Fkfbho32.exe
320⤵
PID:3932

C:\Windows\SysWOW64\Fobnimdm.exe
C:\Windows\system32\Fobnimdm.exe
321⤵
PID:1512

C:\Windows\SysWOW64\Fbqjeicq.exe
C:\Windows\system32\Fbqjeicq.exe
322⤵
- Drops file in System32 directory
PID:3396

C:\Windows\SysWOW64\Fdofadbd.exe
C:\Windows\system32\Fdofadbd.exe
323⤵
PID:3412

C:\Windows\SysWOW64\Flfnbacf.exe
C:\Windows\system32\Flfnbacf.exe
324⤵
- Modifies registry class
PID:3428

C:\Windows\SysWOW64\Fkionn32.exe
C:\Windows\system32\Fkionn32.exe
325⤵
PID:3444

C:\Windows\SysWOW64\Fbcgkhan.exe
C:\Windows\system32\Fbcgkhan.exe
326⤵
PID:3460

C:\Windows\SysWOW64\Fhmogbik.exe
C:\Windows\system32\Fhmogbik.exe
327⤵
PID:3476

C:\Windows\SysWOW64\Foggdm32.exe
C:\Windows\system32\Foggdm32.exe
328⤵
- Modifies registry class
PID:3492

C:\Windows\SysWOW64\Fnjgpigb.exe
C:\Windows\system32\Fnjgpigb.exe
329⤵
PID:3524

C:\Windows\SysWOW64\Fqhdleff.exe
C:\Windows\system32\Fqhdleff.exe
330⤵
PID:3548

C:\Windows\SysWOW64\Gholmbgh.exe
C:\Windows\system32\Gholmbgh.exe
331⤵
PID:3564

C:\Windows\SysWOW64\Ggblho32.exe
C:\Windows\system32\Ggblho32.exe
332⤵
PID:3580

C:\Windows\SysWOW64\Gjqhej32.exe
C:\Windows\system32\Gjqhej32.exe
333⤵
PID:3596

C:\Windows\SysWOW64\Gbgpfh32.exe
C:\Windows\system32\Gbgpfh32.exe
334⤵
- Modifies registry class
PID:3604

C:\Windows\SysWOW64\Gcimnpcg.exe
C:\Windows\system32\Gcimnpcg.exe
335⤵
PID:3620

C:\Windows\SysWOW64\Gkpeom32.exe
C:\Windows\system32\Gkpeom32.exe
336⤵
PID:1652

C:\Windows\SysWOW64\Gjcejjkc.exe
C:\Windows\system32\Gjcejjkc.exe
337⤵
- Drops file in System32 directory
PID:844

C:\Windows\SysWOW64\Gqmmgd32.exe
C:\Windows\system32\Gqmmgd32.exe
338⤵
PID:4104

C:\Windows\SysWOW64\Gckicp32.exe
C:\Windows\system32\Gckicp32.exe
339⤵
PID:4112

C:\Windows\SysWOW64\Gfifok32.exe
C:\Windows\system32\Gfifok32.exe
340⤵
PID:4120

C:\Windows\SysWOW64\Gnqnph32.exe
C:\Windows\system32\Gnqnph32.exe
341⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4128

C:\Windows\SysWOW64\Gobjhqgh.exe
C:\Windows\system32\Gobjhqgh.exe
342⤵
- Drops file in System32 directory
PID:4136

C:\Windows\SysWOW64\Gflbekne.exe
C:\Windows\system32\Gflbekne.exe
343⤵
- Drops file in System32 directory
PID:4144

C:\Windows\SysWOW64\Gijoafni.exe
C:\Windows\system32\Gijoafni.exe
344⤵
- Modifies registry class
PID:4156

C:\Windows\SysWOW64\Godgnp32.exe
C:\Windows\system32\Godgnp32.exe
345⤵
- Drops file in System32 directory
PID:4164

C:\Windows\SysWOW64\Gbbcjl32.exe
C:\Windows\system32\Gbbcjl32.exe
346⤵
PID:4172

C:\Windows\SysWOW64\Gimkffkf.exe
C:\Windows\system32\Gimkffkf.exe
347⤵
PID:4180

C:\Windows\SysWOW64\Hkkgbakj.exe
C:\Windows\system32\Hkkgbakj.exe
348⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4188

C:\Windows\SysWOW64\Hcbpdokl.exe
C:\Windows\system32\Hcbpdokl.exe
349⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4196

C:\Windows\SysWOW64\Hfqlpjjp.exe
C:\Windows\system32\Hfqlpjjp.exe
350⤵
PID:4204

C:\Windows\SysWOW64\Hmkdmdbm.exe
C:\Windows\system32\Hmkdmdbm.exe
351⤵
PID:4212

C:\Windows\SysWOW64\Hnlqdl32.exe
C:\Windows\system32\Hnlqdl32.exe
352⤵
PID:4220

C:\Windows\SysWOW64\Hbgmekpd.exe
C:\Windows\system32\Hbgmekpd.exe
353⤵
PID:4228

C:\Windows\SysWOW64\Hefiafoh.exe
C:\Windows\system32\Hefiafoh.exe
354⤵
PID:4236

C:\Windows\SysWOW64\Hgdembnk.exe
C:\Windows\system32\Hgdembnk.exe
355⤵
PID:4244

C:\Windows\SysWOW64\Hnnmjl32.exe
C:\Windows\system32\Hnnmjl32.exe
356⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4252

C:\Windows\SysWOW64\Hamifg32.exe
C:\Windows\system32\Hamifg32.exe
357⤵
PID:4260

C:\Windows\SysWOW64\Hgfaba32.exe
C:\Windows\system32\Hgfaba32.exe
358⤵
PID:4268

C:\Windows\SysWOW64\Hjenom32.exe
C:\Windows\system32\Hjenom32.exe
359⤵
PID:4276

C:\Windows\SysWOW64\Hblfpj32.exe
C:\Windows\system32\Hblfpj32.exe
360⤵
- Modifies registry class
PID:4284

C:\Windows\SysWOW64\Hejblf32.exe
C:\Windows\system32\Hejblf32.exe
361⤵
- Drops file in System32 directory
PID:4292

C:\Windows\SysWOW64\Hhinha32.exe
C:\Windows\system32\Hhinha32.exe
362⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4300

C:\Windows\SysWOW64\Hjgkdm32.exe
C:\Windows\system32\Hjgkdm32.exe
363⤵
PID:4308

C:\Windows\SysWOW64\Hmfgqh32.exe
C:\Windows\system32\Hmfgqh32.exe
364⤵
PID:4316

C:\Windows\SysWOW64\Hemoae32.exe
C:\Windows\system32\Hemoae32.exe
365⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4324

C:\Windows\SysWOW64\Ifnkinon.exe
C:\Windows\system32\Ifnkinon.exe
366⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4332

C:\Windows\SysWOW64\Ijjgjlgg.exe
C:\Windows\system32\Ijjgjlgg.exe
367⤵
PID:4340

C:\Windows\SysWOW64\Iacpff32.exe
C:\Windows\system32\Iacpff32.exe
368⤵
PID:4348

C:\Windows\SysWOW64\Ihnhcqfa.exe
C:\Windows\system32\Ihnhcqfa.exe
369⤵
- Drops file in System32 directory
PID:4356

C:\Windows\SysWOW64\Ijldoled.exe
C:\Windows\system32\Ijldoled.exe
370⤵
PID:4364

C:\Windows\SysWOW64\Iiodki32.exe
C:\Windows\system32\Iiodki32.exe
371⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4372

C:\Windows\SysWOW64\Iafllf32.exe
C:\Windows\system32\Iafllf32.exe
372⤵
PID:4380

C:\Windows\SysWOW64\Ibgidnbp.exe
C:\Windows\system32\Ibgidnbp.exe
373⤵
PID:4388

C:\Windows\SysWOW64\Ijnqelcb.exe
C:\Windows\system32\Ijnqelcb.exe
374⤵
PID:4396

C:\Windows\SysWOW64\Iiaaqh32.exe
C:\Windows\system32\Iiaaqh32.exe
375⤵
PID:4404

C:\Windows\SysWOW64\Ilpmmdip.exe
C:\Windows\system32\Ilpmmdip.exe
376⤵
PID:4412

C:\Windows\SysWOW64\Idgenajb.exe
C:\Windows\system32\Idgenajb.exe
377⤵
- Modifies registry class
PID:4420

C:\Windows\SysWOW64\Ifeajmif.exe
C:\Windows\system32\Ifeajmif.exe
378⤵
PID:4428

C:\Windows\SysWOW64\Iicnfhhj.exe
C:\Windows\system32\Iicnfhhj.exe
379⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4436

C:\Windows\SysWOW64\Ilbjbcgm.exe
C:\Windows\system32\Ilbjbcgm.exe
380⤵
PID:4444

C:\Windows\SysWOW64\Iblbon32.exe
C:\Windows\system32\Iblbon32.exe
381⤵
PID:4452

C:\Windows\SysWOW64\Iejnki32.exe
C:\Windows\system32\Iejnki32.exe
382⤵
PID:4460

C:\Windows\SysWOW64\Ihikgd32.exe
C:\Windows\system32\Ihikgd32.exe
383⤵
PID:4468

C:\Windows\SysWOW64\Ippbhbmd.exe
C:\Windows\system32\Ippbhbmd.exe
384⤵
- Drops file in System32 directory
PID:4476

C:\Windows\SysWOW64\Jbnodmlg.exe
C:\Windows\system32\Jbnodmlg.exe
385⤵
PID:4484

C:\Windows\SysWOW64\Jemkqilk.exe
C:\Windows\system32\Jemkqilk.exe
386⤵
PID:4492

C:\Windows\SysWOW64\Jkicipjb.exe
C:\Windows\system32\Jkicipjb.exe
387⤵
PID:4500

C:\Windows\SysWOW64\Jbqljmje.exe
C:\Windows\system32\Jbqljmje.exe
388⤵
PID:4508

C:\Windows\SysWOW64\Jaclej32.exe
C:\Windows\system32\Jaclej32.exe
389⤵
- Modifies registry class
PID:4516

C:\Windows\SysWOW64\Jdbhae32.exe
C:\Windows\system32\Jdbhae32.exe
390⤵
- Drops file in System32 directory
PID:4524

C:\Windows\SysWOW64\Jlipcb32.exe
C:\Windows\system32\Jlipcb32.exe
391⤵
PID:4532

C:\Windows\SysWOW64\Joglonpi.exe
C:\Windows\system32\Joglonpi.exe
392⤵
PID:4548

C:\Windows\SysWOW64\Jeadlh32.exe
C:\Windows\system32\Jeadlh32.exe
393⤵
- Modifies registry class
PID:4564

C:\Windows\SysWOW64\Jknmdo32.exe
C:\Windows\system32\Jknmdo32.exe
394⤵
PID:4580

C:\Windows\SysWOW64\Jojidnnf.exe
C:\Windows\system32\Jojidnnf.exe
395⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4592

C:\Windows\SysWOW64\Jpkelf32.exe
C:\Windows\system32\Jpkelf32.exe
396⤵
PID:4604

C:\Windows\SysWOW64\Jhbnmc32.exe
C:\Windows\system32\Jhbnmc32.exe
397⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4612

C:\Windows\SysWOW64\Jkqjio32.exe
C:\Windows\system32\Jkqjio32.exe
398⤵
PID:4620

C:\Windows\SysWOW64\Jmofejcn.exe
C:\Windows\system32\Jmofejcn.exe
399⤵
PID:4628

C:\Windows\SysWOW64\Jpmbbebb.exe
C:\Windows\system32\Jpmbbebb.exe
400⤵
PID:4636

C:\Windows\SysWOW64\Jggjop32.exe
C:\Windows\system32\Jggjop32.exe
401⤵
PID:4644

C:\Windows\SysWOW64\Kiegkk32.exe
C:\Windows\system32\Kiegkk32.exe
402⤵
PID:4652

C:\Windows\SysWOW64\Kldcgf32.exe
C:\Windows\system32\Kldcgf32.exe
403⤵
- Drops file in System32 directory
PID:4660

C:\Windows\SysWOW64\Kdkkhd32.exe
C:\Windows\system32\Kdkkhd32.exe
404⤵
- Modifies registry class
PID:4668

C:\Windows\SysWOW64\Kgigdo32.exe
C:\Windows\system32\Kgigdo32.exe
405⤵
PID:4676

C:\Windows\SysWOW64\Kihcpk32.exe
C:\Windows\system32\Kihcpk32.exe
406⤵
- Modifies registry class
PID:4684

C:\Windows\SysWOW64\Klfplf32.exe
C:\Windows\system32\Klfplf32.exe
407⤵
PID:4692

C:\Windows\SysWOW64\Koelhaeg.exe
C:\Windows\system32\Koelhaeg.exe
408⤵
- Modifies registry class
PID:4700

C:\Windows\SysWOW64\Kgldjoei.exe
C:\Windows\system32\Kgldjoei.exe
409⤵
- Modifies registry class
PID:4708

C:\Windows\SysWOW64\Kijpfjdm.exe
C:\Windows\system32\Kijpfjdm.exe
410⤵
- Drops file in System32 directory
PID:4716

C:\Windows\SysWOW64\Kpdhbd32.exe
C:\Windows\system32\Kpdhbd32.exe
411⤵
PID:4724

C:\Windows\SysWOW64\Kcbdop32.exe
C:\Windows\system32\Kcbdop32.exe
412⤵
PID:4732

C:\Windows\SysWOW64\Keaakk32.exe
C:\Windows\system32\Keaakk32.exe
413⤵
- Modifies registry class
PID:4740

C:\Windows\SysWOW64\Klkigean.exe
C:\Windows\system32\Klkigean.exe
414⤵
PID:4748

C:\Windows\SysWOW64\Kceadpik.exe
C:\Windows\system32\Kceadpik.exe
415⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 140
416⤵
- Program crash
PID:4764

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdfleclh.exe
Filesize
50KB

MD5
b0c956e7a12bbc6b76cd68053675bac8

SHA1
c086b403c58da7bd7a6128c15336cf9beaff1911

SHA256
453a9e228a97e9065f5548b5678972098557df56bce72720790cb135442b6b61

SHA512
d1514a3a9f77e046e20c78936c2ed62bbed56050b417fa851091e22218ffa5f87dd62b917ac805009c09eab1263e6578c9b8c68317889950dcccd3ad7cbb7fe3

Download Submit
C:\Windows\SysWOW64\Bdfleclh.exe
Filesize
50KB

MD5
b0c956e7a12bbc6b76cd68053675bac8

SHA1
c086b403c58da7bd7a6128c15336cf9beaff1911

SHA256
453a9e228a97e9065f5548b5678972098557df56bce72720790cb135442b6b61

SHA512
d1514a3a9f77e046e20c78936c2ed62bbed56050b417fa851091e22218ffa5f87dd62b917ac805009c09eab1263e6578c9b8c68317889950dcccd3ad7cbb7fe3

Download Submit
C:\Windows\SysWOW64\Bignii32.exe
Filesize
50KB

MD5
e6496c70272d090c94cf5dbdf027800b

SHA1
1d34a1b9e95b7ca4979990c434bcd7146436f8e9

SHA256
3e93899cd44a3b7da1d55211618f083272e00ec37ee99acdcb6816c57605e04f

SHA512
8f01dc6e92eed3a2162378774b5941d951f9af998b2ac432524a32cc4342927563d05e015848422e718e851435702987d89334d79be22f50b49bd929ec6d0706

Download Submit
C:\Windows\SysWOW64\Bignii32.exe
Filesize
50KB

MD5
e6496c70272d090c94cf5dbdf027800b

SHA1
1d34a1b9e95b7ca4979990c434bcd7146436f8e9

SHA256
3e93899cd44a3b7da1d55211618f083272e00ec37ee99acdcb6816c57605e04f

SHA512
8f01dc6e92eed3a2162378774b5941d951f9af998b2ac432524a32cc4342927563d05e015848422e718e851435702987d89334d79be22f50b49bd929ec6d0706

Download Submit
C:\Windows\SysWOW64\Bmqndh32.exe
Filesize
50KB

MD5
0a3c60949000556bc2cb4e147264f403

SHA1
dcbfb470f41dd44037d8047046eebcedd75bd6d0

SHA256
cc11651a8d3ef94ff389a2c9a65888f7b03c8378e95635ca134492ee4044a8e7

SHA512
60f10287dd34b22a7b23a8dcd5d581853c5141b6b92665a5b97caf89d2592bd9d237c0922af1546881ed0316b23857f95e54add7d0e17edd2d8f0c2774445059

Download Submit
C:\Windows\SysWOW64\Bmqndh32.exe
Filesize
50KB

MD5
0a3c60949000556bc2cb4e147264f403

SHA1
dcbfb470f41dd44037d8047046eebcedd75bd6d0

SHA256
cc11651a8d3ef94ff389a2c9a65888f7b03c8378e95635ca134492ee4044a8e7

SHA512
60f10287dd34b22a7b23a8dcd5d581853c5141b6b92665a5b97caf89d2592bd9d237c0922af1546881ed0316b23857f95e54add7d0e17edd2d8f0c2774445059

Download Submit
C:\Windows\SysWOW64\Boajkp32.exe
Filesize
50KB

MD5
bbcbbb868b2718535f8dcecf36b55c89

SHA1
f70ec42949f0aa168d6eb27f8f6144143def16b1

SHA256
46edc8fe74f85dc97d23ebe5e779fee28a5eebc98de6c7e29a7240dc19c7981e

SHA512
3972bc5e0a323e2f085773fb23cc3c1f96fa48ee411d97d108240c0131a0f5c5f209bde0c199011c3484196e816d6acaa0ff95a2c1cb8d95633630c9bdb39d4a

Download Submit
C:\Windows\SysWOW64\Boajkp32.exe
Filesize
50KB

MD5
bbcbbb868b2718535f8dcecf36b55c89

SHA1
f70ec42949f0aa168d6eb27f8f6144143def16b1

SHA256
46edc8fe74f85dc97d23ebe5e779fee28a5eebc98de6c7e29a7240dc19c7981e

SHA512
3972bc5e0a323e2f085773fb23cc3c1f96fa48ee411d97d108240c0131a0f5c5f209bde0c199011c3484196e816d6acaa0ff95a2c1cb8d95633630c9bdb39d4a

Download Submit
C:\Windows\SysWOW64\Bodgap32.exe
Filesize
50KB

MD5
58ee7f809f17c4fedf5d51c89c338fe7

SHA1
95eeffad389f7c529aa6f7e73b94abc24a87319c

SHA256
c9f1c4b51e4a3a68657727c044d9860eb8a854826f7cbfc33b6d8875123993ab

SHA512
95b4e0a570f4bbdf63e675b4025473f8a330736cb01ca1d0067863c0432810fcf092ee5ba5f154a5b2ca2d3e9f259e0bb74ce1a9198999f17f66286b9de20c63

Download Submit
C:\Windows\SysWOW64\Bodgap32.exe
Filesize
50KB

MD5
58ee7f809f17c4fedf5d51c89c338fe7

SHA1
95eeffad389f7c529aa6f7e73b94abc24a87319c

SHA256
c9f1c4b51e4a3a68657727c044d9860eb8a854826f7cbfc33b6d8875123993ab

SHA512
95b4e0a570f4bbdf63e675b4025473f8a330736cb01ca1d0067863c0432810fcf092ee5ba5f154a5b2ca2d3e9f259e0bb74ce1a9198999f17f66286b9de20c63

Download Submit
C:\Windows\SysWOW64\Bpmmjd32.exe
Filesize
50KB

MD5
0713a41aea9ccd1f264c9f61ac7391ee

SHA1
8bdf4b2076fe622f118f6c2348bf6f388c4ceb25

SHA256
849762f80bf73c395c1fa99143515e48b18c0ffb036e90bd7737caf9fb0a419d

SHA512
d537fe6c76174d58aaad556532eccc96a79c10fdcfc0e5d07c97cbae9e119905a8b23ad0e86bdf355abe3e6c2729f4c803ec1132f3d32ce9f7695e2f6494f4c1

Download Submit
C:\Windows\SysWOW64\Bpmmjd32.exe
Filesize
50KB

MD5
0713a41aea9ccd1f264c9f61ac7391ee

SHA1
8bdf4b2076fe622f118f6c2348bf6f388c4ceb25

SHA256
849762f80bf73c395c1fa99143515e48b18c0ffb036e90bd7737caf9fb0a419d

SHA512
d537fe6c76174d58aaad556532eccc96a79c10fdcfc0e5d07c97cbae9e119905a8b23ad0e86bdf355abe3e6c2729f4c803ec1132f3d32ce9f7695e2f6494f4c1

Download Submit
C:\Windows\SysWOW64\Calfcj32.exe
Filesize
50KB

MD5
1e492540256f129402a46c4e4ecd8fe4

SHA1
d69b011e94de19e71cb61b288a245ec3f3cabc67

SHA256
b08bac1a51c8cf2d0120e4c5c2dd97e26a93a6ee6afb83d617210353b1e28615

SHA512
976ce10351c01c5cf09dad88068696182578817ba67eb500f266807cb6da966652fa95e80f369a0070020220b47b7509daa5868117c019401cab0df488988d8a

Download Submit
C:\Windows\SysWOW64\Calfcj32.exe
Filesize
50KB

MD5
1e492540256f129402a46c4e4ecd8fe4

SHA1
d69b011e94de19e71cb61b288a245ec3f3cabc67

SHA256
b08bac1a51c8cf2d0120e4c5c2dd97e26a93a6ee6afb83d617210353b1e28615

SHA512
976ce10351c01c5cf09dad88068696182578817ba67eb500f266807cb6da966652fa95e80f369a0070020220b47b7509daa5868117c019401cab0df488988d8a

Download Submit
C:\Windows\SysWOW64\Cebhii32.exe
Filesize
50KB

MD5
60540b999c62a28f7480ba3cb9f22aeb

SHA1
b2b176c9ec420ec1010881f2a65e028ecb8d1a7d

SHA256
da6f8b80f07ddf4edcb31db4f81cb674aa59e2d235f495b94d5e9bd0771c8c10

SHA512
f620e1de1fcc57461adaacb34182227dd585f7b9d0f882a0ef00e2ded6642e55e16898398d0ee8df7b85b1862b1295ab8f7f36c07a87a6231f2cb5bff78c102d

Download Submit
C:\Windows\SysWOW64\Cebhii32.exe
Filesize
50KB

MD5
60540b999c62a28f7480ba3cb9f22aeb

SHA1
b2b176c9ec420ec1010881f2a65e028ecb8d1a7d

SHA256
da6f8b80f07ddf4edcb31db4f81cb674aa59e2d235f495b94d5e9bd0771c8c10

SHA512
f620e1de1fcc57461adaacb34182227dd585f7b9d0f882a0ef00e2ded6642e55e16898398d0ee8df7b85b1862b1295ab8f7f36c07a87a6231f2cb5bff78c102d

Download Submit
C:\Windows\SysWOW64\Cginla32.exe
Filesize
50KB

MD5
cdd8b277443b66e86eb51b7e7c4777f8

SHA1
fd6eecef16b1cc306b0486e6e3dd132e56d37bc4

SHA256
0f2393bffb9869234c04613e203519b06017667626db8b89da6e1cc028b3be89

SHA512
b90ed3af16d68b9d30aeaf4e5eb072f9f12118f1065682ab4ee080ba95ccb5fd06037774682cee80ff7a88faf5aabd1e9a83ae1ca636ef35529e132beaefe7ff

Download Submit
C:\Windows\SysWOW64\Cginla32.exe
Filesize
50KB

MD5
cdd8b277443b66e86eb51b7e7c4777f8

SHA1
fd6eecef16b1cc306b0486e6e3dd132e56d37bc4

SHA256
0f2393bffb9869234c04613e203519b06017667626db8b89da6e1cc028b3be89

SHA512
b90ed3af16d68b9d30aeaf4e5eb072f9f12118f1065682ab4ee080ba95ccb5fd06037774682cee80ff7a88faf5aabd1e9a83ae1ca636ef35529e132beaefe7ff

Download Submit
C:\Windows\SysWOW64\Chcajddj.exe
Filesize
50KB

MD5
9a126aa65ced871f08ceb450de237589

SHA1
d642539581a491aaded90501184c27291a03373e

SHA256
f05c7199c0b8a055b71d903113673ea3e5c55f6da8a0bec52dedb51ab30221ee

SHA512
d0daa39f6724301d3d8ee085f90f1836400188cbadcffe4d40aa9bca26c800f1d9ec1a8ec13dbfdacab53014a7366605ae6c6bfa26a04ff62a3db66632aabb94

Download Submit
C:\Windows\SysWOW64\Chcajddj.exe
Filesize
50KB

MD5
9a126aa65ced871f08ceb450de237589

SHA1
d642539581a491aaded90501184c27291a03373e

SHA256
f05c7199c0b8a055b71d903113673ea3e5c55f6da8a0bec52dedb51ab30221ee

SHA512
d0daa39f6724301d3d8ee085f90f1836400188cbadcffe4d40aa9bca26c800f1d9ec1a8ec13dbfdacab53014a7366605ae6c6bfa26a04ff62a3db66632aabb94

Download Submit
C:\Windows\SysWOW64\Cijkni32.exe
Filesize
50KB

MD5
b7e87b8d0114a7fcdcd4e686926a2edc

SHA1
1d2ae47a56fbe4ec516f9b6186f5b166677cf9d4

SHA256
b0bbb22b20678326c2d5083650d96223b5574444e96233269d6d7c4f804b0afc

SHA512
5f0d3d7ff4b7e0d13d3af9f5c8fab988ca8d11d32b692786724ff261d7be6b4569dda39c45b21e25a810f77fb816de27f35a69b901a5a2721a430b4b18119592

Download Submit
C:\Windows\SysWOW64\Cijkni32.exe
Filesize
50KB

MD5
b7e87b8d0114a7fcdcd4e686926a2edc

SHA1
1d2ae47a56fbe4ec516f9b6186f5b166677cf9d4

SHA256
b0bbb22b20678326c2d5083650d96223b5574444e96233269d6d7c4f804b0afc

SHA512
5f0d3d7ff4b7e0d13d3af9f5c8fab988ca8d11d32b692786724ff261d7be6b4569dda39c45b21e25a810f77fb816de27f35a69b901a5a2721a430b4b18119592

Download Submit
C:\Windows\SysWOW64\Cljdpdai.exe
Filesize
50KB

MD5
7697f568e49f4a27e86ac8e7227dfcbc

SHA1
4a41bf868815c03aa84df62463260039590e05e1

SHA256
22b03166e6a009080fec1d108cf9e846e45050d3aebfb378bb35db89ea749f99

SHA512
65f7d50df5359af79639adddb0e91f1b54b9e95f7eeddf50e4380d64bcd9e82c43b13c393f0ed0164811a531be13497cdeb7524413a644772122a13f5e94b6bb

Download Submit
C:\Windows\SysWOW64\Cljdpdai.exe
Filesize
50KB

MD5
7697f568e49f4a27e86ac8e7227dfcbc

SHA1
4a41bf868815c03aa84df62463260039590e05e1

SHA256
22b03166e6a009080fec1d108cf9e846e45050d3aebfb378bb35db89ea749f99

SHA512
65f7d50df5359af79639adddb0e91f1b54b9e95f7eeddf50e4380d64bcd9e82c43b13c393f0ed0164811a531be13497cdeb7524413a644772122a13f5e94b6bb

Download Submit
C:\Windows\SysWOW64\Cofcfpbo.exe
Filesize
50KB

MD5
a1c5bbaacef6a2dfd139c86df72293c0

SHA1
b587ea4e594094379ade8d76b790f88f5fbe2754

SHA256
5ba01069f2866489902dd4ba4fa214a8583980690ee652d5df7d7fa6328a6c75

SHA512
05604b31fcc5825a26b231d3475f2c0df4f712e278283d2bd40afded722f41164a581db99a5ec7f8528e32480117475ceb22b2c5711fc1b2765b27903128e3cd

Download Submit
C:\Windows\SysWOW64\Cofcfpbo.exe
Filesize
50KB

MD5
a1c5bbaacef6a2dfd139c86df72293c0

SHA1
b587ea4e594094379ade8d76b790f88f5fbe2754

SHA256
5ba01069f2866489902dd4ba4fa214a8583980690ee652d5df7d7fa6328a6c75

SHA512
05604b31fcc5825a26b231d3475f2c0df4f712e278283d2bd40afded722f41164a581db99a5ec7f8528e32480117475ceb22b2c5711fc1b2765b27903128e3cd

Download Submit
C:\Windows\SysWOW64\Cokmaonj.exe
Filesize
50KB

MD5
56aa7967f24ed1ecdc818a6f2b238650

SHA1
51e25df2bb545e4cd21e7e5a4fe52440b8616bdc

SHA256
f18022bab4bfc10f34bfc44c3bb8791e86009096f83176d45fc9fa4dee6bd837

SHA512
29e62248bfc9e6c9863321e666361b7f29a848129d0de35ce39ace53a27b864f276991803e4a0748c104ef3ff69f68d42fa5b59956da35ffb58b4a11ee5fb1ae

Download Submit
C:\Windows\SysWOW64\Cokmaonj.exe
Filesize
50KB

MD5
56aa7967f24ed1ecdc818a6f2b238650

SHA1
51e25df2bb545e4cd21e7e5a4fe52440b8616bdc

SHA256
f18022bab4bfc10f34bfc44c3bb8791e86009096f83176d45fc9fa4dee6bd837

SHA512
29e62248bfc9e6c9863321e666361b7f29a848129d0de35ce39ace53a27b864f276991803e4a0748c104ef3ff69f68d42fa5b59956da35ffb58b4a11ee5fb1ae

Download Submit
C:\Windows\SysWOW64\Denkmm32.exe
Filesize
50KB

MD5
9139891de191f564e8651925a723d93f

SHA1
008c62dbe8c235a4fc10e74681c0aacae1eb3c1c

SHA256
1cf2744499ae96406feac267e5a4d32a3cf393e1461b375ea08ee6af7417ea06

SHA512
2f0b6a78bef2337ac834c1d3ffdbcb156e50010abed0cc2970e421b14495aa6e2fbb12aaa859a6d47585db17624fefb4ba55ad343675ced8e8ce9bf72fdb12d2

Download Submit
C:\Windows\SysWOW64\Denkmm32.exe
Filesize
50KB

MD5
9139891de191f564e8651925a723d93f

SHA1
008c62dbe8c235a4fc10e74681c0aacae1eb3c1c

SHA256
1cf2744499ae96406feac267e5a4d32a3cf393e1461b375ea08ee6af7417ea06

SHA512
2f0b6a78bef2337ac834c1d3ffdbcb156e50010abed0cc2970e421b14495aa6e2fbb12aaa859a6d47585db17624fefb4ba55ad343675ced8e8ce9bf72fdb12d2

Download Submit
C:\Windows\SysWOW64\Dlegdh32.exe
Filesize
50KB

MD5
21e5659096993502ec803157b0a2e890

SHA1
31821492a6a5a51ad2de2bc6e1f13af6e8dc5c1a

SHA256
e55ec6de0798181b19d72160d6c3fd7a4e457c2619570bc2e7ed289eae4f176e

SHA512
0b5c1f4414300d41cca3191ad8215c6f2c80845ec23aad9736bac91f0594462e50c3ec58b70f0e9c1802da02f3c7cae5ab2c147eddaf97d1256c7e20fc5e3170

Download Submit
C:\Windows\SysWOW64\Dlegdh32.exe
Filesize
50KB

MD5
21e5659096993502ec803157b0a2e890

SHA1
31821492a6a5a51ad2de2bc6e1f13af6e8dc5c1a

SHA256
e55ec6de0798181b19d72160d6c3fd7a4e457c2619570bc2e7ed289eae4f176e

SHA512
0b5c1f4414300d41cca3191ad8215c6f2c80845ec23aad9736bac91f0594462e50c3ec58b70f0e9c1802da02f3c7cae5ab2c147eddaf97d1256c7e20fc5e3170

Download Submit
\Windows\SysWOW64\Bdfleclh.exe
Filesize
50KB

MD5
b0c956e7a12bbc6b76cd68053675bac8

SHA1
c086b403c58da7bd7a6128c15336cf9beaff1911

SHA256
453a9e228a97e9065f5548b5678972098557df56bce72720790cb135442b6b61

SHA512
d1514a3a9f77e046e20c78936c2ed62bbed56050b417fa851091e22218ffa5f87dd62b917ac805009c09eab1263e6578c9b8c68317889950dcccd3ad7cbb7fe3

Download Submit
\Windows\SysWOW64\Bdfleclh.exe
Filesize
50KB

MD5
b0c956e7a12bbc6b76cd68053675bac8

SHA1
c086b403c58da7bd7a6128c15336cf9beaff1911

SHA256
453a9e228a97e9065f5548b5678972098557df56bce72720790cb135442b6b61

SHA512
d1514a3a9f77e046e20c78936c2ed62bbed56050b417fa851091e22218ffa5f87dd62b917ac805009c09eab1263e6578c9b8c68317889950dcccd3ad7cbb7fe3

Download Submit
\Windows\SysWOW64\Bignii32.exe
Filesize
50KB

MD5
e6496c70272d090c94cf5dbdf027800b

SHA1
1d34a1b9e95b7ca4979990c434bcd7146436f8e9

SHA256
3e93899cd44a3b7da1d55211618f083272e00ec37ee99acdcb6816c57605e04f

SHA512
8f01dc6e92eed3a2162378774b5941d951f9af998b2ac432524a32cc4342927563d05e015848422e718e851435702987d89334d79be22f50b49bd929ec6d0706

Download Submit
\Windows\SysWOW64\Bignii32.exe
Filesize
50KB

MD5
e6496c70272d090c94cf5dbdf027800b

SHA1
1d34a1b9e95b7ca4979990c434bcd7146436f8e9

SHA256
3e93899cd44a3b7da1d55211618f083272e00ec37ee99acdcb6816c57605e04f

SHA512
8f01dc6e92eed3a2162378774b5941d951f9af998b2ac432524a32cc4342927563d05e015848422e718e851435702987d89334d79be22f50b49bd929ec6d0706

Download Submit
\Windows\SysWOW64\Bmqndh32.exe
Filesize
50KB

MD5
0a3c60949000556bc2cb4e147264f403

SHA1
dcbfb470f41dd44037d8047046eebcedd75bd6d0

SHA256
cc11651a8d3ef94ff389a2c9a65888f7b03c8378e95635ca134492ee4044a8e7

SHA512
60f10287dd34b22a7b23a8dcd5d581853c5141b6b92665a5b97caf89d2592bd9d237c0922af1546881ed0316b23857f95e54add7d0e17edd2d8f0c2774445059

Download Submit
\Windows\SysWOW64\Bmqndh32.exe
Filesize
50KB

MD5
0a3c60949000556bc2cb4e147264f403

SHA1
dcbfb470f41dd44037d8047046eebcedd75bd6d0

SHA256
cc11651a8d3ef94ff389a2c9a65888f7b03c8378e95635ca134492ee4044a8e7

SHA512
60f10287dd34b22a7b23a8dcd5d581853c5141b6b92665a5b97caf89d2592bd9d237c0922af1546881ed0316b23857f95e54add7d0e17edd2d8f0c2774445059

Download Submit
\Windows\SysWOW64\Boajkp32.exe
Filesize
50KB

MD5
bbcbbb868b2718535f8dcecf36b55c89

SHA1
f70ec42949f0aa168d6eb27f8f6144143def16b1

SHA256
46edc8fe74f85dc97d23ebe5e779fee28a5eebc98de6c7e29a7240dc19c7981e

SHA512
3972bc5e0a323e2f085773fb23cc3c1f96fa48ee411d97d108240c0131a0f5c5f209bde0c199011c3484196e816d6acaa0ff95a2c1cb8d95633630c9bdb39d4a

Download Submit
\Windows\SysWOW64\Boajkp32.exe
Filesize
50KB

MD5
bbcbbb868b2718535f8dcecf36b55c89

SHA1
f70ec42949f0aa168d6eb27f8f6144143def16b1

SHA256
46edc8fe74f85dc97d23ebe5e779fee28a5eebc98de6c7e29a7240dc19c7981e

SHA512
3972bc5e0a323e2f085773fb23cc3c1f96fa48ee411d97d108240c0131a0f5c5f209bde0c199011c3484196e816d6acaa0ff95a2c1cb8d95633630c9bdb39d4a

Download Submit
\Windows\SysWOW64\Bodgap32.exe
Filesize
50KB

MD5
58ee7f809f17c4fedf5d51c89c338fe7

SHA1
95eeffad389f7c529aa6f7e73b94abc24a87319c

SHA256
c9f1c4b51e4a3a68657727c044d9860eb8a854826f7cbfc33b6d8875123993ab

SHA512
95b4e0a570f4bbdf63e675b4025473f8a330736cb01ca1d0067863c0432810fcf092ee5ba5f154a5b2ca2d3e9f259e0bb74ce1a9198999f17f66286b9de20c63

Download Submit
\Windows\SysWOW64\Bodgap32.exe
Filesize
50KB

MD5
58ee7f809f17c4fedf5d51c89c338fe7

SHA1
95eeffad389f7c529aa6f7e73b94abc24a87319c

SHA256
c9f1c4b51e4a3a68657727c044d9860eb8a854826f7cbfc33b6d8875123993ab

SHA512
95b4e0a570f4bbdf63e675b4025473f8a330736cb01ca1d0067863c0432810fcf092ee5ba5f154a5b2ca2d3e9f259e0bb74ce1a9198999f17f66286b9de20c63

Download Submit
\Windows\SysWOW64\Bpmmjd32.exe
Filesize
50KB

MD5
0713a41aea9ccd1f264c9f61ac7391ee

SHA1
8bdf4b2076fe622f118f6c2348bf6f388c4ceb25

SHA256
849762f80bf73c395c1fa99143515e48b18c0ffb036e90bd7737caf9fb0a419d

SHA512
d537fe6c76174d58aaad556532eccc96a79c10fdcfc0e5d07c97cbae9e119905a8b23ad0e86bdf355abe3e6c2729f4c803ec1132f3d32ce9f7695e2f6494f4c1

Download Submit
\Windows\SysWOW64\Bpmmjd32.exe
Filesize
50KB

MD5
0713a41aea9ccd1f264c9f61ac7391ee

SHA1
8bdf4b2076fe622f118f6c2348bf6f388c4ceb25

SHA256
849762f80bf73c395c1fa99143515e48b18c0ffb036e90bd7737caf9fb0a419d

SHA512
d537fe6c76174d58aaad556532eccc96a79c10fdcfc0e5d07c97cbae9e119905a8b23ad0e86bdf355abe3e6c2729f4c803ec1132f3d32ce9f7695e2f6494f4c1

Download Submit
\Windows\SysWOW64\Calfcj32.exe
Filesize
50KB

MD5
1e492540256f129402a46c4e4ecd8fe4

SHA1
d69b011e94de19e71cb61b288a245ec3f3cabc67

SHA256
b08bac1a51c8cf2d0120e4c5c2dd97e26a93a6ee6afb83d617210353b1e28615

SHA512
976ce10351c01c5cf09dad88068696182578817ba67eb500f266807cb6da966652fa95e80f369a0070020220b47b7509daa5868117c019401cab0df488988d8a

Download Submit
\Windows\SysWOW64\Calfcj32.exe
Filesize
50KB

MD5
1e492540256f129402a46c4e4ecd8fe4

SHA1
d69b011e94de19e71cb61b288a245ec3f3cabc67

SHA256
b08bac1a51c8cf2d0120e4c5c2dd97e26a93a6ee6afb83d617210353b1e28615

SHA512
976ce10351c01c5cf09dad88068696182578817ba67eb500f266807cb6da966652fa95e80f369a0070020220b47b7509daa5868117c019401cab0df488988d8a

Download Submit
\Windows\SysWOW64\Cebhii32.exe
Filesize
50KB

MD5
60540b999c62a28f7480ba3cb9f22aeb

SHA1
b2b176c9ec420ec1010881f2a65e028ecb8d1a7d

SHA256
da6f8b80f07ddf4edcb31db4f81cb674aa59e2d235f495b94d5e9bd0771c8c10

SHA512
f620e1de1fcc57461adaacb34182227dd585f7b9d0f882a0ef00e2ded6642e55e16898398d0ee8df7b85b1862b1295ab8f7f36c07a87a6231f2cb5bff78c102d

Download Submit
\Windows\SysWOW64\Cebhii32.exe
Filesize
50KB

MD5
60540b999c62a28f7480ba3cb9f22aeb

SHA1
b2b176c9ec420ec1010881f2a65e028ecb8d1a7d

SHA256
da6f8b80f07ddf4edcb31db4f81cb674aa59e2d235f495b94d5e9bd0771c8c10

SHA512
f620e1de1fcc57461adaacb34182227dd585f7b9d0f882a0ef00e2ded6642e55e16898398d0ee8df7b85b1862b1295ab8f7f36c07a87a6231f2cb5bff78c102d

Download Submit
\Windows\SysWOW64\Cginla32.exe
Filesize
50KB

MD5
cdd8b277443b66e86eb51b7e7c4777f8

SHA1
fd6eecef16b1cc306b0486e6e3dd132e56d37bc4

SHA256
0f2393bffb9869234c04613e203519b06017667626db8b89da6e1cc028b3be89

SHA512
b90ed3af16d68b9d30aeaf4e5eb072f9f12118f1065682ab4ee080ba95ccb5fd06037774682cee80ff7a88faf5aabd1e9a83ae1ca636ef35529e132beaefe7ff

Download Submit
\Windows\SysWOW64\Cginla32.exe
Filesize
50KB

MD5
cdd8b277443b66e86eb51b7e7c4777f8

SHA1
fd6eecef16b1cc306b0486e6e3dd132e56d37bc4

SHA256
0f2393bffb9869234c04613e203519b06017667626db8b89da6e1cc028b3be89

SHA512
b90ed3af16d68b9d30aeaf4e5eb072f9f12118f1065682ab4ee080ba95ccb5fd06037774682cee80ff7a88faf5aabd1e9a83ae1ca636ef35529e132beaefe7ff

Download Submit
\Windows\SysWOW64\Chcajddj.exe
Filesize
50KB

MD5
9a126aa65ced871f08ceb450de237589

SHA1
d642539581a491aaded90501184c27291a03373e

SHA256
f05c7199c0b8a055b71d903113673ea3e5c55f6da8a0bec52dedb51ab30221ee

SHA512
d0daa39f6724301d3d8ee085f90f1836400188cbadcffe4d40aa9bca26c800f1d9ec1a8ec13dbfdacab53014a7366605ae6c6bfa26a04ff62a3db66632aabb94

Download Submit
\Windows\SysWOW64\Chcajddj.exe
Filesize
50KB

MD5
9a126aa65ced871f08ceb450de237589

SHA1
d642539581a491aaded90501184c27291a03373e

SHA256
f05c7199c0b8a055b71d903113673ea3e5c55f6da8a0bec52dedb51ab30221ee

SHA512
d0daa39f6724301d3d8ee085f90f1836400188cbadcffe4d40aa9bca26c800f1d9ec1a8ec13dbfdacab53014a7366605ae6c6bfa26a04ff62a3db66632aabb94

Download Submit
\Windows\SysWOW64\Cijkni32.exe
Filesize
50KB

MD5
b7e87b8d0114a7fcdcd4e686926a2edc

SHA1
1d2ae47a56fbe4ec516f9b6186f5b166677cf9d4

SHA256
b0bbb22b20678326c2d5083650d96223b5574444e96233269d6d7c4f804b0afc

SHA512
5f0d3d7ff4b7e0d13d3af9f5c8fab988ca8d11d32b692786724ff261d7be6b4569dda39c45b21e25a810f77fb816de27f35a69b901a5a2721a430b4b18119592

Download Submit
\Windows\SysWOW64\Cijkni32.exe
Filesize
50KB

MD5
b7e87b8d0114a7fcdcd4e686926a2edc

SHA1
1d2ae47a56fbe4ec516f9b6186f5b166677cf9d4

SHA256
b0bbb22b20678326c2d5083650d96223b5574444e96233269d6d7c4f804b0afc

SHA512
5f0d3d7ff4b7e0d13d3af9f5c8fab988ca8d11d32b692786724ff261d7be6b4569dda39c45b21e25a810f77fb816de27f35a69b901a5a2721a430b4b18119592

Download Submit
\Windows\SysWOW64\Cljdpdai.exe
Filesize
50KB

MD5
7697f568e49f4a27e86ac8e7227dfcbc

SHA1
4a41bf868815c03aa84df62463260039590e05e1

SHA256
22b03166e6a009080fec1d108cf9e846e45050d3aebfb378bb35db89ea749f99

SHA512
65f7d50df5359af79639adddb0e91f1b54b9e95f7eeddf50e4380d64bcd9e82c43b13c393f0ed0164811a531be13497cdeb7524413a644772122a13f5e94b6bb

Download Submit
\Windows\SysWOW64\Cljdpdai.exe
Filesize
50KB

MD5
7697f568e49f4a27e86ac8e7227dfcbc

SHA1
4a41bf868815c03aa84df62463260039590e05e1

SHA256
22b03166e6a009080fec1d108cf9e846e45050d3aebfb378bb35db89ea749f99

SHA512
65f7d50df5359af79639adddb0e91f1b54b9e95f7eeddf50e4380d64bcd9e82c43b13c393f0ed0164811a531be13497cdeb7524413a644772122a13f5e94b6bb

Download Submit
\Windows\SysWOW64\Cofcfpbo.exe
Filesize
50KB

MD5
a1c5bbaacef6a2dfd139c86df72293c0

SHA1
b587ea4e594094379ade8d76b790f88f5fbe2754

SHA256
5ba01069f2866489902dd4ba4fa214a8583980690ee652d5df7d7fa6328a6c75

SHA512
05604b31fcc5825a26b231d3475f2c0df4f712e278283d2bd40afded722f41164a581db99a5ec7f8528e32480117475ceb22b2c5711fc1b2765b27903128e3cd

Download Submit
\Windows\SysWOW64\Cofcfpbo.exe
Filesize
50KB

MD5
a1c5bbaacef6a2dfd139c86df72293c0

SHA1
b587ea4e594094379ade8d76b790f88f5fbe2754

SHA256
5ba01069f2866489902dd4ba4fa214a8583980690ee652d5df7d7fa6328a6c75

SHA512
05604b31fcc5825a26b231d3475f2c0df4f712e278283d2bd40afded722f41164a581db99a5ec7f8528e32480117475ceb22b2c5711fc1b2765b27903128e3cd

Download Submit
\Windows\SysWOW64\Cokmaonj.exe
Filesize
50KB

MD5
56aa7967f24ed1ecdc818a6f2b238650

SHA1
51e25df2bb545e4cd21e7e5a4fe52440b8616bdc

SHA256
f18022bab4bfc10f34bfc44c3bb8791e86009096f83176d45fc9fa4dee6bd837

SHA512
29e62248bfc9e6c9863321e666361b7f29a848129d0de35ce39ace53a27b864f276991803e4a0748c104ef3ff69f68d42fa5b59956da35ffb58b4a11ee5fb1ae

Download Submit
\Windows\SysWOW64\Cokmaonj.exe
Filesize
50KB

MD5
56aa7967f24ed1ecdc818a6f2b238650

SHA1
51e25df2bb545e4cd21e7e5a4fe52440b8616bdc

SHA256
f18022bab4bfc10f34bfc44c3bb8791e86009096f83176d45fc9fa4dee6bd837

SHA512
29e62248bfc9e6c9863321e666361b7f29a848129d0de35ce39ace53a27b864f276991803e4a0748c104ef3ff69f68d42fa5b59956da35ffb58b4a11ee5fb1ae

Download Submit
\Windows\SysWOW64\Denkmm32.exe
Filesize
50KB

MD5
9139891de191f564e8651925a723d93f

SHA1
008c62dbe8c235a4fc10e74681c0aacae1eb3c1c

SHA256
1cf2744499ae96406feac267e5a4d32a3cf393e1461b375ea08ee6af7417ea06

SHA512
2f0b6a78bef2337ac834c1d3ffdbcb156e50010abed0cc2970e421b14495aa6e2fbb12aaa859a6d47585db17624fefb4ba55ad343675ced8e8ce9bf72fdb12d2

Download Submit
\Windows\SysWOW64\Denkmm32.exe
Filesize
50KB

MD5
9139891de191f564e8651925a723d93f

SHA1
008c62dbe8c235a4fc10e74681c0aacae1eb3c1c

SHA256
1cf2744499ae96406feac267e5a4d32a3cf393e1461b375ea08ee6af7417ea06

SHA512
2f0b6a78bef2337ac834c1d3ffdbcb156e50010abed0cc2970e421b14495aa6e2fbb12aaa859a6d47585db17624fefb4ba55ad343675ced8e8ce9bf72fdb12d2

Download Submit
\Windows\SysWOW64\Dlegdh32.exe
Filesize
50KB

MD5
21e5659096993502ec803157b0a2e890

SHA1
31821492a6a5a51ad2de2bc6e1f13af6e8dc5c1a

SHA256
e55ec6de0798181b19d72160d6c3fd7a4e457c2619570bc2e7ed289eae4f176e

SHA512
0b5c1f4414300d41cca3191ad8215c6f2c80845ec23aad9736bac91f0594462e50c3ec58b70f0e9c1802da02f3c7cae5ab2c147eddaf97d1256c7e20fc5e3170

Download Submit
\Windows\SysWOW64\Dlegdh32.exe
Filesize
50KB

MD5
21e5659096993502ec803157b0a2e890

SHA1
31821492a6a5a51ad2de2bc6e1f13af6e8dc5c1a

SHA256
e55ec6de0798181b19d72160d6c3fd7a4e457c2619570bc2e7ed289eae4f176e

SHA512
0b5c1f4414300d41cca3191ad8215c6f2c80845ec23aad9736bac91f0594462e50c3ec58b70f0e9c1802da02f3c7cae5ab2c147eddaf97d1256c7e20fc5e3170

Download Submit
memory/360-151-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/360-96-0x0000000000000000-mapping.dmp

Download
memory/428-194-0x0000000000000000-mapping.dmp

Download
memory/432-146-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/432-76-0x0000000000000000-mapping.dmp

Download
memory/520-167-0x0000000000000000-mapping.dmp

Download
memory/520-219-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/520-221-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/520-220-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/548-144-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/548-71-0x0000000000000000-mapping.dmp

Download
memory/628-140-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/628-56-0x0000000000000000-mapping.dmp

Download
memory/636-168-0x0000000000000000-mapping.dmp

Download
memory/636-222-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/636-224-0x00000000003C0000-0x00000000003F1000-memory.dmp

Filesize
196KB

Download
memory/636-223-0x00000000003C0000-0x00000000003F1000-memory.dmp

Filesize
196KB

Download
memory/688-166-0x0000000000000000-mapping.dmp

Download
memory/688-216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/688-218-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/688-217-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/876-241-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/876-174-0x0000000000000000-mapping.dmp

Download
memory/876-240-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/880-182-0x0000000000000000-mapping.dmp

Download
memory/884-196-0x0000000000000000-mapping.dmp

Download
memory/932-161-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/932-131-0x0000000000000000-mapping.dmp

Download
memory/968-134-0x0000000000000000-mapping.dmp

Download
memory/968-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/980-179-0x0000000000000000-mapping.dmp

Download
memory/1008-210-0x0000000000000000-mapping.dmp

Download
memory/1016-135-0x0000000000000000-mapping.dmp

Download
memory/1016-164-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1080-143-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1080-66-0x0000000000000000-mapping.dmp

Download
memory/1124-111-0x0000000000000000-mapping.dmp

Download
memory/1124-155-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1128-181-0x0000000000000000-mapping.dmp

Download
memory/1148-149-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1148-91-0x0000000000000000-mapping.dmp

Download
memory/1208-150-0x0000000000000000-mapping.dmp

Download
memory/1208-204-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1208-206-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/1268-209-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1268-211-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/1268-156-0x0000000000000000-mapping.dmp

Download
memory/1308-195-0x0000000000000000-mapping.dmp

Download
memory/1316-235-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1316-234-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1316-236-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1316-172-0x0000000000000000-mapping.dmp

Download
memory/1320-183-0x0000000000000000-mapping.dmp

Download
memory/1324-213-0x0000000000000000-mapping.dmp

Download
memory/1340-121-0x0000000000000000-mapping.dmp

Download
memory/1340-158-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1356-176-0x0000000000000000-mapping.dmp

Download
memory/1356-245-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1376-214-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1376-212-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1376-159-0x0000000000000000-mapping.dmp

Download
memory/1500-169-0x0000000000000000-mapping.dmp

Download
memory/1500-225-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1500-227-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1500-226-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1520-141-0x0000000000000000-mapping.dmp

Download
memory/1520-165-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/1520-202-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1528-187-0x0000000000000000-mapping.dmp

Download
memory/1548-86-0x0000000000000000-mapping.dmp

Download
memory/1548-148-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1592-177-0x0000000000000000-mapping.dmp

Download
memory/1600-243-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/1600-242-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1600-244-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/1600-175-0x0000000000000000-mapping.dmp

Download
memory/1604-191-0x0000000000000000-mapping.dmp

Download
memory/1616-193-0x0000000000000000-mapping.dmp

Download
memory/1620-180-0x0000000000000000-mapping.dmp

Download
memory/1640-106-0x0000000000000000-mapping.dmp

Download
memory/1640-154-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1644-190-0x0000000000000000-mapping.dmp

Download
memory/1676-215-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1676-162-0x0000000000000000-mapping.dmp

Download
memory/1680-205-0x0000000000000000-mapping.dmp

Download
memory/1688-178-0x0000000000000000-mapping.dmp

Download
memory/1692-170-0x0000000000000000-mapping.dmp

Download
memory/1692-228-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1692-230-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1692-229-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1708-197-0x0000000000000000-mapping.dmp

Download
memory/1720-137-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download
memory/1720-136-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1720-139-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download
memory/1756-233-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1756-231-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1756-232-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1756-171-0x0000000000000000-mapping.dmp

Download
memory/1760-199-0x0000000000000000-mapping.dmp

Download
memory/1772-152-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1772-101-0x0000000000000000-mapping.dmp

Download
memory/1796-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1796-138-0x0000000000000000-mapping.dmp

Download
memory/1812-186-0x0000000000000000-mapping.dmp

Download
memory/1816-160-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1816-126-0x0000000000000000-mapping.dmp

Download
memory/1836-237-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1836-238-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1836-173-0x0000000000000000-mapping.dmp

Download
memory/1836-239-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1848-189-0x0000000000000000-mapping.dmp

Download
memory/1860-188-0x0000000000000000-mapping.dmp

Download
memory/1868-61-0x0000000000000000-mapping.dmp

Download
memory/1868-142-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1916-147-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1916-81-0x0000000000000000-mapping.dmp

Download
memory/1940-203-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1940-145-0x0000000000000000-mapping.dmp

Download
memory/1952-184-0x0000000000000000-mapping.dmp

Download
memory/1976-192-0x0000000000000000-mapping.dmp

Download
memory/1980-116-0x0000000000000000-mapping.dmp

Download
memory/1980-157-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1988-185-0x0000000000000000-mapping.dmp

Download
memory/1992-201-0x0000000000000000-mapping.dmp

Download
memory/2008-198-0x0000000000000000-mapping.dmp

Download
memory/2012-207-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2012-208-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/2012-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads