xmrig | 96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f

Analysis

max time kernel
129s
max time network
141s
platform
windows10_x64
resource
win10v20210408
submitted
04-05-2021 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
Size

9.6MB
MD5

e42d21095d220b1ccd7720e0d3297670
SHA1

be8f7f7c13659a1bd01e650362d7a759a50495b6
SHA256

96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f
SHA512

155b831621f32c54b32854e78fd773744fcab26eee04ded14d6958b9dbd11f31255d8a7340a9b9435d4b10dfb473f63c0d0661f615291be0fec18240c54027c0

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 64 IoCs

Processes:

Pagoloqe.exeAkdmpccp.exeAelncl32.exeAhmgeg32.exeBfcddkkk.exeBjcipioo.exeChmpld32.exeDobgdmma.exeEpqdek32.exeFfabcd32.exeFigdpo32.exeGilnkngm.exeHignflmo.exeHmefmkce.exeHiocgkgg.exeLghpij32.exeOjqqippj.exeNnminjqg.exeEagllk32.exeHaohpb32.exeLijglhim.exePqndlmlj.exePcomnhik.exeDicndide.exeEjhpffbm.exeFkjifhgm.exeHnenepna.exeIaegfk32.exeIgfedd32.exeMkofdjgj.exeDeldecdk.exeImnngekh.exeKgdkklmk.exeKejhjp32.exeOkaefa32.exeOgjbqa32.exeAomcdk32.exeBkimdk32.exeEebckl32.exeEfapeobj.exeGicbnhah.exeGieocg32.exeGhjlddcn.exeGofqfnih.exeIodmhl32.exeIgegoh32.exeLincnmgc.exeLanneipj.exeMjpeemnp.exeOhihpnjb.exeOmfqheii.exePkjaai32.exePpfijp32.exePioncelk.exePhpnqmdj.exePahbjb32.exePkagbhak.exePdilkn32.exeAdpblm32.exeAnifebhd.exeAhnjbkhj.exeAafokqoj.exeAkocdf32.exeAqlllm32.exe

pid	process
684	Pagoloqe.exe
4008	Akdmpccp.exe
2240	Aelncl32.exe
3752	Ahmgeg32.exe
2952	Bfcddkkk.exe
3260	Bjcipioo.exe
192	Chmpld32.exe
2336	Dobgdmma.exe
736	Epqdek32.exe
2616	Ffabcd32.exe
3620	Figdpo32.exe
3020	Gilnkngm.exe
2080	Hignflmo.exe
2288	Hmefmkce.exe
3052	Hiocgkgg.exe
3944	Lghpij32.exe
1248	Ojqqippj.exe
2776	Nnminjqg.exe
788	Eagllk32.exe
2148	Haohpb32.exe
3548	Lijglhim.exe
912	Pqndlmlj.exe
4084	Pcomnhik.exe
3168	Dicndide.exe
3140	Ejhpffbm.exe
572	Fkjifhgm.exe
2244	Hnenepna.exe
3688	Iaegfk32.exe
2920	Igfedd32.exe
3908	Mkofdjgj.exe
1984	Deldecdk.exe
2792	Imnngekh.exe
504	Kgdkklmk.exe
1288	Kejhjp32.exe
2084	Okaefa32.exe
3860	Ogjbqa32.exe
736	Aomcdk32.exe
2616	Bkimdk32.exe
1000	Eebckl32.exe
3024	Efapeobj.exe
3920	Gicbnhah.exe
500	Gieocg32.exe
3876	Ghjlddcn.exe
3944	Gofqfnih.exe
2260	Iodmhl32.exe
416	Igegoh32.exe
2220	Lincnmgc.exe
424	Lanneipj.exe
3936	Mjpeemnp.exe
3868	Ohihpnjb.exe
184	Omfqheii.exe
192	Pkjaai32.exe
2192	Ppfijp32.exe
3528	Pioncelk.exe
2120	Phpnqmdj.exe
1076	Pahbjb32.exe
3512	Pkagbhak.exe
3468	Pdilkn32.exe
3232	Adpblm32.exe
3956	Anifebhd.exe
3752	Ahnjbkhj.exe
4092	Aafokqoj.exe
1660	Akocdf32.exe
988	Aqlllm32.exe

Drops file in System32 directory 64 IoCs

Processes:

Aelncl32.exeFigdpo32.exeHlcmljlk.exeEpqdek32.exeGofjlg32.exeOdfodj32.exeQihjonqd.exeDjbobhld.exeGicbnhah.exeBbdklobj.exeJhmcmi32.exeBggjdqea.exeKgdkklmk.exeGofqfnih.exeBkfjdeoc.exePphoei32.exePkagbhak.exeIaihjpbh.exeEebckl32.exeMikhed32.exeOipkga32.exeJjejfm32.exeDicndide.exeMjpeemnp.exeBgmjifeg.exeCnbbbo32.exeIodmhl32.exeJjgfll32.exeMcqmbm32.exeMmiakbmn.exeCdlcdbfh.exeFfabcd32.exeBkimdk32.exeChcmdh32.exeJlklcghp.exeAlbffhek.exeDaageh32.exeBdednj32.exeCnnigofl.exeFbcikhje.exeDdbiea32.exeLghpij32.exeDldomaep.exePbihgdmm.exeCcgnopcj.exeJjcmqmag.exeKopnpaal.exeHiocgkgg.exeLijglhim.exeAheqbjbb.exeIkbmce32.exeAcgdhbam.exeFgfhcjmk.exeHlocqk32.exeMiilpdij.exePmlpon32.exeAiopom32.exeDqncebao.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ahmgeg32.exe	Aelncl32.exe
File opened for modification	C:\Windows\SysWOW64\Gilnkngm.exe	Figdpo32.exe
File created	C:\Windows\SysWOW64\Hapedajb.exe	Hlcmljlk.exe
File created	C:\Windows\SysWOW64\Ffabcd32.exe	Epqdek32.exe
File created	C:\Windows\SysWOW64\Pkpjeddb.dll	Gofjlg32.exe
File created	C:\Windows\SysWOW64\Omncmp32.exe	Odfodj32.exe
File created	C:\Windows\SysWOW64\Qcpogc32.exe	Qihjonqd.exe
File opened for modification	C:\Windows\SysWOW64\Dgfoll32.exe	Djbobhld.exe
File created	C:\Windows\SysWOW64\Lcgjnhjd.dll	Gicbnhah.exe
File created	C:\Windows\SysWOW64\Bkmpedik.exe	Bbdklobj.exe
File created	C:\Windows\SysWOW64\Jcbgja32.exe	Jhmcmi32.exe
File opened for modification	C:\Windows\SysWOW64\Bppomfla.exe	Bggjdqea.exe
File opened for modification	C:\Windows\SysWOW64\Kejhjp32.exe	Kgdkklmk.exe
File created	C:\Windows\SysWOW64\Iodmhl32.exe	Gofqfnih.exe
File opened for modification	C:\Windows\SysWOW64\Bgmjifeg.exe	Bkfjdeoc.exe
File created	C:\Windows\SysWOW64\Bofjfi32.dll	Pphoei32.exe
File created	C:\Windows\SysWOW64\Pdilkn32.exe	Pkagbhak.exe
File created	C:\Windows\SysWOW64\Ikbmce32.exe	Iaihjpbh.exe
File opened for modification	C:\Windows\SysWOW64\Efapeobj.exe	Eebckl32.exe
File created	C:\Windows\SysWOW64\Mcqmbm32.exe	Mikhed32.exe
File created	C:\Windows\SysWOW64\Bqfagnfc.dll	Oipkga32.exe
File created	C:\Windows\SysWOW64\Oonpma32.dll	Qihjonqd.exe
File created	C:\Windows\SysWOW64\Jobboc32.exe	Jjejfm32.exe
File opened for modification	C:\Windows\SysWOW64\Ejhpffbm.exe	Dicndide.exe
File created	C:\Windows\SysWOW64\Kejhjp32.exe	Kgdkklmk.exe
File created	C:\Windows\SysWOW64\Ceqqfd32.dll	Mjpeemnp.exe
File created	C:\Windows\SysWOW64\Iphjfola.dll	Bgmjifeg.exe
File created	C:\Windows\SysWOW64\Kphdoanq.dll	Cnbbbo32.exe
File created	C:\Windows\SysWOW64\Igegoh32.exe	Iodmhl32.exe
File created	C:\Windows\SysWOW64\Chfooojg.dll	Jjgfll32.exe
File created	C:\Windows\SysWOW64\Mmiakbmn.exe	Mcqmbm32.exe
File created	C:\Windows\SysWOW64\Mfafdhdn.exe	Mmiakbmn.exe
File opened for modification	C:\Windows\SysWOW64\Cmghhecc.exe	Cdlcdbfh.exe
File created	C:\Windows\SysWOW64\Figdpo32.exe	Ffabcd32.exe
File created	C:\Windows\SysWOW64\Eebckl32.exe	Bkimdk32.exe
File created	C:\Windows\SysWOW64\Flhldbli.dll	Chcmdh32.exe
File created	C:\Windows\SysWOW64\Kfcqlmna.exe	Jlklcghp.exe
File created	C:\Windows\SysWOW64\Inpafa32.dll	Albffhek.exe
File created	C:\Windows\SysWOW64\Ofjchekb.dll	Daageh32.exe
File created	C:\Windows\SysWOW64\Jpboapgi.dll	Bdednj32.exe
File opened for modification	C:\Windows\SysWOW64\Chcmdh32.exe	Cnnigofl.exe
File created	C:\Windows\SysWOW64\Fllndn32.exe	Fbcikhje.exe
File created	C:\Windows\SysWOW64\Ddefjanm.exe	Ddbiea32.exe
File opened for modification	C:\Windows\SysWOW64\Ojqqippj.exe	Lghpij32.exe
File created	C:\Windows\SysWOW64\Blhdclmn.dll	Dldomaep.exe
File opened for modification	C:\Windows\SysWOW64\Mcqmbm32.exe	Mikhed32.exe
File opened for modification	C:\Windows\SysWOW64\Pmomdmmc.exe	Pbihgdmm.exe
File created	C:\Windows\SysWOW64\Idgeahlh.dll	Ccgnopcj.exe
File created	C:\Windows\SysWOW64\Jopeid32.exe	Jjcmqmag.exe
File opened for modification	C:\Windows\SysWOW64\Kihcig32.exe	Kopnpaal.exe
File opened for modification	C:\Windows\SysWOW64\Lghpij32.exe	Hiocgkgg.exe
File created	C:\Windows\SysWOW64\Pqndlmlj.exe	Lijglhim.exe
File opened for modification	C:\Windows\SysWOW64\Pdilkn32.exe	Pkagbhak.exe
File created	C:\Windows\SysWOW64\Bbnelp32.exe	Aheqbjbb.exe
File created	C:\Windows\SysWOW64\Jjcmqmag.exe	Ikbmce32.exe
File created	C:\Windows\SysWOW64\Anmiek32.exe	Acgdhbam.exe
File created	C:\Windows\SysWOW64\Fejilnle.exe	Fgfhcjmk.exe
File created	C:\Windows\SysWOW64\Bhlgci32.exe	Bgmjifeg.exe
File created	C:\Windows\SysWOW64\Hibdjo32.exe	Hlocqk32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnpmm32.exe	Miilpdij.exe
File created	C:\Windows\SysWOW64\Hiobdh32.dll	Pmlpon32.exe
File created	C:\Windows\SysWOW64\Acgdhbam.exe	Aiopom32.exe
File created	C:\Windows\SysWOW64\Cmghhecc.exe	Cdlcdbfh.exe
File opened for modification	C:\Windows\SysWOW64\Dkchbkad.exe	Dqncebao.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6208 6156 WerFault.exe Fcabcjnj.exe

pid	pid_target	process	target process
6208	6156	WerFault.exe	Fcabcjnj.exe

Modifies registry class 64 IoCs

Processes:

Aafokqoj.exeBbdklobj.exeFekpgdoa.exeNpejil32.exeEmjnebcn.exeHibdjo32.exeMcqmbm32.exeOjgnbcfj.exeKonaja32.exeIgegoh32.exeHlocqk32.exeAdpblm32.exeIkhjmg32.exeMiilpdij.exeDdefjanm.exeEjnnnfbg.exeFejilnle.exeAkdmpccp.exePpfijp32.exeJjgfll32.exePbdole32.exeDjbobhld.exeBfcddkkk.exeAkocdf32.exeJjcmqmag.exeJcpkea32.exeClpbhf32.exeEnncjdfk.exeHiocgkgg.exeNnminjqg.exeMkofdjgj.exeAhnjbkhj.exeGenecbok.exePkijgcdg.exeCjfogjfb.exeAnifebhd.exeOmncmp32.exeQldiej32.exeLincnmgc.exePahbjb32.exeCqnknd32.exeDgfoll32.exeLghpij32.exeIaegfk32.exeMcnpmm32.exeCgllfn32.exeAelncl32.exeGieocg32.exeHljjelde.exeLjcooh32.exeMlnnlobe.exeAnmiek32.exeImnngekh.exeCghjedkj.exeDaageh32.exeFbcikhje.exeFaifld32.exeGofjlg32.exeGofqfnih.exeChcmdh32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aafokqoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdklobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjbmble.dll"	Fekpgdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobloi32.dll"	Npejil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coqcpdej.dll"	Emjnebcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibdjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcqmbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhbknjkl.dll"	Ojgnbcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meckdibc.dll"	Konaja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nebfie32.dll"	Igegoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlghai32.dll"	Aafokqoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlocqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adpblm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikhjmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miilpdij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oekiop32.dll"	Ddefjanm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejnnnfbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldebba32.dll"	Fejilnle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhpidhid.dll"	Akdmpccp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppfijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fekpgdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfooojg.dll"	Jjgfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcefmfca.dll"	Pbdole32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djbobhld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfcddkkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akocdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lknafggn.dll"	Jjcmqmag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofmhihp.dll"	Jcpkea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clpbhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enncjdfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfjmniee.dll"	Hiocgkgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnminjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkofdjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclmee32.dll"	Ahnjbkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Genecbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkijgcdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjfogjfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anifebhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmmcp32.dll"	Omncmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghhhm32.dll"	Qldiej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lincnmgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pahbjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbognoen.dll"	Cqnknd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgfoll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmjpo32.dll"	Lghpij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaegfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnpmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaiqpdeg.dll"	Cgllfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cqnknd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fipnmhmd.dll"	Aelncl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhiafio.dll"	Gieocg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eebeae32.dll"	Ppfijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abphno32.dll"	Hljjelde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldlebb32.dll"	Ljcooh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlnnlobe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkefihik.dll"	Anmiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphgikpg.dll"	Imnngekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cghjedkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daageh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbcikhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faifld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gofjlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebgnqj32.dll"	Gofqfnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhldbli.dll"	Chcmdh32.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

WerFault.exe

pid	process
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe
6208	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 6208 WerFault.exe
Token: SeBackupPrivilege 6208 WerFault.exe
Token: SeDebugPrivilege 6208 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	6208	WerFault.exe
Token: SeBackupPrivilege	6208	WerFault.exe
Token: SeDebugPrivilege	6208	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exePagoloqe.exeAkdmpccp.exeAelncl32.exeAhmgeg32.exeBfcddkkk.exeBjcipioo.exeChmpld32.exeDobgdmma.exeEpqdek32.exeFfabcd32.exeFigdpo32.exeGilnkngm.exeHignflmo.exeHmefmkce.exeHiocgkgg.exeLghpij32.exeOjqqippj.exeNnminjqg.exeEagllk32.exeHaohpb32.exeLijglhim.exe

description	pid	process	target process
PID 852 wrote to memory of 684	852	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe	Pagoloqe.exe
PID 852 wrote to memory of 684	852	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe	Pagoloqe.exe
PID 852 wrote to memory of 684	852	96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe	Pagoloqe.exe
PID 684 wrote to memory of 4008	684	Pagoloqe.exe	Akdmpccp.exe
PID 684 wrote to memory of 4008	684	Pagoloqe.exe	Akdmpccp.exe
PID 684 wrote to memory of 4008	684	Pagoloqe.exe	Akdmpccp.exe
PID 4008 wrote to memory of 2240	4008	Akdmpccp.exe	Aelncl32.exe
PID 4008 wrote to memory of 2240	4008	Akdmpccp.exe	Aelncl32.exe
PID 4008 wrote to memory of 2240	4008	Akdmpccp.exe	Aelncl32.exe
PID 2240 wrote to memory of 3752	2240	Aelncl32.exe	Ahmgeg32.exe
PID 2240 wrote to memory of 3752	2240	Aelncl32.exe	Ahmgeg32.exe
PID 2240 wrote to memory of 3752	2240	Aelncl32.exe	Ahmgeg32.exe
PID 3752 wrote to memory of 2952	3752	Ahmgeg32.exe	Bfcddkkk.exe
PID 3752 wrote to memory of 2952	3752	Ahmgeg32.exe	Bfcddkkk.exe
PID 3752 wrote to memory of 2952	3752	Ahmgeg32.exe	Bfcddkkk.exe
PID 2952 wrote to memory of 3260	2952	Bfcddkkk.exe	Bjcipioo.exe
PID 2952 wrote to memory of 3260	2952	Bfcddkkk.exe	Bjcipioo.exe
PID 2952 wrote to memory of 3260	2952	Bfcddkkk.exe	Bjcipioo.exe
PID 3260 wrote to memory of 192	3260	Bjcipioo.exe	Chmpld32.exe
PID 3260 wrote to memory of 192	3260	Bjcipioo.exe	Chmpld32.exe
PID 3260 wrote to memory of 192	3260	Bjcipioo.exe	Chmpld32.exe
PID 192 wrote to memory of 2336	192	Chmpld32.exe	Dobgdmma.exe
PID 192 wrote to memory of 2336	192	Chmpld32.exe	Dobgdmma.exe
PID 192 wrote to memory of 2336	192	Chmpld32.exe	Dobgdmma.exe
PID 2336 wrote to memory of 736	2336	Dobgdmma.exe	Epqdek32.exe
PID 2336 wrote to memory of 736	2336	Dobgdmma.exe	Epqdek32.exe
PID 2336 wrote to memory of 736	2336	Dobgdmma.exe	Epqdek32.exe
PID 736 wrote to memory of 2616	736	Epqdek32.exe	Ffabcd32.exe
PID 736 wrote to memory of 2616	736	Epqdek32.exe	Ffabcd32.exe
PID 736 wrote to memory of 2616	736	Epqdek32.exe	Ffabcd32.exe
PID 2616 wrote to memory of 3620	2616	Ffabcd32.exe	Figdpo32.exe
PID 2616 wrote to memory of 3620	2616	Ffabcd32.exe	Figdpo32.exe
PID 2616 wrote to memory of 3620	2616	Ffabcd32.exe	Figdpo32.exe
PID 3620 wrote to memory of 3020	3620	Figdpo32.exe	Gilnkngm.exe
PID 3620 wrote to memory of 3020	3620	Figdpo32.exe	Gilnkngm.exe
PID 3620 wrote to memory of 3020	3620	Figdpo32.exe	Gilnkngm.exe
PID 3020 wrote to memory of 2080	3020	Gilnkngm.exe	Hignflmo.exe
PID 3020 wrote to memory of 2080	3020	Gilnkngm.exe	Hignflmo.exe
PID 3020 wrote to memory of 2080	3020	Gilnkngm.exe	Hignflmo.exe
PID 2080 wrote to memory of 2288	2080	Hignflmo.exe	Hmefmkce.exe
PID 2080 wrote to memory of 2288	2080	Hignflmo.exe	Hmefmkce.exe
PID 2080 wrote to memory of 2288	2080	Hignflmo.exe	Hmefmkce.exe
PID 2288 wrote to memory of 3052	2288	Hmefmkce.exe	Hiocgkgg.exe
PID 2288 wrote to memory of 3052	2288	Hmefmkce.exe	Hiocgkgg.exe
PID 2288 wrote to memory of 3052	2288	Hmefmkce.exe	Hiocgkgg.exe
PID 3052 wrote to memory of 3944	3052	Hiocgkgg.exe	Lghpij32.exe
PID 3052 wrote to memory of 3944	3052	Hiocgkgg.exe	Lghpij32.exe
PID 3052 wrote to memory of 3944	3052	Hiocgkgg.exe	Lghpij32.exe
PID 3944 wrote to memory of 1248	3944	Lghpij32.exe	Ojqqippj.exe
PID 3944 wrote to memory of 1248	3944	Lghpij32.exe	Ojqqippj.exe
PID 3944 wrote to memory of 1248	3944	Lghpij32.exe	Ojqqippj.exe
PID 1248 wrote to memory of 2776	1248	Ojqqippj.exe	Nnminjqg.exe
PID 1248 wrote to memory of 2776	1248	Ojqqippj.exe	Nnminjqg.exe
PID 1248 wrote to memory of 2776	1248	Ojqqippj.exe	Nnminjqg.exe
PID 2776 wrote to memory of 788	2776	Nnminjqg.exe	Eagllk32.exe
PID 2776 wrote to memory of 788	2776	Nnminjqg.exe	Eagllk32.exe
PID 2776 wrote to memory of 788	2776	Nnminjqg.exe	Eagllk32.exe
PID 788 wrote to memory of 2148	788	Eagllk32.exe	Haohpb32.exe
PID 788 wrote to memory of 2148	788	Eagllk32.exe	Haohpb32.exe
PID 788 wrote to memory of 2148	788	Eagllk32.exe	Haohpb32.exe
PID 2148 wrote to memory of 3548	2148	Haohpb32.exe	Lijglhim.exe
PID 2148 wrote to memory of 3548	2148	Haohpb32.exe	Lijglhim.exe
PID 2148 wrote to memory of 3548	2148	Haohpb32.exe	Lijglhim.exe
PID 3548 wrote to memory of 912	3548	Lijglhim.exe	Pqndlmlj.exe

C:\Users\Admin\AppData\Local\Temp\96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe
"C:\Users\Admin\AppData\Local\Temp\96138db76fd5ababbeee7679820f67226dc924cbc02a9d646b8c200ed69a969f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\Pagoloqe.exe
  C:\Windows\system32\Pagoloqe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\Akdmpccp.exe
    C:\Windows\system32\Akdmpccp.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\SysWOW64\Aelncl32.exe
      C:\Windows\system32\Aelncl32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\SysWOW64\Ahmgeg32.exe
        
        C:\Windows\system32\Ahmgeg32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3752
      - C:\Windows\SysWOW64\Bfcddkkk.exe
        
        C:\Windows\system32\Bfcddkkk.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Bjcipioo.exe
        
        C:\Windows\system32\Bjcipioo.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Chmpld32.exe
        
        C:\Windows\system32\Chmpld32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:192
        
        C:\Windows\SysWOW64\Dobgdmma.exe
        
        C:\Windows\system32\Dobgdmma.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Epqdek32.exe
        
        C:\Windows\system32\Epqdek32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Ffabcd32.exe
        
        C:\Windows\system32\Ffabcd32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Figdpo32.exe
        
        C:\Windows\system32\Figdpo32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Gilnkngm.exe
        
        C:\Windows\system32\Gilnkngm.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Hignflmo.exe
        
        C:\Windows\system32\Hignflmo.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Hmefmkce.exe
        
        C:\Windows\system32\Hmefmkce.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Hiocgkgg.exe
        
        C:\Windows\system32\Hiocgkgg.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Lghpij32.exe
        
        C:\Windows\system32\Lghpij32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Ojqqippj.exe
        
        C:\Windows\system32\Ojqqippj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Nnminjqg.exe
        
        C:\Windows\system32\Nnminjqg.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Eagllk32.exe
        
        C:\Windows\system32\Eagllk32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Haohpb32.exe
        
        C:\Windows\system32\Haohpb32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Lijglhim.exe
        
        C:\Windows\system32\Lijglhim.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Pqndlmlj.exe
        
        C:\Windows\system32\Pqndlmlj.exe
        23⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Pcomnhik.exe
        
        C:\Windows\system32\Pcomnhik.exe
        24⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\Dicndide.exe
        
        C:\Windows\system32\Dicndide.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ejhpffbm.exe
        
        C:\Windows\system32\Ejhpffbm.exe
        26⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Fkjifhgm.exe
        
        C:\Windows\system32\Fkjifhgm.exe
        27⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\Hnenepna.exe
        
        C:\Windows\system32\Hnenepna.exe
        28⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Iaegfk32.exe
        
        C:\Windows\system32\Iaegfk32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Igfedd32.exe
        
        C:\Windows\system32\Igfedd32.exe
        30⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Mkofdjgj.exe
        
        C:\Windows\system32\Mkofdjgj.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Deldecdk.exe
        
        C:\Windows\system32\Deldecdk.exe
        32⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Imnngekh.exe
        
        C:\Windows\system32\Imnngekh.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Kgdkklmk.exe
        
        C:\Windows\system32\Kgdkklmk.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:504
        
        C:\Windows\SysWOW64\Kejhjp32.exe
        
        C:\Windows\system32\Kejhjp32.exe
        35⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\SysWOW64\Okaefa32.exe
        
        C:\Windows\system32\Okaefa32.exe
        36⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Windows\SysWOW64\Ogjbqa32.exe
        
        C:\Windows\system32\Ogjbqa32.exe
        37⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Aomcdk32.exe
        
        C:\Windows\system32\Aomcdk32.exe
        38⤵
        Executes dropped EXE
        
        PID:736
        
        C:\Windows\SysWOW64\Bkimdk32.exe
        
        C:\Windows\system32\Bkimdk32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\Eebckl32.exe
        
        C:\Windows\system32\Eebckl32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\Efapeobj.exe
        
        C:\Windows\system32\Efapeobj.exe
        41⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\Gicbnhah.exe
        
        C:\Windows\system32\Gicbnhah.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3920
        
        C:\Windows\SysWOW64\Gieocg32.exe
        
        C:\Windows\system32\Gieocg32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:500
        
        C:\Windows\SysWOW64\Ghjlddcn.exe
        
        C:\Windows\system32\Ghjlddcn.exe
        44⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\Gofqfnih.exe
        
        C:\Windows\system32\Gofqfnih.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Iodmhl32.exe
        
        C:\Windows\system32\Iodmhl32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\Igegoh32.exe
        
        C:\Windows\system32\Igegoh32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:416
        
        C:\Windows\SysWOW64\Lincnmgc.exe
        
        C:\Windows\system32\Lincnmgc.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Lanneipj.exe
        
        C:\Windows\system32\Lanneipj.exe
        49⤵
        Executes dropped EXE
        
        PID:424
        
        C:\Windows\SysWOW64\Mjpeemnp.exe
        
        C:\Windows\system32\Mjpeemnp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Ohihpnjb.exe
        
        C:\Windows\system32\Ohihpnjb.exe
        51⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Omfqheii.exe
        
        C:\Windows\system32\Omfqheii.exe
        52⤵
        Executes dropped EXE
        
        PID:184
        
        C:\Windows\SysWOW64\Pkjaai32.exe
        
        C:\Windows\system32\Pkjaai32.exe
        53⤵
        Executes dropped EXE
        
        PID:192
        
        C:\Windows\SysWOW64\Ppfijp32.exe
        
        C:\Windows\system32\Ppfijp32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Pioncelk.exe
        
        C:\Windows\system32\Pioncelk.exe
        55⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\Phpnqmdj.exe
        
        C:\Windows\system32\Phpnqmdj.exe
        56⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Pahbjb32.exe
        
        C:\Windows\system32\Pahbjb32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Pkagbhak.exe
        
        C:\Windows\system32\Pkagbhak.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Pdilkn32.exe
        
        C:\Windows\system32\Pdilkn32.exe
        59⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Adpblm32.exe
        
        C:\Windows\system32\Adpblm32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Anifebhd.exe
        
        C:\Windows\system32\Anifebhd.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Ahnjbkhj.exe
        
        C:\Windows\system32\Ahnjbkhj.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Aafokqoj.exe
        
        C:\Windows\system32\Aafokqoj.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Akocdf32.exe
        
        C:\Windows\system32\Akocdf32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Aqlllm32.exe
        
        C:\Windows\system32\Aqlllm32.exe
        65⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Windows\SysWOW64\Ajdpebjc.exe
        
        C:\Windows\system32\Ajdpebjc.exe
        66⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\Aheqbjbb.exe
        
        C:\Windows\system32\Aheqbjbb.exe
        67⤵
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\Bbnelp32.exe
        
        C:\Windows\system32\Bbnelp32.exe
        68⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\Bkfjdeoc.exe
        
        C:\Windows\system32\Bkfjdeoc.exe
        69⤵
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Bgmjifeg.exe
        
        C:\Windows\system32\Bgmjifeg.exe
        70⤵
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\Bhlgci32.exe
        
        C:\Windows\system32\Bhlgci32.exe
        71⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Bbdklobj.exe
        
        C:\Windows\system32\Bbdklobj.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Bkmpedik.exe
        
        C:\Windows\system32\Bkmpedik.exe
        73⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\Bdednj32.exe
        
        C:\Windows\system32\Bdednj32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4184
        
        C:\Windows\SysWOW64\Cnnigofl.exe
        
        C:\Windows\system32\Cnnigofl.exe
        75⤵
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\Chcmdh32.exe
        
        C:\Windows\system32\Chcmdh32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Cnpelo32.exe
        
        C:\Windows\system32\Cnpelo32.exe
        77⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\Cghjedkj.exe
        
        C:\Windows\system32\Cghjedkj.exe
        78⤵
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Cnbbbo32.exe
        
        C:\Windows\system32\Cnbbbo32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Cgkfkdig.exe
        
        C:\Windows\system32\Cgkfkdig.exe
        80⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\Dldomaep.exe
        
        C:\Windows\system32\Dldomaep.exe
        81⤵
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Daageh32.exe
        
        C:\Windows\system32\Daageh32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Fekpgdoa.exe
        
        C:\Windows\system32\Fekpgdoa.exe
        83⤵
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Fncdpjfa.exe
        
        C:\Windows\system32\Fncdpjfa.exe
        84⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Fiihmceg.exe
        
        C:\Windows\system32\Fiihmceg.exe
        85⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Foeqejco.exe
        
        C:\Windows\system32\Foeqejco.exe
        86⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Fhneno32.exe
        
        C:\Windows\system32\Fhneno32.exe
        87⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Fbcikhje.exe
        
        C:\Windows\system32\Fbcikhje.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Fllndn32.exe
        
        C:\Windows\system32\Fllndn32.exe
        89⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Faifld32.exe
        
        C:\Windows\system32\Faifld32.exe
        90⤵
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Gkakejen.exe
        
        C:\Windows\system32\Gkakejen.exe
        91⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Glcdemjn.exe
        
        C:\Windows\system32\Glcdemjn.exe
        92⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Gaplmc32.exe
        
        C:\Windows\system32\Gaplmc32.exe
        93⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Gkhafioe.exe
        
        C:\Windows\system32\Gkhafioe.exe
        94⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Genecbok.exe
        
        C:\Windows\system32\Genecbok.exe
        95⤵
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Gofjlg32.exe
        
        C:\Windows\system32\Gofjlg32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Hljjelde.exe
        
        C:\Windows\system32\Hljjelde.exe
        97⤵
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Hagbnbbm.exe
        
        C:\Windows\system32\Hagbnbbm.exe
        98⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Hllgkkbc.exe
        
        C:\Windows\system32\Hllgkkbc.exe
        99⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Haiocbqj.exe
        
        C:\Windows\system32\Haiocbqj.exe
        100⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Hlocqk32.exe
        
        C:\Windows\system32\Hlocqk32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Hibdjo32.exe
        
        C:\Windows\system32\Hibdjo32.exe
        102⤵
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Hckhceej.exe
        
        C:\Windows\system32\Hckhceej.exe
        103⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Hlcmljlk.exe
        
        C:\Windows\system32\Hlcmljlk.exe
        104⤵
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Hapedajb.exe
        
        C:\Windows\system32\Hapedajb.exe
        105⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\Ikhjmg32.exe
        
        C:\Windows\system32\Ikhjmg32.exe
        106⤵
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Iiijkn32.exe
        
        C:\Windows\system32\Iiijkn32.exe
        107⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Iofbce32.exe
        
        C:\Windows\system32\Iofbce32.exe
        108⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\Iaihjpbh.exe
        
        C:\Windows\system32\Iaihjpbh.exe
        109⤵
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Ikbmce32.exe
        
        C:\Windows\system32\Ikbmce32.exe
        110⤵
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Jjcmqmag.exe
        
        C:\Windows\system32\Jjcmqmag.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Jopeid32.exe
        
        C:\Windows\system32\Jopeid32.exe
        112⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Jjejfm32.exe
        
        C:\Windows\system32\Jjejfm32.exe
        113⤵
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Jobboc32.exe
        
        C:\Windows\system32\Jobboc32.exe
        114⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Jjgfll32.exe
        
        C:\Windows\system32\Jjgfll32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Jcpkea32.exe
        
        C:\Windows\system32\Jcpkea32.exe
        116⤵
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Jhmcmi32.exe
        
        C:\Windows\system32\Jhmcmi32.exe
        117⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Jcbgja32.exe
        
        C:\Windows\system32\Jcbgja32.exe
        118⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Jlklcghp.exe
        
        C:\Windows\system32\Jlklcghp.exe
        119⤵
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Kfcqlmna.exe
        
        C:\Windows\system32\Kfcqlmna.exe
        120⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Kkpidcmh.exe
        
        C:\Windows\system32\Kkpidcmh.exe
        121⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Kfemalln.exe
        
        C:\Windows\system32\Kfemalln.exe
        122⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\Konaja32.exe
        
        C:\Windows\system32\Konaja32.exe
        123⤵
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Kjcfhjbd.exe
        
        C:\Windows\system32\Kjcfhjbd.exe
        124⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Kopnpaal.exe
        
        C:\Windows\system32\Kopnpaal.exe
        125⤵
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Kihcig32.exe
        
        C:\Windows\system32\Kihcig32.exe
        126⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Lkboqqlc.exe
        
        C:\Windows\system32\Lkboqqlc.exe
        127⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Ljcooh32.exe
        
        C:\Windows\system32\Ljcooh32.exe
        128⤵
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Mpqggo32.exe
        
        C:\Windows\system32\Mpqggo32.exe
        129⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\Miilpdij.exe
        
        C:\Windows\system32\Miilpdij.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Mcnpmm32.exe
        
        C:\Windows\system32\Mcnpmm32.exe
        131⤵
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Mikhed32.exe
        
        C:\Windows\system32\Mikhed32.exe
        132⤵
        Drops file in System32 directory
        
        PID:492
        
        C:\Windows\SysWOW64\Mcqmbm32.exe
        
        C:\Windows\system32\Mcqmbm32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Mmiakbmn.exe
        
        C:\Windows\system32\Mmiakbmn.exe
        134⤵
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Mfafdhdn.exe
        
        C:\Windows\system32\Mfafdhdn.exe
        135⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Mlnnlobe.exe
        
        C:\Windows\system32\Mlnnlobe.exe
        136⤵
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Mibofcao.exe
        
        C:\Windows\system32\Mibofcao.exe
        137⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\Nffoog32.exe
        
        C:\Windows\system32\Nffoog32.exe
        138⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\Ncjpil32.exe
        
        C:\Windows\system32\Ncjpil32.exe
        139⤵
        
        PID:856
        
        C:\Windows\SysWOW64\Nighab32.exe
        
        C:\Windows\system32\Nighab32.exe
        140⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Nfkhjglc.exe
        
        C:\Windows\system32\Nfkhjglc.exe
        141⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Nlhabnjk.exe
        
        C:\Windows\system32\Nlhabnjk.exe
        142⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Njiaqe32.exe
        
        C:\Windows\system32\Njiaqe32.exe
        143⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Npejil32.exe
        
        C:\Windows\system32\Npejil32.exe
        144⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Njknfepg.exe
        
        C:\Windows\system32\Njknfepg.exe
        145⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Oipkga32.exe
        
        C:\Windows\system32\Oipkga32.exe
        146⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Odfodj32.exe
        
        C:\Windows\system32\Odfodj32.exe
        147⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Omncmp32.exe
        
        C:\Windows\system32\Omncmp32.exe
        148⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Offhfeaf.exe
        
        C:\Windows\system32\Offhfeaf.exe
        149⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Olcqnlpn.exe
        
        C:\Windows\system32\Olcqnlpn.exe
        150⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Olfmdl32.exe
        
        C:\Windows\system32\Olfmdl32.exe
        151⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Ojgnbcfj.exe
        
        C:\Windows\system32\Ojgnbcfj.exe
        152⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Ppcfjjda.exe
        
        C:\Windows\system32\Ppcfjjda.exe
        153⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Pkijgcdg.exe
        
        C:\Windows\system32\Pkijgcdg.exe
        154⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Pbdole32.exe
        
        C:\Windows\system32\Pbdole32.exe
        155⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Pphoei32.exe
        
        C:\Windows\system32\Pphoei32.exe
        156⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Pmlpon32.exe
        
        C:\Windows\system32\Pmlpon32.exe
        157⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Pbihgdmm.exe
        
        C:\Windows\system32\Pbihgdmm.exe
        158⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Pmomdmmc.exe
        
        C:\Windows\system32\Pmomdmmc.exe
        159⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Pggamc32.exe
        
        C:\Windows\system32\Pggamc32.exe
        160⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Qldiej32.exe
        
        C:\Windows\system32\Qldiej32.exe
        161⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Qihjonqd.exe
        
        C:\Windows\system32\Qihjonqd.exe
        162⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Qcpogc32.exe
        
        C:\Windows\system32\Qcpogc32.exe
        163⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Amebel32.exe
        
        C:\Windows\system32\Amebel32.exe
        164⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Agngnb32.exe
        
        C:\Windows\system32\Agngnb32.exe
        165⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Apflfgdl.exe
        
        C:\Windows\system32\Apflfgdl.exe
        166⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Aiopom32.exe
        
        C:\Windows\system32\Aiopom32.exe
        167⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Acgdhbam.exe
        
        C:\Windows\system32\Acgdhbam.exe
        168⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Anmiek32.exe
        
        C:\Windows\system32\Anmiek32.exe
        169⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Agemnagc.exe
        
        C:\Windows\system32\Agemnagc.exe
        170⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Albffhek.exe
        
        C:\Windows\system32\Albffhek.exe
        171⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Bggjdqea.exe
        
        C:\Windows\system32\Bggjdqea.exe
        172⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Bppomfla.exe
        
        C:\Windows\system32\Bppomfla.exe
        173⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Bdbqndnb.exe
        
        C:\Windows\system32\Bdbqndnb.exe
        174⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Bnkegi32.exe
        
        C:\Windows\system32\Bnkegi32.exe
        175⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Ccgnopcj.exe
        
        C:\Windows\system32\Ccgnopcj.exe
        176⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Clpbhf32.exe
        
        C:\Windows\system32\Clpbhf32.exe
        177⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Cgefeo32.exe
        
        C:\Windows\system32\Cgefeo32.exe
        178⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Cqnknd32.exe
        
        C:\Windows\system32\Cqnknd32.exe
        179⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Cjfogjfb.exe
        
        C:\Windows\system32\Cjfogjfb.exe
        180⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Cdlcdbfh.exe
        
        C:\Windows\system32\Cdlcdbfh.exe
        181⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Cmghhecc.exe
        
        C:\Windows\system32\Cmghhecc.exe
        182⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Cgllfn32.exe
        
        C:\Windows\system32\Cgllfn32.exe
        183⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Cqeaocii.exe
        
        C:\Windows\system32\Cqeaocii.exe
        184⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Dkjellio.exe
        
        C:\Windows\system32\Dkjellio.exe
        185⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Ddbiea32.exe
        
        C:\Windows\system32\Ddbiea32.exe
        186⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Ddefjanm.exe
        
        C:\Windows\system32\Ddefjanm.exe
        187⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Djbobhld.exe
        
        C:\Windows\system32\Djbobhld.exe
        188⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Dgfoll32.exe
        
        C:\Windows\system32\Dgfoll32.exe
        189⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Dqncebao.exe
        
        C:\Windows\system32\Dqncebao.exe
        190⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Dkchbkad.exe
        
        C:\Windows\system32\Dkchbkad.exe
        191⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Ecomfmop.exe
        
        C:\Windows\system32\Ecomfmop.exe
        192⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Endadf32.exe
        
        C:\Windows\system32\Endadf32.exe
        193⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Egmemkef.exe
        
        C:\Windows\system32\Egmemkef.exe
        194⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Emjnebcn.exe
        
        C:\Windows\system32\Emjnebcn.exe
        195⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Ejnnnfbg.exe
        
        C:\Windows\system32\Ejnnnfbg.exe
        196⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Ecfcglhh.exe
        
        C:\Windows\system32\Ecfcglhh.exe
        197⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Eeeoao32.exe
        
        C:\Windows\system32\Eeeoao32.exe
        198⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Enncjdfk.exe
        
        C:\Windows\system32\Enncjdfk.exe
        199⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Fgfhcjmk.exe
        
        C:\Windows\system32\Fgfhcjmk.exe
        200⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Fejilnle.exe
        
        C:\Windows\system32\Fejilnle.exe
        201⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Fjgadejm.exe
        
        C:\Windows\system32\Fjgadejm.exe
        202⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Felebn32.exe
        
        C:\Windows\system32\Felebn32.exe
        203⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Fnejkcpc.exe
        
        C:\Windows\system32\Fnejkcpc.exe
        204⤵
        
        PID:852
        
        C:\Windows\SysWOW64\Fcabcjnj.exe
        
        C:\Windows\system32\Fcabcjnj.exe
        205⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6156 -s 364
        206⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aelncl32.exe

MD5
61570f7d0dff24c1d316fbab12ad46e5

SHA1
97a18a610f72c12435818650d1b7d8d0bece1cad

SHA256
22a61cd803abfc81c79ce7816caef1805318fc14242bc9cd670c4b7d562226ec

SHA512
60bf2d7b53cc185463bcd6230ae9545271cab45604172be9e02f1f3e2a0de71bc415b0669b0bc94c4480b0e298783346d622f115b049045b6bb0cb5d344a4d4f

Download Submit
C:\Windows\SysWOW64\Aelncl32.exe

MD5
61570f7d0dff24c1d316fbab12ad46e5

SHA1
97a18a610f72c12435818650d1b7d8d0bece1cad

SHA256
22a61cd803abfc81c79ce7816caef1805318fc14242bc9cd670c4b7d562226ec

SHA512
60bf2d7b53cc185463bcd6230ae9545271cab45604172be9e02f1f3e2a0de71bc415b0669b0bc94c4480b0e298783346d622f115b049045b6bb0cb5d344a4d4f

Download Submit
C:\Windows\SysWOW64\Ahmgeg32.exe

MD5
8dec0a98b46a84f502547776b07b8891

SHA1
ac3cc7f156eb7957ddd3c0f2ee5c6f71291cb806

SHA256
9352689f1309d9f4e6a9bc49862e6f5bd2c511a7472c0034bb6591d54ecf834c

SHA512
dbd4d2101b8daa3ac6505da4d5437ac3b1475cf8f45a2509288e1e317e4dbac21b7c60e99fd525b22700223378d34d759163e4b8f453c68b5430e1a8cc5b6ab4

Download Submit
C:\Windows\SysWOW64\Ahmgeg32.exe

MD5
8dec0a98b46a84f502547776b07b8891

SHA1
ac3cc7f156eb7957ddd3c0f2ee5c6f71291cb806

SHA256
9352689f1309d9f4e6a9bc49862e6f5bd2c511a7472c0034bb6591d54ecf834c

SHA512
dbd4d2101b8daa3ac6505da4d5437ac3b1475cf8f45a2509288e1e317e4dbac21b7c60e99fd525b22700223378d34d759163e4b8f453c68b5430e1a8cc5b6ab4

Download Submit
C:\Windows\SysWOW64\Akdmpccp.exe

MD5
141ce1ae29feeb0b4c265b536dfb1015

SHA1
cacb3b9044a079a442d554f47909d30950dd38e0

SHA256
03d504a3f03f2e1cffabbe92c078db6e961f2b0017d4b9687c4800c843395d0c

SHA512
420bb9213b43934242eb6875830c5d53ec1b8d0285e1e5f09f006c8372a4380ce5288e3a0ed6f1e48de1620c09fbaa8acaca61e6818aa42023e5f999dcb5c80b

Download Submit
C:\Windows\SysWOW64\Akdmpccp.exe

MD5
141ce1ae29feeb0b4c265b536dfb1015

SHA1
cacb3b9044a079a442d554f47909d30950dd38e0

SHA256
03d504a3f03f2e1cffabbe92c078db6e961f2b0017d4b9687c4800c843395d0c

SHA512
420bb9213b43934242eb6875830c5d53ec1b8d0285e1e5f09f006c8372a4380ce5288e3a0ed6f1e48de1620c09fbaa8acaca61e6818aa42023e5f999dcb5c80b

Download Submit
C:\Windows\SysWOW64\Bfcddkkk.exe

MD5
2303f3b9039d5e6a2c884f9d35a82704

SHA1
227423f074bea1123dce7897720230f4e6b41d7e

SHA256
8cd39051d546d592b33c4a2e268ca38e39558a0274f3b7ab6bd2e77153b49f5c

SHA512
969f51432c9eb28decf34d68288b73904a7fc4ec72a846c2da067e7f91b122e70da61be59986778a09814cb081d088b1da784b0310b334723c8b141f549b7096

Download Submit
C:\Windows\SysWOW64\Bfcddkkk.exe

MD5
2303f3b9039d5e6a2c884f9d35a82704

SHA1
227423f074bea1123dce7897720230f4e6b41d7e

SHA256
8cd39051d546d592b33c4a2e268ca38e39558a0274f3b7ab6bd2e77153b49f5c

SHA512
969f51432c9eb28decf34d68288b73904a7fc4ec72a846c2da067e7f91b122e70da61be59986778a09814cb081d088b1da784b0310b334723c8b141f549b7096

Download Submit
C:\Windows\SysWOW64\Bjcipioo.exe

MD5
5e3bbfb36a69f188d63a43be3f110542

SHA1
1d5c8d6d0efc2e9819bfea5c4463a5b4c216ef1a

SHA256
df48565c8bfde5e30495682570eaf8ae0f6c98cfa0d73bfbb6ddc19f254930cf

SHA512
152c75c7d8a0b5961a79d7b3c0eaa55057147df7e0110e8c2fad07214e46cddc63668db52417e4957ae3e825ee945bccb1b900a4e78c30eacb4f48dfccbcaba9

Download Submit
C:\Windows\SysWOW64\Bjcipioo.exe

MD5
5e3bbfb36a69f188d63a43be3f110542

SHA1
1d5c8d6d0efc2e9819bfea5c4463a5b4c216ef1a

SHA256
df48565c8bfde5e30495682570eaf8ae0f6c98cfa0d73bfbb6ddc19f254930cf

SHA512
152c75c7d8a0b5961a79d7b3c0eaa55057147df7e0110e8c2fad07214e46cddc63668db52417e4957ae3e825ee945bccb1b900a4e78c30eacb4f48dfccbcaba9

Download Submit
C:\Windows\SysWOW64\Chmpld32.exe

MD5
b2c31fb10cf54753b9b5efc1baeb8c85

SHA1
986783e7a557e6bee5351e6931f9ba75eb2d79b9

SHA256
f49a5bf4d0839b3d438d239ef834589d4c74fb23d8a8d28f4a43e38b3c9592a5

SHA512
357bd2a8412b2049c54cb45f9d8a5b0eb0593e6082954e3bac90892299050598d4a0a2b555bf5934875bc345cc65b8994afa325d53eb5b4773d582eabd554b66

Download Submit
C:\Windows\SysWOW64\Chmpld32.exe

MD5
b2c31fb10cf54753b9b5efc1baeb8c85

SHA1
986783e7a557e6bee5351e6931f9ba75eb2d79b9

SHA256
f49a5bf4d0839b3d438d239ef834589d4c74fb23d8a8d28f4a43e38b3c9592a5

SHA512
357bd2a8412b2049c54cb45f9d8a5b0eb0593e6082954e3bac90892299050598d4a0a2b555bf5934875bc345cc65b8994afa325d53eb5b4773d582eabd554b66

Download Submit
C:\Windows\SysWOW64\Deldecdk.exe

MD5
9478878c7320875f629018f13bbb4efc

SHA1
a215d4e15acbb2ac6453ea31e2210801c95284fc

SHA256
5cc1799b23d644ef57aa4eca87a26c6003bd0660f0df0a06d3c0b812e4b4cbff

SHA512
fe77bfd9caf0af175d9a88556792171c6672d53f2c780b81992334a3305b4919113dac815ac8469c598a9351577bcef4fa643db48dba33ebc3a1e4cfa23c678d

Download Submit
C:\Windows\SysWOW64\Deldecdk.exe

MD5
9478878c7320875f629018f13bbb4efc

SHA1
a215d4e15acbb2ac6453ea31e2210801c95284fc

SHA256
5cc1799b23d644ef57aa4eca87a26c6003bd0660f0df0a06d3c0b812e4b4cbff

SHA512
fe77bfd9caf0af175d9a88556792171c6672d53f2c780b81992334a3305b4919113dac815ac8469c598a9351577bcef4fa643db48dba33ebc3a1e4cfa23c678d

Download Submit
C:\Windows\SysWOW64\Dicndide.exe

MD5
dd3e7883ade7c1e56f211cae9b60ed8c

SHA1
741598dc5a2d49eac768985526f5795041fb2c4c

SHA256
cd414a94ac3c1a1c72f6e6e2fad834e4d108c770421c165ae968bfcc0b1d1498

SHA512
53500356277d8be7d6cf63cc723dd3ea9a43d1e73f241452ac2e9f91e7407b8cf0b2d12f148cab1fcc74682e2704e1a15f14d4db024afc94e51d4aa986c50fc0

Download Submit
C:\Windows\SysWOW64\Dicndide.exe

MD5
dd3e7883ade7c1e56f211cae9b60ed8c

SHA1
741598dc5a2d49eac768985526f5795041fb2c4c

SHA256
cd414a94ac3c1a1c72f6e6e2fad834e4d108c770421c165ae968bfcc0b1d1498

SHA512
53500356277d8be7d6cf63cc723dd3ea9a43d1e73f241452ac2e9f91e7407b8cf0b2d12f148cab1fcc74682e2704e1a15f14d4db024afc94e51d4aa986c50fc0

Download Submit
C:\Windows\SysWOW64\Dobgdmma.exe

MD5
926c8b2a987e8853b87a8d3f8a1ba9cc

SHA1
6ffad68f967a1d24b8c85b5eccb79339ed0ad592

SHA256
ac286ea7cd340c52d68b3a4da5b17c97fa7f6d7130fbd9815abaa889c46f2b6c

SHA512
2ba796d782279b47240f6eb71402bd25f1ccd96ed4b7723e4fa32e10832fd97700cf22fca458b2e1c07e834d82bc8c1cd695769d5ab13d1c1547325331f09c20

Download Submit
C:\Windows\SysWOW64\Dobgdmma.exe

MD5
926c8b2a987e8853b87a8d3f8a1ba9cc

SHA1
6ffad68f967a1d24b8c85b5eccb79339ed0ad592

SHA256
ac286ea7cd340c52d68b3a4da5b17c97fa7f6d7130fbd9815abaa889c46f2b6c

SHA512
2ba796d782279b47240f6eb71402bd25f1ccd96ed4b7723e4fa32e10832fd97700cf22fca458b2e1c07e834d82bc8c1cd695769d5ab13d1c1547325331f09c20

Download Submit
C:\Windows\SysWOW64\Eagllk32.exe

MD5
ad3192936c1e7f3c605cb17a610a8147

SHA1
9623a5c8876a86ad38082615b9e52b560c0d16a5

SHA256
443acb68851ba7527246f1fcf83f7f610c3397461fc5975bf3e5a82fa40df264

SHA512
f6de1c84fd82a51dc165dcca01d1a76ad7e419989a14f0435f0191521830c80d921b76a01d89353686bf235868e01ec6e679fa4678fb30fbc38349d9fc9f4cde

Download Submit
C:\Windows\SysWOW64\Eagllk32.exe

MD5
ad3192936c1e7f3c605cb17a610a8147

SHA1
9623a5c8876a86ad38082615b9e52b560c0d16a5

SHA256
443acb68851ba7527246f1fcf83f7f610c3397461fc5975bf3e5a82fa40df264

SHA512
f6de1c84fd82a51dc165dcca01d1a76ad7e419989a14f0435f0191521830c80d921b76a01d89353686bf235868e01ec6e679fa4678fb30fbc38349d9fc9f4cde

Download Submit
C:\Windows\SysWOW64\Ejhpffbm.exe

MD5
13a16533585e6bbdab49f282cbe79fdd

SHA1
2c98fe0871dba16e5ccf22b341cc6a04ba80dac6

SHA256
2db0134b521b609d1af5ac8b6942ce1554e9d815a15e7b9b42a399d66ae8b572

SHA512
52cc33b4f28bcc83780761e412e302c175c547b85ddf65d98009c208bcd348810727f8284048eb3f6d19c578065190812c19c0d703037915fb24974a99b1fb80

Download Submit
C:\Windows\SysWOW64\Ejhpffbm.exe

MD5
13a16533585e6bbdab49f282cbe79fdd

SHA1
2c98fe0871dba16e5ccf22b341cc6a04ba80dac6

SHA256
2db0134b521b609d1af5ac8b6942ce1554e9d815a15e7b9b42a399d66ae8b572

SHA512
52cc33b4f28bcc83780761e412e302c175c547b85ddf65d98009c208bcd348810727f8284048eb3f6d19c578065190812c19c0d703037915fb24974a99b1fb80

Download Submit
C:\Windows\SysWOW64\Epqdek32.exe

MD5
814b34dffbc22282fea9942cfce8c870

SHA1
c4fd0033455c8f6c1ba21e2c8c61a8f143aa6517

SHA256
ba6212dea155cd1bc9180972930f0c6670d5acdeecdfeaeed1cb62f9fa34e30f

SHA512
69307599e0a6d1c033668272e715e9f140c1ed4f05a28ceb304924c7541a7150a37bd591472185ed8e32bd7a5049fa1bab67b30df6bb99d0478e81d24015f3be

Download Submit
C:\Windows\SysWOW64\Epqdek32.exe

MD5
814b34dffbc22282fea9942cfce8c870

SHA1
c4fd0033455c8f6c1ba21e2c8c61a8f143aa6517

SHA256
ba6212dea155cd1bc9180972930f0c6670d5acdeecdfeaeed1cb62f9fa34e30f

SHA512
69307599e0a6d1c033668272e715e9f140c1ed4f05a28ceb304924c7541a7150a37bd591472185ed8e32bd7a5049fa1bab67b30df6bb99d0478e81d24015f3be

Download Submit
C:\Windows\SysWOW64\Ffabcd32.exe

MD5
ec635ea37e277b0a4683d1a087d01951

SHA1
a9f4049a38a0a1b4c6272556d2c2bb665778599a

SHA256
0fe464511408e4aa93205ddd56a9187765c015d6649688ff68de743dd0e9e77d

SHA512
3146fc73b7206694b5900fdf2c27cfad6ae89ffb3af9947ed679f548ddcd3dd2a8404736a7d9d276697dc19deddcba1a10720de9e553bf9fbf94302de91a9046

Download Submit
C:\Windows\SysWOW64\Ffabcd32.exe

MD5
ec635ea37e277b0a4683d1a087d01951

SHA1
a9f4049a38a0a1b4c6272556d2c2bb665778599a

SHA256
0fe464511408e4aa93205ddd56a9187765c015d6649688ff68de743dd0e9e77d

SHA512
3146fc73b7206694b5900fdf2c27cfad6ae89ffb3af9947ed679f548ddcd3dd2a8404736a7d9d276697dc19deddcba1a10720de9e553bf9fbf94302de91a9046

Download Submit
C:\Windows\SysWOW64\Figdpo32.exe

MD5
6e0aba6be807231b5e8bb6743d387125

SHA1
a9c3b5acf5455d2e1434443019842518c975ee29

SHA256
e8052e57e9fc91506d34d33951dd9c5296158fa4a6a40b379c8734bd2926c6e6

SHA512
d06744d7ba08a7212681f2c61ec7b8bcf14be48054dc6a2e5dfee723f2b0dd4b55b3e5ac9efdb030789d05ec0772ca3687fae74a7e7c64ed6c48d85c926d48f7

Download Submit
C:\Windows\SysWOW64\Figdpo32.exe

MD5
6e0aba6be807231b5e8bb6743d387125

SHA1
a9c3b5acf5455d2e1434443019842518c975ee29

SHA256
e8052e57e9fc91506d34d33951dd9c5296158fa4a6a40b379c8734bd2926c6e6

SHA512
d06744d7ba08a7212681f2c61ec7b8bcf14be48054dc6a2e5dfee723f2b0dd4b55b3e5ac9efdb030789d05ec0772ca3687fae74a7e7c64ed6c48d85c926d48f7

Download Submit
C:\Windows\SysWOW64\Fkjifhgm.exe

MD5
126432951d1f27d2fce96aa613676ef0

SHA1
06718abb1cd1ada134b0cea9cdebe3dc7b8483d8

SHA256
e13b68b3c9d8a909e16a602c6e847ece524897e0df3fdc945cb07490958eff3f

SHA512
3b22e0918d44172a0a364e774e40decffd197800797fac89993ad3f2cd341a6b7663415d213373a93cb254da14f4ac8ce05725c79f46464903e5a40dc99b290b

Download Submit
C:\Windows\SysWOW64\Fkjifhgm.exe

MD5
126432951d1f27d2fce96aa613676ef0

SHA1
06718abb1cd1ada134b0cea9cdebe3dc7b8483d8

SHA256
e13b68b3c9d8a909e16a602c6e847ece524897e0df3fdc945cb07490958eff3f

SHA512
3b22e0918d44172a0a364e774e40decffd197800797fac89993ad3f2cd341a6b7663415d213373a93cb254da14f4ac8ce05725c79f46464903e5a40dc99b290b

Download Submit
C:\Windows\SysWOW64\Gilnkngm.exe

MD5
b1dd8ff5544e5d7a0cea8f85107221f0

SHA1
42c1a46ebebc9cc8c18b8df981e8f1a4b494fe25

SHA256
96ae2de831e2258db3a060c384d9c1c6431fec39a8def38a9bf8ab3400d743a5

SHA512
96268b68b39f46f14c478c583f5d9b2ed4cfa5201ebcc37b3348664045ab11acbf83462058fe4b423937d678aabadcd6daf938315e9173d224e8d68826f0348a

Download Submit
C:\Windows\SysWOW64\Gilnkngm.exe

MD5
b1dd8ff5544e5d7a0cea8f85107221f0

SHA1
42c1a46ebebc9cc8c18b8df981e8f1a4b494fe25

SHA256
96ae2de831e2258db3a060c384d9c1c6431fec39a8def38a9bf8ab3400d743a5

SHA512
96268b68b39f46f14c478c583f5d9b2ed4cfa5201ebcc37b3348664045ab11acbf83462058fe4b423937d678aabadcd6daf938315e9173d224e8d68826f0348a

Download Submit
C:\Windows\SysWOW64\Haohpb32.exe

MD5
c8d8b2ba52c4e648e3bc6eb9c4bb2d7f

SHA1
db8bf007ff2a2990cc9a5c12a453d6e096617226

SHA256
59fcacd3f361c7bd440133bc2561f555f9ae87e200c0380b1dcc0c3388ecc1b9

SHA512
3f2d47853d65eaf6e119493868514d5e921d70f210e4ee3c272d338f54d6eab116f8d46ba6a5f7386a15e8d7aa6c20ebf37ff07a1e3898b2be55e50ab33eacbf

Download Submit
C:\Windows\SysWOW64\Haohpb32.exe

MD5
c8d8b2ba52c4e648e3bc6eb9c4bb2d7f

SHA1
db8bf007ff2a2990cc9a5c12a453d6e096617226

SHA256
59fcacd3f361c7bd440133bc2561f555f9ae87e200c0380b1dcc0c3388ecc1b9

SHA512
3f2d47853d65eaf6e119493868514d5e921d70f210e4ee3c272d338f54d6eab116f8d46ba6a5f7386a15e8d7aa6c20ebf37ff07a1e3898b2be55e50ab33eacbf

Download Submit
C:\Windows\SysWOW64\Hignflmo.exe

MD5
65fc8a151589ca811aff2c5b8b1ae73e

SHA1
7bf7d95e105dcd2f35b5eb3958fed2980973bb59

SHA256
35508ed26536a8cbc7ff98a2ced80e297d22a3feb9e5bc959af98e5cf60a5984

SHA512
36345982ade8c2779d1cb80fc031d3088aeae3d097a67a6f28173ebbe6050d9288353464c2b9a8058c6a63afe5e92b71066a93275c6d81a5ee9c7adf4d5ffdd8

Download Submit
C:\Windows\SysWOW64\Hignflmo.exe

MD5
65fc8a151589ca811aff2c5b8b1ae73e

SHA1
7bf7d95e105dcd2f35b5eb3958fed2980973bb59

SHA256
35508ed26536a8cbc7ff98a2ced80e297d22a3feb9e5bc959af98e5cf60a5984

SHA512
36345982ade8c2779d1cb80fc031d3088aeae3d097a67a6f28173ebbe6050d9288353464c2b9a8058c6a63afe5e92b71066a93275c6d81a5ee9c7adf4d5ffdd8

Download Submit
C:\Windows\SysWOW64\Hiocgkgg.exe

MD5
90b8e771647da4931ca154b89c9ab4cb

SHA1
342b3707065e939e7d86cd4674ecdbdaa9109b93

SHA256
9ad88d5a370ad1eec116e04ac40877ccb716a26c655629382b5b883d41832899

SHA512
3c1d6755439a33cf9c8607e8916bbe5c6aba4921a97b7baf32a4723130a6cebff59ba20e7277c5368c39afa14f8c7b3db093dd1d18b8e344f0d390c7fd34b065

Download Submit
C:\Windows\SysWOW64\Hiocgkgg.exe

MD5
90b8e771647da4931ca154b89c9ab4cb

SHA1
342b3707065e939e7d86cd4674ecdbdaa9109b93

SHA256
9ad88d5a370ad1eec116e04ac40877ccb716a26c655629382b5b883d41832899

SHA512
3c1d6755439a33cf9c8607e8916bbe5c6aba4921a97b7baf32a4723130a6cebff59ba20e7277c5368c39afa14f8c7b3db093dd1d18b8e344f0d390c7fd34b065

Download Submit
C:\Windows\SysWOW64\Hmefmkce.exe

MD5
6d556ac1d4635d6baec3bd609bb5a359

SHA1
dfa33ad205b448c78339a269194ed5de1cb2d4d1

SHA256
95e0a433fb8e15a595674cd5fbdc34f3b95515f81152f4cf2cb8a4e83de0510a

SHA512
c3ff867bcadc8547950db723692454319a756a3c160bba569a2305b22b20a8cde27f079c87ca057961cde8eeb786445ff89bfeaa56a648441f77e4f814b4a1e3

Download Submit
C:\Windows\SysWOW64\Hmefmkce.exe

MD5
6d556ac1d4635d6baec3bd609bb5a359

SHA1
dfa33ad205b448c78339a269194ed5de1cb2d4d1

SHA256
95e0a433fb8e15a595674cd5fbdc34f3b95515f81152f4cf2cb8a4e83de0510a

SHA512
c3ff867bcadc8547950db723692454319a756a3c160bba569a2305b22b20a8cde27f079c87ca057961cde8eeb786445ff89bfeaa56a648441f77e4f814b4a1e3

Download Submit
C:\Windows\SysWOW64\Hnenepna.exe

MD5
77aad07ef93130f8c4bffabb9cc2bbaa

SHA1
25d6f5976386e48f4e6b3abfa13a151281dedf15

SHA256
ca58be32f596df786716fed8cb1a95ca12df72dc5163ea5edc0126cf1da081b8

SHA512
da3f96e3c3a9de351d8c9441dece714a987aa3187db9eb74842784a671320aa7197aebdcc3f5bce219368d89b9c640c1570600fa0d6f0901a101aa6db75a53b9

Download Submit
C:\Windows\SysWOW64\Hnenepna.exe

MD5
77aad07ef93130f8c4bffabb9cc2bbaa

SHA1
25d6f5976386e48f4e6b3abfa13a151281dedf15

SHA256
ca58be32f596df786716fed8cb1a95ca12df72dc5163ea5edc0126cf1da081b8

SHA512
da3f96e3c3a9de351d8c9441dece714a987aa3187db9eb74842784a671320aa7197aebdcc3f5bce219368d89b9c640c1570600fa0d6f0901a101aa6db75a53b9

Download Submit
C:\Windows\SysWOW64\Iaegfk32.exe

MD5
8fac8de2544af7ca9aa07792be8c7713

SHA1
66970483b8c4e347a2e36da769b3c19a4243d68c

SHA256
cfb9460c7cb7848ceb42eabb902d9ac321fd4cb72dcdc24651132569f4715448

SHA512
7b070ef657ae942e1820f515365e7dfaaa59aa73348511d137f88095d42cf6158d26379c9c58ea64fab6b4cd3b64a9c5f53d69479ae0d73afcd6360efe909f40

Download Submit
C:\Windows\SysWOW64\Iaegfk32.exe

MD5
8fac8de2544af7ca9aa07792be8c7713

SHA1
66970483b8c4e347a2e36da769b3c19a4243d68c

SHA256
cfb9460c7cb7848ceb42eabb902d9ac321fd4cb72dcdc24651132569f4715448

SHA512
7b070ef657ae942e1820f515365e7dfaaa59aa73348511d137f88095d42cf6158d26379c9c58ea64fab6b4cd3b64a9c5f53d69479ae0d73afcd6360efe909f40

Download Submit
C:\Windows\SysWOW64\Igfedd32.exe

MD5
81155dfa51ce76ac8d4d3b403ac9d70b

SHA1
80d421d7549071c7e899d5af089ab4425532fc37

SHA256
6ce85eb2eae27e90e13316100f76023bad49cdf54e734ef7ee1b1d58d1a3bcdb

SHA512
28db9b86ad6b08c69b62d1a1365537709c6006040ad47e00e21235e0c683c5ae13823580391a53fdd8411d6e4729335806a98cc898d4e4d7e4eaff1c6b246120

Download Submit
C:\Windows\SysWOW64\Igfedd32.exe

MD5
81155dfa51ce76ac8d4d3b403ac9d70b

SHA1
80d421d7549071c7e899d5af089ab4425532fc37

SHA256
6ce85eb2eae27e90e13316100f76023bad49cdf54e734ef7ee1b1d58d1a3bcdb

SHA512
28db9b86ad6b08c69b62d1a1365537709c6006040ad47e00e21235e0c683c5ae13823580391a53fdd8411d6e4729335806a98cc898d4e4d7e4eaff1c6b246120

Download Submit
C:\Windows\SysWOW64\Imnngekh.exe

MD5
ed52ab0a6c21f30a7d910fa3293ee351

SHA1
989e5c0f2f288f5cce2fec472556a0a982eb6e8b

SHA256
997431aba98eb9844539092d618b3188e1ce92b092a01b3bb206a7f4ed118406

SHA512
3f001d1ce6c09e9831c77030214b27aee065a60ce589cf0c55f94275de229c1165d2255f7ac689d3219807fe466922af54a975c8a8d4c615e1778f010d1b6e98

Download Submit
C:\Windows\SysWOW64\Imnngekh.exe

MD5
ed52ab0a6c21f30a7d910fa3293ee351

SHA1
989e5c0f2f288f5cce2fec472556a0a982eb6e8b

SHA256
997431aba98eb9844539092d618b3188e1ce92b092a01b3bb206a7f4ed118406

SHA512
3f001d1ce6c09e9831c77030214b27aee065a60ce589cf0c55f94275de229c1165d2255f7ac689d3219807fe466922af54a975c8a8d4c615e1778f010d1b6e98

Download Submit
C:\Windows\SysWOW64\Lghpij32.exe

MD5
f406c49c45e001ccd6d189f251cb7717

SHA1
bbe19891dd2405ba3b17284be3da174cfa0f4fd2

SHA256
bee9c3d4071cf6da5902566d8cf50bbb1b22d2c4151ef3f6bf08eb50f01e22e4

SHA512
8eb935d579fc8dbe5e904179e46d6208015f01bc5eeead6191b282e2aef7c6d4ca86af5b0afe195a12d6ffe0fec3fe35467921c958203c3b32f33d002a28e534

Download Submit
C:\Windows\SysWOW64\Lghpij32.exe

MD5
f406c49c45e001ccd6d189f251cb7717

SHA1
bbe19891dd2405ba3b17284be3da174cfa0f4fd2

SHA256
bee9c3d4071cf6da5902566d8cf50bbb1b22d2c4151ef3f6bf08eb50f01e22e4

SHA512
8eb935d579fc8dbe5e904179e46d6208015f01bc5eeead6191b282e2aef7c6d4ca86af5b0afe195a12d6ffe0fec3fe35467921c958203c3b32f33d002a28e534

Download Submit
C:\Windows\SysWOW64\Lijglhim.exe

MD5
8aad17151a27408bd2034280be54ca34

SHA1
d015415e7c97d0d1e692ecb9bf29aa8124a3e5dd

SHA256
6779ee71df0d43d49d1f7b93e2e646143844b572d519f56e3c61c43e9a43f466

SHA512
f81a7c26e8b4237f6aa31eb5ed56c080eef372578649523191a2d73606aa06fbe159812c0729dc1fc4ae68be10b750725021a25784e655b3eabfbcb86e5bd6c8

Download Submit
C:\Windows\SysWOW64\Lijglhim.exe

MD5
8aad17151a27408bd2034280be54ca34

SHA1
d015415e7c97d0d1e692ecb9bf29aa8124a3e5dd

SHA256
6779ee71df0d43d49d1f7b93e2e646143844b572d519f56e3c61c43e9a43f466

SHA512
f81a7c26e8b4237f6aa31eb5ed56c080eef372578649523191a2d73606aa06fbe159812c0729dc1fc4ae68be10b750725021a25784e655b3eabfbcb86e5bd6c8

Download Submit
C:\Windows\SysWOW64\Mkofdjgj.exe

MD5
7ae27be57bd6fb788dd3347f790d1470

SHA1
6137ab35866b817a18d2c7ff462cff5b3322c66f

SHA256
1a7141e259aa9b6093e5b75dd4b7247b85611d6ceab97721d9388c9fb9f45939

SHA512
94de3e41e02285a9a9bcd9205cbb87bbcc9d0d90c4da79c0f6dc93a54c6e4e787dff2ea4f1f611ec74473eb44ac69be9a864a34722118a712b2247521c051406

Download Submit
C:\Windows\SysWOW64\Mkofdjgj.exe

MD5
7ae27be57bd6fb788dd3347f790d1470

SHA1
6137ab35866b817a18d2c7ff462cff5b3322c66f

SHA256
1a7141e259aa9b6093e5b75dd4b7247b85611d6ceab97721d9388c9fb9f45939

SHA512
94de3e41e02285a9a9bcd9205cbb87bbcc9d0d90c4da79c0f6dc93a54c6e4e787dff2ea4f1f611ec74473eb44ac69be9a864a34722118a712b2247521c051406

Download Submit
C:\Windows\SysWOW64\Nnminjqg.exe

MD5
c6c26eecbff1fb1fafa419841998da70

SHA1
60efff15c3af9974de3c1d5670653ffae310edcb

SHA256
f1003338e1fa8ab2eca98382ea61e9c02bf66105af458e8124f6fdf59ac06230

SHA512
b1b2fc041e1a187b0051fc8cf52a1fab113cb4413899efbd5b734ad1ddd7bcc29d85c1092d323b078ecfe8b95aa771d32ee776971d8609a66810c093cc0953c8

Download Submit
C:\Windows\SysWOW64\Nnminjqg.exe

MD5
c6c26eecbff1fb1fafa419841998da70

SHA1
60efff15c3af9974de3c1d5670653ffae310edcb

SHA256
f1003338e1fa8ab2eca98382ea61e9c02bf66105af458e8124f6fdf59ac06230

SHA512
b1b2fc041e1a187b0051fc8cf52a1fab113cb4413899efbd5b734ad1ddd7bcc29d85c1092d323b078ecfe8b95aa771d32ee776971d8609a66810c093cc0953c8

Download Submit
C:\Windows\SysWOW64\Ojqqippj.exe

MD5
2bba127e0a4ca8e782479d1b38ff0e24

SHA1
c5599030f651ce496fcd04f033871f160714f5b4

SHA256
f00700b8ae3bf5ea8e01ee57690df28c89d63ac8f215255c59271e1c1bacb31e

SHA512
5543f8106bdb0ef650f36e51bab47ee4fea2d977a5741833d5b2b40fd163324029f4ceacc5d2940bfe9ba1f5e266e3f3db5d735eb4a8acbc74593bf1bfc84846

Download Submit
C:\Windows\SysWOW64\Ojqqippj.exe

MD5
2bba127e0a4ca8e782479d1b38ff0e24

SHA1
c5599030f651ce496fcd04f033871f160714f5b4

SHA256
f00700b8ae3bf5ea8e01ee57690df28c89d63ac8f215255c59271e1c1bacb31e

SHA512
5543f8106bdb0ef650f36e51bab47ee4fea2d977a5741833d5b2b40fd163324029f4ceacc5d2940bfe9ba1f5e266e3f3db5d735eb4a8acbc74593bf1bfc84846

Download Submit
C:\Windows\SysWOW64\Pagoloqe.exe

MD5
589e1b588412d0bf2e19382909dcdd7c

SHA1
d4a40da88375adc085e26bf29aa5eaef832ef272

SHA256
22b70c0bee936db959dfe301f451628a97c07d79f115716958f5e3047c27e0f9

SHA512
285d7b33681667ca8cfbae3dec8785c14341a1261178dc579116caa43e29e3e5f7dd9f66de83bb0d549444daf64cb81491d21dfefe1bd915b44707894915ed27

Download Submit
C:\Windows\SysWOW64\Pagoloqe.exe

MD5
589e1b588412d0bf2e19382909dcdd7c

SHA1
d4a40da88375adc085e26bf29aa5eaef832ef272

SHA256
22b70c0bee936db959dfe301f451628a97c07d79f115716958f5e3047c27e0f9

SHA512
285d7b33681667ca8cfbae3dec8785c14341a1261178dc579116caa43e29e3e5f7dd9f66de83bb0d549444daf64cb81491d21dfefe1bd915b44707894915ed27

Download Submit
C:\Windows\SysWOW64\Pcomnhik.exe

MD5
d174a168cb1ea5193b890c312be59c1a

SHA1
d57670ff49914c46899b849734d88a3146f4b9ee

SHA256
a78da2dd761bedd71b44cb85ba3d50e26c379f3044e869acee2cab71674263c2

SHA512
a9953b604733acc65c367a7c77159fe258fc2eb0ca2765f73aaa3e7f8111351c7ea84fb7b8066f1cb5ade98c45ba7eb5d0995a5fdfc8f272516605d73b6cb865

Download Submit
C:\Windows\SysWOW64\Pcomnhik.exe

MD5
d174a168cb1ea5193b890c312be59c1a

SHA1
d57670ff49914c46899b849734d88a3146f4b9ee

SHA256
a78da2dd761bedd71b44cb85ba3d50e26c379f3044e869acee2cab71674263c2

SHA512
a9953b604733acc65c367a7c77159fe258fc2eb0ca2765f73aaa3e7f8111351c7ea84fb7b8066f1cb5ade98c45ba7eb5d0995a5fdfc8f272516605d73b6cb865

Download Submit
C:\Windows\SysWOW64\Pqndlmlj.exe

MD5
e105fa0e4f02f362817900ac0719faf3

SHA1
62f4de980a702cdafed9279dc8cad6ff650bee0f

SHA256
b7e3fb5d184814d9022813edb177000c4c302c8e179e0c5f8093a9d6ae3bce02

SHA512
7ee51f0b5746d25625e4fa95423629c769159e5ee0cc551e92626367cfe6160b169d033ed00699ee794b4f131b1d069fe1b8c3111a4bf4ff7098e82531acd02d

Download Submit
C:\Windows\SysWOW64\Pqndlmlj.exe

MD5
e105fa0e4f02f362817900ac0719faf3

SHA1
62f4de980a702cdafed9279dc8cad6ff650bee0f

SHA256
b7e3fb5d184814d9022813edb177000c4c302c8e179e0c5f8093a9d6ae3bce02

SHA512
7ee51f0b5746d25625e4fa95423629c769159e5ee0cc551e92626367cfe6160b169d033ed00699ee794b4f131b1d069fe1b8c3111a4bf4ff7098e82531acd02d

Download Submit
memory/184-228-0x0000000000000000-mapping.dmp

Download
memory/192-229-0x0000000000000000-mapping.dmp

Download
memory/192-132-0x0000000000000000-mapping.dmp

Download
memory/416-223-0x0000000000000000-mapping.dmp

Download
memory/424-225-0x0000000000000000-mapping.dmp

Download
memory/500-219-0x0000000000000000-mapping.dmp

Download
memory/504-210-0x0000000000000000-mapping.dmp

Download
memory/572-189-0x0000000000000000-mapping.dmp

Download
memory/684-114-0x0000000000000000-mapping.dmp

Download
memory/736-214-0x0000000000000000-mapping.dmp

Download
memory/736-138-0x0000000000000000-mapping.dmp

Download
memory/788-168-0x0000000000000000-mapping.dmp

Download
memory/912-177-0x0000000000000000-mapping.dmp

Download
memory/988-241-0x0000000000000000-mapping.dmp

Download
memory/1000-216-0x0000000000000000-mapping.dmp

Download
memory/1076-233-0x0000000000000000-mapping.dmp

Download
memory/1248-162-0x0000000000000000-mapping.dmp

Download
memory/1288-211-0x0000000000000000-mapping.dmp

Download
memory/1660-240-0x0000000000000000-mapping.dmp

Download
memory/1984-204-0x0000000000000000-mapping.dmp

Download
memory/2080-150-0x0000000000000000-mapping.dmp

Download
memory/2084-212-0x0000000000000000-mapping.dmp

Download
memory/2120-232-0x0000000000000000-mapping.dmp

Download
memory/2148-171-0x0000000000000000-mapping.dmp

Download
memory/2192-230-0x0000000000000000-mapping.dmp

Download
memory/2220-224-0x0000000000000000-mapping.dmp

Download
memory/2240-120-0x0000000000000000-mapping.dmp

Download
memory/2244-192-0x0000000000000000-mapping.dmp

Download
memory/2260-222-0x0000000000000000-mapping.dmp

Download
memory/2288-153-0x0000000000000000-mapping.dmp

Download
memory/2336-135-0x0000000000000000-mapping.dmp

Download
memory/2616-215-0x0000000000000000-mapping.dmp

Download
memory/2616-141-0x0000000000000000-mapping.dmp

Download
memory/2776-165-0x0000000000000000-mapping.dmp

Download
memory/2792-207-0x0000000000000000-mapping.dmp

Download
memory/2920-198-0x0000000000000000-mapping.dmp

Download
memory/2952-126-0x0000000000000000-mapping.dmp

Download
memory/3020-147-0x0000000000000000-mapping.dmp

Download
memory/3024-217-0x0000000000000000-mapping.dmp

Download
memory/3052-156-0x0000000000000000-mapping.dmp

Download
memory/3140-186-0x0000000000000000-mapping.dmp

Download
memory/3168-183-0x0000000000000000-mapping.dmp

Download
memory/3232-236-0x0000000000000000-mapping.dmp

Download
memory/3260-129-0x0000000000000000-mapping.dmp

Download
memory/3468-235-0x0000000000000000-mapping.dmp

Download
memory/3512-234-0x0000000000000000-mapping.dmp

Download
memory/3528-231-0x0000000000000000-mapping.dmp

Download
memory/3548-174-0x0000000000000000-mapping.dmp

Download
memory/3620-144-0x0000000000000000-mapping.dmp

Download
memory/3688-195-0x0000000000000000-mapping.dmp

Download
memory/3752-238-0x0000000000000000-mapping.dmp

Download
memory/3752-123-0x0000000000000000-mapping.dmp

Download
memory/3860-213-0x0000000000000000-mapping.dmp

Download
memory/3868-227-0x0000000000000000-mapping.dmp

Download
memory/3876-220-0x0000000000000000-mapping.dmp

Download
memory/3908-201-0x0000000000000000-mapping.dmp

Download
memory/3920-218-0x0000000000000000-mapping.dmp

Download
memory/3936-226-0x0000000000000000-mapping.dmp

Download
memory/3944-221-0x0000000000000000-mapping.dmp

Download
memory/3944-159-0x0000000000000000-mapping.dmp

Download
memory/3956-237-0x0000000000000000-mapping.dmp

Download
memory/4008-117-0x0000000000000000-mapping.dmp

Download
memory/4084-180-0x0000000000000000-mapping.dmp

Download
memory/4092-239-0x0000000000000000-mapping.dmp

Download