f441e6bb12a17d2ef68609cc9bfe5e563230e4f7fa19d6366ef664f9ffe56dde

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2023 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d8ab61ba7c50b5d0a1957a0a35466dd0.exe
Size

125KB
MD5

d8ab61ba7c50b5d0a1957a0a35466dd0
SHA1

44c8a5b50fd4899134e8c6127a9d1ff15c26466a
SHA256

f441e6bb12a17d2ef68609cc9bfe5e563230e4f7fa19d6366ef664f9ffe56dde
SHA512

b2fd62eab3aa7bab699c3669176fec82e6d5961d4b6dd22d86816051460d25daf62ea3976c7b51cc1c9fe4291523db0b1806c01e663040c8848a800154b823be
SSDEEP

3072:kVYMUOhj3qix+W1cf1WdTCn93OGey/ZhJakrPF:kVZvhT+W1cQTCndOGeKTaG

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chglab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekaapi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmafajfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Knalji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjlhgaqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebjdgmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpjlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eejeiocj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gncchb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.d8ab61ba7c50b5d0a1957a0a35466dd0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qhngolpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndeii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpkibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpelhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njmhhefi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmaamn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajqda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bopocbcq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbfab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjnqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nncccnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooejohhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phdnngdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eblimcdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eejeiocj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njfkmphe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fealin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcdjbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Allpejfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nndjndbh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghcocol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efccmidp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koodbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lomqcjie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lggldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hplbickp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bblnindg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmflbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phfjcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Felbnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pefhlaie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allpejfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bblnindg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgepom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qlgpod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebimgcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iebngial.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgqfdnah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgccinoe.exe

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/memory/4628-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00040000000006e5-6.dat	family_berbew
behavioral2/memory/4288-13-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022ddd-14.dat	family_berbew
behavioral2/files/0x00040000000006e5-7.dat	family_berbew
behavioral2/memory/3920-16-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022ddd-15.dat	family_berbew
behavioral2/files/0x0006000000022e11-21.dat	family_berbew
behavioral2/files/0x0006000000022e11-24.dat	family_berbew
behavioral2/memory/4880-23-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/696-32-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e13-31.dat	family_berbew
behavioral2/files/0x0006000000022e13-30.dat	family_berbew
behavioral2/files/0x0006000000022e16-37.dat	family_berbew
behavioral2/memory/4492-40-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e16-39.dat	family_berbew
behavioral2/files/0x0006000000022e19-41.dat	family_berbew
behavioral2/files/0x0006000000022e19-46.dat	family_berbew
behavioral2/memory/2812-47-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e19-48.dat	family_berbew
behavioral2/files/0x0006000000022e1b-54.dat	family_berbew
behavioral2/files/0x0006000000022e1b-55.dat	family_berbew
behavioral2/memory/3548-56-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e1e-62.dat	family_berbew
behavioral2/memory/3484-64-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e1e-63.dat	family_berbew
behavioral2/memory/2236-76-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e20-71.dat	family_berbew
behavioral2/files/0x0006000000022e20-70.dat	family_berbew
behavioral2/files/0x0006000000022e22-78.dat	family_berbew
behavioral2/memory/4372-80-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e22-79.dat	family_berbew
behavioral2/memory/3008-87-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e24-88.dat	family_berbew
behavioral2/files/0x0006000000022e26-94.dat	family_berbew
behavioral2/files/0x0006000000022e24-86.dat	family_berbew
behavioral2/memory/3084-95-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e26-96.dat	family_berbew
behavioral2/files/0x0006000000022e28-102.dat	family_berbew
behavioral2/files/0x0006000000022e28-103.dat	family_berbew
behavioral2/memory/2736-104-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e2a-110.dat	family_berbew
behavioral2/files/0x0006000000022e2a-112.dat	family_berbew
behavioral2/memory/5064-111-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e2c-113.dat	family_berbew
behavioral2/files/0x0006000000022e2c-118.dat	family_berbew
behavioral2/memory/856-120-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e2c-119.dat	family_berbew
behavioral2/files/0x0006000000022e2e-126.dat	family_berbew
behavioral2/memory/2676-128-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e2e-127.dat	family_berbew
behavioral2/memory/4084-135-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e30-134.dat	family_berbew
behavioral2/files/0x0006000000022e30-136.dat	family_berbew
behavioral2/files/0x0006000000022e32-142.dat	family_berbew
behavioral2/files/0x0006000000022e32-144.dat	family_berbew
behavioral2/memory/4696-143-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e34-150.dat	family_berbew
behavioral2/memory/760-152-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e34-151.dat	family_berbew
behavioral2/files/0x0006000000022e36-158.dat	family_berbew
behavioral2/files/0x0006000000022e36-159.dat	family_berbew
behavioral2/memory/4268-160-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e38-166.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
4288	Legjmh32.exe
3920	Lkabjbih.exe
4880	Lghcocol.exe
696	Meamcg32.exe
4492	Mbgjbkfg.exe
2812	Mlbkap32.exe
3548	Naaqofgj.exe
3484	Nhkikq32.exe
2236	Nbqmiinl.exe
4372	Nhmeapmd.exe
3008	Neafjdkn.exe
3084	Nknobkje.exe
2736	Ooqqdi32.exe
5064	Ooejohhq.exe
856	Pedlgbkh.exe
2676	Pefhlaie.exe
4084	Pamiaboj.exe
4696	Poajkgnc.exe
760	Plejdkmm.exe
4268	Pabblb32.exe
2036	Qlggjk32.exe
4016	Qhngolpo.exe
2960	Qaflgago.exe
4872	Allpejfe.exe
384	Aaiimadl.exe
1492	Achegd32.exe
4488	Bhcjqinf.exe
4296	Bblnindg.exe
4072	Bopocbcq.exe
3456	Cjecpkcg.exe
1036	Cbphdn32.exe
1332	Cmflbf32.exe
4400	Cjjlkk32.exe
3508	Cofecami.exe
2836	Cjliajmo.exe
2216	Ccdnjp32.exe
3668	Cjnffjkl.exe
1832	Ckpbnb32.exe
224	Dmoohe32.exe
1836	Dblgpl32.exe
1816	Dmalne32.exe
3196	Dihlbf32.exe
4924	Dcnqpo32.exe
1912	Dikihe32.exe
2808	Dcpmen32.exe
3772	Dimenegi.exe
3280	Ecbjkngo.exe
4840	Ejlbhh32.exe
4680	Efccmidp.exe
4728	Elpkep32.exe
2712	Ejalcgkg.exe
2148	Epndknin.exe
4212	Embddb32.exe
3564	Ipmbjgpi.exe
2732	Jkgpbp32.exe
2356	Jjlmclqa.exe
916	Jlobkg32.exe
2456	Jcikgacl.exe
4516	Kqmkae32.exe
1192	Kclgmq32.exe
4500	Knalji32.exe
2708	Kcndbp32.exe
3552	Kjhloj32.exe
4444	Kdmqmc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nccokk32.exe	Naecop32.exe
File created	C:\Windows\SysWOW64\Ilqoobdd.exe	Ibhkfm32.exe
File opened for modification	C:\Windows\SysWOW64\Ponfka32.exe	Phdnngdn.exe
File created	C:\Windows\SysWOW64\Ccoecbmi.dll	Bobabg32.exe
File created	C:\Windows\SysWOW64\Nhmeapmd.exe	Nbqmiinl.exe
File opened for modification	C:\Windows\SysWOW64\Jjlmclqa.exe	Jkgpbp32.exe
File created	C:\Windows\SysWOW64\Ohlqcagj.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Ajmdgelp.dll	Dcpmen32.exe
File opened for modification	C:\Windows\SysWOW64\Embddb32.exe	Epndknin.exe
File created	C:\Windows\SysWOW64\Cleegp32.exe	Cndeii32.exe
File created	C:\Windows\SysWOW64\Neclenfo.exe	Nmlddqem.exe
File created	C:\Windows\SysWOW64\Cmpmfmao.dll	Anobgl32.exe
File created	C:\Windows\SysWOW64\Pqhfnd32.dll	Hemdlj32.exe
File created	C:\Windows\SysWOW64\Cjijid32.dll	Nncccnol.exe
File created	C:\Windows\SysWOW64\Offnhpfo.exe	Oplfkeob.exe
File opened for modification	C:\Windows\SysWOW64\Nhkikq32.exe	Naaqofgj.exe
File opened for modification	C:\Windows\SysWOW64\Bopocbcq.exe	Bblnindg.exe
File created	C:\Windows\SysWOW64\Ckpbnb32.exe	Cjnffjkl.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Cglbhhga.exe
File opened for modification	C:\Windows\SysWOW64\Ojgjndno.exe	Oejbfmpg.exe
File opened for modification	C:\Windows\SysWOW64\Lgbloglj.exe	Lqhdbm32.exe
File created	C:\Windows\SysWOW64\Lhjlnlii.dll	Ooejohhq.exe
File opened for modification	C:\Windows\SysWOW64\Aaiimadl.exe	Allpejfe.exe
File created	C:\Windows\SysWOW64\Nmnqjp32.exe	Nlmdbh32.exe
File created	C:\Windows\SysWOW64\Bnffda32.dll	Dblgpl32.exe
File created	C:\Windows\SysWOW64\Omjpeo32.exe	Ohmhmh32.exe
File created	C:\Windows\SysWOW64\Dmkalh32.dll	Fmfgek32.exe
File created	C:\Windows\SysWOW64\Jjofoqdn.dll	Hpqldc32.exe
File created	C:\Windows\SysWOW64\Lblldc32.dll	Ibfnqmpf.exe
File created	C:\Windows\SysWOW64\Ibhkfm32.exe	Iedjmioj.exe
File created	C:\Windows\SysWOW64\Lcdciiec.exe	Lljklo32.exe
File created	C:\Windows\SysWOW64\Mcpcdg32.exe	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Injmlc32.dll	Dihlbf32.exe
File opened for modification	C:\Windows\SysWOW64\Adkgje32.exe	Akccap32.exe
File created	C:\Windows\SysWOW64\Klqcmdnk.dll	Hplbickp.exe
File created	C:\Windows\SysWOW64\Bgpcliao.exe	Bacjdbch.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Kcmmhj32.exe	Kgflcifg.exe
File created	C:\Windows\SysWOW64\Pabblb32.exe	Plejdkmm.exe
File opened for modification	C:\Windows\SysWOW64\Dimenegi.exe	Dcpmen32.exe
File created	C:\Windows\SysWOW64\Felbnn32.exe	Enbjad32.exe
File created	C:\Windows\SysWOW64\Coqncejg.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Lcjkqlam.dll	Ooqqdi32.exe
File created	C:\Windows\SysWOW64\Bahkih32.exe	Bllbaa32.exe
File opened for modification	C:\Windows\SysWOW64\Fpgpgfmh.exe	Fealin32.exe
File created	C:\Windows\SysWOW64\Nmlddqem.exe	Njmhhefi.exe
File opened for modification	C:\Windows\SysWOW64\Nceefd32.exe	Nmkmjjaa.exe
File created	C:\Windows\SysWOW64\Fmpbqoqg.dll	Cjnffjkl.exe
File opened for modification	C:\Windows\SysWOW64\Jlobkg32.exe	Jjlmclqa.exe
File opened for modification	C:\Windows\SysWOW64\Gbeejp32.exe	Glkmmefl.exe
File opened for modification	C:\Windows\SysWOW64\Ipmbjgpi.exe	Embddb32.exe
File created	C:\Windows\SysWOW64\Aamebb32.dll	Coegoe32.exe
File created	C:\Windows\SysWOW64\Fimhbfpl.dll	Fpdcag32.exe
File opened for modification	C:\Windows\SysWOW64\Lobjni32.exe	Ljeafb32.exe
File opened for modification	C:\Windows\SysWOW64\Bkibgh32.exe	Bpdnjple.exe
File opened for modification	C:\Windows\SysWOW64\Phcgcqab.exe	Paiogf32.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Pgapfg32.dll	Cjliajmo.exe
File created	C:\Windows\SysWOW64\Kbopqlen.dll	Pejkmk32.exe
File created	C:\Windows\SysWOW64\Fiaael32.exe	Fnlmhc32.exe
File created	C:\Windows\SysWOW64\Qfmmplad.exe	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Jcikgacl.exe	Jlobkg32.exe
File opened for modification	C:\Windows\SysWOW64\Anobgl32.exe	Alnfpcag.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9648	9556	WerFault.exe	417

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehkga32.dll"	Nndjndbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkgcea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbbnpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcikgacl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjnkpdc.dll"	Gpbpbecj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmennnni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqppgj32.dll"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnedaem.dll"	Nbqmiinl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkgpbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebimgcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbmjjno.dll"	Knnhjcog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnlecmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lomqcjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pedlgbkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojjf32.dll"	Jkgpbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjlmclqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igpoaebh.dll"	Pkpmdbfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhepbll.dll"	Dmoohe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Naecop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcbfcigf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibfnqmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbfgkffn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgqfdnah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npjfngdm.dll"	Lggldm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gemkelcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cofecami.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcnqpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efccmidp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjeehbgh.dll"	Alelqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgjmg32.dll"	Hefnkkkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekoglqie.dll"	Kcmmhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqpcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memfnodb.dll"	Ckpbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljeafb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmpkadnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdphngfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqqpnlk.dll"	Cndeii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eejeiocj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konidd32.dll"	Fnlmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkcckgg.dll"	Ncofplba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pahilmoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akccap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edommp32.dll"	Eeelnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Geaepk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmnqjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdcemd.dll"	Nqpcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgagk32.dll"	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enbjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbcohkd.dll"	Ejalcgkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbkqfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefeek32.dll"	Ibhkfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnindhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcndbp32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	7172	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 4288	4628	NEAS.d8ab61ba7c50b5d0a1957a0a35466dd0.exe	86
PID 4628 wrote to memory of 4288	4628	NEAS.d8ab61ba7c50b5d0a1957a0a35466dd0.exe	86
PID 4628 wrote to memory of 4288	4628	NEAS.d8ab61ba7c50b5d0a1957a0a35466dd0.exe	86
PID 4288 wrote to memory of 3920	4288	Legjmh32.exe	87
PID 4288 wrote to memory of 3920	4288	Legjmh32.exe	87
PID 4288 wrote to memory of 3920	4288	Legjmh32.exe	87
PID 3920 wrote to memory of 4880	3920	Lkabjbih.exe	88
PID 3920 wrote to memory of 4880	3920	Lkabjbih.exe	88
PID 3920 wrote to memory of 4880	3920	Lkabjbih.exe	88
PID 4880 wrote to memory of 696	4880	Lghcocol.exe	89
PID 4880 wrote to memory of 696	4880	Lghcocol.exe	89
PID 4880 wrote to memory of 696	4880	Lghcocol.exe	89
PID 696 wrote to memory of 4492	696	Meamcg32.exe	91
PID 696 wrote to memory of 4492	696	Meamcg32.exe	91
PID 696 wrote to memory of 4492	696	Meamcg32.exe	91
PID 4492 wrote to memory of 2812	4492	Mbgjbkfg.exe	92
PID 4492 wrote to memory of 2812	4492	Mbgjbkfg.exe	92
PID 4492 wrote to memory of 2812	4492	Mbgjbkfg.exe	92
PID 2812 wrote to memory of 3548	2812	Mlbkap32.exe	93
PID 2812 wrote to memory of 3548	2812	Mlbkap32.exe	93
PID 2812 wrote to memory of 3548	2812	Mlbkap32.exe	93
PID 3548 wrote to memory of 3484	3548	Naaqofgj.exe	94
PID 3548 wrote to memory of 3484	3548	Naaqofgj.exe	94
PID 3548 wrote to memory of 3484	3548	Naaqofgj.exe	94
PID 3484 wrote to memory of 2236	3484	Nhkikq32.exe	95
PID 3484 wrote to memory of 2236	3484	Nhkikq32.exe	95
PID 3484 wrote to memory of 2236	3484	Nhkikq32.exe	95
PID 2236 wrote to memory of 4372	2236	Nbqmiinl.exe	96
PID 2236 wrote to memory of 4372	2236	Nbqmiinl.exe	96
PID 2236 wrote to memory of 4372	2236	Nbqmiinl.exe	96
PID 4372 wrote to memory of 3008	4372	Nhmeapmd.exe	97
PID 4372 wrote to memory of 3008	4372	Nhmeapmd.exe	97
PID 4372 wrote to memory of 3008	4372	Nhmeapmd.exe	97
PID 3008 wrote to memory of 3084	3008	Neafjdkn.exe	98
PID 3008 wrote to memory of 3084	3008	Neafjdkn.exe	98
PID 3008 wrote to memory of 3084	3008	Neafjdkn.exe	98
PID 3084 wrote to memory of 2736	3084	Nknobkje.exe	100
PID 3084 wrote to memory of 2736	3084	Nknobkje.exe	100
PID 3084 wrote to memory of 2736	3084	Nknobkje.exe	100
PID 2736 wrote to memory of 5064	2736	Ooqqdi32.exe	101
PID 2736 wrote to memory of 5064	2736	Ooqqdi32.exe	101
PID 2736 wrote to memory of 5064	2736	Ooqqdi32.exe	101
PID 5064 wrote to memory of 856	5064	Ooejohhq.exe	102
PID 5064 wrote to memory of 856	5064	Ooejohhq.exe	102
PID 5064 wrote to memory of 856	5064	Ooejohhq.exe	102
PID 856 wrote to memory of 2676	856	Pedlgbkh.exe	103
PID 856 wrote to memory of 2676	856	Pedlgbkh.exe	103
PID 856 wrote to memory of 2676	856	Pedlgbkh.exe	103
PID 2676 wrote to memory of 4084	2676	Pefhlaie.exe	104
PID 2676 wrote to memory of 4084	2676	Pefhlaie.exe	104
PID 2676 wrote to memory of 4084	2676	Pefhlaie.exe	104
PID 4084 wrote to memory of 4696	4084	Pamiaboj.exe	105
PID 4084 wrote to memory of 4696	4084	Pamiaboj.exe	105
PID 4084 wrote to memory of 4696	4084	Pamiaboj.exe	105
PID 4696 wrote to memory of 760	4696	Poajkgnc.exe	106
PID 4696 wrote to memory of 760	4696	Poajkgnc.exe	106
PID 4696 wrote to memory of 760	4696	Poajkgnc.exe	106
PID 760 wrote to memory of 4268	760	Plejdkmm.exe	107
PID 760 wrote to memory of 4268	760	Plejdkmm.exe	107
PID 760 wrote to memory of 4268	760	Plejdkmm.exe	107
PID 4268 wrote to memory of 2036	4268	Pabblb32.exe	108
PID 4268 wrote to memory of 2036	4268	Pabblb32.exe	108
PID 4268 wrote to memory of 2036	4268	Pabblb32.exe	108
PID 2036 wrote to memory of 4016	2036	Qlggjk32.exe	109

C:\Users\Admin\AppData\Local\Temp\NEAS.d8ab61ba7c50b5d0a1957a0a35466dd0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d8ab61ba7c50b5d0a1957a0a35466dd0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\SysWOW64\Legjmh32.exe
  C:\Windows\system32\Legjmh32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\Lkabjbih.exe
    C:\Windows\system32\Lkabjbih.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\SysWOW64\Lghcocol.exe
      C:\Windows\system32\Lghcocol.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Windows\SysWOW64\Meamcg32.exe
        
        C:\Windows\system32\Meamcg32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:696
      - C:\Windows\SysWOW64\Mbgjbkfg.exe
        
        C:\Windows\system32\Mbgjbkfg.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Mlbkap32.exe
        
        C:\Windows\system32\Mlbkap32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Naaqofgj.exe
        
        C:\Windows\system32\Naaqofgj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Nhkikq32.exe
        
        C:\Windows\system32\Nhkikq32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Nbqmiinl.exe
        
        C:\Windows\system32\Nbqmiinl.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Nhmeapmd.exe
        
        C:\Windows\system32\Nhmeapmd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Neafjdkn.exe
        
        C:\Windows\system32\Neafjdkn.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Nknobkje.exe
        
        C:\Windows\system32\Nknobkje.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Ooqqdi32.exe
        
        C:\Windows\system32\Ooqqdi32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Ooejohhq.exe
        
        C:\Windows\system32\Ooejohhq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Pedlgbkh.exe
        
        C:\Windows\system32\Pedlgbkh.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Pefhlaie.exe
        
        C:\Windows\system32\Pefhlaie.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Pamiaboj.exe
        
        C:\Windows\system32\Pamiaboj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Poajkgnc.exe
        
        C:\Windows\system32\Poajkgnc.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Plejdkmm.exe
        
        C:\Windows\system32\Plejdkmm.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Pabblb32.exe
        
        C:\Windows\system32\Pabblb32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Qlggjk32.exe
        
        C:\Windows\system32\Qlggjk32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Qhngolpo.exe
        
        C:\Windows\system32\Qhngolpo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Qaflgago.exe
        
        C:\Windows\system32\Qaflgago.exe
        24⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Allpejfe.exe
        
        C:\Windows\system32\Allpejfe.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Aaiimadl.exe
        
        C:\Windows\system32\Aaiimadl.exe
        26⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\Achegd32.exe
        
        C:\Windows\system32\Achegd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\Bhcjqinf.exe
        
        C:\Windows\system32\Bhcjqinf.exe
        28⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Bblnindg.exe
        
        C:\Windows\system32\Bblnindg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Bopocbcq.exe
        
        C:\Windows\system32\Bopocbcq.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Cjecpkcg.exe
        
        C:\Windows\system32\Cjecpkcg.exe
        31⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Cbphdn32.exe
        
        C:\Windows\system32\Cbphdn32.exe
        32⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Cmflbf32.exe
        
        C:\Windows\system32\Cmflbf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\Cjjlkk32.exe
        
        C:\Windows\system32\Cjjlkk32.exe
        34⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Cofecami.exe
        
        C:\Windows\system32\Cofecami.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Cjliajmo.exe
        
        C:\Windows\system32\Cjliajmo.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\SysWOW64\Ccdnjp32.exe
        
        C:\Windows\system32\Ccdnjp32.exe
        37⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Cjnffjkl.exe
        
        C:\Windows\system32\Cjnffjkl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Ckpbnb32.exe
        
        C:\Windows\system32\Ckpbnb32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Dmoohe32.exe
        
        C:\Windows\system32\Dmoohe32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Dblgpl32.exe
        
        C:\Windows\system32\Dblgpl32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\Dmalne32.exe
        
        C:\Windows\system32\Dmalne32.exe
        42⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Dihlbf32.exe
        
        C:\Windows\system32\Dihlbf32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\Dcnqpo32.exe
        
        C:\Windows\system32\Dcnqpo32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Dikihe32.exe
        
        C:\Windows\system32\Dikihe32.exe
        45⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Dcpmen32.exe
        
        C:\Windows\system32\Dcpmen32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Dimenegi.exe
        
        C:\Windows\system32\Dimenegi.exe
        47⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\Ecbjkngo.exe
        
        C:\Windows\system32\Ecbjkngo.exe
        48⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Ejlbhh32.exe
        
        C:\Windows\system32\Ejlbhh32.exe
        49⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Efccmidp.exe
        
        C:\Windows\system32\Efccmidp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Elpkep32.exe
        
        C:\Windows\system32\Elpkep32.exe
        51⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\Ejalcgkg.exe
        
        C:\Windows\system32\Ejalcgkg.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Epndknin.exe
        
        C:\Windows\system32\Epndknin.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Embddb32.exe
        
        C:\Windows\system32\Embddb32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Ipmbjgpi.exe
        
        C:\Windows\system32\Ipmbjgpi.exe
        55⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Jkgpbp32.exe
        
        C:\Windows\system32\Jkgpbp32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Jjlmclqa.exe
        
        C:\Windows\system32\Jjlmclqa.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Jlobkg32.exe
        
        C:\Windows\system32\Jlobkg32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\Jcikgacl.exe
        
        C:\Windows\system32\Jcikgacl.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Kqmkae32.exe
        
        C:\Windows\system32\Kqmkae32.exe
        60⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Kclgmq32.exe
        
        C:\Windows\system32\Kclgmq32.exe
        61⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\Knalji32.exe
        
        C:\Windows\system32\Knalji32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Kcndbp32.exe
        
        C:\Windows\system32\Kcndbp32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Kjhloj32.exe
        
        C:\Windows\system32\Kjhloj32.exe
        64⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\Kdmqmc32.exe
        
        C:\Windows\system32\Kdmqmc32.exe
        65⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Kcbnnpka.exe
        
        C:\Windows\system32\Kcbnnpka.exe
        66⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Kmkbfeab.exe
        
        C:\Windows\system32\Kmkbfeab.exe
        67⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Lnjnqh32.exe
        
        C:\Windows\system32\Lnjnqh32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4428
        
        C:\Windows\SysWOW64\Lqikmc32.exe
        
        C:\Windows\system32\Lqikmc32.exe
        70⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Lgccinoe.exe
        
        C:\Windows\system32\Lgccinoe.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1576
        
        C:\Windows\SysWOW64\Lmpkadnm.exe
        
        C:\Windows\system32\Lmpkadnm.exe
        72⤵
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Lgepom32.exe
        
        C:\Windows\system32\Lgepom32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4340
        
        C:\Windows\SysWOW64\Lqndhcdc.exe
        
        C:\Windows\system32\Lqndhcdc.exe
        74⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\Lggldm32.exe
        
        C:\Windows\system32\Lggldm32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Lqpamb32.exe
        
        C:\Windows\system32\Lqpamb32.exe
        76⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Ncofplba.exe
        
        C:\Windows\system32\Ncofplba.exe
        77⤵
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Nndjndbh.exe
        
        C:\Windows\system32\Nndjndbh.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Ncabfkqo.exe
        
        C:\Windows\system32\Ncabfkqo.exe
        79⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Njkkbehl.exe
        
        C:\Windows\system32\Njkkbehl.exe
        80⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Naecop32.exe
        
        C:\Windows\system32\Naecop32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Nccokk32.exe
        
        C:\Windows\system32\Nccokk32.exe
        82⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Njmhhefi.exe
        
        C:\Windows\system32\Njmhhefi.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Nmlddqem.exe
        
        C:\Windows\system32\Nmlddqem.exe
        84⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Neclenfo.exe
        
        C:\Windows\system32\Neclenfo.exe
        85⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Nlmdbh32.exe
        
        C:\Windows\system32\Nlmdbh32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Nmnqjp32.exe
        
        C:\Windows\system32\Nmnqjp32.exe
        87⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Oeehkn32.exe
        
        C:\Windows\system32\Oeehkn32.exe
        88⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Onnmdcjm.exe
        
        C:\Windows\system32\Onnmdcjm.exe
        89⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Odjeljhd.exe
        
        C:\Windows\system32\Odjeljhd.exe
        90⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        91⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Oejbfmpg.exe
        
        C:\Windows\system32\Oejbfmpg.exe
        92⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        93⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Oelolmnd.exe
        
        C:\Windows\system32\Oelolmnd.exe
        94⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Ojigdcll.exe
        
        C:\Windows\system32\Ojigdcll.exe
        95⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Oacoqnci.exe
        
        C:\Windows\system32\Oacoqnci.exe
        96⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Ohmhmh32.exe
        
        C:\Windows\system32\Ohmhmh32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Omjpeo32.exe
        
        C:\Windows\system32\Omjpeo32.exe
        98⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Phodcg32.exe
        
        C:\Windows\system32\Phodcg32.exe
        99⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Pahilmoc.exe
        
        C:\Windows\system32\Pahilmoc.exe
        100⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Pkpmdbfd.exe
        
        C:\Windows\system32\Pkpmdbfd.exe
        101⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        102⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Phdnngdn.exe
        
        C:\Windows\system32\Phdnngdn.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Ponfka32.exe
        
        C:\Windows\system32\Ponfka32.exe
        104⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Phfjcf32.exe
        
        C:\Windows\system32\Phfjcf32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Pkegpb32.exe
        
        C:\Windows\system32\Pkegpb32.exe
        106⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Pejkmk32.exe
        
        C:\Windows\system32\Pejkmk32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Pkgcea32.exe
        
        C:\Windows\system32\Pkgcea32.exe
        108⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Qdphngfl.exe
        
        C:\Windows\system32\Qdphngfl.exe
        109⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Qlgpod32.exe
        
        C:\Windows\system32\Qlgpod32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Aojefobm.exe
        
        C:\Windows\system32\Aojefobm.exe
        111⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Alnfpcag.exe
        
        C:\Windows\system32\Alnfpcag.exe
        112⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Anobgl32.exe
        
        C:\Windows\system32\Anobgl32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Adikdfna.exe
        
        C:\Windows\system32\Adikdfna.exe
        114⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Akccap32.exe
        
        C:\Windows\system32\Akccap32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Adkgje32.exe
        
        C:\Windows\system32\Adkgje32.exe
        116⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Akepfpcl.exe
        
        C:\Windows\system32\Akepfpcl.exe
        117⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Aekddhcb.exe
        
        C:\Windows\system32\Aekddhcb.exe
        118⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Alelqb32.exe
        
        C:\Windows\system32\Alelqb32.exe
        119⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Bochmn32.exe
        
        C:\Windows\system32\Bochmn32.exe
        120⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Bdpaeehj.exe
        
        C:\Windows\system32\Bdpaeehj.exe
        121⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Bkjiao32.exe
        
        C:\Windows\system32\Bkjiao32.exe
        122⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Bdbnjdfg.exe
        
        C:\Windows\system32\Bdbnjdfg.exe
        123⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Bohbhmfm.exe
        
        C:\Windows\system32\Bohbhmfm.exe
        124⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Bebjdgmj.exe
        
        C:\Windows\system32\Bebjdgmj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Bllbaa32.exe
        
        C:\Windows\system32\Bllbaa32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Bahkih32.exe
        
        C:\Windows\system32\Bahkih32.exe
        127⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Blnoga32.exe
        
        C:\Windows\system32\Blnoga32.exe
        128⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Bakgoh32.exe
        
        C:\Windows\system32\Bakgoh32.exe
        129⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        130⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Coohhlpe.exe
        
        C:\Windows\system32\Coohhlpe.exe
        131⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Chglab32.exe
        
        C:\Windows\system32\Chglab32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Cndeii32.exe
        
        C:\Windows\system32\Cndeii32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        134⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        135⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        137⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        138⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Cdbfab32.exe
        
        C:\Windows\system32\Cdbfab32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        140⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        141⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        142⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        143⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        144⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        145⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        146⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        147⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        148⤵
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        149⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        150⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        151⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        152⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        153⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        154⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        155⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Ebimgcfi.exe
        
        C:\Windows\system32\Ebimgcfi.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        157⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6880
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        161⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7060
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        164⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        165⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Fmfgek32.exe
        
        C:\Windows\system32\Fmfgek32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        167⤵
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        169⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        170⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        171⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        173⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6852
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        175⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        176⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        177⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        178⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6360
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6512
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        181⤵
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        182⤵
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        183⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7044
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        185⤵
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        186⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        187⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        188⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        189⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        190⤵
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        192⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        193⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        194⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        195⤵
        Drops file in System32 directory
        
        PID:7252
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        196⤵
        Drops file in System32 directory
        
        PID:7292
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        197⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        198⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        199⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        200⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7508
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        202⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7548
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        203⤵
        Drops file in System32 directory
        
        PID:7600
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        204⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7644
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        205⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        206⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        207⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        208⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        209⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        210⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7936
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        212⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        213⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        214⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        215⤵
        Modifies registry class
        
        PID:8100
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8140
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        218⤵
        Modifies registry class
        
        PID:7272
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        219⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        220⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        221⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        222⤵
        Modifies registry class
        
        PID:7536
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        223⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        224⤵
        Drops file in System32 directory
        
        PID:7664
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        225⤵
        Modifies registry class
        
        PID:7748
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        226⤵
        Modifies registry class
        
        PID:7780
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        227⤵
        Drops file in System32 directory
        
        PID:7880
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        228⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        229⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7956
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        231⤵
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8092
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        233⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        234⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7196
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        235⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        236⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7392
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        237⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        238⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        239⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7924
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:376
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        242⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        243⤵
        Modifies registry class
        
        PID:8120
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        244⤵
        Modifies registry class
        
        PID:7340
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        245⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        246⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        247⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        248⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        249⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6956
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        251⤵
        Modifies registry class
        
        PID:7488
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        252⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        254⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        255⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        256⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7576
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        258⤵
        Drops file in System32 directory
        
        PID:7248
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        259⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        260⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        261⤵
        Drops file in System32 directory
        
        PID:8240
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        262⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        263⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        264⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        265⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        266⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        267⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        268⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        269⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        270⤵
        Drops file in System32 directory
        
        PID:8620
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        271⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8664
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        272⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        273⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        274⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        275⤵
        Modifies registry class
        
        PID:8844
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        276⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        277⤵
        Drops file in System32 directory
        
        PID:8952
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        278⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        279⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9124
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9176
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        282⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4672
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        283⤵
        Drops file in System32 directory
        
        PID:8308
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8384
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        285⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8548
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        287⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8628
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        288⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        289⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        290⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        291⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        292⤵
        Modifies registry class
        
        PID:9044
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        293⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        294⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8228
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        295⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8352
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        296⤵
        Modifies registry class
        
        PID:8456
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        297⤵
        Drops file in System32 directory
        
        PID:8592
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        298⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        299⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8944
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        301⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9156
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        302⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        303⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        304⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8604
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        305⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        306⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        307⤵
        Drops file in System32 directory
        
        PID:9184
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        308⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        309⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        310⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7384
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        311⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        312⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        313⤵
        Drops file in System32 directory
        
        PID:9116
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        314⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        315⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        316⤵
        
        PID:9340
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        317⤵
        Drops file in System32 directory
        
        PID:9384
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        318⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        319⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        320⤵
        Drops file in System32 directory
        
        PID:9508
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        321⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9556 -s 412
        322⤵
        Program crash
        
        PID:9648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 9556 -ip 9556
1⤵
PID:9620

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:7380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
7490116fd8a84d868aad6b31bccb2467

SHA1
0bc05127a2cb1c0451b0f93f6906f8984c6d388a

SHA256
2789d8a86127218a852866e54b1e04c28a89820d35c909367c4fb71fa99930b7

SHA512
1140d85c5ee1504c0f747b11b495d5213fc0ac90d9e39b6518cb12d7279d61dbb85b53c36d96212e63a30207ea44a6a5efacf639423e0fb27e3c64881e0d8e31

Download Submit
C:\Windows\SysWOW64\Aaiimadl.exe

Filesize
125KB

MD5
c158ab0ee49b971bfc1c79d7ec6c8aa6

SHA1
8e32bf12f49ea48cee0e89034d33af134dccd736

SHA256
e9565d6b346cdbe7b323c35e2fcc1d328ef9104b567add1820d3d5f1906984a8

SHA512
ee41a77dd7c01ed3700652ecc08ec37004280168ad5ece9067f891dfd54e7108c4be7d243d6a64b44261d6a9e1479209f0a1d44f446810d9bcb0987c50450914

Download Submit
C:\Windows\SysWOW64\Aaiimadl.exe

Filesize
125KB

MD5
c158ab0ee49b971bfc1c79d7ec6c8aa6

SHA1
8e32bf12f49ea48cee0e89034d33af134dccd736

SHA256
e9565d6b346cdbe7b323c35e2fcc1d328ef9104b567add1820d3d5f1906984a8

SHA512
ee41a77dd7c01ed3700652ecc08ec37004280168ad5ece9067f891dfd54e7108c4be7d243d6a64b44261d6a9e1479209f0a1d44f446810d9bcb0987c50450914

Download Submit
C:\Windows\SysWOW64\Achegd32.exe

Filesize
125KB

MD5
397c75aa052e0de6567905609d96ea5b

SHA1
ad4c6e6a12f1af1ed8e9cdbd50c6c816f05ddb77

SHA256
1e52b96dfb7d81f0c0bf844b249546579de5c93f26833819de2925450130219c

SHA512
435eabd4a6d1e1965f64ad75860c55b4d9618a8d0688704a5d34d1ce10ecfc0954ec4cf33d32ba6c3983f1b187c2a49cebc667c7268c40cc5d035dc7fcc0914c

Download Submit
C:\Windows\SysWOW64\Achegd32.exe

Filesize
125KB

MD5
397c75aa052e0de6567905609d96ea5b

SHA1
ad4c6e6a12f1af1ed8e9cdbd50c6c816f05ddb77

SHA256
1e52b96dfb7d81f0c0bf844b249546579de5c93f26833819de2925450130219c

SHA512
435eabd4a6d1e1965f64ad75860c55b4d9618a8d0688704a5d34d1ce10ecfc0954ec4cf33d32ba6c3983f1b187c2a49cebc667c7268c40cc5d035dc7fcc0914c

Download Submit
C:\Windows\SysWOW64\Allpejfe.exe

Filesize
125KB

MD5
2859c256d3ce1101895de5f38648164e

SHA1
2e7a2b7adaa41ec1d248f6306d9a22c11be90fa0

SHA256
c2eeb8d8db0885c2fafeb754da201b0a256048c3093a6663dc49870b107bd8b7

SHA512
ca791c07dc7c68e7fe16d2cf6cf107c605c7dc9dffc552da9f1ca8a86a3151c272740966967465bbe9b13ff14601654622ca5a795d88e0c7d71d093039d3eee3

Download Submit
C:\Windows\SysWOW64\Allpejfe.exe

Filesize
125KB

MD5
2859c256d3ce1101895de5f38648164e

SHA1
2e7a2b7adaa41ec1d248f6306d9a22c11be90fa0

SHA256
c2eeb8d8db0885c2fafeb754da201b0a256048c3093a6663dc49870b107bd8b7

SHA512
ca791c07dc7c68e7fe16d2cf6cf107c605c7dc9dffc552da9f1ca8a86a3151c272740966967465bbe9b13ff14601654622ca5a795d88e0c7d71d093039d3eee3

Download Submit
C:\Windows\SysWOW64\Bblnindg.exe

Filesize
125KB

MD5
391c101b2ab74846aee4ccec56adcd0e

SHA1
b96c0ee9145ac074a64b837ae85d534d432a9d74

SHA256
622128579552c275bcdf48e560c852712637e42be2e55ca2f8b32d0198ff4d82

SHA512
34ea90618fbce8b60e05cb17ebe48b9a25d2a73a60e0187c47631cb00fbbb374e59a7ccd49880a958f02dc1a75d67de782fb75892db1a686e82c6c692e36f30e

Download Submit
C:\Windows\SysWOW64\Bblnindg.exe

Filesize
125KB

MD5
391c101b2ab74846aee4ccec56adcd0e

SHA1
b96c0ee9145ac074a64b837ae85d534d432a9d74

SHA256
622128579552c275bcdf48e560c852712637e42be2e55ca2f8b32d0198ff4d82

SHA512
34ea90618fbce8b60e05cb17ebe48b9a25d2a73a60e0187c47631cb00fbbb374e59a7ccd49880a958f02dc1a75d67de782fb75892db1a686e82c6c692e36f30e

Download Submit
C:\Windows\SysWOW64\Bhcjqinf.exe

Filesize
125KB

MD5
406b337c1ce8b456c65fb0093df2f580

SHA1
be904c5abacc948dada82c561645432e4e621f91

SHA256
3a038f92c997eb4bfc652d01ad75331d3d588fbdc267677785e4b5a9420a7218

SHA512
1e703b0775e763117ba4337936897efa66aed5955a43da473c876ec4a556ec4d1b166ce046e4f29cc20ae4acac5dac4e526063b16bf69779c2885301fd01140e

Download Submit
C:\Windows\SysWOW64\Bhcjqinf.exe

Filesize
125KB

MD5
406b337c1ce8b456c65fb0093df2f580

SHA1
be904c5abacc948dada82c561645432e4e621f91

SHA256
3a038f92c997eb4bfc652d01ad75331d3d588fbdc267677785e4b5a9420a7218

SHA512
1e703b0775e763117ba4337936897efa66aed5955a43da473c876ec4a556ec4d1b166ce046e4f29cc20ae4acac5dac4e526063b16bf69779c2885301fd01140e

Download Submit
C:\Windows\SysWOW64\Bkjiao32.exe

Filesize
125KB

MD5
4c76f75a36a36f74ff7abbd51c3b7fe2

SHA1
cb16fb0b762cd8a17956a50f9cfce55dd8c34d81

SHA256
836719692b56d99e0695487500933c89997578ece5a4ec77bbc8498de6b37a8a

SHA512
3daa5bcbccd497d6678abc72e940482bfd8b51cd8401e70bc95cc0900d1572aad08a2a7b2dbec30a88628bf9b2fe8400623945fe7ad6e3efd137f4a91ed34cf3

Download Submit
C:\Windows\SysWOW64\Boldhf32.exe

Filesize
125KB

MD5
e9955e684b584d8081b2fb9cda78a840

SHA1
e403f1d52f4c057e51c7a22f9c187e85f475a2fa

SHA256
b3a27a8f6d33d61c813f1c41d4a1f22f52473e3ca7904b05a07e73473c8bdecd

SHA512
1f8e882235af4586eab77d54d22d2135e16a6520f6b609cefc0c410d32746fee47cd87dd3c029f46363acdf93cc573eeb659cdbc3843388e379d7ef5837108c2

Download Submit
C:\Windows\SysWOW64\Bopocbcq.exe

Filesize
125KB

MD5
9632ca43b15ac0b1d3ddc371fad9d8ca

SHA1
9b633ec0c3eaa6b54feb055473d5e1da68f9ce2b

SHA256
99828d64db1a681d0095ca807602d63ac113bdf7465c00a5e024506153eaf513

SHA512
2d11562877eb787a708cd2b10ff232c99f3b1192fdf0a29b410f9fa48893e0cadb964ee6fe7c08b4b599da7b5d1fe5a189ac9e08139d3a5eb418baef5a7bf572

Download Submit
C:\Windows\SysWOW64\Bopocbcq.exe

Filesize
125KB

MD5
9632ca43b15ac0b1d3ddc371fad9d8ca

SHA1
9b633ec0c3eaa6b54feb055473d5e1da68f9ce2b

SHA256
99828d64db1a681d0095ca807602d63ac113bdf7465c00a5e024506153eaf513

SHA512
2d11562877eb787a708cd2b10ff232c99f3b1192fdf0a29b410f9fa48893e0cadb964ee6fe7c08b4b599da7b5d1fe5a189ac9e08139d3a5eb418baef5a7bf572

Download Submit
C:\Windows\SysWOW64\Cbphdn32.exe

Filesize
125KB

MD5
5e9327111f9cddd369b2d9526df3c3fe

SHA1
51a235a15d8b730833b763d41e37b3b68195fbcb

SHA256
32800f750f638bc13244d5cb32e4a8c95978d7a20ff26b4864ff2549e55b862f

SHA512
42a70ca912acb3aa5466c8d41f14386920eac1095024ae8bd454030f7787c745f988ed31ff92aeea202bf72b1c85d625dcd4f16462e8387409f59aaed23bd95f

Download Submit
C:\Windows\SysWOW64\Cbphdn32.exe

Filesize
125KB

MD5
5e9327111f9cddd369b2d9526df3c3fe

SHA1
51a235a15d8b730833b763d41e37b3b68195fbcb

SHA256
32800f750f638bc13244d5cb32e4a8c95978d7a20ff26b4864ff2549e55b862f

SHA512
42a70ca912acb3aa5466c8d41f14386920eac1095024ae8bd454030f7787c745f988ed31ff92aeea202bf72b1c85d625dcd4f16462e8387409f59aaed23bd95f

Download Submit
C:\Windows\SysWOW64\Cjecpkcg.exe

Filesize
125KB

MD5
026241b53b51b4d1cf034005767cd823

SHA1
a21017c7219cc8c58a4d0e87a202b7f8282ae7e2

SHA256
2f83e45b97933cfe7eba67de59bd3601c88130cf4111704c2e96ce184926d8c2

SHA512
ea362b4a830dd5fc778e0555aac24c501016b2b0abc555afbff9ae2e24e0caeae034ff2aa078f0af9ef68a3a3431a58ac4456a920019516bd49559e699e909a9

Download Submit
C:\Windows\SysWOW64\Cjecpkcg.exe

Filesize
125KB

MD5
026241b53b51b4d1cf034005767cd823

SHA1
a21017c7219cc8c58a4d0e87a202b7f8282ae7e2

SHA256
2f83e45b97933cfe7eba67de59bd3601c88130cf4111704c2e96ce184926d8c2

SHA512
ea362b4a830dd5fc778e0555aac24c501016b2b0abc555afbff9ae2e24e0caeae034ff2aa078f0af9ef68a3a3431a58ac4456a920019516bd49559e699e909a9

Download Submit
C:\Windows\SysWOW64\Cmflbf32.exe

Filesize
125KB

MD5
9009f20eca5c9ff9d6dd1c186c8557b9

SHA1
247d4171416776ea9b31b21dc50edb1a0a9d9af3

SHA256
859c4a052a7c44cf41e00cb9b52a5d38fbc60f0fb9db764849a1f495a00be8b3

SHA512
d4620c846b55b4012f80c2afab6a3edef9ecfa1ea87706a4abd141298f3945fd9f70f7e37ab17103017035878649471847fbb04a8fbd5ad4134b57e06607efe2

Download Submit
C:\Windows\SysWOW64\Cmflbf32.exe

Filesize
125KB

MD5
9009f20eca5c9ff9d6dd1c186c8557b9

SHA1
247d4171416776ea9b31b21dc50edb1a0a9d9af3

SHA256
859c4a052a7c44cf41e00cb9b52a5d38fbc60f0fb9db764849a1f495a00be8b3

SHA512
d4620c846b55b4012f80c2afab6a3edef9ecfa1ea87706a4abd141298f3945fd9f70f7e37ab17103017035878649471847fbb04a8fbd5ad4134b57e06607efe2

Download Submit
C:\Windows\SysWOW64\Fiebmc32.dll

Filesize
7KB

MD5
4c3ed32e26bda4c257d7dab4ade68e5b

SHA1
3a2eeeb184df8948aa0b855e531e957943f4ba16

SHA256
64024b3020e1d39862fc05b4f5cf63126fff90c991c157988cb606db87134a67

SHA512
0d177cc3e605e28c30520a1c6687c5529e4db27bd074b9b8cf965f2e28f548fdb1a4645692a3a44361049a1a278c14d1167fd80f7d65b6356eff941bffc44d2d

Download Submit
C:\Windows\SysWOW64\Jjlmclqa.exe

Filesize
125KB

MD5
ae8912196849882634e0a46e69d0a303

SHA1
f69058625bf47dd68dbfada749ace188ca8174e5

SHA256
af7daa4f4e8129a295fe68fd81a15eca0959600f896eb5c0c0420b9ccaa5b274

SHA512
be34853cf4339508c109c7a160c636f08d9c5d1af51a1f3395ee5909e908e9840701719996a610296ad1c3f3de794e3472aaf0fe6130064a730e2ce14c9d4a9d

Download Submit
C:\Windows\SysWOW64\Kcmmhj32.exe

Filesize
64KB

MD5
46553899c3951b30ca24e18600a0c680

SHA1
6a27a458c3afd49b21dda920cfb8ae186a80aee8

SHA256
63c2d607a9c500accbbf24ce79d1ce1035098e9e2c2c712d329c051f0a63ffe9

SHA512
c6b8e3c284c7e6575cdc1f2361b515f334ae17a52f214e73bd6287fa1cc44817b9696a8433d436cf706d152874b4a85c99e76413a9a18aa22460e084c12f3838

Download Submit
C:\Windows\SysWOW64\Legjmh32.exe

Filesize
125KB

MD5
c138f21c2743b02ba7bd4dabf739fed3

SHA1
133437d426f6a77dec6e2b7002c18849fa65fb29

SHA256
7abbf99ae7fb4b634dda66c2966c478f756afc157761657c5622a7e4a7e1ad5c

SHA512
6ac176051d6a89d171d3734af799b9d79ec18d1153600a5233917efcedc9fd3ccf80100a29ca25d009e45770db7f48a8fa578a49eaf9228d99c40619bf67175a

Download Submit
C:\Windows\SysWOW64\Legjmh32.exe

Filesize
125KB

MD5
c138f21c2743b02ba7bd4dabf739fed3

SHA1
133437d426f6a77dec6e2b7002c18849fa65fb29

SHA256
7abbf99ae7fb4b634dda66c2966c478f756afc157761657c5622a7e4a7e1ad5c

SHA512
6ac176051d6a89d171d3734af799b9d79ec18d1153600a5233917efcedc9fd3ccf80100a29ca25d009e45770db7f48a8fa578a49eaf9228d99c40619bf67175a

Download Submit
C:\Windows\SysWOW64\Lghcocol.exe

Filesize
125KB

MD5
af0c6b0f85bc36b17bf1fad2967a162c

SHA1
09a0da6459ec2e8b9e57351f7e376366797a96d8

SHA256
862bac4b7757ac10b87177f099447b1d86ce9c446d7df39de0bce076ae279600

SHA512
d00da112f56638e9f40ada16b47cd0b726006ce13b234cc6641a475f726c029996bc77e53b963a3e79fcada95bca78fb47380b1b7d93ef6df6e48c252ba0b12c

Download Submit
C:\Windows\SysWOW64\Lghcocol.exe

Filesize
125KB

MD5
af0c6b0f85bc36b17bf1fad2967a162c

SHA1
09a0da6459ec2e8b9e57351f7e376366797a96d8

SHA256
862bac4b7757ac10b87177f099447b1d86ce9c446d7df39de0bce076ae279600

SHA512
d00da112f56638e9f40ada16b47cd0b726006ce13b234cc6641a475f726c029996bc77e53b963a3e79fcada95bca78fb47380b1b7d93ef6df6e48c252ba0b12c

Download Submit
C:\Windows\SysWOW64\Lkabjbih.exe

Filesize
125KB

MD5
8a15cfbb12e9ff7fbc08d77307d4dd0f

SHA1
a3daf427b42a939ee1eb555ccbb749063531d58c

SHA256
d55a08b4e7230c759e78dd80c4b7abaed9c482997b74acc4ae460f38ce06506f

SHA512
026863b66540e5125067a427c6fa4d72d4c11a55505b4d423d87125cf6e600b67eab65cf94250646818034745d5c05dd38689ebba15b84797407e0d43d01eae5

Download Submit
C:\Windows\SysWOW64\Lkabjbih.exe

Filesize
125KB

MD5
8a15cfbb12e9ff7fbc08d77307d4dd0f

SHA1
a3daf427b42a939ee1eb555ccbb749063531d58c

SHA256
d55a08b4e7230c759e78dd80c4b7abaed9c482997b74acc4ae460f38ce06506f

SHA512
026863b66540e5125067a427c6fa4d72d4c11a55505b4d423d87125cf6e600b67eab65cf94250646818034745d5c05dd38689ebba15b84797407e0d43d01eae5

Download Submit
C:\Windows\SysWOW64\Lmpkadnm.exe

Filesize
125KB

MD5
ed887847e522b08f0a9ef9e43c05c5a7

SHA1
f9058e11f8a12269330542b6a6548987ed564a19

SHA256
003718e7ebe971bf856265404371c8b61c1f750d6e4549549c80aa76e123e2c6

SHA512
2bfae332c26710336323af586530cc72a2c492caed61705814bb5e131a2892564d906d3fe7d714ee2634315cd29c8d05051fc60624f9c344d7036c0b5c8770a1

Download Submit
C:\Windows\SysWOW64\Mbgjbkfg.exe

Filesize
125KB

MD5
b886d95620474d553d5fe16f00c3e977

SHA1
e69f693e0880534eb1afbe8a2ca606305995a7e5

SHA256
1a2dddba89824fbb7c960bc47ed002133baadeffefd0a5586a5d47e7e5717ef4

SHA512
14921676704942908ef34eaa47db04324d6d9caa94ba12307fa78688a3352c4a57c8ae2f40b8a7990c36ce2b6454a49fd3935e3c0bd78f5aa04c2c4472229841

Download Submit
C:\Windows\SysWOW64\Mbgjbkfg.exe

Filesize
125KB

MD5
b886d95620474d553d5fe16f00c3e977

SHA1
e69f693e0880534eb1afbe8a2ca606305995a7e5

SHA256
1a2dddba89824fbb7c960bc47ed002133baadeffefd0a5586a5d47e7e5717ef4

SHA512
14921676704942908ef34eaa47db04324d6d9caa94ba12307fa78688a3352c4a57c8ae2f40b8a7990c36ce2b6454a49fd3935e3c0bd78f5aa04c2c4472229841

Download Submit
C:\Windows\SysWOW64\Meamcg32.exe

Filesize
125KB

MD5
6f5a09e1248337c22798eb2fe473c7e2

SHA1
fb808f0a7a48f236f1a2abaa214c2f7cbb37a679

SHA256
a481cbe1c06d4906ebfe291a151949c0563e5c262dcd94f7499986e604498684

SHA512
40983aed36646c1422d6ee030424525cb1e785d2f9b1187ce9167e87c6fc330f7031616204e13929f53c56ac2e17f87c11fb3911d19522dc86d6b94fb8f42b38

Download Submit
C:\Windows\SysWOW64\Meamcg32.exe

Filesize
125KB

MD5
6f5a09e1248337c22798eb2fe473c7e2

SHA1
fb808f0a7a48f236f1a2abaa214c2f7cbb37a679

SHA256
a481cbe1c06d4906ebfe291a151949c0563e5c262dcd94f7499986e604498684

SHA512
40983aed36646c1422d6ee030424525cb1e785d2f9b1187ce9167e87c6fc330f7031616204e13929f53c56ac2e17f87c11fb3911d19522dc86d6b94fb8f42b38

Download Submit
C:\Windows\SysWOW64\Mlbkap32.exe

Filesize
125KB

MD5
d5eded86444e8058f38d7e4adb2c1f98

SHA1
ff06a35113a405feba3c81707c01c5f7757e5fdf

SHA256
ea6b65399709cad4cf800bf8a7c6dbd7b85dd4c35488bf1f4e12ea56f0dcdd32

SHA512
82953f77bcd43bbc18cd813824e27c35346418ad103c4b04727179821b50b2b10606b4d5b9b1899e1868950150cb70e8e71be42d2fd8fe12b0736752f97f55cb

Download Submit
C:\Windows\SysWOW64\Mlbkap32.exe

Filesize
125KB

MD5
d5eded86444e8058f38d7e4adb2c1f98

SHA1
ff06a35113a405feba3c81707c01c5f7757e5fdf

SHA256
ea6b65399709cad4cf800bf8a7c6dbd7b85dd4c35488bf1f4e12ea56f0dcdd32

SHA512
82953f77bcd43bbc18cd813824e27c35346418ad103c4b04727179821b50b2b10606b4d5b9b1899e1868950150cb70e8e71be42d2fd8fe12b0736752f97f55cb

Download Submit
C:\Windows\SysWOW64\Mlbkap32.exe

Filesize
125KB

MD5
d5eded86444e8058f38d7e4adb2c1f98

SHA1
ff06a35113a405feba3c81707c01c5f7757e5fdf

SHA256
ea6b65399709cad4cf800bf8a7c6dbd7b85dd4c35488bf1f4e12ea56f0dcdd32

SHA512
82953f77bcd43bbc18cd813824e27c35346418ad103c4b04727179821b50b2b10606b4d5b9b1899e1868950150cb70e8e71be42d2fd8fe12b0736752f97f55cb

Download Submit
C:\Windows\SysWOW64\Naaqofgj.exe

Filesize
125KB

MD5
30bb220eccde5589f7a5d5d8b33f0a32

SHA1
4d390142c068a7bccb66a151b04ea0f02f8a266b

SHA256
ed7faeafa9934061ade5ae96a3595489f0e960b70aad65dede7d54b62b804559

SHA512
4799fc6c8b8a7d84f309345883e1891c9b36e76bc93eb9cbe1648254437d025534eae02543858c4b8e009ff4dcd74deb48bc6bd0b8a4b30998972216e8d62aa2

Download Submit
C:\Windows\SysWOW64\Naaqofgj.exe

Filesize
125KB

MD5
30bb220eccde5589f7a5d5d8b33f0a32

SHA1
4d390142c068a7bccb66a151b04ea0f02f8a266b

SHA256
ed7faeafa9934061ade5ae96a3595489f0e960b70aad65dede7d54b62b804559

SHA512
4799fc6c8b8a7d84f309345883e1891c9b36e76bc93eb9cbe1648254437d025534eae02543858c4b8e009ff4dcd74deb48bc6bd0b8a4b30998972216e8d62aa2

Download Submit
C:\Windows\SysWOW64\Nbqmiinl.exe

Filesize
125KB

MD5
69c22f2f19ba9a9308091831eb18ebb2

SHA1
1a8f1680f6f59e1278b1223020a92370a11bfd4b

SHA256
0893ce5281950b64b58e63069da472b17833312c8321b21c5de4477253ff6850

SHA512
9e6ec9320d92ce3792f9ac7ec5615388e2444d29f0ce9e7006757bf6c7355980aa8182fcbae80d25e8248c6ad2d7f0ab89723ee839fff69366c360e62be37c09

Download Submit
C:\Windows\SysWOW64\Nbqmiinl.exe

Filesize
125KB

MD5
69c22f2f19ba9a9308091831eb18ebb2

SHA1
1a8f1680f6f59e1278b1223020a92370a11bfd4b

SHA256
0893ce5281950b64b58e63069da472b17833312c8321b21c5de4477253ff6850

SHA512
9e6ec9320d92ce3792f9ac7ec5615388e2444d29f0ce9e7006757bf6c7355980aa8182fcbae80d25e8248c6ad2d7f0ab89723ee839fff69366c360e62be37c09

Download Submit
C:\Windows\SysWOW64\Neafjdkn.exe

Filesize
125KB

MD5
7c18b32126514c567bd672a5d234695e

SHA1
f32dd5069911bb159ff9f370fe42f8710bfabad5

SHA256
d95e55d76f30c1a6b0934d9f2232a60d8e741ee2bd5e2cde887ff8c872cba10d

SHA512
3b8664c825ebd4a2bc32f61f746c9bad5d4a411b93a6d0d1f1c9f52226d11c8b0859c4b6ed1a7a066876320576f84cef50365ef4144bbdf189daeb5a3e9d03aa

Download Submit
C:\Windows\SysWOW64\Neafjdkn.exe

Filesize
125KB

MD5
7c18b32126514c567bd672a5d234695e

SHA1
f32dd5069911bb159ff9f370fe42f8710bfabad5

SHA256
d95e55d76f30c1a6b0934d9f2232a60d8e741ee2bd5e2cde887ff8c872cba10d

SHA512
3b8664c825ebd4a2bc32f61f746c9bad5d4a411b93a6d0d1f1c9f52226d11c8b0859c4b6ed1a7a066876320576f84cef50365ef4144bbdf189daeb5a3e9d03aa

Download Submit
C:\Windows\SysWOW64\Nhkikq32.exe

Filesize
125KB

MD5
6c8aa046e14d2c2bd1debfe4589333fb

SHA1
e8f376e0c653bb911d7ca66a6ad1f099b75a8ca2

SHA256
ccf133e6e61cc5df476f6ca36cfc158e2019b0e103b6caa1d8c100bb73e4c334

SHA512
2285e8e888cbd67d037f7568b8605e81afb200d873dc99d9e86b7cabb2192a75ecc77f003df6a86156523ef6d9d8e2734e60687e24c3f4e57ddb309aedfe1e1b

Download Submit
C:\Windows\SysWOW64\Nhkikq32.exe

Filesize
125KB

MD5
6c8aa046e14d2c2bd1debfe4589333fb

SHA1
e8f376e0c653bb911d7ca66a6ad1f099b75a8ca2

SHA256
ccf133e6e61cc5df476f6ca36cfc158e2019b0e103b6caa1d8c100bb73e4c334

SHA512
2285e8e888cbd67d037f7568b8605e81afb200d873dc99d9e86b7cabb2192a75ecc77f003df6a86156523ef6d9d8e2734e60687e24c3f4e57ddb309aedfe1e1b

Download Submit
C:\Windows\SysWOW64\Nhmeapmd.exe

Filesize
125KB

MD5
4948cd21c691d594d39a154726e859f4

SHA1
0c15668e6e157c0c49b7d43aba4ed29ab3123216

SHA256
685a0bf6965177b4d0059e07c582a178ed5799dd4830c4112a85fb47033e3941

SHA512
5cdea98d17c25df5e8bd97c1e23dd94104841171fe5436f229ef396ebe9289d18b509ddb28581ae7c79bad178697256be939f97fb59adbc96cecf7539075a828

Download Submit
C:\Windows\SysWOW64\Nhmeapmd.exe

Filesize
125KB

MD5
4948cd21c691d594d39a154726e859f4

SHA1
0c15668e6e157c0c49b7d43aba4ed29ab3123216

SHA256
685a0bf6965177b4d0059e07c582a178ed5799dd4830c4112a85fb47033e3941

SHA512
5cdea98d17c25df5e8bd97c1e23dd94104841171fe5436f229ef396ebe9289d18b509ddb28581ae7c79bad178697256be939f97fb59adbc96cecf7539075a828

Download Submit
C:\Windows\SysWOW64\Nknobkje.exe

Filesize
125KB

MD5
7fd138fd53b44a22f880c7be1edd3136

SHA1
01e2154b33ebcb910059b6cac12409c6bf58ce0e

SHA256
63380b7c5dfc7c736faa6981fbbcbdbb1bf0fec064f076dad0e3400e404a9879

SHA512
ab2a73f2b79813aa7ccf019d8532ba277c3c719d90d7fef1186561fe8f11e90f2ef13ae79ef4e77d089d9e17ae0196201d49f089c7df387492c254723bba1c83

Download Submit
C:\Windows\SysWOW64\Nknobkje.exe

Filesize
125KB

MD5
7fd138fd53b44a22f880c7be1edd3136

SHA1
01e2154b33ebcb910059b6cac12409c6bf58ce0e

SHA256
63380b7c5dfc7c736faa6981fbbcbdbb1bf0fec064f076dad0e3400e404a9879

SHA512
ab2a73f2b79813aa7ccf019d8532ba277c3c719d90d7fef1186561fe8f11e90f2ef13ae79ef4e77d089d9e17ae0196201d49f089c7df387492c254723bba1c83

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
125KB

MD5
cfa23e9d8383d9fd399708918d3e79cf

SHA1
91b51c5e2dea4cdccd201531ad6ed1dad428ead1

SHA256
8f5aa1671f94e265f4f8e20914ddf526e9fd19352ee541ca5f2b81e800b919cc

SHA512
b97d1070b1b0b3e3e54fbde82c244fca137f93c8f20669d5c5eebcdc481ef4ecf88e45edad897fdc187a2fa96edfaa68b1aca69bc83681f469bfac2a95748c84

Download Submit
C:\Windows\SysWOW64\Ooejohhq.exe

Filesize
125KB

MD5
0da798d989cd5e9e79a983ca9f360aac

SHA1
b02db964bf92616be4e1398111407d65a4fcaa0d

SHA256
4d866df4db6b5b2e20570ba186e8348d98bc8137f0f2f7dd1c27654cb62ff102

SHA512
312d8afb19eb2f54ed4a1a4a7c273050c1aea7e95163d3fa712716f3adb74c652c7e931ad8e182a22518b337fd293cbcfdf4fa4c911ea6cf89eb023f5a578348

Download Submit
C:\Windows\SysWOW64\Ooejohhq.exe

Filesize
125KB

MD5
0da798d989cd5e9e79a983ca9f360aac

SHA1
b02db964bf92616be4e1398111407d65a4fcaa0d

SHA256
4d866df4db6b5b2e20570ba186e8348d98bc8137f0f2f7dd1c27654cb62ff102

SHA512
312d8afb19eb2f54ed4a1a4a7c273050c1aea7e95163d3fa712716f3adb74c652c7e931ad8e182a22518b337fd293cbcfdf4fa4c911ea6cf89eb023f5a578348

Download Submit
C:\Windows\SysWOW64\Ooqqdi32.exe

Filesize
125KB

MD5
a008dca79793f91bb867c3469dc91989

SHA1
4c6f885d739c219d27b9e1decbd7e5a6f203aa2f

SHA256
a92c74442e57d681037857cc7953861d46831f09500d286ee9ea34b5e8386995

SHA512
5c5b7afd274170de83c21c66b4a7b738456669fe6122ee0a378cb06ee9d3a73835c639985842945de3a3dcaf3fa2f351471f0ece1233846da4fc62ef31e66366

Download Submit
C:\Windows\SysWOW64\Ooqqdi32.exe

Filesize
125KB

MD5
a008dca79793f91bb867c3469dc91989

SHA1
4c6f885d739c219d27b9e1decbd7e5a6f203aa2f

SHA256
a92c74442e57d681037857cc7953861d46831f09500d286ee9ea34b5e8386995

SHA512
5c5b7afd274170de83c21c66b4a7b738456669fe6122ee0a378cb06ee9d3a73835c639985842945de3a3dcaf3fa2f351471f0ece1233846da4fc62ef31e66366

Download Submit
C:\Windows\SysWOW64\Pabblb32.exe

Filesize
125KB

MD5
418e4651fad818b8b6e463a5e8f1cfc7

SHA1
a2b235d73e15aa5bfa5d0a5338f8c3807a6948f7

SHA256
3a02edb2f048378a5e49a84c0ebca56260a7d72dedce65fd8d5f1d5242dfc6e5

SHA512
fc86ec3bfe052ece9c3c83d56c5595be3f3e2593769d676b510a2c037f8e63b4e10543ec1372d287cc1bdb30c8d619ad4e9df7cc6caaac5b7fd7b5fa7db03461

Download Submit
C:\Windows\SysWOW64\Pabblb32.exe

Filesize
125KB

MD5
418e4651fad818b8b6e463a5e8f1cfc7

SHA1
a2b235d73e15aa5bfa5d0a5338f8c3807a6948f7

SHA256
3a02edb2f048378a5e49a84c0ebca56260a7d72dedce65fd8d5f1d5242dfc6e5

SHA512
fc86ec3bfe052ece9c3c83d56c5595be3f3e2593769d676b510a2c037f8e63b4e10543ec1372d287cc1bdb30c8d619ad4e9df7cc6caaac5b7fd7b5fa7db03461

Download Submit
C:\Windows\SysWOW64\Pahilmoc.exe

Filesize
125KB

MD5
34c94491fb92d61ad9a8f7f9ecb22d65

SHA1
1752149a6beefefc68cf3abd09785dcab39c6d2b

SHA256
c0907ab81504fd158fa02a6046df95fc5af8b11c0decae12f370e488225dabb2

SHA512
6f2f86856cda0614f0ffe54f35a33092b3ea51eaab9c08c7f6b6121db7d3a572063ca0a8287862634685ec344e86e953ad21e1ce30171ddb01f4605f73aa10e8

Download Submit
C:\Windows\SysWOW64\Pamiaboj.exe

Filesize
125KB

MD5
8746b5404a9bdd688e385b8c837a981c

SHA1
5fb4861d61d2d5b5e7076ad509f12bf22be99e8f

SHA256
6bb7001fe78818fc765ef7f426db1d102b063d03715462c1303a39bba6253e58

SHA512
434bff6dd5c0545a8a1e0568b0e80cff222f1f2fbdc37e26ccfc7496a78d33247bd8b1ba6c75b4bcce74deb33c1d28f894e023fcb4f342ec76d38ef50aaca46a

Download Submit
C:\Windows\SysWOW64\Pamiaboj.exe

Filesize
125KB

MD5
8746b5404a9bdd688e385b8c837a981c

SHA1
5fb4861d61d2d5b5e7076ad509f12bf22be99e8f

SHA256
6bb7001fe78818fc765ef7f426db1d102b063d03715462c1303a39bba6253e58

SHA512
434bff6dd5c0545a8a1e0568b0e80cff222f1f2fbdc37e26ccfc7496a78d33247bd8b1ba6c75b4bcce74deb33c1d28f894e023fcb4f342ec76d38ef50aaca46a

Download Submit
C:\Windows\SysWOW64\Pedlgbkh.exe

Filesize
125KB

MD5
c8411af0b3e720557bcb736280b58c6f

SHA1
256fb4673a4f1bc86cf489bd6f96a4e35c5f8faf

SHA256
bd7fc26ebea53dc4276fe0713d29332b0956f1b73f9b239548faeaea9ae3fbf2

SHA512
6acc7dbdf74c5f71885e2700188ae49c3537cfa8f0fe6aaedea50c5f846f4c3e8f15fe190467c482ddc312be7920bc2e87b471b242a588874db6c787eb6348bd

Download Submit
C:\Windows\SysWOW64\Pedlgbkh.exe

Filesize
125KB

MD5
c8411af0b3e720557bcb736280b58c6f

SHA1
256fb4673a4f1bc86cf489bd6f96a4e35c5f8faf

SHA256
bd7fc26ebea53dc4276fe0713d29332b0956f1b73f9b239548faeaea9ae3fbf2

SHA512
6acc7dbdf74c5f71885e2700188ae49c3537cfa8f0fe6aaedea50c5f846f4c3e8f15fe190467c482ddc312be7920bc2e87b471b242a588874db6c787eb6348bd

Download Submit
C:\Windows\SysWOW64\Pedlgbkh.exe

Filesize
125KB

MD5
c8411af0b3e720557bcb736280b58c6f

SHA1
256fb4673a4f1bc86cf489bd6f96a4e35c5f8faf

SHA256
bd7fc26ebea53dc4276fe0713d29332b0956f1b73f9b239548faeaea9ae3fbf2

SHA512
6acc7dbdf74c5f71885e2700188ae49c3537cfa8f0fe6aaedea50c5f846f4c3e8f15fe190467c482ddc312be7920bc2e87b471b242a588874db6c787eb6348bd

Download Submit
C:\Windows\SysWOW64\Pefhlaie.exe

Filesize
125KB

MD5
732c994edfa42bf1b8dca365a6b746bd

SHA1
c0110cfb155ec6d338fd7cbb2c0d04f3875dd26f

SHA256
f3b3a86e95b60123709df59f9aebe19a17f872c4c338dae94e3880da7f4543b0

SHA512
56fc5b819a1f68bf3f870c6a97ebf0115291d8b7854309913752e80a52b66ccb7dafd206302939f78eb7dff4359000e43769802e3d3e48dfbb561dc44d7b9258

Download Submit
C:\Windows\SysWOW64\Pefhlaie.exe

Filesize
125KB

MD5
732c994edfa42bf1b8dca365a6b746bd

SHA1
c0110cfb155ec6d338fd7cbb2c0d04f3875dd26f

SHA256
f3b3a86e95b60123709df59f9aebe19a17f872c4c338dae94e3880da7f4543b0

SHA512
56fc5b819a1f68bf3f870c6a97ebf0115291d8b7854309913752e80a52b66ccb7dafd206302939f78eb7dff4359000e43769802e3d3e48dfbb561dc44d7b9258

Download Submit
C:\Windows\SysWOW64\Plejdkmm.exe

Filesize
125KB

MD5
c9f979708b48bc8609ca3ba3a509a565

SHA1
78113e70152c95c3e8f9ccdac509690ba1828e83

SHA256
22bf02c4c8a43faf3007e1b6c89c7bc909baa5dc491f1f99e335422ad55c92dd

SHA512
18d3584a5202a2e94fa6d4529b0b5b731da1581dde5bc5c8cafe50e45103aa568cb87c3572c1804bdda910e0f2d78e356f240c55600e205e810ac26d1bf54362

Download Submit
C:\Windows\SysWOW64\Plejdkmm.exe

Filesize
125KB

MD5
c9f979708b48bc8609ca3ba3a509a565

SHA1
78113e70152c95c3e8f9ccdac509690ba1828e83

SHA256
22bf02c4c8a43faf3007e1b6c89c7bc909baa5dc491f1f99e335422ad55c92dd

SHA512
18d3584a5202a2e94fa6d4529b0b5b731da1581dde5bc5c8cafe50e45103aa568cb87c3572c1804bdda910e0f2d78e356f240c55600e205e810ac26d1bf54362

Download Submit
C:\Windows\SysWOW64\Poajkgnc.exe

Filesize
125KB

MD5
c7655d4024b7482c38de6a02613b0bd2

SHA1
00e2be416559e7ed2612d77f783447f12f5bc3c8

SHA256
11bbae493ec3e5ef33853cf27fa49cec4c4903feba99b85339e014d873c21f6b

SHA512
accc7a19cedac0fb92054e2a7aa6365fc721552c5c4dbb6122056710dd11e71a68b8221627327b85e46dfc92e65c7100135645f4a53614172caee10c4afab6f6

Download Submit
C:\Windows\SysWOW64\Poajkgnc.exe

Filesize
125KB

MD5
c7655d4024b7482c38de6a02613b0bd2

SHA1
00e2be416559e7ed2612d77f783447f12f5bc3c8

SHA256
11bbae493ec3e5ef33853cf27fa49cec4c4903feba99b85339e014d873c21f6b

SHA512
accc7a19cedac0fb92054e2a7aa6365fc721552c5c4dbb6122056710dd11e71a68b8221627327b85e46dfc92e65c7100135645f4a53614172caee10c4afab6f6

Download Submit
C:\Windows\SysWOW64\Qaflgago.exe

Filesize
125KB

MD5
0ee11432d494ec0dd7b0c1ce3e693bf3

SHA1
b727ebb666bb61d46c50226f6262508388b5f590

SHA256
5c89543b19fddbbfa477b583d3a801aa73193e88e858234b1d1ecbb2f36595e0

SHA512
1ad00d13b1bc53effcdd494e2a779e1596192ced712a6487ba16e58c59da07d4707d934181eb5c20f4aa6a5bb09c8a49bb4760fd864e2a49e0f1b93054c0c62f

Download Submit
C:\Windows\SysWOW64\Qaflgago.exe

Filesize
125KB

MD5
0ee11432d494ec0dd7b0c1ce3e693bf3

SHA1
b727ebb666bb61d46c50226f6262508388b5f590

SHA256
5c89543b19fddbbfa477b583d3a801aa73193e88e858234b1d1ecbb2f36595e0

SHA512
1ad00d13b1bc53effcdd494e2a779e1596192ced712a6487ba16e58c59da07d4707d934181eb5c20f4aa6a5bb09c8a49bb4760fd864e2a49e0f1b93054c0c62f

Download Submit
C:\Windows\SysWOW64\Qhngolpo.exe

Filesize
125KB

MD5
3f3a260758f57670fe7c76b41e8179a5

SHA1
326602037f4ae27d072bd3e4427ccbaea1b7821e

SHA256
e3c7b1fe2d9f858a1a1e6449580789dbb1e26f2106a515b3141d903b25bce749

SHA512
c69c241f392bf129ecdb172af3c72fb1db1ec4397023a9eab49ad1bc53535330de3baaa4c381846cc53b833ca3ccf3b8b564da59b13bed576a704f245d362b79

Download Submit
C:\Windows\SysWOW64\Qhngolpo.exe

Filesize
125KB

MD5
3f3a260758f57670fe7c76b41e8179a5

SHA1
326602037f4ae27d072bd3e4427ccbaea1b7821e

SHA256
e3c7b1fe2d9f858a1a1e6449580789dbb1e26f2106a515b3141d903b25bce749

SHA512
c69c241f392bf129ecdb172af3c72fb1db1ec4397023a9eab49ad1bc53535330de3baaa4c381846cc53b833ca3ccf3b8b564da59b13bed576a704f245d362b79

Download Submit
C:\Windows\SysWOW64\Qlggjk32.exe

Filesize
125KB

MD5
30cf8cc270ebf5e6e13fd7d85571f872

SHA1
de6979c56656919e8f09cd93da83fe13bc360c8d

SHA256
4ccfc4658512afa371509e362532c1ab4ecb577dac1078567d1025e04c4bfa8b

SHA512
054b8f81516187aad73017935dd291ee3ffe55b1673ca4bb5e67ce33e8ef699458be50edd48a56f0a05b0d80911f488dc5fe39769801ffbc355535dd72321dfa

Download Submit
C:\Windows\SysWOW64\Qlggjk32.exe

Filesize
125KB

MD5
30cf8cc270ebf5e6e13fd7d85571f872

SHA1
de6979c56656919e8f09cd93da83fe13bc360c8d

SHA256
4ccfc4658512afa371509e362532c1ab4ecb577dac1078567d1025e04c4bfa8b

SHA512
054b8f81516187aad73017935dd291ee3ffe55b1673ca4bb5e67ce33e8ef699458be50edd48a56f0a05b0d80911f488dc5fe39769801ffbc355535dd72321dfa

Download Submit
memory/224-302-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/384-199-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/696-32-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/760-152-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/856-120-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/916-406-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1036-248-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1192-424-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1332-256-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1492-208-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1816-310-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1832-292-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1836-304-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1912-332-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2036-167-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2148-380-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2216-280-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2236-76-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2356-400-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2456-412-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2676-128-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2708-436-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2712-370-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2732-394-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2736-104-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2808-334-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2812-47-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2836-274-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2960-184-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3008-87-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3084-95-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3196-316-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3280-350-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3456-239-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3484-64-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3508-272-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3548-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3552-442-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3564-388-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3668-286-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3772-340-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3920-16-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4016-176-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4072-232-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4084-135-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4212-382-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4268-160-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4288-13-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4296-224-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4372-80-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4400-265-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4488-216-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4492-40-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4500-430-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4516-418-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4628-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4680-360-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4696-143-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4728-364-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4840-352-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4872-192-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4880-23-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4924-322-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5064-111-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/7172-2210-0x0000029821EF0000-0x0000029821EF1000-memory.dmp

Filesize
4KB

Download
memory/7172-2220-0x0000029821F10000-0x0000029821F11000-memory.dmp

Filesize
4KB

Download
memory/7172-2211-0x0000029821F00000-0x0000029821F01000-memory.dmp

Filesize
4KB

Download
memory/7172-2212-0x0000029821F00000-0x0000029821F01000-memory.dmp

Filesize
4KB

Download
memory/7172-2213-0x0000029821F00000-0x0000029821F01000-memory.dmp

Filesize
4KB

Download
memory/7172-2214-0x0000029821F00000-0x0000029821F01000-memory.dmp

Filesize
4KB

Download
memory/7172-2215-0x0000029821F00000-0x0000029821F01000-memory.dmp

Filesize
4KB

Download
memory/7172-2216-0x0000029821F00000-0x0000029821F01000-memory.dmp

Filesize
4KB

Download
memory/7172-2217-0x0000029821F00000-0x0000029821F01000-memory.dmp

Filesize
4KB

Download
memory/7172-2218-0x0000029821F10000-0x0000029821F11000-memory.dmp

Filesize
4KB

Download
memory/7172-2219-0x0000029821F10000-0x0000029821F11000-memory.dmp

Filesize
4KB

Download
memory/7172-2194-0x0000029819940000-0x0000029819950000-memory.dmp

Filesize
64KB

Download
memory/7172-2221-0x0000029821B40000-0x0000029821B41000-memory.dmp

Filesize
4KB

Download
memory/7172-2222-0x0000029821B30000-0x0000029821B31000-memory.dmp

Filesize
4KB

Download
memory/7172-2224-0x0000029821B40000-0x0000029821B41000-memory.dmp

Filesize
4KB

Download
memory/7172-2227-0x0000029821B30000-0x0000029821B31000-memory.dmp

Filesize
4KB

Download
memory/7172-2230-0x0000029821A70000-0x0000029821A71000-memory.dmp

Filesize
4KB

Download
memory/7172-2178-0x0000029819840000-0x0000029819850000-memory.dmp

Filesize
64KB

Download
memory/7172-2242-0x0000029821C70000-0x0000029821C71000-memory.dmp

Filesize
4KB

Download
memory/7172-2244-0x0000029821C80000-0x0000029821C81000-memory.dmp

Filesize
4KB

Download
memory/7172-2245-0x0000029821C80000-0x0000029821C81000-memory.dmp

Filesize
4KB

Download
memory/7172-2246-0x0000029821D90000-0x0000029821D91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads