5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba

Analysis

max time kernel
103s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba.exe
Size

50KB
MD5

a97ecec8f72e268571cff804ae337510
SHA1

fef88db1787f0562e23d1e167cda9c21e0b9a2c2
SHA256

5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba
SHA512

6e92b7ab7cd5c31a1f1f8fa4eefa1e02c98c343599e5c1abd1d2e1caebd7377def10cb0622ba770e167f2ca08fdd15c6a2134039bf4c55f1743354d757aa9515
SSDEEP

768:foWlIbda5eHkXQwS3Lt+qpkGdA4w/TC599EDIJ0QTz2/1H5N:foW2QeEXKh6pbCv9ED0/Q

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba.exeEbjiakmh.exeJdpoqb32.exeIihjdqlj.exeIldjklmq.exeOiiloi32.exeOfiacnfm.exeJnkpoh32.exeMpoelg32.exeHaicoe32.exeOepldjid.exeFecagd32.exeNialkkoi.exeOlcflobl.exeIkoikfmh.exeBkaaji32.exeOcddhd32.exeNpojad32.exeIdnelp32.exeLkaimo32.exeEnlkio32.exeKjkhlend.exeGobholbe.exeBmhpko32.exeKhmlpiop.exeCcfidj32.exePbkqkefk.exeFfhnflfj.exeHhpmng32.exeKbnikljp.exeAkkmmbng.exeCdbefm32.exeBfenodpo.exeEhmbjl32.exeFfqcdp32.exeCdbgoeoq.exeGphacpab.exeNdcpac32.exeAqgfeilo.exeMdhbomcj.exeGihcgk32.exeMkgfoonf.exeMmebkkmj.exeGmjegdbo.exeFqjddnli.exeBopqjn32.exeGblnda32.exeJgokmnoh.exeNmnaoiba.exeOcqlfmki.exeHohjnj32.exeCijppj32.exeCachja32.exeFcpfah32.exeOenpojkg.exeMhdphd32.exeMkepdf32.exeBgmclcgo.exeIifmdqmk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebjiakmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdpoqb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iihjdqlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ildjklmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiiloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofiacnfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnkpoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoelg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haicoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oepldjid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haicoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fecagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nialkkoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcflobl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikoikfmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkaaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocddhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npojad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idnelp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkaimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enlkio32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjkhlend.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gobholbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhpko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khmlpiop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccfidj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbkqkefk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffhnflfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhpmng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbnikljp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkmmbng.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfenodpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehmbjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffqcdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbgoeoq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gphacpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcpac32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqgfeilo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhbomcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gihcgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphacpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgfoonf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmebkkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmjegdbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoelg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqjddnli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bopqjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gblnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgokmnoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmnaoiba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocqlfmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hohjnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idnelp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cijppj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cachja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpfah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oenpojkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhdphd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofiacnfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgmclcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iifmdqmk.exe

Executes dropped EXE 64 IoCs

Processes:

Iljmgnij.exeNkadab32.exeNanmji32.exeNghefckc.exeNeobeg32.exeOphcfddi.exeOfgennhp.exeOfiacnfm.exeAcgeha32.exeBgmclcgo.exeBlmijj32.exeBfjfno32.exeCijppj32.exeCgbiff32.exeDlkeqh32.exeEjidhcoj.exeFdfblhae.exeGaefiqgo.exeGhbkkjli.exeGpplelhb.exeGlfmjmmf.exeHlkfem32.exeHceobgqn.exeInhbicea.exeIqikjo32.exeIifmdqmk.exeJihijpkh.exeJhpcqlnn.exeJjoomhma.exeKbnmli32.exeLkcegj32.exeLndnheih.exeLnhgce32.exeLdbppolp.exeMclfmk32.exeNjhgnh32.exeOkjcepkf.exeOcqlfmki.exeOlcflobl.exePcnkpapg.exePhldfo32.exePfaagl32.exePibjighf.exeQbmkgl32.exeQhlpebii.exeAmmbhi32.exeAkabbm32.exeBpcdec32.exeBhnije32.exeBkobkq32.exeCjihglge.exeCbkcmnnh.exeDnadao32.exeDiiedgap.exeDkjnfboa.exeDcebjd32.exeDfdofp32.exeEpcipd32.exeFeekckfj.exeFiinbn32.exeHcfhef32.exeIlebojlf.exeIkkopg32.exeIkmlefok.exe

pid	process
1136	Iljmgnij.exe
908	Nkadab32.exe
1000	Nanmji32.exe
1624	Nghefckc.exe
1668	Neobeg32.exe
1636	Ophcfddi.exe
1116	Ofgennhp.exe
108	Ofiacnfm.exe
760	Acgeha32.exe
964	Bgmclcgo.exe
1600	Blmijj32.exe
1908	Bfjfno32.exe
840	Cijppj32.exe
1508	Cgbiff32.exe
1320	Dlkeqh32.exe
764	Ejidhcoj.exe
304	Fdfblhae.exe
1832	Gaefiqgo.exe
1488	Ghbkkjli.exe
280	Gpplelhb.exe
308	Glfmjmmf.exe
1892	Hlkfem32.exe
1088	Hceobgqn.exe
1504	Inhbicea.exe
1988	Iqikjo32.exe
704	Iifmdqmk.exe
1124	Jihijpkh.exe
952	Jhpcqlnn.exe
1712	Jjoomhma.exe
1848	Kbnmli32.exe
1100	Lkcegj32.exe
1348	Lndnheih.exe
544	Lnhgce32.exe
1520	Ldbppolp.exe
636	Mclfmk32.exe
1012	Njhgnh32.exe
984	Okjcepkf.exe
1452	Ocqlfmki.exe
1980	Olcflobl.exe
432	Pcnkpapg.exe
268	Phldfo32.exe
1656	Pfaagl32.exe
968	Pibjighf.exe
1140	Qbmkgl32.exe
932	Qhlpebii.exe
1684	Ammbhi32.exe
972	Akabbm32.exe
1812	Bpcdec32.exe
572	Bhnije32.exe
1572	Bkobkq32.exe
1276	Cjihglge.exe
1008	Cbkcmnnh.exe
584	Dnadao32.exe
1416	Diiedgap.exe
1968	Dkjnfboa.exe
1372	Dcebjd32.exe
2000	Dfdofp32.exe
1672	Epcipd32.exe
1728	Feekckfj.exe
1388	Fiinbn32.exe
1780	Hcfhef32.exe
1476	Ilebojlf.exe
1984	Ikkopg32.exe
1200	Ikmlefok.exe

Loads dropped DLL 64 IoCs

Processes:

5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba.exeIljmgnij.exeNkadab32.exeNanmji32.exeNghefckc.exeNeobeg32.exeOphcfddi.exeOfgennhp.exeOfiacnfm.exeAcgeha32.exeBgmclcgo.exeBlmijj32.exeBfjfno32.exeCijppj32.exeCgbiff32.exeDlkeqh32.exeEjidhcoj.exeFdfblhae.exeGaefiqgo.exeGhbkkjli.exeGpplelhb.exeGlfmjmmf.exeHlkfem32.exeHceobgqn.exeInhbicea.exeIqikjo32.exeIifmdqmk.exeJihijpkh.exeJhpcqlnn.exeJjoomhma.exeKbnmli32.exeLkcegj32.exe

pid	process
1384	5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba.exe
1384	5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba.exe
1136	Iljmgnij.exe
1136	Iljmgnij.exe
908	Nkadab32.exe
908	Nkadab32.exe
1000	Nanmji32.exe
1000	Nanmji32.exe
1624	Nghefckc.exe
1624	Nghefckc.exe
1668	Neobeg32.exe
1668	Neobeg32.exe
1636	Ophcfddi.exe
1636	Ophcfddi.exe
1116	Ofgennhp.exe
1116	Ofgennhp.exe
108	Ofiacnfm.exe
108	Ofiacnfm.exe
760	Acgeha32.exe
760	Acgeha32.exe
964	Bgmclcgo.exe
964	Bgmclcgo.exe
1600	Blmijj32.exe
1600	Blmijj32.exe
1908	Bfjfno32.exe
1908	Bfjfno32.exe
840	Cijppj32.exe
840	Cijppj32.exe
1508	Cgbiff32.exe
1508	Cgbiff32.exe
1320	Dlkeqh32.exe
1320	Dlkeqh32.exe
764	Ejidhcoj.exe
764	Ejidhcoj.exe
304	Fdfblhae.exe
304	Fdfblhae.exe
1832	Gaefiqgo.exe
1832	Gaefiqgo.exe
1488	Ghbkkjli.exe
1488	Ghbkkjli.exe
280	Gpplelhb.exe
280	Gpplelhb.exe
308	Glfmjmmf.exe
308	Glfmjmmf.exe
1892	Hlkfem32.exe
1892	Hlkfem32.exe
1088	Hceobgqn.exe
1088	Hceobgqn.exe
1504	Inhbicea.exe
1504	Inhbicea.exe
1988	Iqikjo32.exe
1988	Iqikjo32.exe
704	Iifmdqmk.exe
704	Iifmdqmk.exe
1124	Jihijpkh.exe
1124	Jihijpkh.exe
952	Jhpcqlnn.exe
952	Jhpcqlnn.exe
1712	Jjoomhma.exe
1712	Jjoomhma.exe
1848	Kbnmli32.exe
1848	Kbnmli32.exe
1100	Lkcegj32.exe
1100	Lkcegj32.exe

Drops file in System32 directory 64 IoCs

Processes:

Glfmjmmf.exeDkjnfboa.exeEolleond.exeFbghknbf.exeNpjafdch.exeEgbcmdcm.exeGiokooaj.exeGkmhkjam.exeOeklod32.exeJjiogb32.exeClbggkng.exeJabbdg32.exeJqgoec32.exeEcidaf32.exeIljmgnij.exeAkabbm32.exeKjikfe32.exeKmjdhqmg.exePnodjf32.exeGfpmjjkb.exeKopmnpkl.exePgdecf32.exeBjjdoc32.exeEjblnpqn.exeElfaek32.exeMmdhodgq.exeQbmkgl32.exeFeekckfj.exePniblhgg.exeHkqeob32.exeGangfgck.exeKicglffa.exeCoelnf32.exeEjeidp32.exeInhbicea.exePcnkpapg.exeBcgcpm32.exeNplnkd32.exeOebijj32.exeCfidgb32.exeMdmnbefi.exeClgpbj32.exeOcqlfmki.exeEjlcfl32.exeIceobl32.exeLkaimo32.exeFdfblhae.exeGhbkkjli.exeIqikjo32.exeKpgiieip.exeEilpacjm.exeMolloo32.exeQfgodlfh.exeOcikjk32.exePijmnajb.exeNncbenbh.exeJdpoqb32.exeFbgaph32.exeGiloio32.exeDlkeqh32.exeBhndhhmj.exeEjpoipba.exeBkgepkio.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Oomllahh.dll	Glfmjmmf.exe
File created	C:\Windows\SysWOW64\Dcebjd32.exe	Dkjnfboa.exe
File opened for modification	C:\Windows\SysWOW64\Ebjiakmh.exe	Eolleond.exe
File opened for modification	C:\Windows\SysWOW64\Ffeaqm32.exe	Fbghknbf.exe
File created	C:\Windows\SysWOW64\Nhaigbdj.exe	Npjafdch.exe
File created	C:\Windows\SysWOW64\Ejpoipba.exe	Egbcmdcm.exe
File opened for modification	C:\Windows\SysWOW64\Gkmhkjam.exe	Giokooaj.exe
File created	C:\Windows\SysWOW64\Kpgqbhpo.dll	Gkmhkjam.exe
File opened for modification	C:\Windows\SysWOW64\Okgdgk32.exe	Oeklod32.exe
File created	C:\Windows\SysWOW64\Offcco32.dll	Jjiogb32.exe
File opened for modification	C:\Windows\SysWOW64\Coqccfmj.exe	Clbggkng.exe
File created	C:\Windows\SysWOW64\Paeegl32.dll	Jabbdg32.exe
File created	C:\Windows\SysWOW64\Jhngfa32.exe	Jqgoec32.exe
File created	C:\Windows\SysWOW64\Denfim32.dll	Ecidaf32.exe
File created	C:\Windows\SysWOW64\Nkadab32.exe	Iljmgnij.exe
File created	C:\Windows\SysWOW64\Enqoaj32.dll	Akabbm32.exe
File created	C:\Windows\SysWOW64\Khmlpiop.exe	Kjikfe32.exe
File opened for modification	C:\Windows\SysWOW64\Ljpagd32.exe	Kmjdhqmg.exe
File opened for modification	C:\Windows\SysWOW64\Pbkqkefk.exe	Pnodjf32.exe
File created	C:\Windows\SysWOW64\Gmjegdbo.exe	Gfpmjjkb.exe
File opened for modification	C:\Windows\SysWOW64\Kbnikljp.exe	Kopmnpkl.exe
File created	C:\Windows\SysWOW64\Bldgngih.exe	Pgdecf32.exe
File opened for modification	C:\Windows\SysWOW64\Bmhpko32.exe	Bjjdoc32.exe
File created	C:\Windows\SysWOW64\Nedkkb32.dll	Ejblnpqn.exe
File created	C:\Windows\SysWOW64\Djojmdil.dll	Elfaek32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnpkn32.exe	Mmdhodgq.exe
File opened for modification	C:\Windows\SysWOW64\Qhlpebii.exe	Qbmkgl32.exe
File created	C:\Windows\SysWOW64\Fiinbn32.exe	Feekckfj.exe
File opened for modification	C:\Windows\SysWOW64\Phdcjmke.exe	Pniblhgg.exe
File created	C:\Windows\SysWOW64\Kcjbde32.exe	Hkqeob32.exe
File created	C:\Windows\SysWOW64\Gieogedn.exe	Gangfgck.exe
File created	C:\Windows\SysWOW64\Hpiepd32.dll	Kicglffa.exe
File created	C:\Windows\SysWOW64\Gqgpll32.dll	Coelnf32.exe
File created	C:\Windows\SysWOW64\Elcepk32.exe	Ejeidp32.exe
File opened for modification	C:\Windows\SysWOW64\Iqikjo32.exe	Inhbicea.exe
File created	C:\Windows\SysWOW64\Phldfo32.exe	Pcnkpapg.exe
File created	C:\Windows\SysWOW64\Apepmcfo.dll	Bcgcpm32.exe
File created	C:\Windows\SysWOW64\Nbkjgp32.exe	Nplnkd32.exe
File created	C:\Windows\SysWOW64\Ohqefe32.exe	Oebijj32.exe
File created	C:\Windows\SysWOW64\Eaqefnng.dll	Cfidgb32.exe
File created	C:\Windows\SysWOW64\Amedjl32.dll	Mdmnbefi.exe
File created	C:\Windows\SysWOW64\Nmhjbcbf.dll	Clgpbj32.exe
File created	C:\Windows\SysWOW64\Olcflobl.exe	Ocqlfmki.exe
File created	C:\Windows\SysWOW64\Bokdogge.dll	Ejlcfl32.exe
File created	C:\Windows\SysWOW64\Iedlog32.exe	Iceobl32.exe
File opened for modification	C:\Windows\SysWOW64\Lnoeij32.exe	Lkaimo32.exe
File created	C:\Windows\SysWOW64\Gaefiqgo.exe	Fdfblhae.exe
File opened for modification	C:\Windows\SysWOW64\Gpplelhb.exe	Ghbkkjli.exe
File created	C:\Windows\SysWOW64\Njgmfc32.dll	Iqikjo32.exe
File created	C:\Windows\SysWOW64\Ghpdbc32.dll	Kpgiieip.exe
File created	C:\Windows\SysWOW64\Qpmlid32.dll	Eilpacjm.exe
File opened for modification	C:\Windows\SysWOW64\Mefdlidd.exe	Molloo32.exe
File opened for modification	C:\Windows\SysWOW64\Accele32.exe	Qfgodlfh.exe
File opened for modification	C:\Windows\SysWOW64\Ofggfg32.exe	Ocikjk32.exe
File created	C:\Windows\SysWOW64\Pliijmjf.exe	Pijmnajb.exe
File opened for modification	C:\Windows\SysWOW64\Kejhagkf.exe	Kicglffa.exe
File created	C:\Windows\SysWOW64\Pakcol32.dll	Nncbenbh.exe
File created	C:\Windows\SysWOW64\Jgokmnoh.exe	Jdpoqb32.exe
File created	C:\Windows\SysWOW64\Fhkpin32.exe	Fbgaph32.exe
File created	C:\Windows\SysWOW64\Klhppknk.dll	Giloio32.exe
File created	C:\Windows\SysWOW64\Ejidhcoj.exe	Dlkeqh32.exe
File opened for modification	C:\Windows\SysWOW64\Bpkfbjhb.exe	Bhndhhmj.exe
File opened for modification	C:\Windows\SysWOW64\Enlkio32.exe	Ejpoipba.exe
File opened for modification	C:\Windows\SysWOW64\Bcgcpm32.exe	Bkgepkio.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1684 2120 WerFault.exe Chppeceg.exe

pid	pid_target	process	target process
1684	2120	WerFault.exe	Chppeceg.exe

Modifies registry class 64 IoCs

Processes:

Fjilei32.exeKejhagkf.exeJhngfa32.exeGjgngfap.exeMjnebi32.exeBfjfno32.exeKmbgmkpd.exeIceobl32.exeNhaigbdj.exeOkmemahl.exeOkjcepkf.exeKfoeqpbo.exeIofminak.exeKbnikljp.exeMmebkkmj.exeOkgbnbqa.exeIdnelp32.exeMibipg32.exeLaelgb32.exeBebllbpo.exeGmjegdbo.exeFkbegfjl.exeEncflkaj.exeAkkmmbng.exeIlfgplkn.exeBpkfbjhb.exeClgpbj32.exeGhelblio.exeKopmnpkl.exeHcfhef32.exeFhoopk32.exeMcnpkn32.exeEpcipd32.exeEfchljgd.exeGblnda32.exeJkmccl32.exeIkoikfmh.exeEilpacjm.exeGobholbe.exeOhqefe32.exeIbnbgf32.exePibjighf.exeGieogedn.exeLnoeij32.exeIldjklmq.exeMahnocea.exeGdgacdld.exePbkqkefk.exeCoelnf32.exeChnagkpe.exeGmphecji.exeJofcnkpk.exeDnadao32.exeHikplj32.exeLmbcln32.exeOhniqehh.exeEjgeio32.exePcnkpapg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjilei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kejhagkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhngfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggnbddlc.dll"	Gjgngfap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedknn32.dll"	Mjnebi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfjfno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphaccpd.dll"	Kmbgmkpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iceobl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaiphii.dll"	Nhaigbdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okmemahl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejblgjl.dll"	Okjcepkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfoeqpbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iofminak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbnikljp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmlbiei.dll"	Mmebkkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaagifci.dll"	Okgbnbqa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idnelp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdooh32.dll"	Mibipg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laelgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebllbpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emgeelce.dll"	Gmjegdbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkbegfjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Encflkaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okgbnbqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpgemdn.dll"	Akkmmbng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpodn32.dll"	Ilfgplkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbeeek32.dll"	Bpkfbjhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdkoe32.dll"	Ghelblio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhdjng32.dll"	Kopmnpkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcfhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhaigbdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkpkne32.dll"	Fhoopk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnpkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epcipd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efchljgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncamjbf.dll"	Gblnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmebkkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkmccl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcfhef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chifdchn.dll"	Ikoikfmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eilpacjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggbja32.dll"	Gobholbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epaflaho.dll"	Ohqefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibnbgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pibjighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkqdg32.dll"	Gieogedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnpnjki.dll"	Lnoeij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ildjklmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahnocea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnfnbkp.dll"	Gdgacdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbkqkefk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coelnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chnagkpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmphecji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jofcnkpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihfhdl32.dll"	Pibjighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnadao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hikplj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmbcln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjilei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maamca32.dll"	Ohniqehh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejgeio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcnkpapg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1384 wrote to memory of 1136	1384	5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba.exe	Iljmgnij.exe
PID 1384 wrote to memory of 1136	1384	5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba.exe	Iljmgnij.exe
PID 1384 wrote to memory of 1136	1384	5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba.exe	Iljmgnij.exe
PID 1384 wrote to memory of 1136	1384	5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba.exe	Iljmgnij.exe
PID 1136 wrote to memory of 908	1136	Iljmgnij.exe	Nkadab32.exe
PID 1136 wrote to memory of 908	1136	Iljmgnij.exe	Nkadab32.exe
PID 1136 wrote to memory of 908	1136	Iljmgnij.exe	Nkadab32.exe
PID 1136 wrote to memory of 908	1136	Iljmgnij.exe	Nkadab32.exe
PID 908 wrote to memory of 1000	908	Nkadab32.exe	Nanmji32.exe
PID 908 wrote to memory of 1000	908	Nkadab32.exe	Nanmji32.exe
PID 908 wrote to memory of 1000	908	Nkadab32.exe	Nanmji32.exe
PID 908 wrote to memory of 1000	908	Nkadab32.exe	Nanmji32.exe
PID 1000 wrote to memory of 1624	1000	Nanmji32.exe	Nghefckc.exe
PID 1000 wrote to memory of 1624	1000	Nanmji32.exe	Nghefckc.exe
PID 1000 wrote to memory of 1624	1000	Nanmji32.exe	Nghefckc.exe
PID 1000 wrote to memory of 1624	1000	Nanmji32.exe	Nghefckc.exe
PID 1624 wrote to memory of 1668	1624	Nghefckc.exe	Neobeg32.exe
PID 1624 wrote to memory of 1668	1624	Nghefckc.exe	Neobeg32.exe
PID 1624 wrote to memory of 1668	1624	Nghefckc.exe	Neobeg32.exe
PID 1624 wrote to memory of 1668	1624	Nghefckc.exe	Neobeg32.exe
PID 1668 wrote to memory of 1636	1668	Neobeg32.exe	Ophcfddi.exe
PID 1668 wrote to memory of 1636	1668	Neobeg32.exe	Ophcfddi.exe
PID 1668 wrote to memory of 1636	1668	Neobeg32.exe	Ophcfddi.exe
PID 1668 wrote to memory of 1636	1668	Neobeg32.exe	Ophcfddi.exe
PID 1636 wrote to memory of 1116	1636	Ophcfddi.exe	Ofgennhp.exe
PID 1636 wrote to memory of 1116	1636	Ophcfddi.exe	Ofgennhp.exe
PID 1636 wrote to memory of 1116	1636	Ophcfddi.exe	Ofgennhp.exe
PID 1636 wrote to memory of 1116	1636	Ophcfddi.exe	Ofgennhp.exe
PID 1116 wrote to memory of 108	1116	Ofgennhp.exe	Ofiacnfm.exe
PID 1116 wrote to memory of 108	1116	Ofgennhp.exe	Ofiacnfm.exe
PID 1116 wrote to memory of 108	1116	Ofgennhp.exe	Ofiacnfm.exe
PID 1116 wrote to memory of 108	1116	Ofgennhp.exe	Ofiacnfm.exe
PID 108 wrote to memory of 760	108	Ofiacnfm.exe	Acgeha32.exe
PID 108 wrote to memory of 760	108	Ofiacnfm.exe	Acgeha32.exe
PID 108 wrote to memory of 760	108	Ofiacnfm.exe	Acgeha32.exe
PID 108 wrote to memory of 760	108	Ofiacnfm.exe	Acgeha32.exe
PID 760 wrote to memory of 964	760	Acgeha32.exe	Bgmclcgo.exe
PID 760 wrote to memory of 964	760	Acgeha32.exe	Bgmclcgo.exe
PID 760 wrote to memory of 964	760	Acgeha32.exe	Bgmclcgo.exe
PID 760 wrote to memory of 964	760	Acgeha32.exe	Bgmclcgo.exe
PID 964 wrote to memory of 1600	964	Bgmclcgo.exe	Blmijj32.exe
PID 964 wrote to memory of 1600	964	Bgmclcgo.exe	Blmijj32.exe
PID 964 wrote to memory of 1600	964	Bgmclcgo.exe	Blmijj32.exe
PID 964 wrote to memory of 1600	964	Bgmclcgo.exe	Blmijj32.exe
PID 1600 wrote to memory of 1908	1600	Blmijj32.exe	Bfjfno32.exe
PID 1600 wrote to memory of 1908	1600	Blmijj32.exe	Bfjfno32.exe
PID 1600 wrote to memory of 1908	1600	Blmijj32.exe	Bfjfno32.exe
PID 1600 wrote to memory of 1908	1600	Blmijj32.exe	Bfjfno32.exe
PID 1908 wrote to memory of 840	1908	Bfjfno32.exe	Cijppj32.exe
PID 1908 wrote to memory of 840	1908	Bfjfno32.exe	Cijppj32.exe
PID 1908 wrote to memory of 840	1908	Bfjfno32.exe	Cijppj32.exe
PID 1908 wrote to memory of 840	1908	Bfjfno32.exe	Cijppj32.exe
PID 840 wrote to memory of 1508	840	Cijppj32.exe	Cgbiff32.exe
PID 840 wrote to memory of 1508	840	Cijppj32.exe	Cgbiff32.exe
PID 840 wrote to memory of 1508	840	Cijppj32.exe	Cgbiff32.exe
PID 840 wrote to memory of 1508	840	Cijppj32.exe	Cgbiff32.exe
PID 1508 wrote to memory of 1320	1508	Cgbiff32.exe	Dlkeqh32.exe
PID 1508 wrote to memory of 1320	1508	Cgbiff32.exe	Dlkeqh32.exe
PID 1508 wrote to memory of 1320	1508	Cgbiff32.exe	Dlkeqh32.exe
PID 1508 wrote to memory of 1320	1508	Cgbiff32.exe	Dlkeqh32.exe
PID 1320 wrote to memory of 764	1320	Dlkeqh32.exe	Ejidhcoj.exe
PID 1320 wrote to memory of 764	1320	Dlkeqh32.exe	Ejidhcoj.exe
PID 1320 wrote to memory of 764	1320	Dlkeqh32.exe	Ejidhcoj.exe
PID 1320 wrote to memory of 764	1320	Dlkeqh32.exe	Ejidhcoj.exe

C:\Users\Admin\AppData\Local\Temp\5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba.exe
"C:\Users\Admin\AppData\Local\Temp\5b1b3ec7a6917e47c52d78949086c4578f698765835b3b741014945ff2909cba.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\Iljmgnij.exe
C:\Windows\system32\Iljmgnij.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\Nkadab32.exe
C:\Windows\system32\Nkadab32.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\Nanmji32.exe
C:\Windows\system32\Nanmji32.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\Nghefckc.exe
C:\Windows\system32\Nghefckc.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\Neobeg32.exe
C:\Windows\system32\Neobeg32.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\Ophcfddi.exe
C:\Windows\system32\Ophcfddi.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\Ofgennhp.exe
C:\Windows\system32\Ofgennhp.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\Ofiacnfm.exe
C:\Windows\system32\Ofiacnfm.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\Acgeha32.exe
C:\Windows\system32\Acgeha32.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\Bgmclcgo.exe
C:\Windows\system32\Bgmclcgo.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\Blmijj32.exe
C:\Windows\system32\Blmijj32.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\Bfjfno32.exe
C:\Windows\system32\Bfjfno32.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\Cijppj32.exe
C:\Windows\system32\Cijppj32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\Cgbiff32.exe
C:\Windows\system32\Cgbiff32.exe
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\Dlkeqh32.exe
C:\Windows\system32\Dlkeqh32.exe
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\Ejidhcoj.exe
C:\Windows\system32\Ejidhcoj.exe
17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764

C:\Windows\SysWOW64\Fdfblhae.exe
C:\Windows\system32\Fdfblhae.exe
18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:304

C:\Windows\SysWOW64\Gaefiqgo.exe
C:\Windows\system32\Gaefiqgo.exe
19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832

C:\Windows\SysWOW64\Ghbkkjli.exe
C:\Windows\system32\Ghbkkjli.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1488

C:\Windows\SysWOW64\Gpplelhb.exe
C:\Windows\system32\Gpplelhb.exe
21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280

C:\Windows\SysWOW64\Glfmjmmf.exe
C:\Windows\system32\Glfmjmmf.exe
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:308

C:\Windows\SysWOW64\Hlkfem32.exe
C:\Windows\system32\Hlkfem32.exe
23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1892

C:\Windows\SysWOW64\Hceobgqn.exe
C:\Windows\system32\Hceobgqn.exe
24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088

C:\Windows\SysWOW64\Inhbicea.exe
C:\Windows\system32\Inhbicea.exe
25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1504

C:\Windows\SysWOW64\Iqikjo32.exe
C:\Windows\system32\Iqikjo32.exe
26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1988

C:\Windows\SysWOW64\Iifmdqmk.exe
C:\Windows\system32\Iifmdqmk.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:704

C:\Windows\SysWOW64\Jihijpkh.exe
C:\Windows\system32\Jihijpkh.exe
28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124

C:\Windows\SysWOW64\Jhpcqlnn.exe
C:\Windows\system32\Jhpcqlnn.exe
29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952

C:\Windows\SysWOW64\Jjoomhma.exe
C:\Windows\system32\Jjoomhma.exe
30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712

C:\Windows\SysWOW64\Kbnmli32.exe
C:\Windows\system32\Kbnmli32.exe
31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848

C:\Windows\SysWOW64\Lkcegj32.exe
C:\Windows\system32\Lkcegj32.exe
32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100

C:\Windows\SysWOW64\Lndnheih.exe
C:\Windows\system32\Lndnheih.exe
33⤵
- Executes dropped EXE
PID:1348

C:\Windows\SysWOW64\Lnhgce32.exe
C:\Windows\system32\Lnhgce32.exe
34⤵
- Executes dropped EXE
PID:544

C:\Windows\SysWOW64\Ldbppolp.exe
C:\Windows\system32\Ldbppolp.exe
35⤵
- Executes dropped EXE
PID:1520

C:\Windows\SysWOW64\Mclfmk32.exe
C:\Windows\system32\Mclfmk32.exe
36⤵
- Executes dropped EXE
PID:636

C:\Windows\SysWOW64\Njhgnh32.exe
C:\Windows\system32\Njhgnh32.exe
37⤵
- Executes dropped EXE
PID:1012

C:\Windows\SysWOW64\Okjcepkf.exe
C:\Windows\system32\Okjcepkf.exe
38⤵
- Executes dropped EXE
- Modifies registry class
PID:984

C:\Windows\SysWOW64\Ocqlfmki.exe
C:\Windows\system32\Ocqlfmki.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1452

C:\Windows\SysWOW64\Olcflobl.exe
C:\Windows\system32\Olcflobl.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1980

C:\Windows\SysWOW64\Pcnkpapg.exe
C:\Windows\system32\Pcnkpapg.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:432

C:\Windows\SysWOW64\Phldfo32.exe
C:\Windows\system32\Phldfo32.exe
42⤵
- Executes dropped EXE
PID:268

C:\Windows\SysWOW64\Pfaagl32.exe
C:\Windows\system32\Pfaagl32.exe
43⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWOW64\Pibjighf.exe
C:\Windows\system32\Pibjighf.exe
44⤵
- Executes dropped EXE
- Modifies registry class
PID:968

C:\Windows\SysWOW64\Qbmkgl32.exe
C:\Windows\system32\Qbmkgl32.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1140

C:\Windows\SysWOW64\Qhlpebii.exe
C:\Windows\system32\Qhlpebii.exe
46⤵
- Executes dropped EXE
PID:932

C:\Windows\SysWOW64\Ammbhi32.exe
C:\Windows\system32\Ammbhi32.exe
47⤵
- Executes dropped EXE
PID:1684

C:\Windows\SysWOW64\Akabbm32.exe
C:\Windows\system32\Akabbm32.exe
48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:972

C:\Windows\SysWOW64\Bpcdec32.exe
C:\Windows\system32\Bpcdec32.exe
49⤵
- Executes dropped EXE
PID:1812

C:\Windows\SysWOW64\Bhnije32.exe
C:\Windows\system32\Bhnije32.exe
50⤵
- Executes dropped EXE
PID:572

C:\Windows\SysWOW64\Bhpfoe32.exe
C:\Windows\system32\Bhpfoe32.exe
51⤵
PID:1640

C:\Windows\SysWOW64\Bkobkq32.exe
C:\Windows\system32\Bkobkq32.exe
52⤵
- Executes dropped EXE
PID:1572

C:\Windows\SysWOW64\Cjihglge.exe
C:\Windows\system32\Cjihglge.exe
53⤵
- Executes dropped EXE
PID:1276

C:\Windows\SysWOW64\Cbkcmnnh.exe
C:\Windows\system32\Cbkcmnnh.exe
54⤵
- Executes dropped EXE
PID:1008

C:\Windows\SysWOW64\Dnadao32.exe
C:\Windows\system32\Dnadao32.exe
55⤵
- Executes dropped EXE
- Modifies registry class
PID:584

C:\Windows\SysWOW64\Diiedgap.exe
C:\Windows\system32\Diiedgap.exe
56⤵
- Executes dropped EXE
PID:1416

C:\Windows\SysWOW64\Dkjnfboa.exe
C:\Windows\system32\Dkjnfboa.exe
57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968

C:\Windows\SysWOW64\Dcebjd32.exe
C:\Windows\system32\Dcebjd32.exe
58⤵
- Executes dropped EXE
PID:1372

C:\Windows\SysWOW64\Dfdofp32.exe
C:\Windows\system32\Dfdofp32.exe
59⤵
- Executes dropped EXE
PID:2000

C:\Windows\SysWOW64\Epcipd32.exe
C:\Windows\system32\Epcipd32.exe
60⤵
- Executes dropped EXE
- Modifies registry class
PID:1672

C:\Windows\SysWOW64\Feekckfj.exe
C:\Windows\system32\Feekckfj.exe
61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1728

C:\Windows\SysWOW64\Fiinbn32.exe
C:\Windows\system32\Fiinbn32.exe
62⤵
- Executes dropped EXE
PID:1388

C:\Windows\SysWOW64\Hcfhef32.exe
C:\Windows\system32\Hcfhef32.exe
63⤵
- Executes dropped EXE
- Modifies registry class
PID:1780

C:\Windows\SysWOW64\Ilebojlf.exe
C:\Windows\system32\Ilebojlf.exe
64⤵
- Executes dropped EXE
PID:1476

C:\Windows\SysWOW64\Ikkopg32.exe
C:\Windows\system32\Ikkopg32.exe
65⤵
- Executes dropped EXE
PID:1984

C:\Windows\SysWOW64\Ikmlefok.exe
C:\Windows\system32\Ikmlefok.exe
66⤵
- Executes dropped EXE
PID:1200

C:\Windows\SysWOW64\Ikoikfmh.exe
C:\Windows\system32\Ikoikfmh.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1072

C:\Windows\SysWOW64\Ibiahpde.exe
C:\Windows\system32\Ibiahpde.exe
68⤵
PID:592

C:\Windows\SysWOW64\Jgkckf32.exe
C:\Windows\system32\Jgkckf32.exe
69⤵
PID:1792

C:\Windows\SysWOW64\Jjiogb32.exe
C:\Windows\system32\Jjiogb32.exe
70⤵
- Drops file in System32 directory
PID:1740

C:\Windows\SysWOW64\Jegicofd.exe
C:\Windows\system32\Jegicofd.exe
71⤵
PID:1492

C:\Windows\SysWOW64\Kpmnphfj.exe
C:\Windows\system32\Kpmnphfj.exe
72⤵
PID:856

C:\Windows\SysWOW64\Kjikfe32.exe
C:\Windows\system32\Kjikfe32.exe
73⤵
- Drops file in System32 directory
PID:1644

C:\Windows\SysWOW64\Khmlpiop.exe
C:\Windows\system32\Khmlpiop.exe
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560

C:\Windows\SysWOW64\Kjkhlend.exe
C:\Windows\system32\Kjkhlend.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592

C:\Windows\SysWOW64\Kmjdhqmg.exe
C:\Windows\system32\Kmjdhqmg.exe
76⤵
- Drops file in System32 directory
PID:1352

C:\Windows\SysWOW64\Ljpagd32.exe
C:\Windows\system32\Ljpagd32.exe
77⤵
PID:2004

C:\Windows\SysWOW64\Lmnncp32.exe
C:\Windows\system32\Lmnncp32.exe
78⤵
PID:1264

C:\Windows\SysWOW64\Laelgb32.exe
C:\Windows\system32\Laelgb32.exe
79⤵
- Modifies registry class
PID:1160

C:\Windows\SysWOW64\Mdhbomcj.exe
C:\Windows\system32\Mdhbomcj.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:696

C:\Windows\SysWOW64\Miekgd32.exe
C:\Windows\system32\Miekgd32.exe
81⤵
PID:1292

C:\Windows\SysWOW64\Mpapingl.exe
C:\Windows\system32\Mpapingl.exe
82⤵
PID:1772

C:\Windows\SysWOW64\Mdmljm32.exe
C:\Windows\system32\Mdmljm32.exe
83⤵
PID:2076

C:\Windows\SysWOW64\Ocikjk32.exe
C:\Windows\system32\Ocikjk32.exe
84⤵
- Drops file in System32 directory
PID:2084

C:\Windows\SysWOW64\Ofggfg32.exe
C:\Windows\system32\Ofggfg32.exe
85⤵
PID:2092

C:\Windows\SysWOW64\Pijmnajb.exe
C:\Windows\system32\Pijmnajb.exe
86⤵
- Drops file in System32 directory
PID:2104

C:\Windows\SysWOW64\Pliijmjf.exe
C:\Windows\system32\Pliijmjf.exe
87⤵
PID:2112

C:\Windows\SysWOW64\Pngefhij.exe
C:\Windows\system32\Pngefhij.exe
88⤵
PID:2120

C:\Windows\SysWOW64\Pniblhgg.exe
C:\Windows\system32\Pniblhgg.exe
89⤵
- Drops file in System32 directory
PID:2128

C:\Windows\SysWOW64\Phdcjmke.exe
C:\Windows\system32\Phdcjmke.exe
90⤵
PID:2136

C:\Windows\SysWOW64\Pnnkgg32.exe
C:\Windows\system32\Pnnkgg32.exe
91⤵
PID:2216

C:\Windows\SysWOW64\Abicfi32.exe
C:\Windows\system32\Abicfi32.exe
92⤵
PID:2224

C:\Windows\SysWOW64\Aehpbe32.exe
C:\Windows\system32\Aehpbe32.exe
93⤵
PID:2232

C:\Windows\SysWOW64\Bkgepkio.exe
C:\Windows\system32\Bkgepkio.exe
94⤵
- Drops file in System32 directory
PID:2240

C:\Windows\SysWOW64\Bcgcpm32.exe
C:\Windows\system32\Bcgcpm32.exe
95⤵
- Drops file in System32 directory
PID:2248

C:\Windows\SysWOW64\Blohhbie.exe
C:\Windows\system32\Blohhbie.exe
96⤵
PID:2260

C:\Windows\SysWOW64\Bopqjn32.exe
C:\Windows\system32\Bopqjn32.exe
97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268

C:\Windows\SysWOW64\Coggkmpn.exe
C:\Windows\system32\Coggkmpn.exe
98⤵
PID:2276

C:\Windows\SysWOW64\Dqbfic32.exe
C:\Windows\system32\Dqbfic32.exe
99⤵
PID:2340

C:\Windows\SysWOW64\Djjkaidb.exe
C:\Windows\system32\Djjkaidb.exe
100⤵
PID:2376

C:\Windows\SysWOW64\Dbeofk32.exe
C:\Windows\system32\Dbeofk32.exe
101⤵
PID:2384

C:\Windows\SysWOW64\Efchljgd.exe
C:\Windows\system32\Efchljgd.exe
102⤵
- Modifies registry class
PID:2392

C:\Windows\SysWOW64\Eiadhegg.exe
C:\Windows\system32\Eiadhegg.exe
103⤵
PID:2400

C:\Windows\SysWOW64\Eolleond.exe
C:\Windows\system32\Eolleond.exe
104⤵
- Drops file in System32 directory
PID:2408

C:\Windows\SysWOW64\Ebjiakmh.exe
C:\Windows\system32\Ebjiakmh.exe
105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2416

C:\Windows\SysWOW64\Eekacfji.exe
C:\Windows\system32\Eekacfji.exe
106⤵
PID:2424

C:\Windows\SysWOW64\Ekejpp32.exe
C:\Windows\system32\Ekejpp32.exe
107⤵
PID:2432

C:\Windows\SysWOW64\Encflkaj.exe
C:\Windows\system32\Encflkaj.exe
108⤵
- Modifies registry class
PID:2440

C:\Windows\SysWOW64\Eaabhgpm.exe
C:\Windows\system32\Eaabhgpm.exe
109⤵
PID:2448

C:\Windows\SysWOW64\Ecpodboa.exe
C:\Windows\system32\Ecpodboa.exe
110⤵
PID:2456

C:\Windows\SysWOW64\Egngjq32.exe
C:\Windows\system32\Egngjq32.exe
111⤵
PID:2464

C:\Windows\SysWOW64\Ejlcfl32.exe
C:\Windows\system32\Ejlcfl32.exe
112⤵
- Drops file in System32 directory
PID:2472

C:\Windows\SysWOW64\Fbghknbf.exe
C:\Windows\system32\Fbghknbf.exe
113⤵
- Drops file in System32 directory
PID:2480

C:\Windows\SysWOW64\Ffeaqm32.exe
C:\Windows\system32\Ffeaqm32.exe
114⤵
PID:2488

C:\Windows\SysWOW64\Ffhnflfj.exe
C:\Windows\system32\Ffhnflfj.exe
115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496

C:\Windows\SysWOW64\Ghncidhc.exe
C:\Windows\system32\Ghncidhc.exe
116⤵
PID:2504

C:\Windows\SysWOW64\Gdgacdld.exe
C:\Windows\system32\Gdgacdld.exe
117⤵
- Modifies registry class
PID:2512

C:\Windows\SysWOW64\Ggemppkh.exe
C:\Windows\system32\Ggemppkh.exe
118⤵
PID:2520

C:\Windows\SysWOW64\Gblnda32.exe
C:\Windows\system32\Gblnda32.exe
119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2672

C:\Windows\SysWOW64\Gihcgk32.exe
C:\Windows\system32\Gihcgk32.exe
120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712

C:\Windows\SysWOW64\Hikplj32.exe
C:\Windows\system32\Hikplj32.exe
121⤵
- Modifies registry class
PID:2720

C:\Windows\SysWOW64\Heapak32.exe
C:\Windows\system32\Heapak32.exe
122⤵
PID:2728

C:\Windows\SysWOW64\Hhpmng32.exe
C:\Windows\system32\Hhpmng32.exe
123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736

C:\Windows\SysWOW64\Hkqeob32.exe
C:\Windows\system32\Hkqeob32.exe
124⤵
- Drops file in System32 directory
PID:2744

C:\Windows\SysWOW64\Kcjbde32.exe
C:\Windows\system32\Kcjbde32.exe
125⤵
PID:2804

C:\Windows\SysWOW64\Kjckqpqp.exe
C:\Windows\system32\Kjckqpqp.exe
126⤵
PID:2812

C:\Windows\SysWOW64\Kmbgmkpd.exe
C:\Windows\system32\Kmbgmkpd.exe
127⤵
- Modifies registry class
PID:2820

C:\Windows\SysWOW64\Kclpie32.exe
C:\Windows\system32\Kclpie32.exe
128⤵
PID:2828

C:\Windows\SysWOW64\Kjfhfoom.exe
C:\Windows\system32\Kjfhfoom.exe
129⤵
PID:2836

C:\Windows\SysWOW64\Kiihaleh.exe
C:\Windows\system32\Kiihaleh.exe
130⤵
PID:2844

C:\Windows\SysWOW64\Knhmpbam.exe
C:\Windows\system32\Knhmpbam.exe
131⤵
PID:2852

C:\Windows\SysWOW64\Kfoeqpbo.exe
C:\Windows\system32\Kfoeqpbo.exe
132⤵
- Modifies registry class
PID:2860

C:\Windows\SysWOW64\Kpgiieip.exe
C:\Windows\system32\Kpgiieip.exe
133⤵
- Drops file in System32 directory
PID:2868

C:\Windows\SysWOW64\Kbfffahc.exe
C:\Windows\system32\Kbfffahc.exe
134⤵
PID:2876

C:\Windows\SysWOW64\Ljajjcen.exe
C:\Windows\system32\Ljajjcen.exe
135⤵
PID:2884

C:\Windows\SysWOW64\Lmbcln32.exe
C:\Windows\system32\Lmbcln32.exe
136⤵
- Modifies registry class
PID:2892

C:\Windows\SysWOW64\Mednqpib.exe
C:\Windows\system32\Mednqpib.exe
137⤵
PID:2900

C:\Windows\SysWOW64\Mhgdhj32.exe
C:\Windows\system32\Mhgdhj32.exe
138⤵
PID:2908

C:\Windows\SysWOW64\Mkepdf32.exe
C:\Windows\system32\Mkepdf32.exe
139⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052

C:\Windows\SysWOW64\Nnkbaq32.exe
C:\Windows\system32\Nnkbaq32.exe
140⤵
PID:3060

C:\Windows\SysWOW64\Pqbnbn32.exe
C:\Windows\system32\Pqbnbn32.exe
141⤵
PID:3068

C:\Windows\SysWOW64\Pmnhbnhc.exe
C:\Windows\system32\Pmnhbnhc.exe
142⤵
PID:2052

C:\Windows\SysWOW64\Pnodjf32.exe
C:\Windows\system32\Pnodjf32.exe
143⤵
- Drops file in System32 directory
PID:2064

C:\Windows\SysWOW64\Pbkqkefk.exe
C:\Windows\system32\Pbkqkefk.exe
144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2068

C:\Windows\SysWOW64\Qeimgqeo.exe
C:\Windows\system32\Qeimgqeo.exe
145⤵
PID:1824

C:\Windows\SysWOW64\Qlceck32.exe
C:\Windows\system32\Qlceck32.exe
146⤵
PID:2148

C:\Windows\SysWOW64\Qnaapf32.exe
C:\Windows\system32\Qnaapf32.exe
147⤵
PID:2156

C:\Windows\SysWOW64\Qigemoke.exe
C:\Windows\system32\Qigemoke.exe
148⤵
PID:2172

C:\Windows\SysWOW64\Qjhbdg32.exe
C:\Windows\system32\Qjhbdg32.exe
149⤵
PID:2304

C:\Windows\SysWOW64\Afdldg32.exe
C:\Windows\system32\Afdldg32.exe
150⤵
PID:2312

C:\Windows\SysWOW64\Bpajhl32.exe
C:\Windows\system32\Bpajhl32.exe
151⤵
PID:2320

C:\Windows\SysWOW64\Bebllbpo.exe
C:\Windows\system32\Bebllbpo.exe
152⤵
- Modifies registry class
PID:2328

C:\Windows\SysWOW64\Bhcenn32.exe
C:\Windows\system32\Bhcenn32.exe
153⤵
PID:2336

C:\Windows\SysWOW64\Bkaaji32.exe
C:\Windows\system32\Bkaaji32.exe
154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2352

C:\Windows\SysWOW64\Bmpmfd32.exe
C:\Windows\system32\Bmpmfd32.exe
155⤵
PID:2360

C:\Windows\SysWOW64\Ckfjehho.exe
C:\Windows\system32\Ckfjehho.exe
156⤵
PID:2368

C:\Windows\SysWOW64\Cndgadgb.exe
C:\Windows\system32\Cndgadgb.exe
157⤵
PID:2528

C:\Windows\SysWOW64\Cpccmoff.exe
C:\Windows\system32\Cpccmoff.exe
158⤵
PID:2536

C:\Windows\SysWOW64\Cllpgpjh.exe
C:\Windows\system32\Cllpgpjh.exe
159⤵
PID:2544

C:\Windows\SysWOW64\Ccfidj32.exe
C:\Windows\system32\Ccfidj32.exe
160⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2644

C:\Windows\SysWOW64\Dkfgdljj.exe
C:\Windows\system32\Dkfgdljj.exe
161⤵
PID:2656

C:\Windows\SysWOW64\Eilpacjm.exe
C:\Windows\system32\Eilpacjm.exe
162⤵
- Drops file in System32 directory
- Modifies registry class
PID:2664

C:\Windows\SysWOW64\Eniijjhd.exe
C:\Windows\system32\Eniijjhd.exe
163⤵
PID:2680

C:\Windows\SysWOW64\Fecagd32.exe
C:\Windows\system32\Fecagd32.exe
164⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688

C:\Windows\SysWOW64\Fiomgbhj.exe
C:\Windows\system32\Fiomgbhj.exe
165⤵
PID:2696

C:\Windows\SysWOW64\Fbgaph32.exe
C:\Windows\system32\Fbgaph32.exe
166⤵
- Drops file in System32 directory
PID:2704

C:\Windows\SysWOW64\Fhkpin32.exe
C:\Windows\system32\Fhkpin32.exe
167⤵
PID:2752

C:\Windows\SysWOW64\Fjilei32.exe
C:\Windows\system32\Fjilei32.exe
168⤵
- Modifies registry class
PID:2764

C:\Windows\SysWOW64\Gmghae32.exe
C:\Windows\system32\Gmghae32.exe
169⤵
PID:2780

C:\Windows\SysWOW64\Gpfemp32.exe
C:\Windows\system32\Gpfemp32.exe
170⤵
PID:2796

C:\Windows\SysWOW64\Gfpmjjkb.exe
C:\Windows\system32\Gfpmjjkb.exe
171⤵
- Drops file in System32 directory
PID:2932

C:\Windows\SysWOW64\Gmjegdbo.exe
C:\Windows\system32\Gmjegdbo.exe
172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2940

C:\Windows\SysWOW64\Gphacpab.exe
C:\Windows\system32\Gphacpab.exe
173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2952

C:\Windows\SysWOW64\Gbfnokqf.exe
C:\Windows\system32\Gbfnokqf.exe
174⤵
PID:2960

C:\Windows\SysWOW64\Giqfle32.exe
C:\Windows\system32\Giqfle32.exe
175⤵
PID:3004

C:\Windows\SysWOW64\Gopkjldg.exe
C:\Windows\system32\Gopkjldg.exe
176⤵
PID:3012

C:\Windows\SysWOW64\Gangfgck.exe
C:\Windows\system32\Gangfgck.exe
177⤵
- Drops file in System32 directory
PID:3020

C:\Windows\SysWOW64\Gieogedn.exe
C:\Windows\system32\Gieogedn.exe
178⤵
- Modifies registry class
PID:3028

C:\Windows\SysWOW64\Glclcpca.exe
C:\Windows\system32\Glclcpca.exe
179⤵
PID:3036

C:\Windows\SysWOW64\Gobholbe.exe
C:\Windows\system32\Gobholbe.exe
180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3044

C:\Windows\SysWOW64\Hkihdmhi.exe
C:\Windows\system32\Hkihdmhi.exe
181⤵
PID:2180

C:\Windows\SysWOW64\Hmjafhej.exe
C:\Windows\system32\Hmjafhej.exe
182⤵
PID:2184

C:\Windows\SysWOW64\Hphnbcdn.exe
C:\Windows\system32\Hphnbcdn.exe
183⤵
PID:2188

C:\Windows\SysWOW64\Hknbol32.exe
C:\Windows\system32\Hknbol32.exe
184⤵
PID:2196

C:\Windows\SysWOW64\Iofminak.exe
C:\Windows\system32\Iofminak.exe
185⤵
- Modifies registry class
PID:2204

C:\Windows\SysWOW64\Iaejejpo.exe
C:\Windows\system32\Iaejejpo.exe
186⤵
PID:2212

C:\Windows\SysWOW64\Idcfaeob.exe
C:\Windows\system32\Idcfaeob.exe
187⤵
PID:2288

C:\Windows\SysWOW64\Jdmihdgh.exe
C:\Windows\system32\Jdmihdgh.exe
188⤵
PID:2296

C:\Windows\SysWOW64\Jgkedofk.exe
C:\Windows\system32\Jgkedofk.exe
189⤵
PID:1116

C:\Windows\SysWOW64\Kicglffa.exe
C:\Windows\system32\Kicglffa.exe
190⤵
- Drops file in System32 directory
PID:108

C:\Windows\SysWOW64\Kejhagkf.exe
C:\Windows\system32\Kejhagkf.exe
191⤵
- Modifies registry class
PID:760

C:\Windows\SysWOW64\Kopmnpkl.exe
C:\Windows\system32\Kopmnpkl.exe
192⤵
- Drops file in System32 directory
- Modifies registry class
PID:964

C:\Windows\SysWOW64\Kbnikljp.exe
C:\Windows\system32\Kbnikljp.exe
193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1600

C:\Windows\SysWOW64\Kemeggic.exe
C:\Windows\system32\Kemeggic.exe
194⤵
PID:1908

C:\Windows\SysWOW64\Kgkacbhg.exe
C:\Windows\system32\Kgkacbhg.exe
195⤵
PID:2772

C:\Windows\SysWOW64\Kneipm32.exe
C:\Windows\system32\Kneipm32.exe
196⤵
PID:2788

C:\Windows\SysWOW64\Kjljdn32.exe
C:\Windows\system32\Kjljdn32.exe
197⤵
PID:2920

C:\Windows\SysWOW64\Kmjfqi32.exe
C:\Windows\system32\Kmjfqi32.exe
198⤵
PID:2948

C:\Windows\SysWOW64\Ljpcpmab.exe
C:\Windows\system32\Ljpcpmab.exe
199⤵
PID:2972

C:\Windows\SysWOW64\Lhmjge32.exe
C:\Windows\system32\Lhmjge32.exe
200⤵
PID:2980

C:\Windows\SysWOW64\Molloo32.exe
C:\Windows\system32\Molloo32.exe
201⤵
- Drops file in System32 directory
PID:2988

C:\Windows\SysWOW64\Mefdlidd.exe
C:\Windows\system32\Mefdlidd.exe
202⤵
PID:2996

C:\Windows\SysWOW64\Mhdphd32.exe
C:\Windows\system32\Mhdphd32.exe
203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:976

C:\Windows\SysWOW64\Mpoelg32.exe
C:\Windows\system32\Mpoelg32.exe
204⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1384

C:\Windows\SysWOW64\Mhfmnd32.exe
C:\Windows\system32\Mhfmnd32.exe
205⤵
PID:1064

C:\Windows\SysWOW64\Mkeijp32.exe
C:\Windows\system32\Mkeijp32.exe
206⤵
PID:1668

C:\Windows\SysWOW64\Mdmnbefi.exe
C:\Windows\system32\Mdmnbefi.exe
207⤵
- Drops file in System32 directory
PID:1636

C:\Windows\SysWOW64\Mkgfoonf.exe
C:\Windows\system32\Mkgfoonf.exe
208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2560

C:\Windows\SysWOW64\Mmebkkmj.exe
C:\Windows\system32\Mmebkkmj.exe
209⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2572

C:\Windows\SysWOW64\Ndpjhe32.exe
C:\Windows\system32\Ndpjhe32.exe
210⤵
PID:2584

C:\Windows\SysWOW64\Ngngdp32.exe
C:\Windows\system32\Ngngdp32.exe
211⤵
PID:2592

C:\Windows\SysWOW64\Neeqkl32.exe
C:\Windows\system32\Neeqkl32.exe
212⤵
PID:2600

C:\Windows\SysWOW64\Nialkkoi.exe
C:\Windows\system32\Nialkkoi.exe
213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2608

C:\Windows\SysWOW64\Nalapmlc.exe
C:\Windows\system32\Nalapmlc.exe
214⤵
PID:2616

C:\Windows\SysWOW64\Nkeeicbd.exe
C:\Windows\system32\Nkeeicbd.exe
215⤵
PID:2624

C:\Windows\SysWOW64\Nncbenbh.exe
C:\Windows\system32\Nncbenbh.exe
216⤵
- Drops file in System32 directory
PID:2632

C:\Windows\SysWOW64\Naonem32.exe
C:\Windows\system32\Naonem32.exe
217⤵
PID:2640

C:\Windows\SysWOW64\Ndmjah32.exe
C:\Windows\system32\Ndmjah32.exe
218⤵
PID:1544

C:\Windows\SysWOW64\Okgbnbqa.exe
C:\Windows\system32\Okgbnbqa.exe
219⤵
- Modifies registry class
PID:1832

C:\Windows\SysWOW64\Opfgli32.exe
C:\Windows\system32\Opfgli32.exe
220⤵
PID:1488

C:\Windows\SysWOW64\Ocddhd32.exe
C:\Windows\system32\Ocddhd32.exe
221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:280

C:\Windows\SysWOW64\Ocgqnd32.exe
C:\Windows\system32\Ocgqnd32.exe
222⤵
PID:308

C:\Windows\SysWOW64\Phkofj32.exe
C:\Windows\system32\Phkofj32.exe
223⤵
PID:1892

C:\Windows\SysWOW64\Pogdid32.exe
C:\Windows\system32\Pogdid32.exe
224⤵
PID:1088

C:\Windows\SysWOW64\Pbepeo32.exe
C:\Windows\system32\Pbepeo32.exe
225⤵
PID:1504

C:\Windows\SysWOW64\Pddlak32.exe
C:\Windows\system32\Pddlak32.exe
226⤵
PID:1988

C:\Windows\SysWOW64\Pgdecf32.exe
C:\Windows\system32\Pgdecf32.exe
227⤵
- Drops file in System32 directory
PID:1628

C:\Windows\SysWOW64\Bldgngih.exe
C:\Windows\system32\Bldgngih.exe
228⤵
PID:1596

C:\Windows\SysWOW64\Bnccjbil.exe
C:\Windows\system32\Bnccjbil.exe
229⤵
PID:532

C:\Windows\SysWOW64\Bmfcep32.exe
C:\Windows\system32\Bmfcep32.exe
230⤵
PID:588

C:\Windows\SysWOW64\Bemlfm32.exe
C:\Windows\system32\Bemlfm32.exe
231⤵
PID:776

C:\Windows\SysWOW64\Bhkhbh32.exe
C:\Windows\system32\Bhkhbh32.exe
232⤵
PID:840

C:\Windows\SysWOW64\Bjjdoc32.exe
C:\Windows\system32\Bjjdoc32.exe
233⤵
- Drops file in System32 directory
PID:1508

C:\Windows\SysWOW64\Bmhpko32.exe
C:\Windows\system32\Bmhpko32.exe
234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1320

C:\Windows\SysWOW64\Bpgmgk32.exe
C:\Windows\system32\Bpgmgk32.exe
235⤵
PID:304

C:\Windows\SysWOW64\Bhndhhmj.exe
C:\Windows\system32\Bhndhhmj.exe
236⤵
- Drops file in System32 directory
PID:704

C:\Windows\SysWOW64\Bpkfbjhb.exe
C:\Windows\system32\Bpkfbjhb.exe
237⤵
- Modifies registry class
PID:956

C:\Windows\SysWOW64\Bdgbbh32.exe
C:\Windows\system32\Bdgbbh32.exe
238⤵
PID:1124

C:\Windows\SysWOW64\Bfenodpo.exe
C:\Windows\system32\Bfenodpo.exe
239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1136

C:\Windows\SysWOW64\Bidjkpoc.exe
C:\Windows\system32\Bidjkpoc.exe
240⤵
PID:1624

C:\Windows\SysWOW64\Clbggkng.exe
C:\Windows\system32\Clbggkng.exe
241⤵
- Drops file in System32 directory
PID:2556

C:\Windows\SysWOW64\Coqccfmj.exe
C:\Windows\system32\Coqccfmj.exe
242⤵
PID:2580

C:\Windows\SysWOW64\Cfhkdcnm.exe
C:\Windows\system32\Cfhkdcnm.exe
243⤵
PID:952

C:\Windows\SysWOW64\Clgpbj32.exe
C:\Windows\system32\Clgpbj32.exe
244⤵
- Drops file in System32 directory
- Modifies registry class
PID:1520

C:\Windows\SysWOW64\Coelnf32.exe
C:\Windows\system32\Coelnf32.exe
245⤵
- Drops file in System32 directory
- Modifies registry class
PID:636

C:\Windows\SysWOW64\Cachja32.exe
C:\Windows\system32\Cachja32.exe
246⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1012

C:\Windows\SysWOW64\Cdbefm32.exe
C:\Windows\system32\Cdbefm32.exe
247⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:984

C:\Windows\SysWOW64\Chnagkpe.exe
C:\Windows\system32\Chnagkpe.exe
248⤵
- Modifies registry class
PID:1452

C:\Windows\SysWOW64\Cklmcgoi.exe
C:\Windows\system32\Cklmcgoi.exe
249⤵
PID:1980

C:\Windows\SysWOW64\Cmjiobnm.exe
C:\Windows\system32\Cmjiobnm.exe
250⤵
PID:796

C:\Windows\SysWOW64\Cddall32.exe
C:\Windows\system32\Cddall32.exe
251⤵
PID:432

C:\Windows\SysWOW64\Cmmfeb32.exe
C:\Windows\system32\Cmmfeb32.exe
252⤵
PID:3084

C:\Windows\SysWOW64\Cpkbam32.exe
C:\Windows\system32\Cpkbam32.exe
253⤵
PID:3104

C:\Windows\SysWOW64\Dhbjbk32.exe
C:\Windows\system32\Dhbjbk32.exe
254⤵
PID:3120

C:\Windows\SysWOW64\Dkqfnf32.exe
C:\Windows\system32\Dkqfnf32.exe
255⤵
PID:3156

C:\Windows\SysWOW64\Fglilmaj.exe
C:\Windows\system32\Fglilmaj.exe
256⤵
PID:3200

C:\Windows\SysWOW64\Gmphecji.exe
C:\Windows\system32\Gmphecji.exe
257⤵
- Modifies registry class
PID:3208

C:\Windows\SysWOW64\Gpndanim.exe
C:\Windows\system32\Gpndanim.exe
258⤵
PID:3216

C:\Windows\SysWOW64\Ghelblio.exe
C:\Windows\system32\Ghelblio.exe
259⤵
- Modifies registry class
PID:3224

C:\Windows\SysWOW64\Gppqgn32.exe
C:\Windows\system32\Gppqgn32.exe
260⤵
PID:3232

C:\Windows\SysWOW64\Hohjnj32.exe
C:\Windows\system32\Hohjnj32.exe
261⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3240

C:\Windows\SysWOW64\Haicoe32.exe
C:\Windows\system32\Haicoe32.exe
262⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3248

C:\Windows\SysWOW64\Hipkpb32.exe
C:\Windows\system32\Hipkpb32.exe
263⤵
PID:3256

C:\Windows\SysWOW64\Hkcdnj32.exe
C:\Windows\system32\Hkcdnj32.exe
264⤵
PID:3264

C:\Windows\SysWOW64\Igjebkqb.exe
C:\Windows\system32\Igjebkqb.exe
265⤵
PID:3272

C:\Windows\SysWOW64\Iapipdph.exe
C:\Windows\system32\Iapipdph.exe
266⤵
PID:3280

C:\Windows\SysWOW64\Idnelp32.exe
C:\Windows\system32\Idnelp32.exe
267⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3292

C:\Windows\SysWOW64\Iceobl32.exe
C:\Windows\system32\Iceobl32.exe
268⤵
- Drops file in System32 directory
- Modifies registry class
PID:3300

C:\Windows\SysWOW64\Iedlog32.exe
C:\Windows\system32\Iedlog32.exe
269⤵
PID:3424

C:\Windows\SysWOW64\Jabbdg32.exe
C:\Windows\system32\Jabbdg32.exe
270⤵
- Drops file in System32 directory
PID:3432

C:\Windows\SysWOW64\Jdpoqb32.exe
C:\Windows\system32\Jdpoqb32.exe
271⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3440

C:\Windows\SysWOW64\Jgokmnoh.exe
C:\Windows\system32\Jgokmnoh.exe
272⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3448

C:\Windows\SysWOW64\Jofcnkpk.exe
C:\Windows\system32\Jofcnkpk.exe
273⤵
- Modifies registry class
PID:3456

C:\Windows\SysWOW64\Jqgoec32.exe
C:\Windows\system32\Jqgoec32.exe
274⤵
- Drops file in System32 directory
PID:3464

C:\Windows\SysWOW64\Jhngfa32.exe
C:\Windows\system32\Jhngfa32.exe
275⤵
- Modifies registry class
PID:3472

C:\Windows\SysWOW64\Jkmccl32.exe
C:\Windows\system32\Jkmccl32.exe
276⤵
- Modifies registry class
PID:3480

C:\Windows\SysWOW64\Jnkpoh32.exe
C:\Windows\system32\Jnkpoh32.exe
277⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3488

C:\Windows\SysWOW64\Jdehlblp.exe
C:\Windows\system32\Jdehlblp.exe
278⤵
PID:3496

C:\Windows\SysWOW64\Kgcdhm32.exe
C:\Windows\system32\Kgcdhm32.exe
279⤵
PID:3504

C:\Windows\SysWOW64\Lgcqgq32.exe
C:\Windows\system32\Lgcqgq32.exe
280⤵
PID:3512

C:\Windows\SysWOW64\Lkaimo32.exe
C:\Windows\system32\Lkaimo32.exe
281⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3520

C:\Windows\SysWOW64\Lnoeij32.exe
C:\Windows\system32\Lnoeij32.exe
282⤵
- Modifies registry class
PID:3528

C:\Windows\SysWOW64\Lanaef32.exe
C:\Windows\system32\Lanaef32.exe
283⤵
PID:3536

C:\Windows\SysWOW64\Lfochllo.exe
C:\Windows\system32\Lfochllo.exe
284⤵
PID:3544

C:\Windows\SysWOW64\Minpdgkb.exe
C:\Windows\system32\Minpdgkb.exe
285⤵
PID:3552

C:\Windows\SysWOW64\Maehfeld.exe
C:\Windows\system32\Maehfeld.exe
286⤵
PID:3560

C:\Windows\SysWOW64\Mccdbpkh.exe
C:\Windows\system32\Mccdbpkh.exe
287⤵
PID:3568

C:\Windows\SysWOW64\Mfapnljl.exe
C:\Windows\system32\Mfapnljl.exe
288⤵
PID:3576

C:\Windows\SysWOW64\Mipmjgip.exe
C:\Windows\system32\Mipmjgip.exe
289⤵
PID:3584

C:\Windows\SysWOW64\Mlnifb32.exe
C:\Windows\system32\Mlnifb32.exe
290⤵
PID:3592

C:\Windows\SysWOW64\Mceagp32.exe
C:\Windows\system32\Mceagp32.exe
291⤵
PID:3600

C:\Windows\SysWOW64\Mfdmck32.exe
C:\Windows\system32\Mfdmck32.exe
292⤵
PID:3616

C:\Windows\SysWOW64\Mibipg32.exe
C:\Windows\system32\Mibipg32.exe
293⤵
- Modifies registry class
PID:3696

C:\Windows\SysWOW64\Nlhllapi.exe
C:\Windows\system32\Nlhllapi.exe
294⤵
PID:3704

C:\Windows\SysWOW64\Nofhim32.exe
C:\Windows\system32\Nofhim32.exe
295⤵
PID:3712

C:\Windows\SysWOW64\Naddeh32.exe
C:\Windows\system32\Naddeh32.exe
296⤵
PID:3720

C:\Windows\SysWOW64\Ndcpac32.exe
C:\Windows\system32\Ndcpac32.exe
297⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3728

C:\Windows\SysWOW64\Nholabfm.exe
C:\Windows\system32\Nholabfm.exe
298⤵
PID:3736

C:\Windows\SysWOW64\Nkmhnneq.exe
C:\Windows\system32\Nkmhnneq.exe
299⤵
PID:3744

C:\Windows\SysWOW64\Nmkejidd.exe
C:\Windows\system32\Nmkejidd.exe
300⤵
PID:3752

C:\Windows\SysWOW64\Npjafdch.exe
C:\Windows\system32\Npjafdch.exe
301⤵
- Drops file in System32 directory
PID:3760

C:\Windows\SysWOW64\Nhaigbdj.exe
C:\Windows\system32\Nhaigbdj.exe
302⤵
- Modifies registry class
PID:3768

C:\Windows\SysWOW64\Nkoecmcn.exe
C:\Windows\system32\Nkoecmcn.exe
303⤵
PID:3776

C:\Windows\SysWOW64\Nmnaoiba.exe
C:\Windows\system32\Nmnaoiba.exe
304⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3784

C:\Windows\SysWOW64\Nplnkd32.exe
C:\Windows\system32\Nplnkd32.exe
305⤵
- Drops file in System32 directory
PID:3792

C:\Windows\SysWOW64\Nbkjgp32.exe
C:\Windows\system32\Nbkjgp32.exe
306⤵
PID:3800

C:\Windows\SysWOW64\Nkabim32.exe
C:\Windows\system32\Nkabim32.exe
307⤵
PID:3808

C:\Windows\SysWOW64\Nmpneh32.exe
C:\Windows\system32\Nmpneh32.exe
308⤵
PID:3816

C:\Windows\SysWOW64\Npojad32.exe
C:\Windows\system32\Npojad32.exe
309⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3824

C:\Windows\SysWOW64\Obocbolc.exe
C:\Windows\system32\Obocbolc.exe
310⤵
PID:3832

C:\Windows\SysWOW64\Oenpojkg.exe
C:\Windows\system32\Oenpojkg.exe
311⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3840

C:\Windows\SysWOW64\Oiiloi32.exe
C:\Windows\system32\Oiiloi32.exe
312⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3848

C:\Windows\SysWOW64\Opcdlckm.exe
C:\Windows\system32\Opcdlckm.exe
313⤵
PID:3856

C:\Windows\SysWOW64\Ocaphoja.exe
C:\Windows\system32\Ocaphoja.exe
314⤵
PID:3864

C:\Windows\SysWOW64\Oepldjid.exe
C:\Windows\system32\Oepldjid.exe
315⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3872

C:\Windows\SysWOW64\Ohniqehh.exe
C:\Windows\system32\Ohniqehh.exe
316⤵
- Modifies registry class
PID:3880

C:\Windows\SysWOW64\Okmemahl.exe
C:\Windows\system32\Okmemahl.exe
317⤵
- Modifies registry class
PID:3888

C:\Windows\SysWOW64\Oagmikoi.exe
C:\Windows\system32\Oagmikoi.exe
318⤵
PID:3896

C:\Windows\SysWOW64\Oebijj32.exe
C:\Windows\system32\Oebijj32.exe
319⤵
- Drops file in System32 directory
PID:3904

C:\Windows\SysWOW64\Ohqefe32.exe
C:\Windows\system32\Ohqefe32.exe
320⤵
- Modifies registry class
PID:3912

C:\Windows\SysWOW64\Pancjj32.exe
C:\Windows\system32\Pancjj32.exe
321⤵
PID:3920

C:\Windows\SysWOW64\Pdlpfe32.exe
C:\Windows\system32\Pdlpfe32.exe
322⤵
PID:3928

C:\Windows\SysWOW64\Pgklba32.exe
C:\Windows\system32\Pgklba32.exe
323⤵
PID:3936

C:\Windows\SysWOW64\Pjihnl32.exe
C:\Windows\system32\Pjihnl32.exe
324⤵
PID:4036

C:\Windows\SysWOW64\Qfgodlfh.exe
C:\Windows\system32\Qfgodlfh.exe
325⤵
- Drops file in System32 directory
PID:4044

C:\Windows\SysWOW64\Accele32.exe
C:\Windows\system32\Accele32.exe
326⤵
PID:4052

C:\Windows\SysWOW64\Akkmmbng.exe
C:\Windows\system32\Akkmmbng.exe
327⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4060

C:\Windows\SysWOW64\Anijinmk.exe
C:\Windows\system32\Anijinmk.exe
328⤵
PID:4068

C:\Windows\SysWOW64\Aqgfeilo.exe
C:\Windows\system32\Aqgfeilo.exe
329⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4076

C:\Windows\SysWOW64\Acfbadkb.exe
C:\Windows\system32\Acfbadkb.exe
330⤵
PID:4084

C:\Windows\SysWOW64\Callol32.exe
C:\Windows\system32\Callol32.exe
331⤵
PID:4092

C:\Windows\SysWOW64\Cdjhkg32.exe
C:\Windows\system32\Cdjhkg32.exe
332⤵
PID:3076

C:\Windows\SysWOW64\Cfidgb32.exe
C:\Windows\system32\Cfidgb32.exe
333⤵
- Drops file in System32 directory
PID:3092

C:\Windows\SysWOW64\Cnplipjo.exe
C:\Windows\system32\Cnplipjo.exe
334⤵
PID:972

C:\Windows\SysWOW64\Dloofh32.exe
C:\Windows\system32\Dloofh32.exe
335⤵
PID:1812

C:\Windows\SysWOW64\Domlbcnm.exe
C:\Windows\system32\Domlbcnm.exe
336⤵
PID:572

C:\Windows\SysWOW64\Dbigbb32.exe
C:\Windows\system32\Dbigbb32.exe
337⤵
PID:1640

C:\Windows\SysWOW64\Degdon32.exe
C:\Windows\system32\Degdon32.exe
338⤵
PID:1572

C:\Windows\SysWOW64\Dhfpki32.exe
C:\Windows\system32\Dhfpki32.exe
339⤵
PID:3168

C:\Windows\SysWOW64\Edcgqidi.exe
C:\Windows\system32\Edcgqidi.exe
340⤵
PID:3176

C:\Windows\SysWOW64\Egbcmdcm.exe
C:\Windows\system32\Egbcmdcm.exe
341⤵
- Drops file in System32 directory
PID:1816

C:\Windows\SysWOW64\Ejpoipba.exe
C:\Windows\system32\Ejpoipba.exe
342⤵
- Drops file in System32 directory
PID:3184

C:\Windows\SysWOW64\Enlkio32.exe
C:\Windows\system32\Enlkio32.exe
343⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3192

C:\Windows\SysWOW64\Edfcfibg.exe
C:\Windows\system32\Edfcfibg.exe
344⤵
PID:564

C:\Windows\SysWOW64\Ecidaf32.exe
C:\Windows\system32\Ecidaf32.exe
345⤵
- Drops file in System32 directory
PID:868

C:\Windows\SysWOW64\Ejblnpqn.exe
C:\Windows\system32\Ejblnpqn.exe
346⤵
- Drops file in System32 directory
PID:1244

C:\Windows\SysWOW64\Elahjkpb.exe
C:\Windows\system32\Elahjkpb.exe
347⤵
PID:560

C:\Windows\SysWOW64\Eopdfg32.exe
C:\Windows\system32\Eopdfg32.exe
348⤵
PID:3152

C:\Windows\SysWOW64\Egfmhd32.exe
C:\Windows\system32\Egfmhd32.exe
349⤵
PID:1372

C:\Windows\SysWOW64\Ejeidp32.exe
C:\Windows\system32\Ejeidp32.exe
350⤵
- Drops file in System32 directory
PID:2000

C:\Windows\SysWOW64\Elcepk32.exe
C:\Windows\system32\Elcepk32.exe
351⤵
PID:1500

C:\Windows\SysWOW64\Eobalf32.exe
C:\Windows\system32\Eobalf32.exe
352⤵
PID:1672

C:\Windows\SysWOW64\Efliiqdp.exe
C:\Windows\system32\Efliiqdp.exe
353⤵
PID:3312

C:\Windows\SysWOW64\Ejgeio32.exe
C:\Windows\system32\Ejgeio32.exe
354⤵
- Modifies registry class
PID:3320

C:\Windows\SysWOW64\Elfaek32.exe
C:\Windows\system32\Elfaek32.exe
355⤵
- Drops file in System32 directory
PID:3328

C:\Windows\SysWOW64\Ecpjbd32.exe
C:\Windows\system32\Ecpjbd32.exe
356⤵
PID:3336

C:\Windows\SysWOW64\Ebbjnajd.exe
C:\Windows\system32\Ebbjnajd.exe
357⤵
PID:3344

C:\Windows\SysWOW64\Ehmbjl32.exe
C:\Windows\system32\Ehmbjl32.exe
358⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3352

C:\Windows\SysWOW64\Fkkofg32.exe
C:\Windows\system32\Fkkofg32.exe
359⤵
PID:3360

C:\Windows\SysWOW64\Fnikcb32.exe
C:\Windows\system32\Fnikcb32.exe
360⤵
PID:3368

C:\Windows\SysWOW64\Ffqcdp32.exe
C:\Windows\system32\Ffqcdp32.exe
361⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3376

C:\Windows\SysWOW64\Fhoopk32.exe
C:\Windows\system32\Fhoopk32.exe
362⤵
- Modifies registry class
PID:3384

C:\Windows\SysWOW64\Fkmklg32.exe
C:\Windows\system32\Fkmklg32.exe
363⤵
PID:3392

C:\Windows\SysWOW64\Fnlhhb32.exe
C:\Windows\system32\Fnlhhb32.exe
364⤵
PID:3400

C:\Windows\SysWOW64\Fqjddnli.exe
C:\Windows\system32\Fqjddnli.exe
365⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3408

C:\Windows\SysWOW64\Fhalekmk.exe
C:\Windows\system32\Fhalekmk.exe
366⤵
PID:3416

C:\Windows\SysWOW64\Fkphaflo.exe
C:\Windows\system32\Fkphaflo.exe
367⤵
PID:1728

C:\Windows\SysWOW64\Fqlqjmjf.exe
C:\Windows\system32\Fqlqjmjf.exe
368⤵
PID:1388

C:\Windows\SysWOW64\Fkbegfjl.exe
C:\Windows\system32\Fkbegfjl.exe
369⤵
- Modifies registry class
PID:1900

C:\Windows\SysWOW64\Fqompmhd.exe
C:\Windows\system32\Fqompmhd.exe
370⤵
PID:1332

C:\Windows\SysWOW64\Fcmilh32.exe
C:\Windows\system32\Fcmilh32.exe
371⤵
PID:3612

C:\Windows\SysWOW64\Fjgbhbod.exe
C:\Windows\system32\Fjgbhbod.exe
372⤵
PID:592

C:\Windows\SysWOW64\Fmendnnh.exe
C:\Windows\system32\Fmendnnh.exe
373⤵
PID:3628

C:\Windows\SysWOW64\Fcpfah32.exe
C:\Windows\system32\Fcpfah32.exe
374⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3636

C:\Windows\SysWOW64\Gfnbmc32.exe
C:\Windows\system32\Gfnbmc32.exe
375⤵
PID:3644

C:\Windows\SysWOW64\Giloio32.exe
C:\Windows\system32\Giloio32.exe
376⤵
- Drops file in System32 directory
PID:3652

C:\Windows\SysWOW64\Gofgfiki.exe
C:\Windows\system32\Gofgfiki.exe
377⤵
PID:3660

C:\Windows\SysWOW64\Gbecbdjm.exe
C:\Windows\system32\Gbecbdjm.exe
378⤵
PID:3668

C:\Windows\SysWOW64\Giokooaj.exe
C:\Windows\system32\Giokooaj.exe
379⤵
- Drops file in System32 directory
PID:3676

C:\Windows\SysWOW64\Gkmhkjam.exe
C:\Windows\system32\Gkmhkjam.exe
380⤵
- Drops file in System32 directory
PID:3684

C:\Windows\SysWOW64\Gnnqmenn.exe
C:\Windows\system32\Gnnqmenn.exe
381⤵
PID:3692

C:\Windows\SysWOW64\Gehiioek.exe
C:\Windows\system32\Gehiioek.exe
382⤵
PID:1972

C:\Windows\SysWOW64\Gjgngfap.exe
C:\Windows\system32\Gjgngfap.exe
383⤵
- Modifies registry class
PID:1768

C:\Windows\SysWOW64\Haafdp32.exe
C:\Windows\system32\Haafdp32.exe
384⤵
PID:1664

C:\Windows\SysWOW64\Hgkoaj32.exe
C:\Windows\system32\Hgkoaj32.exe
385⤵
PID:1724

C:\Windows\SysWOW64\Ildjklmq.exe
C:\Windows\system32\Ildjklmq.exe
386⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1580

C:\Windows\SysWOW64\Ibnbgf32.exe
C:\Windows\system32\Ibnbgf32.exe
387⤵
- Modifies registry class
PID:452

C:\Windows\SysWOW64\Iihjdqlj.exe
C:\Windows\system32\Iihjdqlj.exe
388⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748

C:\Windows\SysWOW64\Ilfgplkn.exe
C:\Windows\system32\Ilfgplkn.exe
389⤵
- Modifies registry class
PID:552

C:\Windows\SysWOW64\Ibpomf32.exe
C:\Windows\system32\Ibpomf32.exe
390⤵
PID:1336

C:\Windows\SysWOW64\Kokeljge.exe
C:\Windows\system32\Kokeljge.exe
391⤵
PID:1096

C:\Windows\SysWOW64\Kjllmfml.exe
C:\Windows\system32\Kjllmfml.exe
392⤵
PID:3944

C:\Windows\SysWOW64\Lnjece32.exe
C:\Windows\system32\Lnjece32.exe
393⤵
PID:3952

C:\Windows\SysWOW64\Mgpifn32.exe
C:\Windows\system32\Mgpifn32.exe
394⤵
PID:3960

C:\Windows\SysWOW64\Mjnebi32.exe
C:\Windows\system32\Mjnebi32.exe
395⤵
- Modifies registry class
PID:3968

C:\Windows\SysWOW64\Mahnocea.exe
C:\Windows\system32\Mahnocea.exe
396⤵
- Modifies registry class
PID:3976

C:\Windows\SysWOW64\Mmdhodgq.exe
C:\Windows\system32\Mmdhodgq.exe
397⤵
- Drops file in System32 directory
PID:3984

C:\Windows\SysWOW64\Mcnpkn32.exe
C:\Windows\system32\Mcnpkn32.exe
398⤵
- Modifies registry class
PID:3992

C:\Windows\SysWOW64\Njhhhh32.exe
C:\Windows\system32\Njhhhh32.exe
399⤵
PID:4000

C:\Windows\SysWOW64\Nmcdng32.exe
C:\Windows\system32\Nmcdng32.exe
1⤵
PID:4008

C:\Windows\SysWOW64\Oeklod32.exe
C:\Windows\system32\Oeklod32.exe
2⤵
- Drops file in System32 directory
PID:4016

C:\Windows\SysWOW64\Okgdgk32.exe
C:\Windows\system32\Okgdgk32.exe
3⤵
PID:4024

C:\Windows\SysWOW64\Omfacg32.exe
C:\Windows\system32\Omfacg32.exe
4⤵
PID:696

C:\Windows\SysWOW64\Oehlhh32.exe
C:\Windows\system32\Oehlhh32.exe
5⤵
PID:4032

C:\Windows\SysWOW64\Paolmidq.exe
C:\Windows\system32\Paolmidq.exe
6⤵
PID:1292

C:\Windows\SysWOW64\Pifdnfec.exe
C:\Windows\system32\Pifdnfec.exe
7⤵
PID:1772

C:\Windows\SysWOW64\Pkgafoka.exe
C:\Windows\system32\Pkgafoka.exe
8⤵
PID:2076

C:\Windows\SysWOW64\Phkaocik.exe
C:\Windows\system32\Phkaocik.exe
9⤵
PID:2084

C:\Windows\SysWOW64\Pacfhh32.exe
C:\Windows\system32\Pacfhh32.exe
10⤵
PID:2092

C:\Windows\SysWOW64\Pgpnqo32.exe
C:\Windows\system32\Pgpnqo32.exe
11⤵
PID:2104

C:\Windows\SysWOW64\Pafbnhni.exe
C:\Windows\system32\Pafbnhni.exe
12⤵
PID:2112

C:\Windows\SysWOW64\Phpkjb32.exe
C:\Windows\system32\Phpkjb32.exe
13⤵
PID:1164

C:\Windows\SysWOW64\Pnmcci32.exe
C:\Windows\system32\Pnmcci32.exe
14⤵
PID:3112

C:\Windows\SysWOW64\Abhkbk32.exe
C:\Windows\system32\Abhkbk32.exe
15⤵
PID:3128

C:\Windows\SysWOW64\Bqpeig32.exe
C:\Windows\system32\Bqpeig32.exe
16⤵
PID:3136

C:\Windows\SysWOW64\Bjmcml32.exe
C:\Windows\system32\Bjmcml32.exe
17⤵
PID:3144

C:\Windows\SysWOW64\Cidmch32.exe
C:\Windows\system32\Cidmch32.exe
18⤵
PID:540

C:\Windows\SysWOW64\Cbonbm32.exe
C:\Windows\system32\Cbonbm32.exe
19⤵
PID:1756

C:\Windows\SysWOW64\Cdbgoeoq.exe
C:\Windows\system32\Cdbgoeoq.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:932

C:\Windows\SysWOW64\Chppeceg.exe
C:\Windows\system32\Chppeceg.exe
21⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 140
22⤵
- Program crash
PID:1684

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acgeha32.exe
Filesize
50KB

MD5
f374a5b52dc77cd4bf979855598e93b9

SHA1
77246ad451dcb7532d7cbfa8985e0b73e0f7a31f

SHA256
405b1b95b5282bee4e1b5fa994d5b376ff132f6cdb584bd33eb51a81e7979906

SHA512
f84a6beb00ed477e7b7f8a2672bc4526c40beec9a4f33cee709cd9fc2ab33a168750dac289bb2ca505f36cce47568b29ef2f3392abae66e0dd7e6f57e0d32d03

Download Submit
C:\Windows\SysWOW64\Acgeha32.exe
Filesize
50KB

MD5
f374a5b52dc77cd4bf979855598e93b9

SHA1
77246ad451dcb7532d7cbfa8985e0b73e0f7a31f

SHA256
405b1b95b5282bee4e1b5fa994d5b376ff132f6cdb584bd33eb51a81e7979906

SHA512
f84a6beb00ed477e7b7f8a2672bc4526c40beec9a4f33cee709cd9fc2ab33a168750dac289bb2ca505f36cce47568b29ef2f3392abae66e0dd7e6f57e0d32d03

Download Submit
C:\Windows\SysWOW64\Bfjfno32.exe
Filesize
50KB

MD5
936a51fae11d5467fd0ad020eb96221b

SHA1
8f149b184f6efaa47a64e34ab956dc93563eedff

SHA256
5b1f5ee6cf6430e39ccee8b917a4bd293adf511d8c631e467fc96af2af4412b7

SHA512
577b239d9fa83e5cc3490227be4a4a37a211c42a8e7bb37be681045442e08ea46b6320e83f5ab32991d7cb15adeae9b4b9d2ddbc50ab1c0b5b8e848800a3c25e

Download Submit
C:\Windows\SysWOW64\Bfjfno32.exe
Filesize
50KB

MD5
936a51fae11d5467fd0ad020eb96221b

SHA1
8f149b184f6efaa47a64e34ab956dc93563eedff

SHA256
5b1f5ee6cf6430e39ccee8b917a4bd293adf511d8c631e467fc96af2af4412b7

SHA512
577b239d9fa83e5cc3490227be4a4a37a211c42a8e7bb37be681045442e08ea46b6320e83f5ab32991d7cb15adeae9b4b9d2ddbc50ab1c0b5b8e848800a3c25e

Download Submit
C:\Windows\SysWOW64\Bgmclcgo.exe
Filesize
50KB

MD5
8edf7bb2b438f0f17f8a0bba2e8dfa0d

SHA1
d62e6eb1611aae00093f016b0a93ae176963f645

SHA256
b3c11eb94b895dcbe9f2b21b65dc020171dd86b17f6150a0bbd18868fed5e700

SHA512
16350a2a6c942790ad38621c21a9cb0151211aa23bfa018897d5b0f862b51efd70710de2133b262d21c0e166c1b4a49c7e17640600e69c4abef8de7cf38f5907

Download Submit
C:\Windows\SysWOW64\Bgmclcgo.exe
Filesize
50KB

MD5
8edf7bb2b438f0f17f8a0bba2e8dfa0d

SHA1
d62e6eb1611aae00093f016b0a93ae176963f645

SHA256
b3c11eb94b895dcbe9f2b21b65dc020171dd86b17f6150a0bbd18868fed5e700

SHA512
16350a2a6c942790ad38621c21a9cb0151211aa23bfa018897d5b0f862b51efd70710de2133b262d21c0e166c1b4a49c7e17640600e69c4abef8de7cf38f5907

Download Submit
C:\Windows\SysWOW64\Blmijj32.exe
Filesize
50KB

MD5
d10e0a562138229ecb123ec7df340756

SHA1
936cb44feecc8afef51ac1a544efc9f6481bd599

SHA256
5abc7636f9dac3a84871b2011453fdc207353815eaf4de9f3c642e8dba0bf640

SHA512
3f162cc68d0d3c1e5479d8e58625b058855a500424f7dbc7bc1995e08a802d62197e29d65a4a87211b8c35b49fecbc2cb07ecf84c62a261c5d1d6e11841bb888

Download Submit
C:\Windows\SysWOW64\Blmijj32.exe
Filesize
50KB

MD5
d10e0a562138229ecb123ec7df340756

SHA1
936cb44feecc8afef51ac1a544efc9f6481bd599

SHA256
5abc7636f9dac3a84871b2011453fdc207353815eaf4de9f3c642e8dba0bf640

SHA512
3f162cc68d0d3c1e5479d8e58625b058855a500424f7dbc7bc1995e08a802d62197e29d65a4a87211b8c35b49fecbc2cb07ecf84c62a261c5d1d6e11841bb888

Download Submit
C:\Windows\SysWOW64\Cgbiff32.exe
Filesize
50KB

MD5
3a7abd1bb8d6d3e1226e32ce41ded4e7

SHA1
28953f2a54a12e79db0815cd249269b94a7e9bc6

SHA256
172a373496993a85c57101a3e1475f0d21ab0249c8c37f518c3269fc0744590f

SHA512
4b1160708b62431b672bcf485b88c34167b05552deb0bd55c4d7a304c44f0b8af0e69ec576bf930abaa537c54ed88dd7642730e5732b7c9007fc9e181eb10150

Download Submit
C:\Windows\SysWOW64\Cgbiff32.exe
Filesize
50KB

MD5
3a7abd1bb8d6d3e1226e32ce41ded4e7

SHA1
28953f2a54a12e79db0815cd249269b94a7e9bc6

SHA256
172a373496993a85c57101a3e1475f0d21ab0249c8c37f518c3269fc0744590f

SHA512
4b1160708b62431b672bcf485b88c34167b05552deb0bd55c4d7a304c44f0b8af0e69ec576bf930abaa537c54ed88dd7642730e5732b7c9007fc9e181eb10150

Download Submit
C:\Windows\SysWOW64\Cijppj32.exe
Filesize
50KB

MD5
d9ca0d88059514f62674c71337319868

SHA1
8b3f36743b1e7c2ff956254b7f40d4342a344d3f

SHA256
e37752184c749950be61541c7ce500fc3775a256d8e5146cbabad0c9f64503f5

SHA512
4318b4533f7d5bd4cf2168aece77ed173512c959ee7b7709e542c5070bd4e4c0c13ecae727bfb74c45405df9e63519de24b72a793636a7fb2abddb19d5884e9f

Download Submit
C:\Windows\SysWOW64\Cijppj32.exe
Filesize
50KB

MD5
d9ca0d88059514f62674c71337319868

SHA1
8b3f36743b1e7c2ff956254b7f40d4342a344d3f

SHA256
e37752184c749950be61541c7ce500fc3775a256d8e5146cbabad0c9f64503f5

SHA512
4318b4533f7d5bd4cf2168aece77ed173512c959ee7b7709e542c5070bd4e4c0c13ecae727bfb74c45405df9e63519de24b72a793636a7fb2abddb19d5884e9f

Download Submit
C:\Windows\SysWOW64\Dlkeqh32.exe
Filesize
50KB

MD5
85a5ec6b246c7471f6dedc6e5e15e54e

SHA1
a8692a1568bb7fe14aaa7169f3a20eb55f859660

SHA256
89e5849b4927ee15d6ee916a92d56f76e5bf5945db1bdcaf6a6d9d25ceb37686

SHA512
7ae30cdc4ae77179529432dd546093dbae8c6011f4a41aa97d65756a54b3a5f7ef6ab8e8f9f227f64cb2fcc325f448d52ae16abaa669e239b78418be2baff33d

Download Submit
C:\Windows\SysWOW64\Dlkeqh32.exe
Filesize
50KB

MD5
85a5ec6b246c7471f6dedc6e5e15e54e

SHA1
a8692a1568bb7fe14aaa7169f3a20eb55f859660

SHA256
89e5849b4927ee15d6ee916a92d56f76e5bf5945db1bdcaf6a6d9d25ceb37686

SHA512
7ae30cdc4ae77179529432dd546093dbae8c6011f4a41aa97d65756a54b3a5f7ef6ab8e8f9f227f64cb2fcc325f448d52ae16abaa669e239b78418be2baff33d

Download Submit
C:\Windows\SysWOW64\Ejidhcoj.exe
Filesize
50KB

MD5
cbafb7fae00cb707863bc96b6bb95fee

SHA1
0378cb4dea4a7f574680570e0b52c6334310379a

SHA256
0170e3c8166774edc1b82a258b3b861cc49d26d992bc1b015124a5fd0e302e3c

SHA512
502e09631647ea05c3d3869f4181ee4038a3fa978ec19ce4a3f902e54f3f3b53e4e1cdfbdca34adcc4c920f7c7a20ad22d1f0ccefaa81d6d45f8527e1a6391a3

Download Submit
C:\Windows\SysWOW64\Ejidhcoj.exe
Filesize
50KB

MD5
cbafb7fae00cb707863bc96b6bb95fee

SHA1
0378cb4dea4a7f574680570e0b52c6334310379a

SHA256
0170e3c8166774edc1b82a258b3b861cc49d26d992bc1b015124a5fd0e302e3c

SHA512
502e09631647ea05c3d3869f4181ee4038a3fa978ec19ce4a3f902e54f3f3b53e4e1cdfbdca34adcc4c920f7c7a20ad22d1f0ccefaa81d6d45f8527e1a6391a3

Download Submit
C:\Windows\SysWOW64\Iljmgnij.exe
Filesize
50KB

MD5
8629a188c6fa04fc025fed133363e0e8

SHA1
85701364ddbfe73b78c749c348883548deb2e2f7

SHA256
c79f2fd9b2b78bff18efb3bf60504f9948fde0c83306fb3b3429d51e04fd23fe

SHA512
5aeeeef39f4f320b6618e0242e4c286cc6acac2df61550c6583b36294cf40cb7df00995e75d05cfcfdb8e08509cc3e608daeae74e88263fab61eb6bd175abb65

Download Submit
C:\Windows\SysWOW64\Iljmgnij.exe
Filesize
50KB

MD5
8629a188c6fa04fc025fed133363e0e8

SHA1
85701364ddbfe73b78c749c348883548deb2e2f7

SHA256
c79f2fd9b2b78bff18efb3bf60504f9948fde0c83306fb3b3429d51e04fd23fe

SHA512
5aeeeef39f4f320b6618e0242e4c286cc6acac2df61550c6583b36294cf40cb7df00995e75d05cfcfdb8e08509cc3e608daeae74e88263fab61eb6bd175abb65

Download Submit
C:\Windows\SysWOW64\Nanmji32.exe
Filesize
50KB

MD5
64e7527268c5da1d8607791ae4562ad0

SHA1
07533bec5f9d451e533d5b1bb33836f918610b2b

SHA256
7812e47c67f03349b69e58e4edc047b7571e918a393f98c1018cdc4b53027d23

SHA512
3161e57815d7db215ec3bd3a72f0673a67738875abcf9fe657a96a8a5594f23c70652b17cd20ba7c1204e79d0619ad6ee0ac0d78a22453e49caa4b56206492e5

Download Submit
C:\Windows\SysWOW64\Nanmji32.exe
Filesize
50KB

MD5
64e7527268c5da1d8607791ae4562ad0

SHA1
07533bec5f9d451e533d5b1bb33836f918610b2b

SHA256
7812e47c67f03349b69e58e4edc047b7571e918a393f98c1018cdc4b53027d23

SHA512
3161e57815d7db215ec3bd3a72f0673a67738875abcf9fe657a96a8a5594f23c70652b17cd20ba7c1204e79d0619ad6ee0ac0d78a22453e49caa4b56206492e5

Download Submit
C:\Windows\SysWOW64\Neobeg32.exe
Filesize
50KB

MD5
422ac424ab7cae7d0489b0bfc8e40864

SHA1
6186d4c7cc3ea87fb548f08e332c60242091e63b

SHA256
7e8ff7fc7c96caae0623753e7a25fd3befdccbe9fd9bd76ac5583b21f57e5739

SHA512
e78ba41148d0821baf523224139163bb6e382d0ae9d0a224daf9440a6bc3ffb5664337a585f437c5ffc5bb98ccc4d988648888dec4542ee64c6139684115939c

Download Submit
C:\Windows\SysWOW64\Neobeg32.exe
Filesize
50KB

MD5
422ac424ab7cae7d0489b0bfc8e40864

SHA1
6186d4c7cc3ea87fb548f08e332c60242091e63b

SHA256
7e8ff7fc7c96caae0623753e7a25fd3befdccbe9fd9bd76ac5583b21f57e5739

SHA512
e78ba41148d0821baf523224139163bb6e382d0ae9d0a224daf9440a6bc3ffb5664337a585f437c5ffc5bb98ccc4d988648888dec4542ee64c6139684115939c

Download Submit
C:\Windows\SysWOW64\Nghefckc.exe
Filesize
50KB

MD5
52235df55edd94fc030608155099cbd7

SHA1
a8f97d69a7a2cacea4a98cfe90011ea7966ae712

SHA256
9cc6059eb3049e71085156b1c9fb1fa0f4a391b9fd641d865a53c5b08eb041d8

SHA512
2094b19bad7b208d54319c2bd12cf848881205cea0c3bd4bd36c36618d56e36e2d3744f52dd4797181b25931c33195ad1f9fd0ee26151591999b739e7f9ffd8e

Download Submit
C:\Windows\SysWOW64\Nghefckc.exe
Filesize
50KB

MD5
52235df55edd94fc030608155099cbd7

SHA1
a8f97d69a7a2cacea4a98cfe90011ea7966ae712

SHA256
9cc6059eb3049e71085156b1c9fb1fa0f4a391b9fd641d865a53c5b08eb041d8

SHA512
2094b19bad7b208d54319c2bd12cf848881205cea0c3bd4bd36c36618d56e36e2d3744f52dd4797181b25931c33195ad1f9fd0ee26151591999b739e7f9ffd8e

Download Submit
C:\Windows\SysWOW64\Nkadab32.exe
Filesize
50KB

MD5
4e6d8e90fc98e003aa83a383fe242986

SHA1
7f197124eea52a2c90468f388c2cad27836dfdff

SHA256
4999f378b17a7a83ea4578087cb6729d1168363283815084ff28717632af6efa

SHA512
244adce8429b3230f86260254738a5d84a8949713ffc887e8b62f5c78159b857de3df1c2d4d9b5ccac838ed25c70b5802f5c3f00e2c333096504f5b834fd37f2

Download Submit
C:\Windows\SysWOW64\Nkadab32.exe
Filesize
50KB

MD5
4e6d8e90fc98e003aa83a383fe242986

SHA1
7f197124eea52a2c90468f388c2cad27836dfdff

SHA256
4999f378b17a7a83ea4578087cb6729d1168363283815084ff28717632af6efa

SHA512
244adce8429b3230f86260254738a5d84a8949713ffc887e8b62f5c78159b857de3df1c2d4d9b5ccac838ed25c70b5802f5c3f00e2c333096504f5b834fd37f2

Download Submit
C:\Windows\SysWOW64\Ofgennhp.exe
Filesize
50KB

MD5
7612e83f3f0516b09d390d77d8081bd5

SHA1
21a37a4e4d9f08b4496ccf4e2baab767e43459c3

SHA256
12a0723b9db9a7afcb07ff40054134aa5b60445462144e016d34bae7e8070c04

SHA512
2674d27e48c9a720cd512193ffa743f1715f24009e394ac67ba16354bc4056f4f02ce7422ec916195b694d64f21127adaac088d3603f471d8194237c824a9156

Download Submit
C:\Windows\SysWOW64\Ofgennhp.exe
Filesize
50KB

MD5
7612e83f3f0516b09d390d77d8081bd5

SHA1
21a37a4e4d9f08b4496ccf4e2baab767e43459c3

SHA256
12a0723b9db9a7afcb07ff40054134aa5b60445462144e016d34bae7e8070c04

SHA512
2674d27e48c9a720cd512193ffa743f1715f24009e394ac67ba16354bc4056f4f02ce7422ec916195b694d64f21127adaac088d3603f471d8194237c824a9156

Download Submit
C:\Windows\SysWOW64\Ofiacnfm.exe
Filesize
50KB

MD5
43295e7b8a447c7d605c057e6ecf7609

SHA1
937118d2c4a6187064b00f8b7844f1893676fe91

SHA256
47bb7c8ece05e14eb43b0c55e04d95895c7649e9287959e098a86d65ea1fe9aa

SHA512
47e29acd56f19a05619be2bffb62e53acec56ec8293ffde4f7c41e6386b0817bba1ab6b0aea39eaf8a3e5a07097fcfbe6bc38e280ea0856ba9e7605bb4583354

Download Submit
C:\Windows\SysWOW64\Ofiacnfm.exe
Filesize
50KB

MD5
43295e7b8a447c7d605c057e6ecf7609

SHA1
937118d2c4a6187064b00f8b7844f1893676fe91

SHA256
47bb7c8ece05e14eb43b0c55e04d95895c7649e9287959e098a86d65ea1fe9aa

SHA512
47e29acd56f19a05619be2bffb62e53acec56ec8293ffde4f7c41e6386b0817bba1ab6b0aea39eaf8a3e5a07097fcfbe6bc38e280ea0856ba9e7605bb4583354

Download Submit
C:\Windows\SysWOW64\Ophcfddi.exe
Filesize
50KB

MD5
e48c3383e64bd31bc2595b940ecfde36

SHA1
8a8d11a8b147fbabb731cf9c326fe2be296e5a1e

SHA256
b7f5c325ff702bcd255cd0f94559d33249ee85ca0c8d324fbb5c85b9943ee197

SHA512
07777fe284f74b5f4fcbe15e32ef66719ab69428fa25f4fa3dd5cf4dff2204d26c2649226f8c4cf4e5a9beddb8d000c521969e13e5e511c5a5a22937b1408cc6

Download Submit
C:\Windows\SysWOW64\Ophcfddi.exe
Filesize
50KB

MD5
e48c3383e64bd31bc2595b940ecfde36

SHA1
8a8d11a8b147fbabb731cf9c326fe2be296e5a1e

SHA256
b7f5c325ff702bcd255cd0f94559d33249ee85ca0c8d324fbb5c85b9943ee197

SHA512
07777fe284f74b5f4fcbe15e32ef66719ab69428fa25f4fa3dd5cf4dff2204d26c2649226f8c4cf4e5a9beddb8d000c521969e13e5e511c5a5a22937b1408cc6

Download Submit
\Windows\SysWOW64\Acgeha32.exe
Filesize
50KB

MD5
f374a5b52dc77cd4bf979855598e93b9

SHA1
77246ad451dcb7532d7cbfa8985e0b73e0f7a31f

SHA256
405b1b95b5282bee4e1b5fa994d5b376ff132f6cdb584bd33eb51a81e7979906

SHA512
f84a6beb00ed477e7b7f8a2672bc4526c40beec9a4f33cee709cd9fc2ab33a168750dac289bb2ca505f36cce47568b29ef2f3392abae66e0dd7e6f57e0d32d03

Download Submit
\Windows\SysWOW64\Acgeha32.exe
Filesize
50KB

MD5
f374a5b52dc77cd4bf979855598e93b9

SHA1
77246ad451dcb7532d7cbfa8985e0b73e0f7a31f

SHA256
405b1b95b5282bee4e1b5fa994d5b376ff132f6cdb584bd33eb51a81e7979906

SHA512
f84a6beb00ed477e7b7f8a2672bc4526c40beec9a4f33cee709cd9fc2ab33a168750dac289bb2ca505f36cce47568b29ef2f3392abae66e0dd7e6f57e0d32d03

Download Submit
\Windows\SysWOW64\Bfjfno32.exe
Filesize
50KB

MD5
936a51fae11d5467fd0ad020eb96221b

SHA1
8f149b184f6efaa47a64e34ab956dc93563eedff

SHA256
5b1f5ee6cf6430e39ccee8b917a4bd293adf511d8c631e467fc96af2af4412b7

SHA512
577b239d9fa83e5cc3490227be4a4a37a211c42a8e7bb37be681045442e08ea46b6320e83f5ab32991d7cb15adeae9b4b9d2ddbc50ab1c0b5b8e848800a3c25e

Download Submit
\Windows\SysWOW64\Bfjfno32.exe
Filesize
50KB

MD5
936a51fae11d5467fd0ad020eb96221b

SHA1
8f149b184f6efaa47a64e34ab956dc93563eedff

SHA256
5b1f5ee6cf6430e39ccee8b917a4bd293adf511d8c631e467fc96af2af4412b7

SHA512
577b239d9fa83e5cc3490227be4a4a37a211c42a8e7bb37be681045442e08ea46b6320e83f5ab32991d7cb15adeae9b4b9d2ddbc50ab1c0b5b8e848800a3c25e

Download Submit
\Windows\SysWOW64\Bgmclcgo.exe
Filesize
50KB

MD5
8edf7bb2b438f0f17f8a0bba2e8dfa0d

SHA1
d62e6eb1611aae00093f016b0a93ae176963f645

SHA256
b3c11eb94b895dcbe9f2b21b65dc020171dd86b17f6150a0bbd18868fed5e700

SHA512
16350a2a6c942790ad38621c21a9cb0151211aa23bfa018897d5b0f862b51efd70710de2133b262d21c0e166c1b4a49c7e17640600e69c4abef8de7cf38f5907

Download Submit
\Windows\SysWOW64\Bgmclcgo.exe
Filesize
50KB

MD5
8edf7bb2b438f0f17f8a0bba2e8dfa0d

SHA1
d62e6eb1611aae00093f016b0a93ae176963f645

SHA256
b3c11eb94b895dcbe9f2b21b65dc020171dd86b17f6150a0bbd18868fed5e700

SHA512
16350a2a6c942790ad38621c21a9cb0151211aa23bfa018897d5b0f862b51efd70710de2133b262d21c0e166c1b4a49c7e17640600e69c4abef8de7cf38f5907

Download Submit
\Windows\SysWOW64\Blmijj32.exe
Filesize
50KB

MD5
d10e0a562138229ecb123ec7df340756

SHA1
936cb44feecc8afef51ac1a544efc9f6481bd599

SHA256
5abc7636f9dac3a84871b2011453fdc207353815eaf4de9f3c642e8dba0bf640

SHA512
3f162cc68d0d3c1e5479d8e58625b058855a500424f7dbc7bc1995e08a802d62197e29d65a4a87211b8c35b49fecbc2cb07ecf84c62a261c5d1d6e11841bb888

Download Submit
\Windows\SysWOW64\Blmijj32.exe
Filesize
50KB

MD5
d10e0a562138229ecb123ec7df340756

SHA1
936cb44feecc8afef51ac1a544efc9f6481bd599

SHA256
5abc7636f9dac3a84871b2011453fdc207353815eaf4de9f3c642e8dba0bf640

SHA512
3f162cc68d0d3c1e5479d8e58625b058855a500424f7dbc7bc1995e08a802d62197e29d65a4a87211b8c35b49fecbc2cb07ecf84c62a261c5d1d6e11841bb888

Download Submit
\Windows\SysWOW64\Cgbiff32.exe
Filesize
50KB

MD5
3a7abd1bb8d6d3e1226e32ce41ded4e7

SHA1
28953f2a54a12e79db0815cd249269b94a7e9bc6

SHA256
172a373496993a85c57101a3e1475f0d21ab0249c8c37f518c3269fc0744590f

SHA512
4b1160708b62431b672bcf485b88c34167b05552deb0bd55c4d7a304c44f0b8af0e69ec576bf930abaa537c54ed88dd7642730e5732b7c9007fc9e181eb10150

Download Submit
\Windows\SysWOW64\Cgbiff32.exe
Filesize
50KB

MD5
3a7abd1bb8d6d3e1226e32ce41ded4e7

SHA1
28953f2a54a12e79db0815cd249269b94a7e9bc6

SHA256
172a373496993a85c57101a3e1475f0d21ab0249c8c37f518c3269fc0744590f

SHA512
4b1160708b62431b672bcf485b88c34167b05552deb0bd55c4d7a304c44f0b8af0e69ec576bf930abaa537c54ed88dd7642730e5732b7c9007fc9e181eb10150

Download Submit
\Windows\SysWOW64\Cijppj32.exe
Filesize
50KB

MD5
d9ca0d88059514f62674c71337319868

SHA1
8b3f36743b1e7c2ff956254b7f40d4342a344d3f

SHA256
e37752184c749950be61541c7ce500fc3775a256d8e5146cbabad0c9f64503f5

SHA512
4318b4533f7d5bd4cf2168aece77ed173512c959ee7b7709e542c5070bd4e4c0c13ecae727bfb74c45405df9e63519de24b72a793636a7fb2abddb19d5884e9f

Download Submit
\Windows\SysWOW64\Cijppj32.exe
Filesize
50KB

MD5
d9ca0d88059514f62674c71337319868

SHA1
8b3f36743b1e7c2ff956254b7f40d4342a344d3f

SHA256
e37752184c749950be61541c7ce500fc3775a256d8e5146cbabad0c9f64503f5

SHA512
4318b4533f7d5bd4cf2168aece77ed173512c959ee7b7709e542c5070bd4e4c0c13ecae727bfb74c45405df9e63519de24b72a793636a7fb2abddb19d5884e9f

Download Submit
\Windows\SysWOW64\Dlkeqh32.exe
Filesize
50KB

MD5
85a5ec6b246c7471f6dedc6e5e15e54e

SHA1
a8692a1568bb7fe14aaa7169f3a20eb55f859660

SHA256
89e5849b4927ee15d6ee916a92d56f76e5bf5945db1bdcaf6a6d9d25ceb37686

SHA512
7ae30cdc4ae77179529432dd546093dbae8c6011f4a41aa97d65756a54b3a5f7ef6ab8e8f9f227f64cb2fcc325f448d52ae16abaa669e239b78418be2baff33d

Download Submit
\Windows\SysWOW64\Dlkeqh32.exe
Filesize
50KB

MD5
85a5ec6b246c7471f6dedc6e5e15e54e

SHA1
a8692a1568bb7fe14aaa7169f3a20eb55f859660

SHA256
89e5849b4927ee15d6ee916a92d56f76e5bf5945db1bdcaf6a6d9d25ceb37686

SHA512
7ae30cdc4ae77179529432dd546093dbae8c6011f4a41aa97d65756a54b3a5f7ef6ab8e8f9f227f64cb2fcc325f448d52ae16abaa669e239b78418be2baff33d

Download Submit
\Windows\SysWOW64\Ejidhcoj.exe
Filesize
50KB

MD5
cbafb7fae00cb707863bc96b6bb95fee

SHA1
0378cb4dea4a7f574680570e0b52c6334310379a

SHA256
0170e3c8166774edc1b82a258b3b861cc49d26d992bc1b015124a5fd0e302e3c

SHA512
502e09631647ea05c3d3869f4181ee4038a3fa978ec19ce4a3f902e54f3f3b53e4e1cdfbdca34adcc4c920f7c7a20ad22d1f0ccefaa81d6d45f8527e1a6391a3

Download Submit
\Windows\SysWOW64\Ejidhcoj.exe
Filesize
50KB

MD5
cbafb7fae00cb707863bc96b6bb95fee

SHA1
0378cb4dea4a7f574680570e0b52c6334310379a

SHA256
0170e3c8166774edc1b82a258b3b861cc49d26d992bc1b015124a5fd0e302e3c

SHA512
502e09631647ea05c3d3869f4181ee4038a3fa978ec19ce4a3f902e54f3f3b53e4e1cdfbdca34adcc4c920f7c7a20ad22d1f0ccefaa81d6d45f8527e1a6391a3

Download Submit
\Windows\SysWOW64\Iljmgnij.exe
Filesize
50KB

MD5
8629a188c6fa04fc025fed133363e0e8

SHA1
85701364ddbfe73b78c749c348883548deb2e2f7

SHA256
c79f2fd9b2b78bff18efb3bf60504f9948fde0c83306fb3b3429d51e04fd23fe

SHA512
5aeeeef39f4f320b6618e0242e4c286cc6acac2df61550c6583b36294cf40cb7df00995e75d05cfcfdb8e08509cc3e608daeae74e88263fab61eb6bd175abb65

Download Submit
\Windows\SysWOW64\Iljmgnij.exe
Filesize
50KB

MD5
8629a188c6fa04fc025fed133363e0e8

SHA1
85701364ddbfe73b78c749c348883548deb2e2f7

SHA256
c79f2fd9b2b78bff18efb3bf60504f9948fde0c83306fb3b3429d51e04fd23fe

SHA512
5aeeeef39f4f320b6618e0242e4c286cc6acac2df61550c6583b36294cf40cb7df00995e75d05cfcfdb8e08509cc3e608daeae74e88263fab61eb6bd175abb65

Download Submit
\Windows\SysWOW64\Nanmji32.exe
Filesize
50KB

MD5
64e7527268c5da1d8607791ae4562ad0

SHA1
07533bec5f9d451e533d5b1bb33836f918610b2b

SHA256
7812e47c67f03349b69e58e4edc047b7571e918a393f98c1018cdc4b53027d23

SHA512
3161e57815d7db215ec3bd3a72f0673a67738875abcf9fe657a96a8a5594f23c70652b17cd20ba7c1204e79d0619ad6ee0ac0d78a22453e49caa4b56206492e5

Download Submit
\Windows\SysWOW64\Nanmji32.exe
Filesize
50KB

MD5
64e7527268c5da1d8607791ae4562ad0

SHA1
07533bec5f9d451e533d5b1bb33836f918610b2b

SHA256
7812e47c67f03349b69e58e4edc047b7571e918a393f98c1018cdc4b53027d23

SHA512
3161e57815d7db215ec3bd3a72f0673a67738875abcf9fe657a96a8a5594f23c70652b17cd20ba7c1204e79d0619ad6ee0ac0d78a22453e49caa4b56206492e5

Download Submit
\Windows\SysWOW64\Neobeg32.exe
Filesize
50KB

MD5
422ac424ab7cae7d0489b0bfc8e40864

SHA1
6186d4c7cc3ea87fb548f08e332c60242091e63b

SHA256
7e8ff7fc7c96caae0623753e7a25fd3befdccbe9fd9bd76ac5583b21f57e5739

SHA512
e78ba41148d0821baf523224139163bb6e382d0ae9d0a224daf9440a6bc3ffb5664337a585f437c5ffc5bb98ccc4d988648888dec4542ee64c6139684115939c

Download Submit
\Windows\SysWOW64\Neobeg32.exe
Filesize
50KB

MD5
422ac424ab7cae7d0489b0bfc8e40864

SHA1
6186d4c7cc3ea87fb548f08e332c60242091e63b

SHA256
7e8ff7fc7c96caae0623753e7a25fd3befdccbe9fd9bd76ac5583b21f57e5739

SHA512
e78ba41148d0821baf523224139163bb6e382d0ae9d0a224daf9440a6bc3ffb5664337a585f437c5ffc5bb98ccc4d988648888dec4542ee64c6139684115939c

Download Submit
\Windows\SysWOW64\Nghefckc.exe
Filesize
50KB

MD5
52235df55edd94fc030608155099cbd7

SHA1
a8f97d69a7a2cacea4a98cfe90011ea7966ae712

SHA256
9cc6059eb3049e71085156b1c9fb1fa0f4a391b9fd641d865a53c5b08eb041d8

SHA512
2094b19bad7b208d54319c2bd12cf848881205cea0c3bd4bd36c36618d56e36e2d3744f52dd4797181b25931c33195ad1f9fd0ee26151591999b739e7f9ffd8e

Download Submit
\Windows\SysWOW64\Nghefckc.exe
Filesize
50KB

MD5
52235df55edd94fc030608155099cbd7

SHA1
a8f97d69a7a2cacea4a98cfe90011ea7966ae712

SHA256
9cc6059eb3049e71085156b1c9fb1fa0f4a391b9fd641d865a53c5b08eb041d8

SHA512
2094b19bad7b208d54319c2bd12cf848881205cea0c3bd4bd36c36618d56e36e2d3744f52dd4797181b25931c33195ad1f9fd0ee26151591999b739e7f9ffd8e

Download Submit
\Windows\SysWOW64\Nkadab32.exe
Filesize
50KB

MD5
4e6d8e90fc98e003aa83a383fe242986

SHA1
7f197124eea52a2c90468f388c2cad27836dfdff

SHA256
4999f378b17a7a83ea4578087cb6729d1168363283815084ff28717632af6efa

SHA512
244adce8429b3230f86260254738a5d84a8949713ffc887e8b62f5c78159b857de3df1c2d4d9b5ccac838ed25c70b5802f5c3f00e2c333096504f5b834fd37f2

Download Submit
\Windows\SysWOW64\Nkadab32.exe
Filesize
50KB

MD5
4e6d8e90fc98e003aa83a383fe242986

SHA1
7f197124eea52a2c90468f388c2cad27836dfdff

SHA256
4999f378b17a7a83ea4578087cb6729d1168363283815084ff28717632af6efa

SHA512
244adce8429b3230f86260254738a5d84a8949713ffc887e8b62f5c78159b857de3df1c2d4d9b5ccac838ed25c70b5802f5c3f00e2c333096504f5b834fd37f2

Download Submit
\Windows\SysWOW64\Ofgennhp.exe
Filesize
50KB

MD5
7612e83f3f0516b09d390d77d8081bd5

SHA1
21a37a4e4d9f08b4496ccf4e2baab767e43459c3

SHA256
12a0723b9db9a7afcb07ff40054134aa5b60445462144e016d34bae7e8070c04

SHA512
2674d27e48c9a720cd512193ffa743f1715f24009e394ac67ba16354bc4056f4f02ce7422ec916195b694d64f21127adaac088d3603f471d8194237c824a9156

Download Submit
\Windows\SysWOW64\Ofgennhp.exe
Filesize
50KB

MD5
7612e83f3f0516b09d390d77d8081bd5

SHA1
21a37a4e4d9f08b4496ccf4e2baab767e43459c3

SHA256
12a0723b9db9a7afcb07ff40054134aa5b60445462144e016d34bae7e8070c04

SHA512
2674d27e48c9a720cd512193ffa743f1715f24009e394ac67ba16354bc4056f4f02ce7422ec916195b694d64f21127adaac088d3603f471d8194237c824a9156

Download Submit
\Windows\SysWOW64\Ofiacnfm.exe
Filesize
50KB

MD5
43295e7b8a447c7d605c057e6ecf7609

SHA1
937118d2c4a6187064b00f8b7844f1893676fe91

SHA256
47bb7c8ece05e14eb43b0c55e04d95895c7649e9287959e098a86d65ea1fe9aa

SHA512
47e29acd56f19a05619be2bffb62e53acec56ec8293ffde4f7c41e6386b0817bba1ab6b0aea39eaf8a3e5a07097fcfbe6bc38e280ea0856ba9e7605bb4583354

Download Submit
\Windows\SysWOW64\Ofiacnfm.exe
Filesize
50KB

MD5
43295e7b8a447c7d605c057e6ecf7609

SHA1
937118d2c4a6187064b00f8b7844f1893676fe91

SHA256
47bb7c8ece05e14eb43b0c55e04d95895c7649e9287959e098a86d65ea1fe9aa

SHA512
47e29acd56f19a05619be2bffb62e53acec56ec8293ffde4f7c41e6386b0817bba1ab6b0aea39eaf8a3e5a07097fcfbe6bc38e280ea0856ba9e7605bb4583354

Download Submit
\Windows\SysWOW64\Ophcfddi.exe
Filesize
50KB

MD5
e48c3383e64bd31bc2595b940ecfde36

SHA1
8a8d11a8b147fbabb731cf9c326fe2be296e5a1e

SHA256
b7f5c325ff702bcd255cd0f94559d33249ee85ca0c8d324fbb5c85b9943ee197

SHA512
07777fe284f74b5f4fcbe15e32ef66719ab69428fa25f4fa3dd5cf4dff2204d26c2649226f8c4cf4e5a9beddb8d000c521969e13e5e511c5a5a22937b1408cc6

Download Submit
\Windows\SysWOW64\Ophcfddi.exe
Filesize
50KB

MD5
e48c3383e64bd31bc2595b940ecfde36

SHA1
8a8d11a8b147fbabb731cf9c326fe2be296e5a1e

SHA256
b7f5c325ff702bcd255cd0f94559d33249ee85ca0c8d324fbb5c85b9943ee197

SHA512
07777fe284f74b5f4fcbe15e32ef66719ab69428fa25f4fa3dd5cf4dff2204d26c2649226f8c4cf4e5a9beddb8d000c521969e13e5e511c5a5a22937b1408cc6

Download Submit
memory/108-102-0x0000000000000000-mapping.dmp

Download
memory/108-116-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/268-220-0x0000000000000000-mapping.dmp

Download
memory/280-158-0x0000000000000000-mapping.dmp

Download
memory/280-166-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/304-155-0x0000000000000000-mapping.dmp

Download
memory/304-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/308-167-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/308-159-0x0000000000000000-mapping.dmp

Download
memory/432-219-0x0000000000000000-mapping.dmp

Download
memory/544-205-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/544-194-0x0000000000000000-mapping.dmp

Download
memory/544-204-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/572-228-0x0000000000000000-mapping.dmp

Download
memory/584-263-0x0000000000000000-mapping.dmp

Download
memory/636-210-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/636-196-0x0000000000000000-mapping.dmp

Download
memory/636-209-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/636-211-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/704-185-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/704-172-0x0000000000000000-mapping.dmp

Download
memory/704-183-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/704-182-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/760-118-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/760-107-0x0000000000000000-mapping.dmp

Download
memory/764-150-0x0000000000000000-mapping.dmp

Download
memory/764-162-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/840-131-0x0000000000000000-mapping.dmp

Download
memory/840-148-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/908-63-0x0000000000000000-mapping.dmp

Download
memory/908-94-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/932-224-0x0000000000000000-mapping.dmp

Download
memory/952-188-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/952-187-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/952-174-0x0000000000000000-mapping.dmp

Download
memory/964-144-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/964-112-0x0000000000000000-mapping.dmp

Download
memory/964-122-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/968-222-0x0000000000000000-mapping.dmp

Download
memory/972-226-0x0000000000000000-mapping.dmp

Download
memory/984-198-0x0000000000000000-mapping.dmp

Download
memory/984-229-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/984-217-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/984-216-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1000-95-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1000-68-0x0000000000000000-mapping.dmp

Download
memory/1008-262-0x0000000000000000-mapping.dmp

Download
memory/1012-214-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1012-197-0x0000000000000000-mapping.dmp

Download
memory/1012-213-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1012-215-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1088-177-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1088-169-0x0000000000000000-mapping.dmp

Download
memory/1100-184-0x0000000000000000-mapping.dmp

Download
memory/1100-201-0x0000000001BA0000-0x0000000001BD1000-memory.dmp

Filesize
196KB

Download
memory/1100-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1116-115-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1116-99-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1116-88-0x0000000000000000-mapping.dmp

Download
memory/1124-173-0x0000000000000000-mapping.dmp

Download
memory/1124-186-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1136-58-0x0000000000000000-mapping.dmp

Download
memory/1136-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1136-93-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1140-223-0x0000000000000000-mapping.dmp

Download
memory/1200-300-0x0000000000000000-mapping.dmp

Download
memory/1276-261-0x0000000000000000-mapping.dmp

Download
memory/1320-161-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1320-141-0x0000000000000000-mapping.dmp

Download
memory/1320-153-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1348-193-0x0000000000000000-mapping.dmp

Download
memory/1348-202-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1348-203-0x00000000003C0000-0x00000000003F1000-memory.dmp

Filesize
196KB

Download
memory/1372-266-0x0000000000000000-mapping.dmp

Download
memory/1384-56-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1384-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1384-91-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1388-288-0x0000000000000000-mapping.dmp

Download
memory/1416-264-0x0000000000000000-mapping.dmp

Download
memory/1452-230-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1452-218-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1452-207-0x0000000000000000-mapping.dmp

Download
memory/1476-298-0x0000000000000000-mapping.dmp

Download
memory/1488-165-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1488-157-0x0000000000000000-mapping.dmp

Download
memory/1504-178-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1504-170-0x0000000000000000-mapping.dmp

Download
memory/1508-136-0x0000000000000000-mapping.dmp

Download
memory/1508-151-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1520-208-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1520-206-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1520-195-0x0000000000000000-mapping.dmp

Download
memory/1572-260-0x0000000000000000-mapping.dmp

Download
memory/1600-145-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1600-120-0x0000000000000000-mapping.dmp

Download
memory/1624-96-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1624-73-0x0000000000000000-mapping.dmp

Download
memory/1636-83-0x0000000000000000-mapping.dmp

Download
memory/1636-98-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1656-221-0x0000000000000000-mapping.dmp

Download
memory/1668-78-0x0000000000000000-mapping.dmp

Download
memory/1668-97-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1672-286-0x0000000000000000-mapping.dmp

Download
memory/1684-225-0x0000000000000000-mapping.dmp

Download
memory/1712-189-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1712-190-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1712-191-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1712-175-0x0000000000000000-mapping.dmp

Download
memory/1728-287-0x0000000000000000-mapping.dmp

Download
memory/1780-297-0x0000000000000000-mapping.dmp

Download
memory/1812-227-0x0000000000000000-mapping.dmp

Download
memory/1832-156-0x0000000000000000-mapping.dmp

Download
memory/1832-164-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1848-176-0x0000000000000000-mapping.dmp

Download
memory/1848-192-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1848-199-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/1892-160-0x0000000000000000-mapping.dmp

Download
memory/1892-168-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1908-126-0x0000000000000000-mapping.dmp

Download
memory/1908-146-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1968-265-0x0000000000000000-mapping.dmp

Download
memory/1980-212-0x0000000000000000-mapping.dmp

Download
memory/1984-299-0x0000000000000000-mapping.dmp

Download
memory/1988-181-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1988-171-0x0000000000000000-mapping.dmp

Download
memory/1988-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1988-180-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2000-267-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads