f23e8125234ce57d00ceefe0eb868d462d4a4a6591c1da340b542118ff7cdf21

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3e4e0083c8a91da7217a88fdef42a720_JC.exe
Size

325KB
MD5

3e4e0083c8a91da7217a88fdef42a720
SHA1

405af46861b1f5140da237082154377da9808078
SHA256

f23e8125234ce57d00ceefe0eb868d462d4a4a6591c1da340b542118ff7cdf21
SHA512

670c3eeee1380bfe53fc0fe1c2adb4d3a222e059ff91d855e292e15b03e4378ffcd34a2c1d7db76fc30508e07ef6c476dd6d8d6ad4b7aeaf11a49b292ee21836
SSDEEP

3072:OczY/IQjFmXOjEePqiY8JZZz9IZtOmA2RIfoYWhWl6mTKcO3:Oc0/IZMPqiY8vZytOEHVkoL3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgqfdnah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.3e4e0083c8a91da7217a88fdef42a720_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cqpbglno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlphbnoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjliajmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjfnedho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmiclo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knhakh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iomoenej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepleocn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkleeplq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jncoikmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chglab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nagiji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihgnkkbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccbadp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfeaopqo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmdgikhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Embkoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emehdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbddfmgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkehkocf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaajhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emoadlfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llodgnja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdbhkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcobaedj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajndioga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipjedh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpelhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmfkhmdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hheoid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbqmiinl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Empoiimf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggahedjn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahenokjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjliajmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmaamn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncchae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddinf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhfedm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iqipio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akamff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhedh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnoiqdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjodla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemooo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Momcpa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emehdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkiaej32.exe

Executes dropped EXE 64 IoCs

pid	Process
3260	Gkleeplq.exe
4196	Gddinf32.exe
720	Gahjgj32.exe
2372	Hheoid32.exe
1388	Hfipbh32.exe
1800	Hkehkocf.exe
2448	Hocqam32.exe
5096	Hninbj32.exe
420	Hgabkoee.exe
1580	Iokgal32.exe
3356	Ikaggmii.exe
2196	Iiehpahb.exe
4768	Ioopml32.exe
1692	Igjeanmj.exe
4836	Jilnqqbj.exe
2492	Jnifigpa.exe
1328	Jeekkafl.exe
2676	Jfehed32.exe
2920	Jkaqnk32.exe
3924	Knbiofhg.exe
180	Kbpbed32.exe
4832	Kpdboimg.exe
4868	Kpgodhkd.exe
1044	Khbdikip.exe
2364	Kbghfc32.exe
4896	Kefdbo32.exe
4736	Llpmoiof.exe
3868	Bgeaifia.exe
932	Bifmqo32.exe
4448	Cqpbglno.exe
1996	Cglgjeci.exe
1500	Cjmpkqqj.exe
1920	Cceddf32.exe
2684	Cgcmjd32.exe
2208	Dakacjdb.exe
3160	Dfhjkabi.exe
4272	Dannij32.exe
456	Dclkee32.exe
4056	Dmdonkgc.exe
2292	Dcogje32.exe
1492	Djhpgofm.exe
3668	Dpehof32.exe
4548	Ehailbaa.exe
3224	Edhjqc32.exe
3124	Empoiimf.exe
1356	Edjgfcec.exe
5020	Ejdocm32.exe
32	Embkoi32.exe
3792	Edmclccp.exe
3304	Ejflhm32.exe
4872	Emehdh32.exe
3208	Fkihnmhj.exe
4772	Fhmigagd.exe
4692	Faenpf32.exe
1316	Fgbfhmll.exe
1004	Fagjfflb.exe
2484	Fdffbake.exe
3368	Fibojhim.exe
1408	Fggocmhf.exe
4312	Falcae32.exe
3104	Gkdhjknm.exe
1716	Gdmmbq32.exe
2940	Gkgeoklj.exe
3080	Gdoihpbk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Niojoeel.exe	Nbebbk32.exe
File opened for modification	C:\Windows\SysWOW64\Edaaccbj.exe	Eaceghcg.exe
File created	C:\Windows\SysWOW64\Ahenokjf.exe	Achegd32.exe
File created	C:\Windows\SysWOW64\Jofill32.dll	Fmpqfq32.exe
File created	C:\Windows\SysWOW64\Abakhdbk.dll	Ipjedh32.exe
File created	C:\Windows\SysWOW64\Lmdnbn32.exe	Lggejg32.exe
File opened for modification	C:\Windows\SysWOW64\Oqoefand.exe	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Idajkk32.dll	Hhfedm32.exe
File created	C:\Windows\SysWOW64\Ddjmba32.exe	Cbdjeg32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnlkfal.exe	Mogcihaj.exe
File opened for modification	C:\Windows\SysWOW64\Nefped32.exe	Nlnkmnah.exe
File created	C:\Windows\SysWOW64\Aojlaeei.exe	Allpejfe.exe
File opened for modification	C:\Windows\SysWOW64\Coknoaic.exe	Ciafbg32.exe
File created	C:\Windows\SysWOW64\Jdmgfedl.exe	Jncoikmp.exe
File opened for modification	C:\Windows\SysWOW64\Llnnmhfe.exe	Laiipofp.exe
File opened for modification	C:\Windows\SysWOW64\Indfca32.exe	Ihgnkkbd.exe
File created	C:\Windows\SysWOW64\Aqdjon32.dll	Bfgjjm32.exe
File created	C:\Windows\SysWOW64\Hgmgqc32.exe	Hpcodihc.exe
File created	C:\Windows\SysWOW64\Ilmmni32.exe	Ikkpgafg.exe
File created	C:\Windows\SysWOW64\Fmbdpnaj.dll	Ganldgib.exe
File opened for modification	C:\Windows\SysWOW64\Hnnljj32.exe	Hioflcbj.exe
File opened for modification	C:\Windows\SysWOW64\Dalofi32.exe	Dggkipii.exe
File created	C:\Windows\SysWOW64\Kkjqle32.dll	Hheoid32.exe
File created	C:\Windows\SysWOW64\Coiaiakf.exe	Cjliajmo.exe
File created	C:\Windows\SysWOW64\Cklgfgfg.dll	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Bjlpjm32.exe	Boflmdkk.exe
File created	C:\Windows\SysWOW64\Bbaffgag.dll	Hgmgqc32.exe
File opened for modification	C:\Windows\SysWOW64\Jdodkebj.exe	Jlhljhbg.exe
File created	C:\Windows\SysWOW64\Qfdngj32.dll	Hkbmqb32.exe
File opened for modification	C:\Windows\SysWOW64\Dakacjdb.exe	Cgcmjd32.exe
File created	C:\Windows\SysWOW64\Dnqjcbao.dll	Lihpif32.exe
File opened for modification	C:\Windows\SysWOW64\Gddinf32.exe	Gkleeplq.exe
File opened for modification	C:\Windows\SysWOW64\Ecbeip32.exe	Epdime32.exe
File created	C:\Windows\SysWOW64\Cclaff32.dll	Gdafnpqh.exe
File opened for modification	C:\Windows\SysWOW64\Bfgjjm32.exe	Bcinna32.exe
File created	C:\Windows\SysWOW64\Efpomccg.exe	Eofgpikj.exe
File created	C:\Windows\SysWOW64\Dgfnagdi.dll	Nnhmnn32.exe
File opened for modification	C:\Windows\SysWOW64\Afbgkl32.exe	Aphnnafb.exe
File opened for modification	C:\Windows\SysWOW64\Jaonbc32.exe	Joqafgni.exe
File created	C:\Windows\SysWOW64\Ejlnfjbd.exe	Ecbeip32.exe
File opened for modification	C:\Windows\SysWOW64\Ikcmbfcj.exe	Ikqqlgem.exe
File opened for modification	C:\Windows\SysWOW64\Elgaeolp.exe	Djelgied.exe
File created	C:\Windows\SysWOW64\Igjeanmj.exe	Ioopml32.exe
File created	C:\Windows\SysWOW64\Ebaplnie.exe	Ddnobj32.exe
File created	C:\Windows\SysWOW64\Jaajhb32.exe	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Paihlpfi.exe	Pjoppf32.exe
File opened for modification	C:\Windows\SysWOW64\Hlepcdoa.exe	Hifcgion.exe
File created	C:\Windows\SysWOW64\Jknfcofa.exe	Jqhafffk.exe
File created	C:\Windows\SysWOW64\Emmdom32.exe	Emjgim32.exe
File opened for modification	C:\Windows\SysWOW64\Emehdh32.exe	Ejflhm32.exe
File created	C:\Windows\SysWOW64\Oeddnh32.dll	Gjfnedho.exe
File created	C:\Windows\SysWOW64\Kkjeomld.exe	Kdpmbc32.exe
File created	C:\Windows\SysWOW64\Eohmkb32.exe	Ebaplnie.exe
File created	C:\Windows\SysWOW64\Lhlgjo32.dll	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Cgcmjd32.exe	Cceddf32.exe
File opened for modification	C:\Windows\SysWOW64\Pekbga32.exe	Phganm32.exe
File created	C:\Windows\SysWOW64\Ibodeh32.dll	Coknoaic.exe
File created	C:\Windows\SysWOW64\Jimldogg.exe	Jafdcbge.exe
File created	C:\Windows\SysWOW64\Gidbch32.dll	Cglgjeci.exe
File created	C:\Windows\SysWOW64\Klobfk32.dll	Allpejfe.exe
File created	C:\Windows\SysWOW64\Gefchq32.dll	Hdhedh32.exe
File created	C:\Windows\SysWOW64\Malhfo32.dll	Piijno32.exe
File created	C:\Windows\SysWOW64\Lnnbqnjn.exe	Liqihglg.exe
File created	C:\Windows\SysWOW64\Coknoaic.exe	Ciafbg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6912	6724	WerFault.exe	763

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfebfnqn.dll"	Gojiiafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnlhc32.dll"	Gmdjapgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occgpjdk.dll"	Hpabni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhglpo32.dll"	Ckeimm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klfaapbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hicpgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnebjidl.dll"	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlphbnoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aojlaeei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ememkjeq.dll"	Kjccdkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnpcnol.dll"	Kmieae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emjgim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfbped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoabad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkaqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcobaedj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdodkebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkgmlcm.dll"	Gaefgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjfnedho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempqa32.dll"	Nagiji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkbpmep.dll"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoefe32.dll"	Egkddo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Megljppl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipgkjlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhfdb32.dll"	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjnafk32.dll"	Mhdckaeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cglgjeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcqdoab.dll"	Fagjfflb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpbpbecj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bifmqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnocehc.dll"	Lgjijmin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehblpall.dll"	Eohmkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofcga32.dll"	Jnifigpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djelgied.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knhakh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbbffdlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjibekmc.dll"	Njfagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpek32.dll"	Lindkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dflfac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paoinm32.dll"	Fndpmndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emehdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mogcihaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlblcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpabni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckggdbo.dll"	Iahgad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnlkfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjppk32.dll"	Idbodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpqjglii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jepjhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hioflcbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofgdcipq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 3260	1904	NEAS.3e4e0083c8a91da7217a88fdef42a720_JC.exe	86
PID 1904 wrote to memory of 3260	1904	NEAS.3e4e0083c8a91da7217a88fdef42a720_JC.exe	86
PID 1904 wrote to memory of 3260	1904	NEAS.3e4e0083c8a91da7217a88fdef42a720_JC.exe	86
PID 3260 wrote to memory of 4196	3260	Gkleeplq.exe	87
PID 3260 wrote to memory of 4196	3260	Gkleeplq.exe	87
PID 3260 wrote to memory of 4196	3260	Gkleeplq.exe	87
PID 4196 wrote to memory of 720	4196	Gddinf32.exe	88
PID 4196 wrote to memory of 720	4196	Gddinf32.exe	88
PID 4196 wrote to memory of 720	4196	Gddinf32.exe	88
PID 720 wrote to memory of 2372	720	Gahjgj32.exe	89
PID 720 wrote to memory of 2372	720	Gahjgj32.exe	89
PID 720 wrote to memory of 2372	720	Gahjgj32.exe	89
PID 2372 wrote to memory of 1388	2372	Hheoid32.exe	90
PID 2372 wrote to memory of 1388	2372	Hheoid32.exe	90
PID 2372 wrote to memory of 1388	2372	Hheoid32.exe	90
PID 1388 wrote to memory of 1800	1388	Hfipbh32.exe	91
PID 1388 wrote to memory of 1800	1388	Hfipbh32.exe	91
PID 1388 wrote to memory of 1800	1388	Hfipbh32.exe	91
PID 1800 wrote to memory of 2448	1800	Hkehkocf.exe	92
PID 1800 wrote to memory of 2448	1800	Hkehkocf.exe	92
PID 1800 wrote to memory of 2448	1800	Hkehkocf.exe	92
PID 2448 wrote to memory of 5096	2448	Hocqam32.exe	93
PID 2448 wrote to memory of 5096	2448	Hocqam32.exe	93
PID 2448 wrote to memory of 5096	2448	Hocqam32.exe	93
PID 5096 wrote to memory of 420	5096	Hninbj32.exe	94
PID 5096 wrote to memory of 420	5096	Hninbj32.exe	94
PID 5096 wrote to memory of 420	5096	Hninbj32.exe	94
PID 420 wrote to memory of 1580	420	Hgabkoee.exe	95
PID 420 wrote to memory of 1580	420	Hgabkoee.exe	95
PID 420 wrote to memory of 1580	420	Hgabkoee.exe	95
PID 1580 wrote to memory of 3356	1580	Iokgal32.exe	96
PID 1580 wrote to memory of 3356	1580	Iokgal32.exe	96
PID 1580 wrote to memory of 3356	1580	Iokgal32.exe	96
PID 3356 wrote to memory of 2196	3356	Ikaggmii.exe	99
PID 3356 wrote to memory of 2196	3356	Ikaggmii.exe	99
PID 3356 wrote to memory of 2196	3356	Ikaggmii.exe	99
PID 2196 wrote to memory of 4768	2196	Iiehpahb.exe	98
PID 2196 wrote to memory of 4768	2196	Iiehpahb.exe	98
PID 2196 wrote to memory of 4768	2196	Iiehpahb.exe	98
PID 4768 wrote to memory of 1692	4768	Ioopml32.exe	97
PID 4768 wrote to memory of 1692	4768	Ioopml32.exe	97
PID 4768 wrote to memory of 1692	4768	Ioopml32.exe	97
PID 1692 wrote to memory of 4836	1692	Igjeanmj.exe	100
PID 1692 wrote to memory of 4836	1692	Igjeanmj.exe	100
PID 1692 wrote to memory of 4836	1692	Igjeanmj.exe	100
PID 4836 wrote to memory of 2492	4836	Jilnqqbj.exe	101
PID 4836 wrote to memory of 2492	4836	Jilnqqbj.exe	101
PID 4836 wrote to memory of 2492	4836	Jilnqqbj.exe	101
PID 2492 wrote to memory of 1328	2492	Jnifigpa.exe	102
PID 2492 wrote to memory of 1328	2492	Jnifigpa.exe	102
PID 2492 wrote to memory of 1328	2492	Jnifigpa.exe	102
PID 1328 wrote to memory of 2676	1328	Jeekkafl.exe	103
PID 1328 wrote to memory of 2676	1328	Jeekkafl.exe	103
PID 1328 wrote to memory of 2676	1328	Jeekkafl.exe	103
PID 2676 wrote to memory of 2920	2676	Jfehed32.exe	104
PID 2676 wrote to memory of 2920	2676	Jfehed32.exe	104
PID 2676 wrote to memory of 2920	2676	Jfehed32.exe	104
PID 2920 wrote to memory of 3924	2920	Jkaqnk32.exe	105
PID 2920 wrote to memory of 3924	2920	Jkaqnk32.exe	105
PID 2920 wrote to memory of 3924	2920	Jkaqnk32.exe	105
PID 3924 wrote to memory of 180	3924	Knbiofhg.exe	106
PID 3924 wrote to memory of 180	3924	Knbiofhg.exe	106
PID 3924 wrote to memory of 180	3924	Knbiofhg.exe	106
PID 180 wrote to memory of 4832	180	Kbpbed32.exe	107

C:\Users\Admin\AppData\Local\Temp\NEAS.3e4e0083c8a91da7217a88fdef42a720_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3e4e0083c8a91da7217a88fdef42a720_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\Gkleeplq.exe
  C:\Windows\system32\Gkleeplq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\SysWOW64\Gddinf32.exe
    C:\Windows\system32\Gddinf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Windows\SysWOW64\Gahjgj32.exe
      C:\Windows\system32\Gahjgj32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Windows\SysWOW64\Hheoid32.exe
        
        C:\Windows\system32\Hheoid32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Windows\SysWOW64\Hfipbh32.exe
        
        C:\Windows\system32\Hfipbh32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Hkehkocf.exe
        
        C:\Windows\system32\Hkehkocf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Hocqam32.exe
        
        C:\Windows\system32\Hocqam32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Hninbj32.exe
        
        C:\Windows\system32\Hninbj32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Hgabkoee.exe
        
        C:\Windows\system32\Hgabkoee.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:420
        
        C:\Windows\SysWOW64\Iokgal32.exe
        
        C:\Windows\system32\Iokgal32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Ikaggmii.exe
        
        C:\Windows\system32\Ikaggmii.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Iiehpahb.exe
        
        C:\Windows\system32\Iiehpahb.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2196

C:\Windows\SysWOW64\Igjeanmj.exe
C:\Windows\system32\Igjeanmj.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\Jilnqqbj.exe
  C:\Windows\system32\Jilnqqbj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\Jnifigpa.exe
    C:\Windows\system32\Jnifigpa.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\Jeekkafl.exe
      C:\Windows\system32\Jeekkafl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1328
    - - C:\Windows\SysWOW64\Jfehed32.exe
        
        C:\Windows\system32\Jfehed32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Jkaqnk32.exe
        
        C:\Windows\system32\Jkaqnk32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Knbiofhg.exe
        
        C:\Windows\system32\Knbiofhg.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Kbpbed32.exe
        
        C:\Windows\system32\Kbpbed32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:180
        
        C:\Windows\SysWOW64\Kpdboimg.exe
        
        C:\Windows\system32\Kpdboimg.exe
        9⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Kpgodhkd.exe
        
        C:\Windows\system32\Kpgodhkd.exe
        10⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Khbdikip.exe
        
        C:\Windows\system32\Khbdikip.exe
        11⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\Kbghfc32.exe
        
        C:\Windows\system32\Kbghfc32.exe
        12⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Kefdbo32.exe
        
        C:\Windows\system32\Kefdbo32.exe
        13⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Llpmoiof.exe
        
        C:\Windows\system32\Llpmoiof.exe
        14⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Bgeaifia.exe
        
        C:\Windows\system32\Bgeaifia.exe
        15⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Bifmqo32.exe
        
        C:\Windows\system32\Bifmqo32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Cqpbglno.exe
        
        C:\Windows\system32\Cqpbglno.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Cglgjeci.exe
        
        C:\Windows\system32\Cglgjeci.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Cjmpkqqj.exe
        
        C:\Windows\system32\Cjmpkqqj.exe
        19⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Cceddf32.exe
        
        C:\Windows\system32\Cceddf32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Cgcmjd32.exe
        
        C:\Windows\system32\Cgcmjd32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\Dakacjdb.exe
        
        C:\Windows\system32\Dakacjdb.exe
        22⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Dfhjkabi.exe
        
        C:\Windows\system32\Dfhjkabi.exe
        23⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Dannij32.exe
        
        C:\Windows\system32\Dannij32.exe
        24⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Dclkee32.exe
        
        C:\Windows\system32\Dclkee32.exe
        25⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Dmdonkgc.exe
        
        C:\Windows\system32\Dmdonkgc.exe
        26⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Dcogje32.exe
        
        C:\Windows\system32\Dcogje32.exe
        27⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\Djhpgofm.exe
        
        C:\Windows\system32\Djhpgofm.exe
        28⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\Dpehof32.exe
        
        C:\Windows\system32\Dpehof32.exe
        29⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\Ehailbaa.exe
        
        C:\Windows\system32\Ehailbaa.exe
        30⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Edhjqc32.exe
        
        C:\Windows\system32\Edhjqc32.exe
        31⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Empoiimf.exe
        
        C:\Windows\system32\Empoiimf.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Edjgfcec.exe
        
        C:\Windows\system32\Edjgfcec.exe
        33⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Ejdocm32.exe
        
        C:\Windows\system32\Ejdocm32.exe
        34⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Embkoi32.exe
        
        C:\Windows\system32\Embkoi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:32
        
        C:\Windows\SysWOW64\Edmclccp.exe
        
        C:\Windows\system32\Edmclccp.exe
        36⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Ejflhm32.exe
        
        C:\Windows\system32\Ejflhm32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Emehdh32.exe
        
        C:\Windows\system32\Emehdh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Fkihnmhj.exe
        
        C:\Windows\system32\Fkihnmhj.exe
        39⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Fhmigagd.exe
        
        C:\Windows\system32\Fhmigagd.exe
        40⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Faenpf32.exe
        
        C:\Windows\system32\Faenpf32.exe
        41⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Fgbfhmll.exe
        
        C:\Windows\system32\Fgbfhmll.exe
        42⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\Fagjfflb.exe
        
        C:\Windows\system32\Fagjfflb.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Fdffbake.exe
        
        C:\Windows\system32\Fdffbake.exe
        44⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Fibojhim.exe
        
        C:\Windows\system32\Fibojhim.exe
        45⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Fggocmhf.exe
        
        C:\Windows\system32\Fggocmhf.exe
        46⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\Falcae32.exe
        
        C:\Windows\system32\Falcae32.exe
        47⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Gkdhjknm.exe
        
        C:\Windows\system32\Gkdhjknm.exe
        48⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Gdmmbq32.exe
        
        C:\Windows\system32\Gdmmbq32.exe
        49⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\Gkgeoklj.exe
        
        C:\Windows\system32\Gkgeoklj.exe
        50⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\Gdoihpbk.exe
        
        C:\Windows\system32\Gdoihpbk.exe
        51⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\Gkiaej32.exe
        
        C:\Windows\system32\Gkiaej32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2604
        
        C:\Windows\SysWOW64\Gdafnpqh.exe
        
        C:\Windows\system32\Gdafnpqh.exe
        53⤵
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Gaefgd32.exe
        
        C:\Windows\system32\Gaefgd32.exe
        54⤵
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Giqkkf32.exe
        
        C:\Windows\system32\Giqkkf32.exe
        55⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\Gpkchqdj.exe
        
        C:\Windows\system32\Gpkchqdj.exe
        56⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Hajpbckl.exe
        
        C:\Windows\system32\Hajpbckl.exe
        57⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\Hgghjjid.exe
        
        C:\Windows\system32\Hgghjjid.exe
        58⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Hnaqgd32.exe
        
        C:\Windows\system32\Hnaqgd32.exe
        59⤵
        
        PID:8
        
        C:\Windows\SysWOW64\Hhfedm32.exe
        
        C:\Windows\system32\Hhfedm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1780
        
        C:\Windows\SysWOW64\Hjhalefe.exe
        
        C:\Windows\system32\Hjhalefe.exe
        61⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Haoimcgg.exe
        
        C:\Windows\system32\Haoimcgg.exe
        62⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Hkgnfhnh.exe
        
        C:\Windows\system32\Hkgnfhnh.exe
        63⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\Haafcb32.exe
        
        C:\Windows\system32\Haafcb32.exe
        64⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Hgnoki32.exe
        
        C:\Windows\system32\Hgnoki32.exe
        65⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Hjlkge32.exe
        
        C:\Windows\system32\Hjlkge32.exe
        66⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Idbodn32.exe
        
        C:\Windows\system32\Idbodn32.exe
        67⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Ihnkel32.exe
        
        C:\Windows\system32\Ihnkel32.exe
        68⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Iqipio32.exe
        
        C:\Windows\system32\Iqipio32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Ikndgg32.exe
        
        C:\Windows\system32\Ikndgg32.exe
        70⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Idghpmnp.exe
        
        C:\Windows\system32\Idghpmnp.exe
        71⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Ikqqlgem.exe
        
        C:\Windows\system32\Ikqqlgem.exe
        72⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Ikcmbfcj.exe
        
        C:\Windows\system32\Ikcmbfcj.exe
        73⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Ihgnkkbd.exe
        
        C:\Windows\system32\Ihgnkkbd.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Indfca32.exe
        
        C:\Windows\system32\Indfca32.exe
        75⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Jdnoplhh.exe
        
        C:\Windows\system32\Jdnoplhh.exe
        76⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Jglklggl.exe
        
        C:\Windows\system32\Jglklggl.exe
        77⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Jbaojpgb.exe
        
        C:\Windows\system32\Jbaojpgb.exe
        78⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Jhlgfj32.exe
        
        C:\Windows\system32\Jhlgfj32.exe
        79⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Jnhpoamf.exe
        
        C:\Windows\system32\Jnhpoamf.exe
        80⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Jdbhkk32.exe
        
        C:\Windows\system32\Jdbhkk32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Kjmmepfj.exe
        
        C:\Windows\system32\Kjmmepfj.exe
        82⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Kbddfmgl.exe
        
        C:\Windows\system32\Kbddfmgl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Lbgalmej.exe
        
        C:\Windows\system32\Lbgalmej.exe
        84⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Liqihglg.exe
        
        C:\Windows\system32\Liqihglg.exe
        85⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Lnnbqnjn.exe
        
        C:\Windows\system32\Lnnbqnjn.exe
        86⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Legjmh32.exe
        
        C:\Windows\system32\Legjmh32.exe
        87⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Lkabjbih.exe
        
        C:\Windows\system32\Lkabjbih.exe
        88⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Lghcocol.exe
        
        C:\Windows\system32\Lghcocol.exe
        89⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Lbngllob.exe
        
        C:\Windows\system32\Lbngllob.exe
        90⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Lihpif32.exe
        
        C:\Windows\system32\Lihpif32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Ljilqnlm.exe
        
        C:\Windows\system32\Ljilqnlm.exe
        92⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Lacdmh32.exe
        
        C:\Windows\system32\Lacdmh32.exe
        93⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Lhmmjbkf.exe
        
        C:\Windows\system32\Lhmmjbkf.exe
        94⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Mngegmbc.exe
        
        C:\Windows\system32\Mngegmbc.exe
        95⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Meamcg32.exe
        
        C:\Windows\system32\Meamcg32.exe
        96⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Mniallpq.exe
        
        C:\Windows\system32\Mniallpq.exe
        97⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Miofjepg.exe
        
        C:\Windows\system32\Miofjepg.exe
        98⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Mbgjbkfg.exe
        
        C:\Windows\system32\Mbgjbkfg.exe
        99⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\Mhdckaeo.exe
        
        C:\Windows\system32\Mhdckaeo.exe
        100⤵
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Malgcg32.exe
        
        C:\Windows\system32\Malgcg32.exe
        101⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Mhfppabl.exe
        
        C:\Windows\system32\Mhfppabl.exe
        102⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Mblcnj32.exe
        
        C:\Windows\system32\Mblcnj32.exe
        103⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Maodigil.exe
        
        C:\Windows\system32\Maodigil.exe
        104⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Nbqmiinl.exe
        
        C:\Windows\system32\Nbqmiinl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Nbcjnilj.exe
        
        C:\Windows\system32\Nbcjnilj.exe
        106⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Nahgoe32.exe
        
        C:\Windows\system32\Nahgoe32.exe
        107⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Niooqcad.exe
        
        C:\Windows\system32\Niooqcad.exe
        108⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Nlnkmnah.exe
        
        C:\Windows\system32\Nlnkmnah.exe
        109⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Nefped32.exe
        
        C:\Windows\system32\Nefped32.exe
        110⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Nlphbnoe.exe
        
        C:\Windows\system32\Nlphbnoe.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Ohghgodi.exe
        
        C:\Windows\system32\Ohghgodi.exe
        112⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Oiknlagg.exe
        
        C:\Windows\system32\Oiknlagg.exe
        113⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Pkogiikb.exe
        
        C:\Windows\system32\Pkogiikb.exe
        114⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Pchlpfjb.exe
        
        C:\Windows\system32\Pchlpfjb.exe
        115⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Pibdmp32.exe
        
        C:\Windows\system32\Pibdmp32.exe
        116⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\Poomegpf.exe
        
        C:\Windows\system32\Poomegpf.exe
        117⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Peieba32.exe
        
        C:\Windows\system32\Peieba32.exe
        118⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Phganm32.exe
        
        C:\Windows\system32\Phganm32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Pekbga32.exe
        
        C:\Windows\system32\Pekbga32.exe
        120⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Pcobaedj.exe
        
        C:\Windows\system32\Pcobaedj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Piijno32.exe
        
        C:\Windows\system32\Piijno32.exe
        122⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Qofcff32.exe
        
        C:\Windows\system32\Qofcff32.exe
        123⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Qcclld32.exe
        
        C:\Windows\system32\Qcclld32.exe
        124⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Ajndioga.exe
        
        C:\Windows\system32\Ajndioga.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Allpejfe.exe
        
        C:\Windows\system32\Allpejfe.exe
        126⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Aojlaeei.exe
        
        C:\Windows\system32\Aojlaeei.exe
        127⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Ajpqnneo.exe
        
        C:\Windows\system32\Ajpqnneo.exe
        128⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Akamff32.exe
        
        C:\Windows\system32\Akamff32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Achegd32.exe
        
        C:\Windows\system32\Achegd32.exe
        130⤵
        Drops file in System32 directory
        
        PID:6544
        
        C:\Windows\SysWOW64\Ahenokjf.exe
        
        C:\Windows\system32\Ahenokjf.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6592
        
        C:\Windows\SysWOW64\Ackbmcjl.exe
        
        C:\Windows\system32\Ackbmcjl.exe
        132⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Ajdjin32.exe
        
        C:\Windows\system32\Ajdjin32.exe
        133⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Alcfei32.exe
        
        C:\Windows\system32\Alcfei32.exe
        134⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Aoabad32.exe
        
        C:\Windows\system32\Aoabad32.exe
        135⤵
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Ajggomog.exe
        
        C:\Windows\system32\Ajggomog.exe
        136⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Aleckinj.exe
        
        C:\Windows\system32\Aleckinj.exe
        137⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Abbkcpma.exe
        
        C:\Windows\system32\Abbkcpma.exe
        138⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Bjicdmmd.exe
        
        C:\Windows\system32\Bjicdmmd.exe
        139⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Blhpqhlh.exe
        
        C:\Windows\system32\Blhpqhlh.exe
        140⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Boflmdkk.exe
        
        C:\Windows\system32\Boflmdkk.exe
        141⤵
        Drops file in System32 directory
        
        PID:7056
        
        C:\Windows\SysWOW64\Bjlpjm32.exe
        
        C:\Windows\system32\Bjlpjm32.exe
        142⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Bcddcbab.exe
        
        C:\Windows\system32\Bcddcbab.exe
        143⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Bkoigdom.exe
        
        C:\Windows\system32\Bkoigdom.exe
        144⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Bfendmoc.exe
        
        C:\Windows\system32\Bfendmoc.exe
        145⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Bhcjqinf.exe
        
        C:\Windows\system32\Bhcjqinf.exe
        146⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Bombmcec.exe
        
        C:\Windows\system32\Bombmcec.exe
        147⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Bcinna32.exe
        
        C:\Windows\system32\Bcinna32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Bfgjjm32.exe
        
        C:\Windows\system32\Bfgjjm32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Bmabggdm.exe
        
        C:\Windows\system32\Bmabggdm.exe
        150⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Bopocbcq.exe
        
        C:\Windows\system32\Bopocbcq.exe
        151⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Bbnkonbd.exe
        
        C:\Windows\system32\Bbnkonbd.exe
        152⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Cjecpkcg.exe
        
        C:\Windows\system32\Cjecpkcg.exe
        153⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Cobkhb32.exe
        
        C:\Windows\system32\Cobkhb32.exe
        154⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Cjgpfk32.exe
        
        C:\Windows\system32\Cjgpfk32.exe
        155⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Cmflbf32.exe
        
        C:\Windows\system32\Cmflbf32.exe
        156⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Ccpdoqgd.exe
        
        C:\Windows\system32\Ccpdoqgd.exe
        157⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Cjjlkk32.exe
        
        C:\Windows\system32\Cjjlkk32.exe
        158⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Cmhigf32.exe
        
        C:\Windows\system32\Cmhigf32.exe
        159⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Ccbadp32.exe
        
        C:\Windows\system32\Ccbadp32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6456
        
        C:\Windows\SysWOW64\Cjliajmo.exe
        
        C:\Windows\system32\Cjliajmo.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Coiaiakf.exe
        
        C:\Windows\system32\Coiaiakf.exe
        162⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Cfcjfk32.exe
        
        C:\Windows\system32\Cfcjfk32.exe
        163⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Ciafbg32.exe
        
        C:\Windows\system32\Ciafbg32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Coknoaic.exe
        
        C:\Windows\system32\Coknoaic.exe
        165⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Djqblj32.exe
        
        C:\Windows\system32\Djqblj32.exe
        166⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Dblgpl32.exe
        
        C:\Windows\system32\Dblgpl32.exe
        167⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Djelgied.exe
        
        C:\Windows\system32\Djelgied.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Elgaeolp.exe
        
        C:\Windows\system32\Elgaeolp.exe
        169⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Ffmfchle.exe
        
        C:\Windows\system32\Ffmfchle.exe
        170⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Fikbocki.exe
        
        C:\Windows\system32\Fikbocki.exe
        171⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Flinkojm.exe
        
        C:\Windows\system32\Flinkojm.exe
        172⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Fjjnifbl.exe
        
        C:\Windows\system32\Fjjnifbl.exe
        173⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Fdccbl32.exe
        
        C:\Windows\system32\Fdccbl32.exe
        174⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Ffaong32.exe
        
        C:\Windows\system32\Ffaong32.exe
        175⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Fdepgkgj.exe
        
        C:\Windows\system32\Fdepgkgj.exe
        176⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Fdglmkeg.exe
        
        C:\Windows\system32\Fdglmkeg.exe
        177⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Fmpqfq32.exe
        
        C:\Windows\system32\Fmpqfq32.exe
        178⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Gbmingjo.exe
        
        C:\Windows\system32\Gbmingjo.exe
        179⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Gmbmkpie.exe
        
        C:\Windows\system32\Gmbmkpie.exe
        180⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Gpqjglii.exe
        
        C:\Windows\system32\Gpqjglii.exe
        181⤵
        Modifies registry class
        
        PID:7172
        
        C:\Windows\SysWOW64\Gbofcghl.exe
        
        C:\Windows\system32\Gbofcghl.exe
        182⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Gjfnedho.exe
        
        C:\Windows\system32\Gjfnedho.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7252
        
        C:\Windows\SysWOW64\Gmdjapgb.exe
        
        C:\Windows\system32\Gmdjapgb.exe
        184⤵
        Modifies registry class
        
        PID:7292
        
        C:\Windows\SysWOW64\Gpcfmkff.exe
        
        C:\Windows\system32\Gpcfmkff.exe
        185⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Gbabigfj.exe
        
        C:\Windows\system32\Gbabigfj.exe
        186⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Gikkfqmf.exe
        
        C:\Windows\system32\Gikkfqmf.exe
        187⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Gljgbllj.exe
        
        C:\Windows\system32\Gljgbllj.exe
        188⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Gbdoof32.exe
        
        C:\Windows\system32\Gbdoof32.exe
        189⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Gmiclo32.exe
        
        C:\Windows\system32\Gmiclo32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7568
        
        C:\Windows\SysWOW64\Gphphj32.exe
        
        C:\Windows\system32\Gphphj32.exe
        191⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Ggahedjn.exe
        
        C:\Windows\system32\Ggahedjn.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7668
        
        C:\Windows\SysWOW64\Hloqml32.exe
        
        C:\Windows\system32\Hloqml32.exe
        193⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Hbhijepa.exe
        
        C:\Windows\system32\Hbhijepa.exe
        194⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Hibafp32.exe
        
        C:\Windows\system32\Hibafp32.exe
        195⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Hlambk32.exe
        
        C:\Windows\system32\Hlambk32.exe
        196⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Hdhedh32.exe
        
        C:\Windows\system32\Hdhedh32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7952
        
        C:\Windows\SysWOW64\Hkbmqb32.exe
        
        C:\Windows\system32\Hkbmqb32.exe
        198⤵
        Drops file in System32 directory
        
        PID:7988
        
        C:\Windows\SysWOW64\Hlcjhkdp.exe
        
        C:\Windows\system32\Hlcjhkdp.exe
        199⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Hdjbiheb.exe
        
        C:\Windows\system32\Hdjbiheb.exe
        200⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Hmbfbn32.exe
        
        C:\Windows\system32\Hmbfbn32.exe
        201⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Hpabni32.exe
        
        C:\Windows\system32\Hpabni32.exe
        202⤵
        Modifies registry class
        
        PID:8172
        
        C:\Windows\SysWOW64\Hkfglb32.exe
        
        C:\Windows\system32\Hkfglb32.exe
        203⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Hpcodihc.exe
        
        C:\Windows\system32\Hpcodihc.exe
        204⤵
        Drops file in System32 directory
        
        PID:7240
        
        C:\Windows\SysWOW64\Hgmgqc32.exe
        
        C:\Windows\system32\Hgmgqc32.exe
        205⤵
        Drops file in System32 directory
        
        PID:7356
        
        C:\Windows\SysWOW64\Ingpmmgm.exe
        
        C:\Windows\system32\Ingpmmgm.exe
        206⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Ipflihfq.exe
        
        C:\Windows\system32\Ipflihfq.exe
        207⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Ikkpgafg.exe
        
        C:\Windows\system32\Ikkpgafg.exe
        208⤵
        Drops file in System32 directory
        
        PID:7536
        
        C:\Windows\SysWOW64\Ilmmni32.exe
        
        C:\Windows\system32\Ilmmni32.exe
        209⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Icfekc32.exe
        
        C:\Windows\system32\Icfekc32.exe
        210⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Ijqmhnko.exe
        
        C:\Windows\system32\Ijqmhnko.exe
        211⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\Ipjedh32.exe
        
        C:\Windows\system32\Ipjedh32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7880
        
        C:\Windows\SysWOW64\Iciaqc32.exe
        
        C:\Windows\system32\Iciaqc32.exe
        213⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Innfnl32.exe
        
        C:\Windows\system32\Innfnl32.exe
        214⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Ipmbjgpi.exe
        
        C:\Windows\system32\Ipmbjgpi.exe
        215⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Ikbfgppo.exe
        
        C:\Windows\system32\Ikbfgppo.exe
        216⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Inqbclob.exe
        
        C:\Windows\system32\Inqbclob.exe
        217⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Ipoopgnf.exe
        
        C:\Windows\system32\Ipoopgnf.exe
        218⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Jncoikmp.exe
        
        C:\Windows\system32\Jncoikmp.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7416
        
        C:\Windows\SysWOW64\Jdmgfedl.exe
        
        C:\Windows\system32\Jdmgfedl.exe
        220⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Jgkdbacp.exe
        
        C:\Windows\system32\Jgkdbacp.exe
        221⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Jlhljhbg.exe
        
        C:\Windows\system32\Jlhljhbg.exe
        222⤵
        Drops file in System32 directory
        
        PID:7784
        
        C:\Windows\SysWOW64\Jdodkebj.exe
        
        C:\Windows\system32\Jdodkebj.exe
        223⤵
        Modifies registry class
        
        PID:7948
        
        C:\Windows\SysWOW64\Jjlmclqa.exe
        
        C:\Windows\system32\Jjlmclqa.exe
        224⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Jlkipgpe.exe
        
        C:\Windows\system32\Jlkipgpe.exe
        225⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Jdaaaeqg.exe
        
        C:\Windows\system32\Jdaaaeqg.exe
        226⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Jgpmmp32.exe
        
        C:\Windows\system32\Jgpmmp32.exe
        227⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Jnjejjgh.exe
        
        C:\Windows\system32\Jnjejjgh.exe
        228⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Jqhafffk.exe
        
        C:\Windows\system32\Jqhafffk.exe
        229⤵
        Drops file in System32 directory
        
        PID:7744
        
        C:\Windows\SysWOW64\Jknfcofa.exe
        
        C:\Windows\system32\Jknfcofa.exe
        230⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Jlobkg32.exe
        
        C:\Windows\system32\Jlobkg32.exe
        231⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Kjccdkki.exe
        
        C:\Windows\system32\Kjccdkki.exe
        232⤵
        Modifies registry class
        
        PID:7352
        
        C:\Windows\SysWOW64\Kqmkae32.exe
        
        C:\Windows\system32\Kqmkae32.exe
        233⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Kmdlffhj.exe
        
        C:\Windows\system32\Kmdlffhj.exe
        234⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Kgipcogp.exe
        
        C:\Windows\system32\Kgipcogp.exe
        235⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Kmfhkf32.exe
        
        C:\Windows\system32\Kmfhkf32.exe
        236⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Kcpahpmd.exe
        
        C:\Windows\system32\Kcpahpmd.exe
        237⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Kmieae32.exe
        
        C:\Windows\system32\Kmieae32.exe
        238⤵
        Modifies registry class
        
        PID:7456
        
        C:\Windows\SysWOW64\Kdpmbc32.exe
        
        C:\Windows\system32\Kdpmbc32.exe
        239⤵
        Drops file in System32 directory
        
        PID:7512
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        240⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Knhakh32.exe
        
        C:\Windows\system32\Knhakh32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8232
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8284
        
        C:\Windows\SysWOW64\Lnjnqh32.exe
        
        C:\Windows\system32\Lnjnqh32.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8324
        
        C:\Windows\SysWOW64\Lqikmc32.exe
        
        C:\Windows\system32\Lqikmc32.exe
        244⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Ljaoeini.exe
        
        C:\Windows\system32\Ljaoeini.exe
        245⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Lmpkadnm.exe
        
        C:\Windows\system32\Lmpkadnm.exe
        246⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\Lgepom32.exe
        
        C:\Windows\system32\Lgepom32.exe
        247⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Lnohlgep.exe
        
        C:\Windows\system32\Lnohlgep.exe
        248⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Lclpdncg.exe
        
        C:\Windows\system32\Lclpdncg.exe
        249⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\Lmdemd32.exe
        
        C:\Windows\system32\Lmdemd32.exe
        250⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Lgjijmin.exe
        
        C:\Windows\system32\Lgjijmin.exe
        251⤵
        Modifies registry class
        
        PID:8676
        
        C:\Windows\SysWOW64\Mkhapk32.exe
        
        C:\Windows\system32\Mkhapk32.exe
        252⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Mminhceb.exe
        
        C:\Windows\system32\Mminhceb.exe
        253⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Mjmoag32.exe
        
        C:\Windows\system32\Mjmoag32.exe
        254⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\Mgaokl32.exe
        
        C:\Windows\system32\Mgaokl32.exe
        255⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Mmnhcb32.exe
        
        C:\Windows\system32\Mmnhcb32.exe
        256⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\Mgclpkac.exe
        
        C:\Windows\system32\Mgclpkac.exe
        257⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Mmpdhboj.exe
        
        C:\Windows\system32\Mmpdhboj.exe
        258⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Megljppl.exe
        
        C:\Windows\system32\Megljppl.exe
        259⤵
        Modifies registry class
        
        PID:9004
        
        C:\Windows\SysWOW64\Mgehfkop.exe
        
        C:\Windows\system32\Mgehfkop.exe
        260⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Mjdebfnd.exe
        
        C:\Windows\system32\Mjdebfnd.exe
        261⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Manmoq32.exe
        
        C:\Windows\system32\Manmoq32.exe
        262⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\Njfagf32.exe
        
        C:\Windows\system32\Njfagf32.exe
        263⤵
        Modifies registry class
        
        PID:9184
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        264⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Nelfeo32.exe
        
        C:\Windows\system32\Nelfeo32.exe
        265⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\Nlfnaicd.exe
        
        C:\Windows\system32\Nlfnaicd.exe
        266⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        267⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Nlhkgi32.exe
        
        C:\Windows\system32\Nlhkgi32.exe
        268⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        269⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\Bepmoh32.exe
        
        C:\Windows\system32\Bepmoh32.exe
        270⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        271⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8704
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        273⤵
        Modifies registry class
        
        PID:8772
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        274⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        275⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        276⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        277⤵
        Drops file in System32 directory
        
        PID:9092
        
        C:\Windows\SysWOW64\Ddjmba32.exe
        
        C:\Windows\system32\Ddjmba32.exe
        278⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        279⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        280⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        281⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        282⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        283⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        284⤵
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        285⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        286⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        287⤵
        Modifies registry class
        
        PID:8732
        
        C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        288⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        289⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        290⤵
        Drops file in System32 directory
        
        PID:9072
        
        C:\Windows\SysWOW64\Efpomccg.exe
        
        C:\Windows\system32\Efpomccg.exe
        291⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        292⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8224
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        293⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        294⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        295⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        296⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8620
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        297⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        298⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        299⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        300⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        301⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        302⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        303⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        304⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        305⤵
        
        PID:768
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        306⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4920
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        307⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        308⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        309⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        310⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        311⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        312⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9260
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        313⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        314⤵
        Modifies registry class
        
        PID:9352
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        315⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        316⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        317⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9484
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        318⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        319⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        320⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        321⤵
        Modifies registry class
        
        PID:9668
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        322⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        323⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        324⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        325⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        326⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        327⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        328⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        44⤵
        
        PID:676
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        45⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        46⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        47⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        48⤵
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        49⤵
        Modifies registry class
        
        PID:10652
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        50⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        51⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        52⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        53⤵
        
        PID:392
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        54⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        55⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        56⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        57⤵
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        58⤵
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        59⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        60⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        61⤵
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        62⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        63⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        64⤵
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        65⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4968
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        68⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        69⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        70⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        72⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        73⤵
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        74⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        75⤵
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        76⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        77⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        79⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        80⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        81⤵
        
        PID:8
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        82⤵
        
        PID:892
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        83⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        84⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        85⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        87⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        88⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11304
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        90⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        91⤵
        Modifies registry class
        
        PID:11392
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        92⤵
        
        PID:11436
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        93⤵
        Modifies registry class
        
        PID:11480
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        94⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        95⤵
        Drops file in System32 directory
        
        PID:11576
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        96⤵
        
        PID:11612
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        97⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        98⤵
        
        PID:11708

C:\Windows\SysWOW64\Ioopml32.exe
C:\Windows\system32\Ioopml32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\Hblkjo32.exe
C:\Windows\system32\Hblkjo32.exe
1⤵
PID:10020
- C:\Windows\SysWOW64\Hifcgion.exe
  C:\Windows\system32\Hifcgion.exe
  2⤵
  - Drops file in System32 directory
  PID:10068
- - C:\Windows\SysWOW64\Hlepcdoa.exe
    C:\Windows\system32\Hlepcdoa.exe
    3⤵
    PID:10108
  - - C:\Windows\SysWOW64\Hemdlj32.exe
      C:\Windows\system32\Hemdlj32.exe
      4⤵
      PID:10160
    - - C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        5⤵
        
        PID:10220
      - C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        6⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        7⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        8⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9436
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        10⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        11⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        12⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        13⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        14⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        15⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        16⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        17⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        18⤵
        Modifies registry class
        
        PID:10036
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        19⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        20⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        21⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        22⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        23⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        24⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        25⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        26⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        27⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        28⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        29⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        30⤵
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        31⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        32⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        33⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        34⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        35⤵
        Modifies registry class
        
        PID:10116
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        36⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        37⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9432
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9508
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        40⤵
        Drops file in System32 directory
        
        PID:9572
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        41⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        42⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9864
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        44⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        45⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        46⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        47⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        48⤵
        Modifies registry class
        
        PID:10212
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        49⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        50⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        51⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9156
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        53⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        54⤵
        
        PID:412
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        55⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        56⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        57⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        58⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        59⤵
        
        PID:744
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        60⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9496
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        62⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        63⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        64⤵
        Modifies registry class
        
        PID:10016
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        65⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        66⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        67⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3996
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        69⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        70⤵
        Drops file in System32 directory
        
        PID:9492
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8256
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        72⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        73⤵
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        74⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        75⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        76⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        77⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10248
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        79⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10340
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        81⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10424
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        83⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        84⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        85⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        86⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        87⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        88⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        89⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10752
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        91⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10836
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        93⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        94⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        95⤵
        Modifies registry class
        
        PID:10968
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        96⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        97⤵
        Drops file in System32 directory
        
        PID:11056
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        98⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        99⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        100⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        101⤵
        
        PID:11220
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        102⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        103⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        104⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        105⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        106⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        107⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        108⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        109⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        110⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        111⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        112⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        113⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        114⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        115⤵
        Modifies registry class
        
        PID:11116
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        116⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        117⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        118⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        119⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        120⤵
        Drops file in System32 directory
        
        PID:10536
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        121⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        122⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        123⤵
        
        PID:10872
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        124⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        125⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        126⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        127⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        128⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        129⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10908
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        131⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        132⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        133⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        134⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        135⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        136⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        137⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        138⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        139⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        140⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        141⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        142⤵
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        143⤵
        Modifies registry class
        
        PID:10824
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        144⤵
        
        PID:11208
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        145⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Edgbii32.exe
        
        C:\Windows\system32\Edgbii32.exe
        146⤵
        
        PID:456
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        147⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        148⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        149⤵
        
        PID:10264
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        150⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        151⤵
        
        PID:408
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        152⤵
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        153⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        154⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        155⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        156⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        157⤵
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        158⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        159⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        160⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        161⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        162⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        163⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        164⤵
        
        PID:1004

C:\Windows\SysWOW64\Ljdkll32.exe
C:\Windows\system32\Ljdkll32.exe
1⤵
PID:11752
- C:\Windows\SysWOW64\Mfkkqmiq.exe
  C:\Windows\system32\Mfkkqmiq.exe
  2⤵
  PID:11812
- - C:\Windows\SysWOW64\Mpapnfhg.exe
    C:\Windows\system32\Mpapnfhg.exe
    3⤵
    - Modifies registry class
    PID:11852
  - - C:\Windows\SysWOW64\Mablfnne.exe
      C:\Windows\system32\Mablfnne.exe
      4⤵
      PID:11896
    - - C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        5⤵
        
        PID:11940

C:\Windows\SysWOW64\Mpclce32.exe
C:\Windows\system32\Mpclce32.exe
1⤵
PID:11984
- C:\Windows\SysWOW64\Mohidbkl.exe
  C:\Windows\system32\Mohidbkl.exe
  2⤵
  PID:12044
- - C:\Windows\SysWOW64\Mjnnbk32.exe
    C:\Windows\system32\Mjnnbk32.exe
    3⤵
    PID:12092
  - - C:\Windows\SysWOW64\Mjpjgj32.exe
      C:\Windows\system32\Mjpjgj32.exe
      4⤵
      PID:12152
    - - C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12196
      - C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        6⤵
        
        PID:12240
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        7⤵
        
        PID:12284
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11296
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        9⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        10⤵
        
        PID:11424
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        11⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        12⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        13⤵
        
        PID:11588
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        14⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        15⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        16⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:11732
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        17⤵
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        18⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        19⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        20⤵
        
        PID:11840
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        21⤵
        Modifies registry class
        
        PID:11880
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        22⤵
        
        PID:11948
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        23⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        24⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        25⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        26⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        27⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        28⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        29⤵
        
        PID:12236
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        30⤵
        
        PID:12260
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        31⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        32⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:11468
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        34⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        35⤵
        
        PID:11512
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        36⤵
        
        PID:11624
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        37⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        38⤵
        
        PID:11680
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        39⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        40⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        41⤵
        
        PID:11792
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        42⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        43⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        44⤵
        
        PID:11992
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        45⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        46⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        47⤵
        
        PID:12128
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        48⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        49⤵
        
        PID:11292
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        50⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        51⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        52⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        53⤵
        
        PID:11560
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        54⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        55⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        56⤵
        
        PID:5148

C:\Windows\SysWOW64\Bjhkmbho.exe
C:\Windows\system32\Bjhkmbho.exe
1⤵
PID:5312
- C:\Windows\SysWOW64\Bbdpad32.exe
  C:\Windows\system32\Bbdpad32.exe
  2⤵
  PID:11972
- - C:\Windows\SysWOW64\Bmidnm32.exe
    C:\Windows\system32\Bmidnm32.exe
    3⤵
    PID:6264
  - - C:\Windows\SysWOW64\Bbfmgd32.exe
      C:\Windows\system32\Bbfmgd32.exe
      4⤵
      PID:5380
    - - C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        5⤵
        
        PID:5640
      - C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        6⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        7⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        8⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        9⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        10⤵
        
        PID:6744

C:\Windows\SysWOW64\Cpcpfg32.exe
C:\Windows\system32\Cpcpfg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:11376
- C:\Windows\SysWOW64\Dmjmekgn.exe
  C:\Windows\system32\Dmjmekgn.exe
  2⤵
  PID:6928
- - C:\Windows\SysWOW64\Dggkipii.exe
    C:\Windows\system32\Dggkipii.exe
    3⤵
    - Drops file in System32 directory
    PID:7104
  - - C:\Windows\SysWOW64\Dalofi32.exe
      C:\Windows\system32\Dalofi32.exe
      4⤵
      PID:6416
    - - C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        5⤵
        
        PID:11656
      - C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        6⤵
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        7⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:11828
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        9⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        10⤵
        Drops file in System32 directory
        
        PID:11920
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        11⤵
        Modifies registry class
        
        PID:11964
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        12⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        13⤵
        Modifies registry class
        
        PID:6856
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        14⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        15⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        16⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        17⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        18⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        19⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        20⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        21⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        22⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        23⤵
        Modifies registry class
        
        PID:11460
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        24⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        25⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        26⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        27⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        28⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        29⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        30⤵
        
        PID:6548

C:\Windows\SysWOW64\Fgnjqm32.exe
C:\Windows\system32\Fgnjqm32.exe
1⤵
PID:6584
- C:\Windows\SysWOW64\Fqfojblo.exe
  C:\Windows\system32\Fqfojblo.exe
  2⤵
  - Drops file in System32 directory
  PID:11836
- - C:\Windows\SysWOW64\Fnjocf32.exe
    C:\Windows\system32\Fnjocf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:6428
  - - C:\Windows\SysWOW64\Gddgpqbe.exe
      C:\Windows\system32\Gddgpqbe.exe
      4⤵
      PID:6724
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 404
        5⤵
        Program crash
        
        PID:6912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 6724 -ip 6724
1⤵
PID:5320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgeaifia.exe

Filesize
325KB

MD5
ee1fb08fa2b0c2454efcc83ef2219ce0

SHA1
f1d30107a15fb2d42c3864d67a24cc488fb7140e

SHA256
dc5e0b7710061247865270193284cdb253877c5c845382006ad3f69c6cd039ff

SHA512
7194ba3e6f00ac97333ce610ec744b75951c97922e17115d9bfb8fb0e228a0030720a64f64848e87bede8a763fe58ebc705e0d338e37c1b5a7fd24ccdb25c092

Download Submit
C:\Windows\SysWOW64\Bgeaifia.exe

Filesize
325KB

MD5
ee1fb08fa2b0c2454efcc83ef2219ce0

SHA1
f1d30107a15fb2d42c3864d67a24cc488fb7140e

SHA256
dc5e0b7710061247865270193284cdb253877c5c845382006ad3f69c6cd039ff

SHA512
7194ba3e6f00ac97333ce610ec744b75951c97922e17115d9bfb8fb0e228a0030720a64f64848e87bede8a763fe58ebc705e0d338e37c1b5a7fd24ccdb25c092

Download Submit
C:\Windows\SysWOW64\Bifmqo32.exe

Filesize
325KB

MD5
44f8ee5da6c256ce07e0ef535667242d

SHA1
7a8a1bd8ac48100122aa4e3c3ce41bd026ebdd94

SHA256
d88306d1ea752a6fb1eecf288eafa5257947c1dbb6bd0d518f2ef2e6d717901e

SHA512
909128e1431874a96216efd86913d5da40df5954d786f26c7645d7fccff56035e2e848c02e9f06ea3ba411584e8d14f0e4c42514fab69fba3a9c1afc2f6f0b13

Download Submit
C:\Windows\SysWOW64\Bifmqo32.exe

Filesize
325KB

MD5
44f8ee5da6c256ce07e0ef535667242d

SHA1
7a8a1bd8ac48100122aa4e3c3ce41bd026ebdd94

SHA256
d88306d1ea752a6fb1eecf288eafa5257947c1dbb6bd0d518f2ef2e6d717901e

SHA512
909128e1431874a96216efd86913d5da40df5954d786f26c7645d7fccff56035e2e848c02e9f06ea3ba411584e8d14f0e4c42514fab69fba3a9c1afc2f6f0b13

Download Submit
C:\Windows\SysWOW64\Blnoga32.exe

Filesize
325KB

MD5
bace6298eb931c46ae8889fe6dc1870b

SHA1
3e206d65f7b87e29d5487d166826472874c030aa

SHA256
562a1b1d552b698332b67437d8771ed7fe12a008eded1093838c2d89c8dec051

SHA512
47ba1bd3f854676b92cafb48fa69cbb7f10f62685fa64a62712a50873df2fa29fde15981c4ebe4f34720ce8e1ceb328cfeae19c9539f80db3e0de0ded922feb6

Download Submit
C:\Windows\SysWOW64\Cgcmjd32.exe

Filesize
325KB

MD5
2a4ddcc08994b87028b7690eb1a33386

SHA1
ec33c3b85d7281f08968a18f607cb60a44b9c3db

SHA256
ad7bd81c06738bfdbaa97f3ed929274d3447aac7e9bab6f796358a4de811eb31

SHA512
0636155700c438227802be7456d55d2e207324f9cb927e93a9aa9b2277d80c0df45ad4a70e529877d802a23b9bf7604fc1da0c1d1c952a19da3c5267e451500f

Download Submit
C:\Windows\SysWOW64\Cglgjeci.exe

Filesize
325KB

MD5
4facfd9617f29145400568e578e1aac0

SHA1
58836a0a739934ba4ed9a9d6631be790f57be5d9

SHA256
d94ef27ac79cd00671dfff6e2d05c6c9b4031b2fb9c9d40b56e31d05655e43a8

SHA512
83a264b1025be638d8cedf34e9024d944eb5a2d1013048eaa5873aa4b18c554463f97c6297daf24a8c7c8e0837ad1f4c8dfc91358ebf3696ebf280e023a195b4

Download Submit
C:\Windows\SysWOW64\Cglgjeci.exe

Filesize
325KB

MD5
f6b178faf10c841abb4f995ac6bde622

SHA1
7c63c655e4787e903902bd6a7f8512a831c61860

SHA256
a52aa777a2dbb0482cc22053102f9e02202e1dc094a8807ca7c1a6766985a630

SHA512
eb92c4f9a62d35e0caebeddf003d0490b09fe2c4627c342aaf6e6d91b71d736092ab983c714f4661f4a1c6eca7ec461b06d99c66cbdeb8f7007eaf5ef90041ba

Download Submit
C:\Windows\SysWOW64\Cglgjeci.exe

Filesize
325KB

MD5
f6b178faf10c841abb4f995ac6bde622

SHA1
7c63c655e4787e903902bd6a7f8512a831c61860

SHA256
a52aa777a2dbb0482cc22053102f9e02202e1dc094a8807ca7c1a6766985a630

SHA512
eb92c4f9a62d35e0caebeddf003d0490b09fe2c4627c342aaf6e6d91b71d736092ab983c714f4661f4a1c6eca7ec461b06d99c66cbdeb8f7007eaf5ef90041ba

Download Submit
C:\Windows\SysWOW64\Cjmpkqqj.exe

Filesize
325KB

MD5
a874f0d9c34b2bb549f5774c0ddbbfc5

SHA1
dd015effa183f0911b52b95cb4157a6737860a87

SHA256
9703613b85b19fe51b8bb24d9170a729ca1cdf68d4b3868d596626fae36364be

SHA512
2d5d21a940535400f18b1bfac11188f4d048f6b21cc375fe6e8df1ff680b4ffcbcabb62271f69a817702727a72ccc2cc962b5371feddb16f56cebaeb27228cd5

Download Submit
C:\Windows\SysWOW64\Cjmpkqqj.exe

Filesize
325KB

MD5
a874f0d9c34b2bb549f5774c0ddbbfc5

SHA1
dd015effa183f0911b52b95cb4157a6737860a87

SHA256
9703613b85b19fe51b8bb24d9170a729ca1cdf68d4b3868d596626fae36364be

SHA512
2d5d21a940535400f18b1bfac11188f4d048f6b21cc375fe6e8df1ff680b4ffcbcabb62271f69a817702727a72ccc2cc962b5371feddb16f56cebaeb27228cd5

Download Submit
C:\Windows\SysWOW64\Cobkhb32.exe

Filesize
128KB

MD5
5bedf42f4a2849f7a5b2a6fc212baaac

SHA1
d8f1a8cb11b6c5ff795be2ceab4335506628c867

SHA256
d2d8b96c87180fb41f280a17854afc833999264af355c3c1cfe64b26f5cb51ac

SHA512
2f83dd69b5692719e9d4d4733d5371dce6005f90739a3292044c7af059aa880adecc060f02a991245b5a62190a8290d46baf8e00af55c68c2b822d42f1a0b8ad

Download Submit
C:\Windows\SysWOW64\Cqpbglno.exe

Filesize
325KB

MD5
4facfd9617f29145400568e578e1aac0

SHA1
58836a0a739934ba4ed9a9d6631be790f57be5d9

SHA256
d94ef27ac79cd00671dfff6e2d05c6c9b4031b2fb9c9d40b56e31d05655e43a8

SHA512
83a264b1025be638d8cedf34e9024d944eb5a2d1013048eaa5873aa4b18c554463f97c6297daf24a8c7c8e0837ad1f4c8dfc91358ebf3696ebf280e023a195b4

Download Submit
C:\Windows\SysWOW64\Cqpbglno.exe

Filesize
325KB

MD5
4facfd9617f29145400568e578e1aac0

SHA1
58836a0a739934ba4ed9a9d6631be790f57be5d9

SHA256
d94ef27ac79cd00671dfff6e2d05c6c9b4031b2fb9c9d40b56e31d05655e43a8

SHA512
83a264b1025be638d8cedf34e9024d944eb5a2d1013048eaa5873aa4b18c554463f97c6297daf24a8c7c8e0837ad1f4c8dfc91358ebf3696ebf280e023a195b4

Download Submit
C:\Windows\SysWOW64\Dblgpl32.exe

Filesize
325KB

MD5
1cd947c2a645c18a6effc4d7d498b200

SHA1
82ecfee95c3ce7de700a817de0dc699e328eb659

SHA256
1361665fa22132510af92483ff609626c063e3130d7c2b793925b705b3ffa020

SHA512
8052d3344f860403dc68363a80195ac1520c76a6628da2d0ca7748d2c51e0f08bf80cce13646ce2d9b26ea8bcb5e206bb3c1f9fe6511fc59fb9532753658785b

Download Submit
C:\Windows\SysWOW64\Ehailbaa.exe

Filesize
325KB

MD5
dd09022b1584a8d142dd86cf29dc0e4f

SHA1
1fa0c986189d0629eccaae321255bde30287ac1e

SHA256
75077c8256a42d1f594f81eceb32c5f17fe3de1bbd6c3ebcb2627f5f1ac5f4ac

SHA512
e9862304e20003fb7880e9817c8f04c8fb43f88691d8bf203967263d5363a5dadc97ed07956c2b5208cc9854607739427e1e6d483fef1dba2f5b7be0bcb06306

Download Submit
C:\Windows\SysWOW64\Emjgim32.exe

Filesize
325KB

MD5
ec97279a04754925e39ada208354bdc0

SHA1
501dfd53edb568c484e05fb1850ac230c4307754

SHA256
0da9631ff9b84670fd283c9f3f632047e2c3f2eb4acf5d3cc09ffc34b0c9616b

SHA512
95f962b488dfa2b05a7c36e588e2f7a3a14d3a99ac2c6b9d362cf31214ad14a49978ea94c077e6035e9cd23b252b3e59b477d169182f2e692e304fe53c7634d7

Download Submit
C:\Windows\SysWOW64\Fmpqfq32.exe

Filesize
325KB

MD5
db0ee2fa56c02b9f8db48502ec31cb0d

SHA1
9dcdb9d46db5b1ef82e171e770c24ba6b32fbfdd

SHA256
d91646d65b3e8e99695ddcf1df219db65c86ebd3e691cbe7d42a755c7fae6e5c

SHA512
6b0197fcac54c46f51bc907c9ae61893d083c4245045c374d85c50502ed7cc19f39c3db778a0526a4b98eb85f0290ced8a2042452b4a69f55e6d9e5b644837ee

Download Submit
C:\Windows\SysWOW64\Gahjgj32.exe

Filesize
325KB

MD5
c4409bb0a45e7f4a97fa0be4492c56e6

SHA1
139d7bfbdb0fd89b222b4ff180a8534156366a1f

SHA256
6da2b8146aa564bacb0e8d695ed9901e1f98ca63c2060f6a3b7bd2a541192fdc

SHA512
5d58e590e849390a60637f89c3049b344eccff22933ef563b01a313e288134ee6b419d5a7759ef3c9fe3475990e2da2dc02a498e121cd8ffa4466a75d35da361

Download Submit
C:\Windows\SysWOW64\Gahjgj32.exe

Filesize
325KB

MD5
c4409bb0a45e7f4a97fa0be4492c56e6

SHA1
139d7bfbdb0fd89b222b4ff180a8534156366a1f

SHA256
6da2b8146aa564bacb0e8d695ed9901e1f98ca63c2060f6a3b7bd2a541192fdc

SHA512
5d58e590e849390a60637f89c3049b344eccff22933ef563b01a313e288134ee6b419d5a7759ef3c9fe3475990e2da2dc02a498e121cd8ffa4466a75d35da361

Download Submit
C:\Windows\SysWOW64\Gddinf32.exe

Filesize
325KB

MD5
4b012cb044fb42695daca19381d68aeb

SHA1
dd87de89338c04c6ca64b4d5722d3c1e5421ccb2

SHA256
4a68366ad52b7da518ddbab612f264c0220a7f743da8072f6637da794abfae83

SHA512
6a85aca6b3d065122d71db8d5143b23285a3bf20c816041f70033ef4b600dd71552210789ae7406af1e2207cbed8112450cd2151ea1a5a0e72a77f97aa2a25d6

Download Submit
C:\Windows\SysWOW64\Gddinf32.exe

Filesize
325KB

MD5
4b012cb044fb42695daca19381d68aeb

SHA1
dd87de89338c04c6ca64b4d5722d3c1e5421ccb2

SHA256
4a68366ad52b7da518ddbab612f264c0220a7f743da8072f6637da794abfae83

SHA512
6a85aca6b3d065122d71db8d5143b23285a3bf20c816041f70033ef4b600dd71552210789ae7406af1e2207cbed8112450cd2151ea1a5a0e72a77f97aa2a25d6

Download Submit
C:\Windows\SysWOW64\Gdoihpbk.exe

Filesize
325KB

MD5
7554ac4db982a5f11a74faf183d35b3d

SHA1
a75c34a4bc63af140066fc090aa220fb9417acdb

SHA256
477aa3278ae3e55ebcab568fc267aa1c94248189198793a1874dad0b0167e4c7

SHA512
0e2d82975abeae8368bea15d120d7b78a544e0e612743f75397c4941f974980289bc75453ed49c31e314d796ea844b09e08b5450bcf4b70b779eb27d522c971c

Download Submit
C:\Windows\SysWOW64\Gkleeplq.exe

Filesize
325KB

MD5
43df209aec32af24931240648f1634b8

SHA1
0dea2a8dc4c58989c748b5b7b6fe92e4202cdaec

SHA256
0a08fbc0630f79415bab353649f171ba1b301f03ecb50059297172fa7948b28d

SHA512
7a0d604f84651d208d99922bd4f07ab8f202ff82b69774a67e2bbbd5617432aa0fc3b5c68bbcb5cb8398900be1cb8e1865ae94ab78ef50d9fe98a6cf62a5cce7

Download Submit
C:\Windows\SysWOW64\Gkleeplq.exe

Filesize
325KB

MD5
43df209aec32af24931240648f1634b8

SHA1
0dea2a8dc4c58989c748b5b7b6fe92e4202cdaec

SHA256
0a08fbc0630f79415bab353649f171ba1b301f03ecb50059297172fa7948b28d

SHA512
7a0d604f84651d208d99922bd4f07ab8f202ff82b69774a67e2bbbd5617432aa0fc3b5c68bbcb5cb8398900be1cb8e1865ae94ab78ef50d9fe98a6cf62a5cce7

Download Submit
C:\Windows\SysWOW64\Hajpbckl.exe

Filesize
325KB

MD5
e1dd84f2eb22ea9dc7cff3f0e25f31e7

SHA1
69e433c46e935d4d66e40c4b3dc0c82c12baa497

SHA256
ac01cf8d90179c5dc2b4dbc8bcb3d61b6bf1f05cc4ffcdb0d258690539ca1a8f

SHA512
c351bb48f6f3d5fcd394e3c721e6124b296ed171b6c80f03173a7e82dcd5e9e9ce987217e70f869491776500d64d9e696da24bee3c3f26d1d096a81d1ddf6709

Download Submit
C:\Windows\SysWOW64\Hfipbh32.exe

Filesize
325KB

MD5
b252e5233c5a291a346c5fdee0122f51

SHA1
f335aa0d4c815866eda7409276b99b894805c25f

SHA256
506b5a787ac6fdafe2096a7e9b3456a4454b438e7ad6b968c7cc12af5578b665

SHA512
4f8f64424f291a55cc0a845c6dada7726c12f9292f2e18153fa592c67367153fd00e75ae6d373d8b6391d5979af2e84b26a683e18428058702a3276dfddcc040

Download Submit
C:\Windows\SysWOW64\Hfipbh32.exe

Filesize
325KB

MD5
b252e5233c5a291a346c5fdee0122f51

SHA1
f335aa0d4c815866eda7409276b99b894805c25f

SHA256
506b5a787ac6fdafe2096a7e9b3456a4454b438e7ad6b968c7cc12af5578b665

SHA512
4f8f64424f291a55cc0a845c6dada7726c12f9292f2e18153fa592c67367153fd00e75ae6d373d8b6391d5979af2e84b26a683e18428058702a3276dfddcc040

Download Submit
C:\Windows\SysWOW64\Hgabkoee.exe

Filesize
325KB

MD5
1fa3efa3533565a45dc04cd6c99254c0

SHA1
7afdbac738bbce71fa05250a56e113ee3d25dc73

SHA256
30fdad949af192a55bd3cb997b69bf94a77a8510b4bc498b38f06ef6ff5a1328

SHA512
5a897ccd9ff2bb6e486c3bb3e373753120a4f90545044ba2ed586e0f1a9a7434a4578f4d17fc4cb59f6774ba7f1df43fd86c34c0f71ba8188992f1ce513641d4

Download Submit
C:\Windows\SysWOW64\Hgabkoee.exe

Filesize
325KB

MD5
1fa3efa3533565a45dc04cd6c99254c0

SHA1
7afdbac738bbce71fa05250a56e113ee3d25dc73

SHA256
30fdad949af192a55bd3cb997b69bf94a77a8510b4bc498b38f06ef6ff5a1328

SHA512
5a897ccd9ff2bb6e486c3bb3e373753120a4f90545044ba2ed586e0f1a9a7434a4578f4d17fc4cb59f6774ba7f1df43fd86c34c0f71ba8188992f1ce513641d4

Download Submit
C:\Windows\SysWOW64\Hheoid32.exe

Filesize
325KB

MD5
bec0d8b00480a10632c1dfbf563ec63a

SHA1
207be991eafce77dd26e084158c4842034712024

SHA256
a102f9dfda5c4c69a99a8cb3385ad36597e5e6ce5678228cdcdf3b4e9e267522

SHA512
1a6f30d353ee8f00b27f42a4412bc01626c1d0778836ccacb0582c196d15f2db8e55fe001c1a1ddfe7220052563427fa19554a333025ec9c0acd9f9feed864ba

Download Submit
C:\Windows\SysWOW64\Hheoid32.exe

Filesize
325KB

MD5
bec0d8b00480a10632c1dfbf563ec63a

SHA1
207be991eafce77dd26e084158c4842034712024

SHA256
a102f9dfda5c4c69a99a8cb3385ad36597e5e6ce5678228cdcdf3b4e9e267522

SHA512
1a6f30d353ee8f00b27f42a4412bc01626c1d0778836ccacb0582c196d15f2db8e55fe001c1a1ddfe7220052563427fa19554a333025ec9c0acd9f9feed864ba

Download Submit
C:\Windows\SysWOW64\Hkehkocf.exe

Filesize
325KB

MD5
d6d74bf3eac265ea580d7efe23308eda

SHA1
630313540ccce9032f0e70acf39f470d48f9fc01

SHA256
2fa1cd315364d0707ae5bcd83018a9379a2a1eb8c1fc1d2d26d4cdb5a485a6e9

SHA512
d09d0787bba75f49f2dde58c5ffbb41716f182bb4186aa963203b672b0b71d022d27938abdfba2d2e4fccc1ff2bf6f6fde39bf23d66be082a28238aaeab9de68

Download Submit
C:\Windows\SysWOW64\Hkehkocf.exe

Filesize
325KB

MD5
d6d74bf3eac265ea580d7efe23308eda

SHA1
630313540ccce9032f0e70acf39f470d48f9fc01

SHA256
2fa1cd315364d0707ae5bcd83018a9379a2a1eb8c1fc1d2d26d4cdb5a485a6e9

SHA512
d09d0787bba75f49f2dde58c5ffbb41716f182bb4186aa963203b672b0b71d022d27938abdfba2d2e4fccc1ff2bf6f6fde39bf23d66be082a28238aaeab9de68

Download Submit
C:\Windows\SysWOW64\Hninbj32.exe

Filesize
325KB

MD5
0c718e641c890800df5bbf711d755fb0

SHA1
bfe398bc0aa3e509e1309ff3c134d42aac8a82e8

SHA256
b6ebeb7a65362849dc7f8c1bffcb6826d72622d00f01dccc80d72a8ec2376a61

SHA512
e0058896d287fad7a100c1029f7c6b4727e2e803dcf63457a169266ffdb854baf578b7c4526207c047f734eaa9f7d529cfc8a0fb7ce30706d79e83bb2dd91f6f

Download Submit
C:\Windows\SysWOW64\Hninbj32.exe

Filesize
325KB

MD5
0c718e641c890800df5bbf711d755fb0

SHA1
bfe398bc0aa3e509e1309ff3c134d42aac8a82e8

SHA256
b6ebeb7a65362849dc7f8c1bffcb6826d72622d00f01dccc80d72a8ec2376a61

SHA512
e0058896d287fad7a100c1029f7c6b4727e2e803dcf63457a169266ffdb854baf578b7c4526207c047f734eaa9f7d529cfc8a0fb7ce30706d79e83bb2dd91f6f

Download Submit
C:\Windows\SysWOW64\Hocqam32.exe

Filesize
325KB

MD5
af78c7a4449d810c508c18e129e481a2

SHA1
e944e4f92805829c53e2dd8cd828c8bed55d5b77

SHA256
a3f2b5468df1031d908bbba3216aa089a4877ca6fef6da9a0b5d8b8c78b43160

SHA512
c04c49198ee56194eef13f38ed348c04846f51d33c280811fe0b6f8d0ffc485dffddd3115997d2b9409be3dfa7edcfbaa9f609cddee19df6ed0b9e1ae8c73253

Download Submit
C:\Windows\SysWOW64\Hocqam32.exe

Filesize
325KB

MD5
af78c7a4449d810c508c18e129e481a2

SHA1
e944e4f92805829c53e2dd8cd828c8bed55d5b77

SHA256
a3f2b5468df1031d908bbba3216aa089a4877ca6fef6da9a0b5d8b8c78b43160

SHA512
c04c49198ee56194eef13f38ed348c04846f51d33c280811fe0b6f8d0ffc485dffddd3115997d2b9409be3dfa7edcfbaa9f609cddee19df6ed0b9e1ae8c73253

Download Submit
C:\Windows\SysWOW64\Igjeanmj.exe

Filesize
325KB

MD5
dcd5c84ff0909e4a79fe1c3847e182a2

SHA1
181f5eaceca1a40f7c820cc7bca43a47fbd8150d

SHA256
99a1709ace89bb5ddfd4860097be6ed4a245e1f2f701204241ecc84d086027f6

SHA512
7b2136f57687e547e5350c197e1f9a169233c992c4a2124a76e6a048bd0a7176ff074c0d7db4b8be84dfef40f48ebaee3bac9077cf54cfe583ff94a4faa4fc0f

Download Submit
C:\Windows\SysWOW64\Igjeanmj.exe

Filesize
325KB

MD5
dcd5c84ff0909e4a79fe1c3847e182a2

SHA1
181f5eaceca1a40f7c820cc7bca43a47fbd8150d

SHA256
99a1709ace89bb5ddfd4860097be6ed4a245e1f2f701204241ecc84d086027f6

SHA512
7b2136f57687e547e5350c197e1f9a169233c992c4a2124a76e6a048bd0a7176ff074c0d7db4b8be84dfef40f48ebaee3bac9077cf54cfe583ff94a4faa4fc0f

Download Submit
C:\Windows\SysWOW64\Iiehpahb.exe

Filesize
325KB

MD5
64c11147bb26e1a19aaf1cf2eedc6308

SHA1
39698a59b73955a11881efd3368605334ba58df8

SHA256
ee30e2da1a49c1576a76d155b1d287ea716ee168eda424beb62362686de73fff

SHA512
fba0c60a02e9ff25e839f0e59a380d945be5765b910b8d48b7d8bfc45022ff2ddb3028b1b3cf7d562eb9aea4053c1825fd79965c5707d2cf6f6a779ebe9504ae

Download Submit
C:\Windows\SysWOW64\Iiehpahb.exe

Filesize
325KB

MD5
64c11147bb26e1a19aaf1cf2eedc6308

SHA1
39698a59b73955a11881efd3368605334ba58df8

SHA256
ee30e2da1a49c1576a76d155b1d287ea716ee168eda424beb62362686de73fff

SHA512
fba0c60a02e9ff25e839f0e59a380d945be5765b910b8d48b7d8bfc45022ff2ddb3028b1b3cf7d562eb9aea4053c1825fd79965c5707d2cf6f6a779ebe9504ae

Download Submit
C:\Windows\SysWOW64\Ikaggmii.exe

Filesize
325KB

MD5
b21e823375d63abca638f1ee2f71adba

SHA1
41f2307dab8a25bf868a814907ba6fa662f16012

SHA256
a2db20359877ca59b49338affcaf21265629037e52d406544618131b403ad3e6

SHA512
4e7f86907f75920dacb46748353e471dc1bcddbbb57e28414ff860d2ac08c1c0d9acd420e3fa1992afb5e9a3a5d722ced0b2a770c62a1bb0750e49547dee9ad5

Download Submit
C:\Windows\SysWOW64\Ikaggmii.exe

Filesize
325KB

MD5
b21e823375d63abca638f1ee2f71adba

SHA1
41f2307dab8a25bf868a814907ba6fa662f16012

SHA256
a2db20359877ca59b49338affcaf21265629037e52d406544618131b403ad3e6

SHA512
4e7f86907f75920dacb46748353e471dc1bcddbbb57e28414ff860d2ac08c1c0d9acd420e3fa1992afb5e9a3a5d722ced0b2a770c62a1bb0750e49547dee9ad5

Download Submit
C:\Windows\SysWOW64\Iokgal32.exe

Filesize
325KB

MD5
767b166c3da4a6447bc3299ed07ff3a9

SHA1
5460b281559ec45a185f120477524d086648d1d4

SHA256
b0c37abd140b2e1b5587a27c319cdbebe8906b3455a4e77b61a07ad32f33f0ff

SHA512
0261117edf0703069b9814275e77698d7629c062beba8caab76283a67ad7a56069130883b715c17dfa776a7ca1d129188cd52d6c4419f53f717400f51d19d38a

Download Submit
C:\Windows\SysWOW64\Iokgal32.exe

Filesize
325KB

MD5
767b166c3da4a6447bc3299ed07ff3a9

SHA1
5460b281559ec45a185f120477524d086648d1d4

SHA256
b0c37abd140b2e1b5587a27c319cdbebe8906b3455a4e77b61a07ad32f33f0ff

SHA512
0261117edf0703069b9814275e77698d7629c062beba8caab76283a67ad7a56069130883b715c17dfa776a7ca1d129188cd52d6c4419f53f717400f51d19d38a

Download Submit
C:\Windows\SysWOW64\Ioopml32.exe

Filesize
325KB

MD5
1f9566a7c49729f12afac154f6ebf763

SHA1
21723b6c97918f799d9b9dac23944ef4017a81f6

SHA256
59cab99e8c569205cfbdecc1d5b768102b12bbf06a678f5557cd0c238ee37407

SHA512
7902ba4308b7212fd8486801602af5cd268dcc569d1655ed1437d80ff9bcb63fe8a83ba99b531386b2a63a4476a50b683478737caaa93242e06b0fa5bc8931c9

Download Submit
C:\Windows\SysWOW64\Ioopml32.exe

Filesize
325KB

MD5
1f9566a7c49729f12afac154f6ebf763

SHA1
21723b6c97918f799d9b9dac23944ef4017a81f6

SHA256
59cab99e8c569205cfbdecc1d5b768102b12bbf06a678f5557cd0c238ee37407

SHA512
7902ba4308b7212fd8486801602af5cd268dcc569d1655ed1437d80ff9bcb63fe8a83ba99b531386b2a63a4476a50b683478737caaa93242e06b0fa5bc8931c9

Download Submit
C:\Windows\SysWOW64\Jeekkafl.exe

Filesize
325KB

MD5
a3fd7fcf4bad25c2f3585dd0840f9b17

SHA1
41dcc6ac1ac7904b58529ad5cb82c51e2b5de528

SHA256
a6fbc2694c52e4f0c92e3d750a8d6d970ffaa2997a51f4ed23ebfbfebef4def5

SHA512
a9263a55ea6b23100a549461bc24ae5f42ecf23070f18f966bd7ec9ea727505393cd5ac6994e147c61af1a1b388202f1d58e8602adff547c7a533d73bd0d0adc

Download Submit
C:\Windows\SysWOW64\Jeekkafl.exe

Filesize
325KB

MD5
a3fd7fcf4bad25c2f3585dd0840f9b17

SHA1
41dcc6ac1ac7904b58529ad5cb82c51e2b5de528

SHA256
a6fbc2694c52e4f0c92e3d750a8d6d970ffaa2997a51f4ed23ebfbfebef4def5

SHA512
a9263a55ea6b23100a549461bc24ae5f42ecf23070f18f966bd7ec9ea727505393cd5ac6994e147c61af1a1b388202f1d58e8602adff547c7a533d73bd0d0adc

Download Submit
C:\Windows\SysWOW64\Jfehed32.exe

Filesize
325KB

MD5
d326b77ea01626f62984b65751ebd021

SHA1
5c41513d7171d685cea28d997d26ecd92a294735

SHA256
7a0e146e2591f706034e4f2bfcb93f080e34d132846c0718952f76f49090b16e

SHA512
fa98670f135ebdd07b96c544fd00de97911274005f9ae586d2f4a502f2c9f39781de63b6261917f30d71ea31b3ece247cfae6ec9e446894d211e6bb6f46a011c

Download Submit
C:\Windows\SysWOW64\Jfehed32.exe

Filesize
325KB

MD5
d326b77ea01626f62984b65751ebd021

SHA1
5c41513d7171d685cea28d997d26ecd92a294735

SHA256
7a0e146e2591f706034e4f2bfcb93f080e34d132846c0718952f76f49090b16e

SHA512
fa98670f135ebdd07b96c544fd00de97911274005f9ae586d2f4a502f2c9f39781de63b6261917f30d71ea31b3ece247cfae6ec9e446894d211e6bb6f46a011c

Download Submit
C:\Windows\SysWOW64\Jilnqqbj.exe

Filesize
325KB

MD5
c95e7bf25d064df4bc0b07ba9f1081e2

SHA1
6640639b047419ac2bd5cf6f43d6c710164f583e

SHA256
29b1d28a536944144a666b5f83bf2aeb9cffb06128e9f2cd0b84632fdbf47577

SHA512
205ae0793f81177be28908f5805b48280c979faa15baac1a145c8d6ee6d6486a81c0fbc95089adb4e2f96abd45c35177ff988f2267fc52516db5a3fa3e2ad4fa

Download Submit
C:\Windows\SysWOW64\Jilnqqbj.exe

Filesize
325KB

MD5
c95e7bf25d064df4bc0b07ba9f1081e2

SHA1
6640639b047419ac2bd5cf6f43d6c710164f583e

SHA256
29b1d28a536944144a666b5f83bf2aeb9cffb06128e9f2cd0b84632fdbf47577

SHA512
205ae0793f81177be28908f5805b48280c979faa15baac1a145c8d6ee6d6486a81c0fbc95089adb4e2f96abd45c35177ff988f2267fc52516db5a3fa3e2ad4fa

Download Submit
C:\Windows\SysWOW64\Jkaqnk32.exe

Filesize
325KB

MD5
4085deb23e5755580768999e8a1375d5

SHA1
b81f91532192aca5945e592e710d063ab0bef05f

SHA256
064e75641a6d8576bdbff079bb92642e1882d13593eb60ef1973e16ab317317c

SHA512
552d09073d68bfd25159fc0bafc5206f7c3b2fc787efda0cb949863fad523b0fbb0143b9a193289eafa0125a0bec0eacfc0b45a2bf4e49b4fab43cdf547b073b

Download Submit
C:\Windows\SysWOW64\Jkaqnk32.exe

Filesize
325KB

MD5
4085deb23e5755580768999e8a1375d5

SHA1
b81f91532192aca5945e592e710d063ab0bef05f

SHA256
064e75641a6d8576bdbff079bb92642e1882d13593eb60ef1973e16ab317317c

SHA512
552d09073d68bfd25159fc0bafc5206f7c3b2fc787efda0cb949863fad523b0fbb0143b9a193289eafa0125a0bec0eacfc0b45a2bf4e49b4fab43cdf547b073b

Download Submit
C:\Windows\SysWOW64\Jnifigpa.exe

Filesize
325KB

MD5
0398453a33b213c2c5c42549f5df9c00

SHA1
260bc8a29baf9811743e27ede2bbc3d9c0442924

SHA256
b54cb7ad271b01a873fd1cc0726198b8a3025c7f5adc6e7c78d7679bf9e62bc8

SHA512
129da17939efe06d40958bd3319e62191998638d90185e7eabca0633e5494636012e4f46522d08e19e508afd36a1c3dc0a3fa70cf69f6f05476a741ce12cb4e9

Download Submit
C:\Windows\SysWOW64\Jnifigpa.exe

Filesize
325KB

MD5
0398453a33b213c2c5c42549f5df9c00

SHA1
260bc8a29baf9811743e27ede2bbc3d9c0442924

SHA256
b54cb7ad271b01a873fd1cc0726198b8a3025c7f5adc6e7c78d7679bf9e62bc8

SHA512
129da17939efe06d40958bd3319e62191998638d90185e7eabca0633e5494636012e4f46522d08e19e508afd36a1c3dc0a3fa70cf69f6f05476a741ce12cb4e9

Download Submit
C:\Windows\SysWOW64\Kbghfc32.exe

Filesize
325KB

MD5
0ecc13e9379e627406fc6610970960f2

SHA1
7b9f6ec288cec7000041e68347f6e89c15cee2ab

SHA256
77b4a21c2b2e81b93d71667bb7b3ed00ec68ceba16d4c19484f5d1c7ba93dbcf

SHA512
507599c32339a42387b1607bb4761e07c2d7ce728567c48e26bc58778ca309ee277270f84185fdc2956a282d852e241927e367997e57e841f05243326272a744

Download Submit
C:\Windows\SysWOW64\Kbghfc32.exe

Filesize
325KB

MD5
0ecc13e9379e627406fc6610970960f2

SHA1
7b9f6ec288cec7000041e68347f6e89c15cee2ab

SHA256
77b4a21c2b2e81b93d71667bb7b3ed00ec68ceba16d4c19484f5d1c7ba93dbcf

SHA512
507599c32339a42387b1607bb4761e07c2d7ce728567c48e26bc58778ca309ee277270f84185fdc2956a282d852e241927e367997e57e841f05243326272a744

Download Submit
C:\Windows\SysWOW64\Kbpbed32.exe

Filesize
325KB

MD5
4fec5b5d2f7bb84d432e68fe77637802

SHA1
633387868d1d35fec87fd59292ec0444f18edd8c

SHA256
5c2fdc7802d5cd6b5ea1c8f8d364697c51ce3528a86cd5b48c973bfc5d1a195b

SHA512
7b8f8127cd67edf0e36ab86d4931fe4653eb640c609714b60cb197e2eca63d6539a3583ec26f1df7c857a22c11d0d3218955333dd6bfa2d13e1f96dd3bcc0b48

Download Submit
C:\Windows\SysWOW64\Kbpbed32.exe

Filesize
325KB

MD5
4fec5b5d2f7bb84d432e68fe77637802

SHA1
633387868d1d35fec87fd59292ec0444f18edd8c

SHA256
5c2fdc7802d5cd6b5ea1c8f8d364697c51ce3528a86cd5b48c973bfc5d1a195b

SHA512
7b8f8127cd67edf0e36ab86d4931fe4653eb640c609714b60cb197e2eca63d6539a3583ec26f1df7c857a22c11d0d3218955333dd6bfa2d13e1f96dd3bcc0b48

Download Submit
C:\Windows\SysWOW64\Kcpahpmd.exe

Filesize
325KB

MD5
2f77fae79098f9ae2f8811f0b435c4fd

SHA1
3344a7e9253dbc4f13c7a1ced3d0179cf6fab336

SHA256
96b2e0d7b8a5bc271975475c7e2f67c081edbf2a95189364e6e1ffe2fc5430d8

SHA512
74540b92be6e9ae3f4a6ba6aa9f7ac94150a55bb56c0ad3e3fdb6450a3ac02336ec59fc2b84170b45f09fcb76ce1752f7b780af3261cfc967c637cc323e5909c

Download Submit
C:\Windows\SysWOW64\Kefdbo32.exe

Filesize
325KB

MD5
98187f41a18868c2557bae209c47d761

SHA1
da928f14542086c0034b52116cbd3cd4b210e10e

SHA256
5e8095909f284e5b2dd7048ec83c22aaf80a030dfafdcc213a21f30008667906

SHA512
4014cbacd67809e5b482c1043eade9e0f4e52b47133927111411bb58c353a8a61653982205261c292843150ca24c88a1ac79bef2bea43bcc08aba2e8123531d1

Download Submit
C:\Windows\SysWOW64\Kefdbo32.exe

Filesize
325KB

MD5
98187f41a18868c2557bae209c47d761

SHA1
da928f14542086c0034b52116cbd3cd4b210e10e

SHA256
5e8095909f284e5b2dd7048ec83c22aaf80a030dfafdcc213a21f30008667906

SHA512
4014cbacd67809e5b482c1043eade9e0f4e52b47133927111411bb58c353a8a61653982205261c292843150ca24c88a1ac79bef2bea43bcc08aba2e8123531d1

Download Submit
C:\Windows\SysWOW64\Khbdikip.exe

Filesize
325KB

MD5
872378e36e1aa8fa74314ac1973c816e

SHA1
e2c82843600fb74590d44b946a34a8671ac5a9bc

SHA256
a99ec292274973bdbdd0cd19fcab31f24b60fa6503cb7553ceeafa87227c0a76

SHA512
723ffb6c76180a69ba99dff9bb30bb0d0f7c1fd58c60af0b895b27ab7dd0b669a1948f232a36eb280e17f3f3cf596b00d944268bcc76e085b59a6b2bf221906f

Download Submit
C:\Windows\SysWOW64\Khbdikip.exe

Filesize
325KB

MD5
872378e36e1aa8fa74314ac1973c816e

SHA1
e2c82843600fb74590d44b946a34a8671ac5a9bc

SHA256
a99ec292274973bdbdd0cd19fcab31f24b60fa6503cb7553ceeafa87227c0a76

SHA512
723ffb6c76180a69ba99dff9bb30bb0d0f7c1fd58c60af0b895b27ab7dd0b669a1948f232a36eb280e17f3f3cf596b00d944268bcc76e085b59a6b2bf221906f

Download Submit
C:\Windows\SysWOW64\Knbiofhg.exe

Filesize
325KB

MD5
5cf7af3d1711b566c5aeb6d41cdfaa1a

SHA1
9ac4c9d803c2f77dc45af5af6d4731aec1196329

SHA256
797a046611f79569fb91db7454aae47e8a255385d3a8f09940227ddb4eac486f

SHA512
525d8b75e4acc1c5faab997e0ba2584ce9bc900705bfd3ece396bc25260827815cb0b9c2467d47a51241ad12e82d1b16a15af107788cc5561919fc64fc4b04c3

Download Submit
C:\Windows\SysWOW64\Knbiofhg.exe

Filesize
325KB

MD5
5cf7af3d1711b566c5aeb6d41cdfaa1a

SHA1
9ac4c9d803c2f77dc45af5af6d4731aec1196329

SHA256
797a046611f79569fb91db7454aae47e8a255385d3a8f09940227ddb4eac486f

SHA512
525d8b75e4acc1c5faab997e0ba2584ce9bc900705bfd3ece396bc25260827815cb0b9c2467d47a51241ad12e82d1b16a15af107788cc5561919fc64fc4b04c3

Download Submit
C:\Windows\SysWOW64\Kpdboimg.exe

Filesize
325KB

MD5
87b0f30ab1791e12789c5fe854cbb326

SHA1
f20af95269b837d12fe852bbb94fcec9a08b3ba7

SHA256
28dcbcb7f9c275f4c897749b105c5d06ad8a103dbb45c4055ed82a4f760652c1

SHA512
d8fafaa2a7504e17729c674078f9d2626c5e0bad27c06359dee32d37631b7c7fb307d4db177212875b1f05e305573386e8388a706b7bb9a20bf046dc69bdf2cb

Download Submit
C:\Windows\SysWOW64\Kpdboimg.exe

Filesize
325KB

MD5
87b0f30ab1791e12789c5fe854cbb326

SHA1
f20af95269b837d12fe852bbb94fcec9a08b3ba7

SHA256
28dcbcb7f9c275f4c897749b105c5d06ad8a103dbb45c4055ed82a4f760652c1

SHA512
d8fafaa2a7504e17729c674078f9d2626c5e0bad27c06359dee32d37631b7c7fb307d4db177212875b1f05e305573386e8388a706b7bb9a20bf046dc69bdf2cb

Download Submit
C:\Windows\SysWOW64\Kpgodhkd.exe

Filesize
325KB

MD5
e8bc2cbd3dc072ebc6bc437726949335

SHA1
602b35e34452374ef56aeb8ed9ecbefa51995a6e

SHA256
03d53cc5c78dcd526dfbb1f17b0ce4e3aaf36121d5d79311a201682eb5a0e9af

SHA512
398e095774d4fae9b30ecea9a82f2c5c7882326458345187b7033c6c25d761efe780f1a817bc6863e275ba1ea202ed1d179a97a2178c200bc8a0b7ea297e5844

Download Submit
C:\Windows\SysWOW64\Kpgodhkd.exe

Filesize
325KB

MD5
e8bc2cbd3dc072ebc6bc437726949335

SHA1
602b35e34452374ef56aeb8ed9ecbefa51995a6e

SHA256
03d53cc5c78dcd526dfbb1f17b0ce4e3aaf36121d5d79311a201682eb5a0e9af

SHA512
398e095774d4fae9b30ecea9a82f2c5c7882326458345187b7033c6c25d761efe780f1a817bc6863e275ba1ea202ed1d179a97a2178c200bc8a0b7ea297e5844

Download Submit
C:\Windows\SysWOW64\Lkabjbih.exe

Filesize
325KB

MD5
cacad526b7fe3e0e33760db727c7176c

SHA1
97ec8d701a243da921b313ac118927203ac99da1

SHA256
e96c8813f1726d3481810898788259c35dd478762104cf5005f4c2a1dab88a75

SHA512
e9c5401ba1f444d2081cb4503ed6ffe4951becbb46501de6b390ece27315c343d249c11d5f4933ded61c3e3a5e2ec979750038539ac0b42ed79699ace8be2178

Download Submit
C:\Windows\SysWOW64\Llpmoiof.exe

Filesize
325KB

MD5
21e07285224efb3c4f46d4414a106e3c

SHA1
cd5aa4f4f65e67cc2d275e1e3d0467b4563a89b8

SHA256
cdb5a4c0190e19ce8202b89be997ac1d15ffff97ce070e553d36d546f7ee5f81

SHA512
0b8ef38609407217a71eb74b2f0fd9a5d3f53980b2031cc9398a43d28e9b7632af71ff2bfe67000bd0734c490a081c787139bbb17ce4f4ac51fbb6784ad9b5ec

Download Submit
C:\Windows\SysWOW64\Llpmoiof.exe

Filesize
325KB

MD5
21e07285224efb3c4f46d4414a106e3c

SHA1
cd5aa4f4f65e67cc2d275e1e3d0467b4563a89b8

SHA256
cdb5a4c0190e19ce8202b89be997ac1d15ffff97ce070e553d36d546f7ee5f81

SHA512
0b8ef38609407217a71eb74b2f0fd9a5d3f53980b2031cc9398a43d28e9b7632af71ff2bfe67000bd0734c490a081c787139bbb17ce4f4ac51fbb6784ad9b5ec

Download Submit
C:\Windows\SysWOW64\Manmoq32.exe

Filesize
325KB

MD5
558ebb1589512f75ec9fa446522a2ae0

SHA1
c9615e89c145ff2cf4284946bb8ad018eaf0ae14

SHA256
5b7964025f9219c5b43bd761afba63cbe9110b88f0f9261b6ce84487866ddd73

SHA512
0fd94052ec1bed965cfd3bf2c05dfe0b4aa0e1196c21e9c750135fb2d87e240c32fa38b06e0185cc1dc83064d931ab696545176753c05be86718cafdda8a5cf8

Download Submit
C:\Windows\SysWOW64\Miofjepg.exe

Filesize
325KB

MD5
fe0ec14fc7de2a1c6ddacaee7b0ed184

SHA1
eab10641daadb851de44710b473cfcac3d5352ac

SHA256
8979041fc290cea0226eeae8d1d4092d1a73d4b8e6cd669e1ddf39ade03137a0

SHA512
b96d330187839b027dac6dc1b291a047babe3e4dae4e56416d1fc855fac3a72a3865edcf6eb8520efbc4c804158abe64cb6416251d5a86ba9142e5437975f8c7

Download Submit
C:\Windows\SysWOW64\Nbcjnilj.exe

Filesize
325KB

MD5
2e4523260f6d24f685308fb7b62681d0

SHA1
356c2c1be40da036397532b2f2beff57998877af

SHA256
9cc806cebc60e13f8e66b572f84121fc5c5b05cbffb7e35cce07b3db1e9d7808

SHA512
cac6f178729f58f021ca82fe21efdf1c86e0ecbb323be1ec8084bf80bd6989eaf60d61e2cb44fef3d0d2d2d72361219c6f84b3a1503ce9b33264fc50087e264c

Download Submit
C:\Windows\SysWOW64\Nbqmiinl.exe

Filesize
325KB

MD5
d8ff0580324e4775e7943447cb064ee7

SHA1
ee58dc3ea474ca45ce69571dbc936a4fdf96630c

SHA256
5f632a644cf11b158e85781c63b34c22be744ed5b2e0aa9262fb708b0391e824

SHA512
598a5393b5bcd6c0766031ef7f76dd18adb1e93a57c2939c91733d6bd203c6f8c307357d895e13c8d666e8203e8bdbf40f4eca5a5f9d8e5ef0bc246f3d8edae5

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
325KB

MD5
37935f4c5820b72be9ea6075321a11f8

SHA1
5c07a6274b8cab7234938fedd90cac72ba078f41

SHA256
2f7ecc51838e23a55e723eb5cd6a0d14bfe7febce7faac46dc524a87c674f170

SHA512
a8325b0b2f59ae264a6ae5fc97c32359bfae7a9c44a4e14d7fe2374aa89bc9266b694f7926b13d7a49c80982895d1c25d0306b8f8aae29b3e8b394c1033d4c43

Download Submit
C:\Windows\SysWOW64\Ohghgodi.exe

Filesize
325KB

MD5
8a38f64ee98d5c75c3a1490991c45e74

SHA1
5e46e5dd3baabbb41602f31b16d7915233041ec1

SHA256
d66724e24484793104509d262564e2d4f4e886b247eff7d64f860b33a2e1fdd5

SHA512
38a159ab06161f77625cdcca4bd9d86e1f2d7dbdaaf57dfe9cb0366ade2c19cf0b3fa33874d1d4ed6b064d7f5197e952556f685366ca9f4b79f20bd15b14e033

Download Submit
C:\Windows\SysWOW64\Pdhkcb32.exe

Filesize
325KB

MD5
335af55784244bd667d580c9a9b37314

SHA1
9ccc3696e063b25feb62f8eef8f55c0c6f944ffb

SHA256
82e34f8b57588ecb9777b6fa0dbc2ae63182efb2a95e9b736114a0d709888a6a

SHA512
30884eb8cc88b3a460bf08a59707edf2fe7b5575a26e7edc7cc1ee0d9957a726f8da1bc9de1be7d16100578f94182f2d5858d79207f7c662b1dfbc8aa8ceef8b

Download Submit
C:\Windows\SysWOW64\Pkogiikb.exe

Filesize
325KB

MD5
be66b05d3b14ab93e6fbe1dd48f7067a

SHA1
7b70a9ce212ccc47ceef9f1fac05680f2cdecaa5

SHA256
013a5d868ef519e27c9b573116863446370f8811c4cb353e76b8022668b45fdb

SHA512
5ddfa03c3ea45609ee56f02ea1366241111a918fcf9753d8a5c01c37ddaea714d3b9a9e8aff74a08f91f6f2d90b2cd48e7a986451c61e8fb4c466e681c818eef

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
325KB

MD5
7d7a2fa17baab625b9fe25164f7e6c50

SHA1
c4fa201624845a3bd028e2db897c11fec449eaa8

SHA256
d337d2704088858f8babec9ca3de80a33160b48464db045fda41175f467ec5e1

SHA512
8cf607d4c87f2359f9d94c165e71cdf60005b610005d5447daeb5c90e3639349e723f32f3aae5dbf48102b724778b13fbc8c52ea6f5e2ecefb47571cb173f61c

Download Submit
memory/32-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/180-661-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/180-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/420-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/420-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-664-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-647-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-596-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-633-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-653-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-654-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-660-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-676-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-662-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-663-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-671-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads