8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
Size

89KB
MD5

2c61f88b4e5b7e7770667cdcc091042a
SHA1

7f20b0fb0d479972018d5311f6902b22026fca11
SHA256

8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029
SHA512

33393aaebdfd1bd01c5c0450e15c721bb742b3c3e7704a169eb98d26ae4ae2bd56f4359c2924aba239f3ae15025fd68d64549ae14506f1516551d8c9a041bbfb
SSDEEP

1536:kVY3HnUh0LmDLZY485AA46F0VJlduPWGHrxbmsCIK282c8CPGCECa9bC7e3iaqW/:dUf98eA4G0VJld/4xbmhD28Qxnd9GMHD

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pngbhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oijqibbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oijqibbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aimoln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhdpll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahkflk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blnhni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpcpkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oniffino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbpacfmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oagbbdnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnplghhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoeniefo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chgoogfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dabpnlkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpqjofcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahiigkqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpladg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chnlihnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oilmnbpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opfekl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aogkoedl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aahdqp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bammlomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chbedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cefemliq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pelaib32.exe

Executes dropped EXE 64 IoCs

pid	Process
1276	Ngjdopkg.exe
1520	Nkfpon32.exe
3628	Nndlkj32.exe
872	Oacige32.exe
944	Oijqibbj.exe
464	Okhmenan.exe
2632	Ongiaiqa.exe
2668	Oaeemepe.exe
748	Oilmnbpg.exe
3680	Opfekl32.exe
1036	Oniffino.exe
532	Oagbbdnb.exe
436	Oiojdb32.exe
4044	Okmfpm32.exe
632	Onkbli32.exe
4184	Oeekicdi.exe
2176	Ogdgencl.exe
2548	Opkoflco.exe
4544	Obikbgbb.exe
3932	Ogfcjnaj.exe
936	Pnplghhf.exe
1448	Paohccgj.exe
3992	Piepdahl.exe
2424	Pldlqlgp.exe
2508	Pelaib32.exe
2096	Phkmem32.exe
1620	Ppbegkmg.exe
4168	Pbpacfmj.exe
2800	Plifll32.exe
3964	Pngbhg32.exe
4572	Paendb32.exe
4216	Pimfep32.exe
3868	Pniomgpl.exe
3028	Pahkjbop.exe
4296	Plmogkoe.exe
4644	Qajhobmm.exe
1596	Qhdpll32.exe
1152	Qlpllkmc.exe
4052	Qnnhhflf.exe
4100	Qamdda32.exe
184	Qhfmalbg.exe
3648	Apndbici.exe
744	Ablaodbm.exe
2056	Aejmkpaq.exe
4816	Ahiigkqd.exe
2228	Appahiag.exe
5004	Abnnddpj.exe
2080	Aemjpp32.exe
4588	Ahkflk32.exe
5000	Aoeniefo.exe
2196	Aackeqeb.exe
4964	Aikbfnfd.exe
2172	Aliobieh.exe
1280	Aogkoedl.exe
1668	Aafgkpcp.exe
4540	Aimoln32.exe
4268	Alkkhi32.exe
3096	Apggihko.exe
2004	Abedecjb.exe
3068	Aahdqp32.exe
1884	Aiolam32.exe
1664	Blnhni32.exe
1084	Bbhqjchp.exe
1744	Befmfngc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Gbifgkeh.dll	Ogdgencl.exe
File created	C:\Windows\SysWOW64\Aimoln32.exe	Aafgkpcp.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Lfghpbcp.dll	Opkoflco.exe
File opened for modification	C:\Windows\SysWOW64\Himcoo32.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Aiolam32.exe	Aahdqp32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Ficgacna.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Dlojkddn.exe	Dhcnke32.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Fcgoilpj.exe	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Djpnohej.exe	Dokjbp32.exe
File created	C:\Windows\SysWOW64\Cichoi32.dll	Elccfc32.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fllceb32.dll	Dhnepfpj.exe
File opened for modification	C:\Windows\SysWOW64\Dcdimopp.exe	Dljqpd32.exe
File created	C:\Windows\SysWOW64\Ebbidj32.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Ogfcjnaj.exe	Obikbgbb.exe
File created	C:\Windows\SysWOW64\Hfcgek32.dll	Aackeqeb.exe
File opened for modification	C:\Windows\SysWOW64\Bbhqjchp.exe	Blnhni32.exe
File created	C:\Windows\SysWOW64\Okmfpm32.exe	Oiojdb32.exe
File created	C:\Windows\SysWOW64\Cijddbon.dll	Aimoln32.exe
File created	C:\Windows\SysWOW64\Fmmfmbhn.exe	Fjnjqfij.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Dpcpkc32.exe	Dhlhjf32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Apggihko.exe	Alkkhi32.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Dhnepfpj.exe	Djlddi32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Eqciba32.exe	Ehlaaddj.exe
File opened for modification	C:\Windows\SysWOW64\Ffbnph32.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Abmafgei.dll	Blnhni32.exe
File created	C:\Windows\SysWOW64\Bikkml32.exe	Badcln32.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gidphq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9352	9240	WerFault.exe	422

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aliobieh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cimhckeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoodnhmi.dll"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopeje32.dll"	Efneehef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opkoflco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmljla32.dll"	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhnepfpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhdpll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphbondi.dll"	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chbedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppbegkmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampkqqjm.dll"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qajhobmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qlpllkmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chnlihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oijqibbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiojdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efneehef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhfmalbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ablaodbm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 1276	1892	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe	81
PID 1892 wrote to memory of 1276	1892	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe	81
PID 1892 wrote to memory of 1276	1892	8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe	81
PID 1276 wrote to memory of 1520	1276	Ngjdopkg.exe	82
PID 1276 wrote to memory of 1520	1276	Ngjdopkg.exe	82
PID 1276 wrote to memory of 1520	1276	Ngjdopkg.exe	82
PID 1520 wrote to memory of 3628	1520	Nkfpon32.exe	84
PID 1520 wrote to memory of 3628	1520	Nkfpon32.exe	84
PID 1520 wrote to memory of 3628	1520	Nkfpon32.exe	84
PID 3628 wrote to memory of 872	3628	Nndlkj32.exe	85
PID 3628 wrote to memory of 872	3628	Nndlkj32.exe	85
PID 3628 wrote to memory of 872	3628	Nndlkj32.exe	85
PID 872 wrote to memory of 944	872	Oacige32.exe	86
PID 872 wrote to memory of 944	872	Oacige32.exe	86
PID 872 wrote to memory of 944	872	Oacige32.exe	86
PID 944 wrote to memory of 464	944	Oijqibbj.exe	87
PID 944 wrote to memory of 464	944	Oijqibbj.exe	87
PID 944 wrote to memory of 464	944	Oijqibbj.exe	87
PID 464 wrote to memory of 2632	464	Okhmenan.exe	88
PID 464 wrote to memory of 2632	464	Okhmenan.exe	88
PID 464 wrote to memory of 2632	464	Okhmenan.exe	88
PID 2632 wrote to memory of 2668	2632	Ongiaiqa.exe	90
PID 2632 wrote to memory of 2668	2632	Ongiaiqa.exe	90
PID 2632 wrote to memory of 2668	2632	Ongiaiqa.exe	90
PID 2668 wrote to memory of 748	2668	Oaeemepe.exe	91
PID 2668 wrote to memory of 748	2668	Oaeemepe.exe	91
PID 2668 wrote to memory of 748	2668	Oaeemepe.exe	91
PID 748 wrote to memory of 3680	748	Oilmnbpg.exe	92
PID 748 wrote to memory of 3680	748	Oilmnbpg.exe	92
PID 748 wrote to memory of 3680	748	Oilmnbpg.exe	92
PID 3680 wrote to memory of 1036	3680	Opfekl32.exe	93
PID 3680 wrote to memory of 1036	3680	Opfekl32.exe	93
PID 3680 wrote to memory of 1036	3680	Opfekl32.exe	93
PID 1036 wrote to memory of 532	1036	Oniffino.exe	94
PID 1036 wrote to memory of 532	1036	Oniffino.exe	94
PID 1036 wrote to memory of 532	1036	Oniffino.exe	94
PID 532 wrote to memory of 436	532	Oagbbdnb.exe	96
PID 532 wrote to memory of 436	532	Oagbbdnb.exe	96
PID 532 wrote to memory of 436	532	Oagbbdnb.exe	96
PID 436 wrote to memory of 4044	436	Oiojdb32.exe	97
PID 436 wrote to memory of 4044	436	Oiojdb32.exe	97
PID 436 wrote to memory of 4044	436	Oiojdb32.exe	97
PID 4044 wrote to memory of 632	4044	Okmfpm32.exe	98
PID 4044 wrote to memory of 632	4044	Okmfpm32.exe	98
PID 4044 wrote to memory of 632	4044	Okmfpm32.exe	98
PID 632 wrote to memory of 4184	632	Onkbli32.exe	99
PID 632 wrote to memory of 4184	632	Onkbli32.exe	99
PID 632 wrote to memory of 4184	632	Onkbli32.exe	99
PID 4184 wrote to memory of 2176	4184	Oeekicdi.exe	100
PID 4184 wrote to memory of 2176	4184	Oeekicdi.exe	100
PID 4184 wrote to memory of 2176	4184	Oeekicdi.exe	100
PID 2176 wrote to memory of 2548	2176	Ogdgencl.exe	101
PID 2176 wrote to memory of 2548	2176	Ogdgencl.exe	101
PID 2176 wrote to memory of 2548	2176	Ogdgencl.exe	101
PID 2548 wrote to memory of 4544	2548	Opkoflco.exe	102
PID 2548 wrote to memory of 4544	2548	Opkoflco.exe	102
PID 2548 wrote to memory of 4544	2548	Opkoflco.exe	102
PID 4544 wrote to memory of 3932	4544	Obikbgbb.exe	103
PID 4544 wrote to memory of 3932	4544	Obikbgbb.exe	103
PID 4544 wrote to memory of 3932	4544	Obikbgbb.exe	103
PID 3932 wrote to memory of 936	3932	Ogfcjnaj.exe	104
PID 3932 wrote to memory of 936	3932	Ogfcjnaj.exe	104
PID 3932 wrote to memory of 936	3932	Ogfcjnaj.exe	104
PID 936 wrote to memory of 1448	936	Pnplghhf.exe	105

C:\Users\Admin\AppData\Local\Temp\8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe
"C:\Users\Admin\AppData\Local\Temp\8dbba95008edf4fba7bf229ab780a033160b87934b301f74643eaebe8b3c6029.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\Ngjdopkg.exe
  C:\Windows\system32\Ngjdopkg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\Nkfpon32.exe
    C:\Windows\system32\Nkfpon32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\Nndlkj32.exe
      C:\Windows\system32\Nndlkj32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3628
    - - C:\Windows\SysWOW64\Oacige32.exe
        
        C:\Windows\system32\Oacige32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:872
      - C:\Windows\SysWOW64\Oijqibbj.exe
        
        C:\Windows\system32\Oijqibbj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Okhmenan.exe
        
        C:\Windows\system32\Okhmenan.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Ongiaiqa.exe
        
        C:\Windows\system32\Ongiaiqa.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Oaeemepe.exe
        
        C:\Windows\system32\Oaeemepe.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Oilmnbpg.exe
        
        C:\Windows\system32\Oilmnbpg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Opfekl32.exe
        
        C:\Windows\system32\Opfekl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Oniffino.exe
        
        C:\Windows\system32\Oniffino.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Oagbbdnb.exe
        
        C:\Windows\system32\Oagbbdnb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Oiojdb32.exe
        
        C:\Windows\system32\Oiojdb32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Okmfpm32.exe
        
        C:\Windows\system32\Okmfpm32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Onkbli32.exe
        
        C:\Windows\system32\Onkbli32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Oeekicdi.exe
        
        C:\Windows\system32\Oeekicdi.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Ogdgencl.exe
        
        C:\Windows\system32\Ogdgencl.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Opkoflco.exe
        
        C:\Windows\system32\Opkoflco.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Obikbgbb.exe
        
        C:\Windows\system32\Obikbgbb.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Ogfcjnaj.exe
        
        C:\Windows\system32\Ogfcjnaj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Pnplghhf.exe
        
        C:\Windows\system32\Pnplghhf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Paohccgj.exe
        
        C:\Windows\system32\Paohccgj.exe
        23⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\Piepdahl.exe
        
        C:\Windows\system32\Piepdahl.exe
        24⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Pldlqlgp.exe
        
        C:\Windows\system32\Pldlqlgp.exe
        25⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Pelaib32.exe
        
        C:\Windows\system32\Pelaib32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\Phkmem32.exe
        
        C:\Windows\system32\Phkmem32.exe
        27⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Ppbegkmg.exe
        
        C:\Windows\system32\Ppbegkmg.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Pbpacfmj.exe
        
        C:\Windows\system32\Pbpacfmj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\Plifll32.exe
        
        C:\Windows\system32\Plifll32.exe
        30⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Pngbhg32.exe
        
        C:\Windows\system32\Pngbhg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\Paendb32.exe
        
        C:\Windows\system32\Paendb32.exe
        32⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Pimfep32.exe
        
        C:\Windows\system32\Pimfep32.exe
        33⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Pniomgpl.exe
        
        C:\Windows\system32\Pniomgpl.exe
        34⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Pahkjbop.exe
        
        C:\Windows\system32\Pahkjbop.exe
        35⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Plmogkoe.exe
        
        C:\Windows\system32\Plmogkoe.exe
        36⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Qajhobmm.exe
        
        C:\Windows\system32\Qajhobmm.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Qhdpll32.exe
        
        C:\Windows\system32\Qhdpll32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Qlpllkmc.exe
        
        C:\Windows\system32\Qlpllkmc.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Qnnhhflf.exe
        
        C:\Windows\system32\Qnnhhflf.exe
        40⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Qamdda32.exe
        
        C:\Windows\system32\Qamdda32.exe
        41⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Qhfmalbg.exe
        
        C:\Windows\system32\Qhfmalbg.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:184
        
        C:\Windows\SysWOW64\Apndbici.exe
        
        C:\Windows\system32\Apndbici.exe
        43⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Ablaodbm.exe
        
        C:\Windows\system32\Ablaodbm.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Aejmkpaq.exe
        
        C:\Windows\system32\Aejmkpaq.exe
        45⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Ahiigkqd.exe
        
        C:\Windows\system32\Ahiigkqd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Appahiag.exe
        
        C:\Windows\system32\Appahiag.exe
        47⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Abnnddpj.exe
        
        C:\Windows\system32\Abnnddpj.exe
        48⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Aemjpp32.exe
        
        C:\Windows\system32\Aemjpp32.exe
        49⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\Ahkflk32.exe
        
        C:\Windows\system32\Ahkflk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Aoeniefo.exe
        
        C:\Windows\system32\Aoeniefo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Aackeqeb.exe
        
        C:\Windows\system32\Aackeqeb.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Aikbfnfd.exe
        
        C:\Windows\system32\Aikbfnfd.exe
        53⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Aliobieh.exe
        
        C:\Windows\system32\Aliobieh.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Aogkoedl.exe
        
        C:\Windows\system32\Aogkoedl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1280
        
        C:\Windows\SysWOW64\Aafgkpcp.exe
        
        C:\Windows\system32\Aafgkpcp.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\Aimoln32.exe
        
        C:\Windows\system32\Aimoln32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Alkkhi32.exe
        
        C:\Windows\system32\Alkkhi32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Apggihko.exe
        
        C:\Windows\system32\Apggihko.exe
        59⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Abedecjb.exe
        
        C:\Windows\system32\Abedecjb.exe
        60⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\Aahdqp32.exe
        
        C:\Windows\system32\Aahdqp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\Aiolam32.exe
        
        C:\Windows\system32\Aiolam32.exe
        62⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Blnhni32.exe
        
        C:\Windows\system32\Blnhni32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Bbhqjchp.exe
        
        C:\Windows\system32\Bbhqjchp.exe
        64⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Befmfngc.exe
        
        C:\Windows\system32\Befmfngc.exe
        65⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\Bibigmpl.exe
        
        C:\Windows\system32\Bibigmpl.exe
        66⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Bpladg32.exe
        
        C:\Windows\system32\Bpladg32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:856
        
        C:\Windows\SysWOW64\Bammlomg.exe
        
        C:\Windows\system32\Bammlomg.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4996
        
        C:\Windows\SysWOW64\Bbljeb32.exe
        
        C:\Windows\system32\Bbljeb32.exe
        69⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Baojaoke.exe
        
        C:\Windows\system32\Baojaoke.exe
        70⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        71⤵
        
        PID:64
        
        C:\Windows\SysWOW64\Bpqjofcd.exe
        
        C:\Windows\system32\Bpqjofcd.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3388
        
        C:\Windows\SysWOW64\Baaggo32.exe
        
        C:\Windows\system32\Baaggo32.exe
        73⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\Biiohl32.exe
        
        C:\Windows\system32\Biiohl32.exe
        74⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\Blgkdg32.exe
        
        C:\Windows\system32\Blgkdg32.exe
        75⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        76⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Badcln32.exe
        
        C:\Windows\system32\Badcln32.exe
        77⤵
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        78⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Chnlihnl.exe
        
        C:\Windows\system32\Chnlihnl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        80⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\Cafpanem.exe
        
        C:\Windows\system32\Cafpanem.exe
        81⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        82⤵
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Clldogdc.exe
        
        C:\Windows\system32\Clldogdc.exe
        83⤵
        
        PID:640
        
        C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        84⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\Caimgncj.exe
        
        C:\Windows\system32\Caimgncj.exe
        85⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        86⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\Chbedh32.exe
        
        C:\Windows\system32\Chbedh32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        88⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        89⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4144
        
        C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        91⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        92⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        93⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        94⤵
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        95⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:404
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        97⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        98⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        99⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        100⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        101⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4352
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        103⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        104⤵
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:868
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        106⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        107⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        108⤵
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        111⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        113⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        115⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        116⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        117⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        120⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        124⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        125⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        126⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        128⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        129⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        130⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        131⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        132⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        134⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        135⤵
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        136⤵
        
        PID:216
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        137⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        139⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        140⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        141⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        143⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        146⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        147⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        148⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        149⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        151⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        152⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        153⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        154⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        155⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        156⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        157⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        158⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4620
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        162⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        163⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        166⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        167⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        168⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        169⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        170⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        171⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        172⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        174⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6212
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        176⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        178⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        179⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        180⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        181⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        182⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6552
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        184⤵
        Drops file in System32 directory
        
        PID:6604
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        185⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6700
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        187⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6812
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        189⤵
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        190⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        191⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        192⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        193⤵
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        194⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        195⤵
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        196⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        197⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        198⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        199⤵
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        200⤵
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        201⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        202⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        203⤵
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        204⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        205⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        206⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        207⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        208⤵
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        209⤵
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        210⤵
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        211⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        212⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7072
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        215⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        216⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        217⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        218⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        219⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        220⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7232
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        221⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        222⤵
        Modifies registry class
        
        PID:7356
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        223⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        224⤵
        Drops file in System32 directory
        
        PID:7476
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        225⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        226⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        227⤵
        Drops file in System32 directory
        
        PID:7608
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        228⤵
        Drops file in System32 directory
        
        PID:7648
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        229⤵
        Modifies registry class
        
        PID:7692
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        230⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7776
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        232⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7820
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        233⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        234⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        235⤵
        Modifies registry class
        
        PID:7952
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        236⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        237⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        238⤵
        Modifies registry class
        
        PID:8084
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        239⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        240⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        241⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        242⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        243⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        244⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        245⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        246⤵
        Drops file in System32 directory
        
        PID:7640
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        247⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7716
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        248⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        249⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        250⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        251⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        252⤵
        Modifies registry class
        
        PID:8076
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        253⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        254⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7460
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        256⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        257⤵
        Modifies registry class
        
        PID:7720
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        258⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        259⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8048
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        261⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        262⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        263⤵
        Drops file in System32 directory
        
        PID:7672
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        264⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8000
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        266⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        267⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        268⤵
        Drops file in System32 directory
        
        PID:8140
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7552
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7596
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        271⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        272⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        273⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        274⤵
        Modifies registry class
        
        PID:8312
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        275⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        276⤵
        Modifies registry class
        
        PID:8400
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        277⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        278⤵
        Modifies registry class
        
        PID:8480
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        279⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        280⤵
        Drops file in System32 directory
        
        PID:8564
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        281⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        282⤵
        Drops file in System32 directory
        
        PID:8652
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8704
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        284⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8796
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        286⤵
        Modifies registry class
        
        PID:8840
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        287⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        288⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        289⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        290⤵
        Drops file in System32 directory
        
        PID:9008
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        291⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9044
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        292⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        293⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        294⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9168
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        295⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        296⤵
        Modifies registry class
        
        PID:8264
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        297⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        298⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        299⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8560
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        301⤵
        Drops file in System32 directory
        
        PID:8624
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        302⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        303⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        304⤵
        Drops file in System32 directory
        
        PID:8832
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        305⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8904
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        306⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8940
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        307⤵
        Drops file in System32 directory
        
        PID:9040
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        308⤵
        Drops file in System32 directory
        
        PID:9120
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        309⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        310⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8304
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        311⤵
        Modifies registry class
        
        PID:8408
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        312⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8512
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        313⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8632
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        314⤵
        Modifies registry class
        
        PID:8732
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        315⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        316⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8956
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        317⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        318⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        319⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        320⤵
        Drops file in System32 directory
        
        PID:8596
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        321⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        322⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        323⤵
        Modifies registry class
        
        PID:9164
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        324⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        325⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        326⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        327⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        328⤵
        Modifies registry class
        
        PID:8240
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        329⤵
        Modifies registry class
        
        PID:9140
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        330⤵
        Drops file in System32 directory
        
        PID:8516
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        331⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9240 -s 408
        332⤵
        Program crash
        
        PID:9352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 9240 -ip 9240
1⤵
PID:9328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
89KB

MD5
e0ece9375cfbefb2ccac6baa79e2123e

SHA1
3a7ea14cab1321437fa6a5d8e9080e2b2709feda

SHA256
0639d87888326418a53a7d29d3e6ff95143282ad73da86748b435cf87d1f5f44

SHA512
22b3242cec554801fca0598e6cf5c8a26539c62a8a9989d88bb352105bf322364b9487cc8756360fe78fb30c9fbf0dd46e6ceb939818468ca77b5bf16239da51

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
89KB

MD5
7df8adcb20d5ea6b4646e06274e6c794

SHA1
b2b46af4d45acaa1a0901f822d22ff29468af550

SHA256
1919029e12af2bed779ea4d044531ff5fa53b0fde899eb8725250474ff6e6707

SHA512
eeb8fc6c4408ea0593ca7a3525d4c3f8d3f4bd06054cf2eccfd5f24d350873b7737bf7bd225ea3db139f937e0ed341ecd6c4f202fa90142b58915bf471849d11

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
89KB

MD5
c90b3d2b944353df7f88fa861a5eedbc

SHA1
edeb24a0eac591de23fc07bd8d03c8a0c8949c60

SHA256
05416a4cac60884fd7d118361f9f05f9eac1a5a2af836f3e33a4a6965bbb05a6

SHA512
fd7588b853024a309d04d89e71c5303f0d477beefc4d9dba1465c19955c5bf014db2b8cba0a5a664e6e047c948d8d15caa90173749908c1631c7bb2413599bfe

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
89KB

MD5
5b7153d0414714de4c425cd209def47c

SHA1
252c413c287acadc8810c07d6829aef9ae7090d0

SHA256
65bbf8369eec75e8dc88878dc490b2b90f43f4de683309dd326dfd0a71df5e87

SHA512
7e448c6d9e445a59a216a7afd49e5604e376d74aa1b1ee5fd5fb2f5c44990f769de8d2358b96a33a219e6a640288153dfc27b86f9f13680ee8a1938660306503

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
89KB

MD5
de82aec7930fe79250ae6ca6d6d81c9d

SHA1
c0605dc48a63b1833d913cb49f055639df0e8133

SHA256
c84d7f08252866ecf378fcee034be6a010203dacd82c0db3baf036bb7dff9c9c

SHA512
3960c9689356988e750d1cc47db0ed079c07d34b8b19e3a0b24714fa3c2ddaa1b66382c970ff166aa43580eb8bad1bde0a7bf3989ca9e7785b536112bc10d0a5

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
89KB

MD5
4f03db99785912cb39c370d7bf1b7beb

SHA1
d6486d42da4518fb9b4c13b1e53090db973904a1

SHA256
3df5ba3360be89d9f7191073513df43cf74bc02a7d2623837f6b4594d1b39e7f

SHA512
d5e897d0c924d3579d97183017362b8442eac0741f0558fca765eca5e3c175d0501d5491fce3f23124b763362168c745946eb75b3e7cd385445052a40481a289

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
89KB

MD5
155c9055b12ce1973198e914475cf7c5

SHA1
236f34ebfda38c38515fbb55effa845c7d98ae41

SHA256
874ac42d5489b25a15fa8d9da0633e88422a3b212fe1de468a48b300a3f169fb

SHA512
4742aa0874666c003e4bc6022869d40b9943836efebc20909cd354bc61b333a178c2c3dc25df2804e0d0e730b8b2c1f9f276540212741ff9770640165fd6dc35

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
89KB

MD5
8cb15a4af66f34af64005bc4993a2280

SHA1
0665513387bfeaf3737558eaa91438ba6a49df5e

SHA256
ec507151ff9a7ece79121fa13fb18db44dbd17568883e62887f77fa5073bc8d6

SHA512
279d72104e0d200e1095d3af5d5d7be3c68d37145829e61d8322896404b6f6f819c36eaec3a1184eb88c8d8a259d77dbf36099b99d39b6882a1f5e30885b9013

Download Submit
C:\Windows\SysWOW64\Ngjdopkg.exe

Filesize
89KB

MD5
d062d532f6cf32795aeda6f80e8ae128

SHA1
484e2a6a65ee2f8784743ca18793e2fb662ea1bf

SHA256
40bef1037f4ca249f41898d7f96099a66e591e0596a951fd4f7613f20141d24d

SHA512
059f4cdcf106bea833d83081a61bc495b9c5fd26c6b2ab809fdf06066ba65f8f26f1da1973cb0dbcae1ee13c6c740a2670cb167e1b1878b94df9f0874897f122

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
89KB

MD5
7f441c7bd7233955dcebb52ced4e33e3

SHA1
999635365f63bb06bfa453fa5a09f691090b8e6f

SHA256
b8c9b64570e53d43400b37a2add76d1a4dd586f5c114d970f51271e38e015511

SHA512
6efa7b8a94b5927f467e3ea9e5c3d3add30d9b86c711f704529884f21ed025aa783a65cf7b765844fdbbfd488e4e40c57ddb3b5a9e93edb377ab05fbf5acd86e

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
89KB

MD5
474394d93bb99ce9b10835e47f152453

SHA1
76892b0abd8493b0fd662bb62bffa1f4ae7a5e9d

SHA256
3c115723b9719a3e96404ac735595baa81f1074116ac3d5feb5f22cee0de86df

SHA512
d2768d184956b7182d77010967f30c4949712d2b51957c87ac4b41efe6197b6ddb1f0a4322df8c7c85c5da368c8a93107171c4b0589714cf157c000ee705e3e5

Download Submit
C:\Windows\SysWOW64\Nkfpon32.exe

Filesize
89KB

MD5
000ddc0a44d4867e73cc68dd7132e32e

SHA1
af5463a98972fa06c381c216751bccc28d07c2d0

SHA256
8b3d211bc94a8c914b8a501e34be725702ecfe2b5d88c0d9371e659402a3f370

SHA512
638a962c18c91476b9012b1be860b59cb98952f01d261529160af68e889bfbd79bb892fa9aebfe2e83255ddc4037be3a410009b7f5c68a3f5517bad2e40d44db

Download Submit
C:\Windows\SysWOW64\Nndlkj32.exe

Filesize
89KB

MD5
80f859a498e3707721fc5c0ec7827f5b

SHA1
fa26f05404527dbe2b0946dad1c00b48768df4df

SHA256
1cbbee9a0eedb1b5f72ce50e3a6a09b48036d4ddd70ad64737bc2b3c7a293ec9

SHA512
1d01df0b0f343bca7f307a804e804b143d429b0b4ccd3758dd4ed70b3a704b6a28059de7e32371be03d8730ab274b32776c12a82731818e52bcf63c1a5b693c8

Download Submit
C:\Windows\SysWOW64\Oacige32.exe

Filesize
89KB

MD5
75901741840a0c012399ecf8ca6dd060

SHA1
05177a7f2f145283f2bb8d4b02416ad1ea9982ac

SHA256
13368d7596c7cbbf2df5fdb890da26cff29afaaab2e2297732d6dd66a1cae59d

SHA512
672d4525e9cae820a1563c3097aea005b5f2c8022716c50b02bcbbc57250df37a89cfe2ca63df4397b37ce7f669be132f593e4de2a0bd805cf4d24468dab5d25

Download Submit
C:\Windows\SysWOW64\Oaeemepe.exe

Filesize
89KB

MD5
ea399792960d52c77a72f3876265a111

SHA1
4cef901881b87d208a6493968e0a7c5441bd53f3

SHA256
d05178c5ef2235d7aa648f34288b45fe5c9d5f639135d53c77fc9c24f56db143

SHA512
972b92512c48fd13779b86dd6b0f2fe3472a4533917ee81e7431fe42f22f78c6c3f746e2f15d68b906d743584d693cc2b77cecf0bfec609232d8215c078521a8

Download Submit
C:\Windows\SysWOW64\Oagbbdnb.exe

Filesize
89KB

MD5
999e06c9c15396a4588fa476ede785dd

SHA1
3497f88ad21aaca039f5b073dae11d21a1fe5d82

SHA256
aedb268a98837854b9834cb9f8baef7d1766e7b70d87d767c78976fb3f54a73b

SHA512
5c5819c09d9c2300fa9eab2acc371533bfd998da1ebef11b4b6dfe9219084ae3abab615fe2e13065315b81595aa7e673ecee461b82ca67281469851c8e61a77c

Download Submit
C:\Windows\SysWOW64\Obikbgbb.exe

Filesize
89KB

MD5
cc8bec3383c101353b03cb8e3bac77ab

SHA1
c728c281f8de8ede336066e5bcbc60c6fdc4556a

SHA256
6d59afa4b5de3058439b37e9921f4d05b84ded29bd60c1b822879a3c261e7162

SHA512
3c4e3bfff7645dc3e3d041d2cdb3bebacc557d460ecf8edb816cdaddcca19e7329946fab38fda16e7b9e29037f23fec6c9bdc1d49fdb9b2916fb1f27ee24cfa6

Download Submit
C:\Windows\SysWOW64\Oeekicdi.exe

Filesize
89KB

MD5
113ca3f3cc7409eff97a8269ac3d1134

SHA1
a12120e07bfd6dbe6b040f4b95399a4b631282a5

SHA256
2fac89629bb614ac006dbbcac953f0d677bbcee9eef0369b9562132f28f55695

SHA512
22f46e6a35e1ef186bb36cb98bbdd2316c3479f106370c26146ac9c11cb0cb1f1c0c4c123a90d1176a3581584554b87530f3d84f30e338f3d7ec3233336d7dd5

Download Submit
C:\Windows\SysWOW64\Ogdgencl.exe

Filesize
89KB

MD5
1772968d99c6b3a3580994fad4289ab5

SHA1
c7236ff6efa43260e4438a53c773831e4ad4d107

SHA256
0ba09f5253d733d1e6f62f7a571c28a02c184b8ef0493e2e16cc0ec65f7c0673

SHA512
a9263a43c8b02a58e31ad93b01fb9b79d5bcef737d682224f4ce065ee39edae7c450c989a1f1a7b610c6084a317d8e88d1d4bb2eb9db5e66d56ae9f6f73d73e1

Download Submit
C:\Windows\SysWOW64\Ogfcjnaj.exe

Filesize
89KB

MD5
1769311c4c0c527d1c22a683245d0b39

SHA1
ae7603aa364565cddc38c2e04f3cd7774c6f0f45

SHA256
444226627646c5550ff1c485e9bf113f20c949740b2aa250cf7ea2a3e6ac4fb1

SHA512
263da7c24ac2cbf30015d7f6d1d6c50ac527740ec6dc55d4dc5b5cc8a7fb5cd8fcc251fddc7dff9998842762d57692a647e56e93e8879482d2b0093577b49be0

Download Submit
C:\Windows\SysWOW64\Oijqibbj.exe

Filesize
89KB

MD5
e8152cfd952b7868c0c715ca638a2b75

SHA1
19cdc518232265f3cd73188d3b71645463251378

SHA256
0286a45dc973dd42afd1ff47681396ed8a18dc1d6cddfcb31940ff547cc53805

SHA512
ea9f99f068211c288cf6512c9b41f60d162a071621a9512b3e10fde107f7887f259fd2d06a2e8161fffba683e27cb4afd798ba45092c37455639f4b3045eb1c5

Download Submit
C:\Windows\SysWOW64\Oilmnbpg.exe

Filesize
89KB

MD5
9d976d6d39b4c13248a5081cebd30f0e

SHA1
c65ad8962178acb65440af92f338acbf17923f59

SHA256
d3fb00549dae61a34cc2546f34c90a15921c0ecc016b5251ac72272ac319f1d5

SHA512
e5822e5f3e269735fa5c9e1ecc5b4d91497ec0bdf0cb859e5f6fb7a92ec6599f75c5d6b577813029046f43e51118bff0affd3c8cd69001552cfab4e0f733ff4c

Download Submit
C:\Windows\SysWOW64\Oiojdb32.exe

Filesize
89KB

MD5
41a99f9dbebb25290b4c169d3906c19f

SHA1
924d6fe87a4e0e25066af8a1d41d58028d698920

SHA256
aff2f0951e65c70287e51078f16cfb67744eb6c4b00f502d48226f392cb26823

SHA512
e0efaf057e5698ad1b2c06e6fd2ab6a53b7ba116425168a0dd46a53287b4109e79a347bf7fb67d12b7c77034052a10e279169cc394e561d4ab7e05fb9beb015f

Download Submit
C:\Windows\SysWOW64\Okhmenan.exe

Filesize
89KB

MD5
d3889f9ff22153822f07ad61f276784f

SHA1
914c0c8b28dec52f94db9a5a786cf08fd0ea79b5

SHA256
bd2d8847b2601d608976489c3dca324de4ec9468712933205b4fc4f913f6c334

SHA512
3bac6bb52dc32be3e061be32807043caad92f4fd7461b2574a8edf1c198ff2a9238eead4e7f4d621449b6dd271c15053d62ebe0a6f9348bd40944b67ca5e0a43

Download Submit
C:\Windows\SysWOW64\Okmfpm32.exe

Filesize
89KB

MD5
8517ddd904192342f9f0123524103383

SHA1
670613c581f019c30e173490a4cbe9549219198d

SHA256
fc22ae82d9b5b97364524e371131be3b531b3d75c71e6527430c0315789a8fd0

SHA512
d316f821c59b649d8dbb4730ed1e7744a0cad83abbad301271ed9c6a21084fd67481ffd441e6b63b9a457c91d02fdf93da12e7227ae769f07a9bf042ed8760bc

Download Submit
C:\Windows\SysWOW64\Ongiaiqa.exe

Filesize
89KB

MD5
877a26f76ffb73ef02ece7342696618e

SHA1
c65e5189bb78ad63b6dc01fcb643b5538a5696ca

SHA256
c8b7bea9e01a5eed739f45c1fb6f8041e6102b6e5099ae7aba72441da9be5cdb

SHA512
96bbf6660a6f0e1566f6e6f381b226fdb92182cf468265f5d15140984de083c07436cfca0b5453a731ff41532ddba17621850ff3d8b167d78172b0554d4e3bb0

Download Submit
C:\Windows\SysWOW64\Oniffino.exe

Filesize
89KB

MD5
444f3c0e1442a8d2d4ae7dd00811cf90

SHA1
e80f69ebc0bea6b40e6e76d4d235614461aae37e

SHA256
5dc0b80a5a6b22d0b7b80dc98d04ecf067588c3da951be7a95a3e2447715a18a

SHA512
9b8bfa1d9c1d76209b80749fccd46ce56f8be4ec1358cd63813b1a627cebb450684887e97569ec826cca7b9c518494bf95cf16777be4f0b98fd3e11efd6bb10e

Download Submit
C:\Windows\SysWOW64\Onkbli32.exe

Filesize
89KB

MD5
62b7ac491144e401bdd06293bccf5408

SHA1
6ad04c4d15ff647d1291dcb681d837315b5f6a2d

SHA256
b46b02af603d09af8c24d4630a034725a211d3314f8de73994c3b478a850e78a

SHA512
da72d9c80ef80392fef3fe1eb8886331651a8ec4bba70f2754f82dec22247604ae920900e46659effe83ee907a66231ac836e6d6543e4fd60b9c0c1dee3f2d56

Download Submit
C:\Windows\SysWOW64\Opfekl32.exe

Filesize
89KB

MD5
7fbf15687f7b70d4765d05e9d3aa47f1

SHA1
2558be7f51954c5b48f3431c4a08f4339f0ff263

SHA256
f33afe935d243d00043f88f216e9b57ff9987bde01d7a8bd2f6a430af4c4c698

SHA512
5d5896186035020d3336afe9514a4f76d6afed0a051fde3c92b00461403dc21b6f93277750e69c3c364733fb33b1a18739f31d656a31c8c349e8dfaebcd2d101

Download Submit
C:\Windows\SysWOW64\Opkoflco.exe

Filesize
89KB

MD5
9ce968dd426f3c43f30d3169a069a262

SHA1
579f7742b32ca0145b4c713570456c38a4c4f7a3

SHA256
8ff4f738b34aabd1c4845153298fd0e3f124f2d28bb51b834402ae2ee1b9fc8d

SHA512
293e9bfa03e1548b7c8a188067e5b9131aeb55f80aadd1a75c51e39bb3d406baf44b7ae66e332e6fab583db52dad005e172d3333263d535053674d89007fb036

Download Submit
C:\Windows\SysWOW64\Paendb32.exe

Filesize
89KB

MD5
5821ad10926988f21b28a84350f79aad

SHA1
43fc77139c55695d7a01a3c24ed9d9678eb0a5e3

SHA256
ae5c38d65710e32e35da843ea5e4e8c6bc10fbf67f0bf1c22d47fd2655377b33

SHA512
9a4dc80ef67e31aa5599a99b9eb06eb2680a7a47d06b891d4cef6159fd9970ef5a8992cc6b9a879c8e3a826268b3407af039fcdc3962ceb1561e64f6da55365e

Download Submit
C:\Windows\SysWOW64\Paohccgj.exe

Filesize
89KB

MD5
f964782db96dcbc152d4be52844f089e

SHA1
9baab7b65546d411e59132c1135d43a64791ace1

SHA256
981de54f5cec85643550542172b1ad76b639edf094c391735b179bda96eaf7e5

SHA512
fe3adf5e350106f67430990b7704ccd2b59aab512de2821486d40eda62a9a7720d25cc86d1e343ad904456d4d7b99dfadee2b8f4ad3541e34251128c2502f145

Download Submit
C:\Windows\SysWOW64\Pbpacfmj.exe

Filesize
89KB

MD5
4166bb1c605f9c00cf296de7c249f337

SHA1
1d77c0d233c94e165fcfe8f26c9ba85cc375f730

SHA256
fcf80ce82c23d02b13f114f03e8d77f9879f924af4dd4ca46330aacd5d1364bf

SHA512
3b6b0ca001d75334cd6cf8f5dcbb41b5ce7230d34964cb0d68b9ac4915ea7ac2d3aadda1ebee69142eddd007a0ed5150aee710bc21ff989061b8c3a5ce58c35e

Download Submit
C:\Windows\SysWOW64\Pelaib32.exe

Filesize
89KB

MD5
daad81493e94c458646c7e78a802b279

SHA1
84e335e73e21dd932e918cbe11672266e54f425b

SHA256
f537aac7825f91275e7a6136515e43a4d77f8fdf645532eb6c29da7babb0e8b4

SHA512
cd5d11673dcd6c6199ff1d27a8558b2bf5b4f57c970659ffdfba7c744b3305d458dd3a4ccf052a8f62cd56ee8526f2bc05a933e34fce7858d48a0c44582afc20

Download Submit
C:\Windows\SysWOW64\Phkmem32.exe

Filesize
89KB

MD5
75f7cbd4a5bb898d932003fb8464a6a0

SHA1
b85306ea835d8ac5e7db8ef508d94ea7a4c78ffd

SHA256
b97154cc1d72a27094ec36244e60f2868ca861c19fe0e0c0587c18f632afb67a

SHA512
dccaac37e08972e706a78f0e7f4a234fc336c863fdbfa85061302f96cff17dc07633f09949ce80168c09c0648949324f6f843cead72a789ae9d7d4e6073246e8

Download Submit
C:\Windows\SysWOW64\Piepdahl.exe

Filesize
89KB

MD5
800c83a65c1b5379f8b65bb9a0e0d7d0

SHA1
aca9fc683e33c4ba8e95b175ce8708c67b261aac

SHA256
75392acef3f24b47afbcae7560447d6d04731bb796a5886a905226138824ba0d

SHA512
23e9997311604542d3d4aab82edca0bc4a0bb3fcbb08cb4c3b0dfb8bf7217685dec7f6515af55a9b86d97a8e5b080a1d8841351e5ef8047ed298db48744d0610

Download Submit
C:\Windows\SysWOW64\Pimfep32.exe

Filesize
89KB

MD5
ff517ef0edbb8cf9f05048ad40e8ef70

SHA1
3b215f0c23749e82cb380b16662c2d98ad4181ab

SHA256
91ccbc6c641f3e916f2aecb51831fbc68127b80b102417169e025c476f88eca6

SHA512
bed6436dd238d460e3470a05ac9b3407f6bc0af7277e0cf0e854ab9a04f569b2ae77c9bd3537b169e3186a5d1a9a0ebd458f3b49802920f122024c8f22f9790d

Download Submit
C:\Windows\SysWOW64\Pldlqlgp.exe

Filesize
89KB

MD5
52182ca6bcdb1d62e9010a40213fffe6

SHA1
ef522f034fd3fce79573483fc641ee610b7bf331

SHA256
cdfa8b93d130d97fa84520898110b97b843a32f7e8f46a7edc188ef5e21c92b3

SHA512
50779e0dc2c8d44b27a60ad5295d3ebb74c013ced72f387cb221815267abca8883287b7524acbd232f55acda66631be5fa26211b6781e0ae686059b8bd1f6321

Download Submit
C:\Windows\SysWOW64\Plifll32.exe

Filesize
89KB

MD5
96cd04357c99b2374cec46e08ad87f60

SHA1
1ab75aa3532db5a1cb454a8b4b2fc406599f81f9

SHA256
b547e7b83b9576b9f0d3ed73f011af2f8d9eebac4fbfdf39b414fa1b6897c93d

SHA512
5adc1af487e7e3af690ad044915e228c4a5d0da0329a297f09e2dce927ffc9db6b05781bee29aede72d0f5f85bc3aa831d2a53ee1c3ef44f5e6205c7f5894c0d

Download Submit
C:\Windows\SysWOW64\Plmogkoe.exe

Filesize
89KB

MD5
0c214437f2986c08738ed743b5da7d35

SHA1
2a14f3c66865343e1f6f6082f9ea67ac7d3f1f7c

SHA256
863b1cb3f0941f76c425dcb2fbefa928ebb5c9cc8846a46e1b7c72ddc416a875

SHA512
a76bc7852c47093b596eaddb0d1616dd5c1ae053052ae0de07754fc8d1e58ebc1314a736627530911a7d12b2b760b4fc7963031a326a8ba34e621e0e575e4ff1

Download Submit
C:\Windows\SysWOW64\Pngbhg32.exe

Filesize
89KB

MD5
4ccc1578af083746360d0ab2d9ad9f5e

SHA1
1f91ab7343c03fb962b8d26b33821c93c0fa1736

SHA256
35dfd4a35ff901d918680937af6dbf1485bb602c49ee578a99307fe2146b5f90

SHA512
c88751b02c73d80dbfeaf0053cbbf45accea3312e6ea5eb169654cd6ce2390b0a0efb2d4571e59cd5d641f04baaa9de75313f5b708f842dd984c1139393db2a0

Download Submit
C:\Windows\SysWOW64\Pnplghhf.exe

Filesize
89KB

MD5
84c477d94c80cec88a67f83efab5fe4e

SHA1
b0bd420b0e8030863461e0776cdd5e41663ffb6d

SHA256
2cb205f8f8460661671a6b3dec1a491f44942a1462d9d593a3d24819986ecb20

SHA512
fb1620036d7395cf0399684813247f911d10aa3f4a8440a2dc4026fdc60c32e787e53cf5b36470bedd161bf5959054fb343b793ca1f239dea19d09996aa1db7b

Download Submit
C:\Windows\SysWOW64\Ppbegkmg.exe

Filesize
89KB

MD5
39a8989b767494250b28c6eae67270d8

SHA1
bba072db83b4140ec51de353704936f8726a7315

SHA256
b58b237ab7d071015e977571a497d4f7dc78063605522d0fb656d195c1d1faca

SHA512
763ad29e7a00694be783337fe4426278fc5777918f864d58da15fd13a841851e230dcac7a93c36938d3f881a80bf421e8ac69bd4eb149de59c93aac147b6d769

Download Submit
memory/184-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/436-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/464-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/632-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/744-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/748-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/872-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/936-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/944-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1036-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1152-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1276-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1520-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1664-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1884-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1892-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1892-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2056-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2172-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2196-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2228-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2424-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2632-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2668-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3028-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3068-429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3096-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3628-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3648-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3680-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3868-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3932-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3964-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3992-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4044-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4052-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4100-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4168-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4184-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4216-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4296-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-405-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4572-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4816-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4964-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads