bfffe79e585ee9218166a209d0dafd83938d1d28095a5513795d3d2abffb96c8

Analysis

max time kernel
0s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2024, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f154385ab3044eeda9e7ec6cde8b2ced.exe
Size

242KB
MD5

f154385ab3044eeda9e7ec6cde8b2ced
SHA1

fe7a280012389a1e69afe2ed52003247de3df927
SHA256

bfffe79e585ee9218166a209d0dafd83938d1d28095a5513795d3d2abffb96c8
SHA512

e52479f7adfaa6d2b2cab08a971a17e7185271c379443dca463eec051ac0eab8398b8c846ad4753b9eae8fca028c3d9e38a7363f1f950bad3ed262d43a31ac15
SSDEEP

3072:gHSu7kO0I59mM16HZfiPV6V8ZLB6V16VKcWmjRrzKbKcWmjRrzK8VHkdYaM88KC:gHSlO0ITEZfiPV66LB6X62UyHEYa0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f154385ab3044eeda9e7ec6cde8b2ced.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f154385ab3044eeda9e7ec6cde8b2ced.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkhoae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paegjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgopffec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgopffec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkhoae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfkma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfkma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paegjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peqcjkfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peqcjkfp.exe

Executes dropped EXE 6 IoCs

pid	Process
4240	Pkhoae32.exe
3816	Pnfkma32.exe
3608	Paegjl32.exe
3908	Peqcjkfp.exe
2656	Pgopffec.exe
4768	Pjmlbbdg.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dnhqigge.dll	Peqcjkfp.exe
File created	C:\Windows\SysWOW64\Pjmlbbdg.exe	Pgopffec.exe
File created	C:\Windows\SysWOW64\Pkhoae32.exe	f154385ab3044eeda9e7ec6cde8b2ced.exe
File opened for modification	C:\Windows\SysWOW64\Pkhoae32.exe	f154385ab3044eeda9e7ec6cde8b2ced.exe
File created	C:\Windows\SysWOW64\Gfniiokn.dll	f154385ab3044eeda9e7ec6cde8b2ced.exe
File created	C:\Windows\SysWOW64\Pnfkma32.exe	Pkhoae32.exe
File created	C:\Windows\SysWOW64\Pjoheljj.dll	Pkhoae32.exe
File created	C:\Windows\SysWOW64\Pgopffec.exe	Peqcjkfp.exe
File opened for modification	C:\Windows\SysWOW64\Paegjl32.exe	Pnfkma32.exe
File created	C:\Windows\SysWOW64\Pkjnpq32.dll	Paegjl32.exe
File opened for modification	C:\Windows\SysWOW64\Pgopffec.exe	Peqcjkfp.exe
File opened for modification	C:\Windows\SysWOW64\Pnfkma32.exe	Pkhoae32.exe
File created	C:\Windows\SysWOW64\Paegjl32.exe	Pnfkma32.exe
File created	C:\Windows\SysWOW64\Peqcjkfp.exe	Paegjl32.exe
File opened for modification	C:\Windows\SysWOW64\Peqcjkfp.exe	Paegjl32.exe
File created	C:\Windows\SysWOW64\Klqmnp32.dll	Pgopffec.exe
File created	C:\Windows\SysWOW64\Qdldlm32.dll	Pnfkma32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmlbbdg.exe	Pgopffec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
11432	3756	WerFault.exe	235

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfkma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paegjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Peqcjkfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgopffec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfniiokn.dll"	f154385ab3044eeda9e7ec6cde8b2ced.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f154385ab3044eeda9e7ec6cde8b2ced.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjoheljj.dll"	Pkhoae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkhoae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdldlm32.dll"	Pnfkma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhqigge.dll"	Peqcjkfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkhoae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfkma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjnpq32.dll"	Paegjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqmnp32.dll"	Pgopffec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f154385ab3044eeda9e7ec6cde8b2ced.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f154385ab3044eeda9e7ec6cde8b2ced.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f154385ab3044eeda9e7ec6cde8b2ced.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgopffec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f154385ab3044eeda9e7ec6cde8b2ced.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paegjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Peqcjkfp.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4240	2484	f154385ab3044eeda9e7ec6cde8b2ced.exe	466
PID 2484 wrote to memory of 4240	2484	f154385ab3044eeda9e7ec6cde8b2ced.exe	466
PID 2484 wrote to memory of 4240	2484	f154385ab3044eeda9e7ec6cde8b2ced.exe	466
PID 4240 wrote to memory of 3816	4240	Pkhoae32.exe	465
PID 4240 wrote to memory of 3816	4240	Pkhoae32.exe	465
PID 4240 wrote to memory of 3816	4240	Pkhoae32.exe	465
PID 3816 wrote to memory of 3608	3816	Pnfkma32.exe	464
PID 3816 wrote to memory of 3608	3816	Pnfkma32.exe	464
PID 3816 wrote to memory of 3608	3816	Pnfkma32.exe	464
PID 3608 wrote to memory of 3908	3608	Paegjl32.exe	463
PID 3608 wrote to memory of 3908	3608	Paegjl32.exe	463
PID 3608 wrote to memory of 3908	3608	Paegjl32.exe	463
PID 3908 wrote to memory of 2656	3908	Peqcjkfp.exe	462
PID 3908 wrote to memory of 2656	3908	Peqcjkfp.exe	462
PID 3908 wrote to memory of 2656	3908	Peqcjkfp.exe	462
PID 2656 wrote to memory of 4768	2656	Pgopffec.exe	461
PID 2656 wrote to memory of 4768	2656	Pgopffec.exe	461
PID 2656 wrote to memory of 4768	2656	Pgopffec.exe	461

C:\Users\Admin\AppData\Local\Temp\f154385ab3044eeda9e7ec6cde8b2ced.exe
"C:\Users\Admin\AppData\Local\Temp\f154385ab3044eeda9e7ec6cde8b2ced.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\Pkhoae32.exe
  C:\Windows\system32\Pkhoae32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4240

C:\Windows\SysWOW64\Qgciaf32.exe
C:\Windows\system32\Qgciaf32.exe
1⤵
PID:4540
- C:\Windows\SysWOW64\Qjbena32.exe
  C:\Windows\system32\Qjbena32.exe
  2⤵
  PID:2356

C:\Windows\SysWOW64\Aldomc32.exe
C:\Windows\system32\Aldomc32.exe
1⤵
PID:3628
- C:\Windows\SysWOW64\Abngjnmo.exe
  C:\Windows\system32\Abngjnmo.exe
  2⤵
  PID:3712
- - C:\Windows\SysWOW64\Aelcfilb.exe
    C:\Windows\system32\Aelcfilb.exe
    3⤵
    PID:1744

C:\Windows\SysWOW64\Andgoobc.exe
C:\Windows\system32\Andgoobc.exe
1⤵
PID:4948
- C:\Windows\SysWOW64\Bahmfj32.exe
  C:\Windows\system32\Bahmfj32.exe
  2⤵
  PID:4256

C:\Windows\SysWOW64\Bajjli32.exe
C:\Windows\system32\Bajjli32.exe
1⤵
PID:4068
- C:\Windows\SysWOW64\Bhdbhcck.exe
  C:\Windows\system32\Bhdbhcck.exe
  2⤵
  PID:4188

C:\Windows\SysWOW64\Bobcpmfc.exe
C:\Windows\system32\Bobcpmfc.exe
1⤵
PID:4680
- C:\Windows\SysWOW64\Baaplhef.exe
  C:\Windows\system32\Baaplhef.exe
  2⤵
  PID:4488

C:\Windows\SysWOW64\Bkidenlg.exe
C:\Windows\system32\Bkidenlg.exe
1⤵
PID:5072
- C:\Windows\SysWOW64\Cbqlfkmi.exe
  C:\Windows\system32\Cbqlfkmi.exe
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\Ceoibflm.exe
    C:\Windows\system32\Ceoibflm.exe
    3⤵
    PID:3680

C:\Windows\SysWOW64\Cklaknjd.exe
C:\Windows\system32\Cklaknjd.exe
1⤵
PID:1644
- C:\Windows\SysWOW64\Cbcilkjg.exe
  C:\Windows\system32\Cbcilkjg.exe
  2⤵
  PID:1556

C:\Windows\SysWOW64\Ckpjfm32.exe
C:\Windows\system32\Ckpjfm32.exe
1⤵
PID:2492
- C:\Windows\SysWOW64\Cbgbgj32.exe
  C:\Windows\system32\Cbgbgj32.exe
  2⤵
  PID:5040

C:\Windows\SysWOW64\Chghdqbf.exe
C:\Windows\system32\Chghdqbf.exe
1⤵
PID:5180
- C:\Windows\SysWOW64\Ckedalaj.exe
  C:\Windows\system32\Ckedalaj.exe
  2⤵
  PID:5216
- - C:\Windows\SysWOW64\Dbllbibl.exe
    C:\Windows\system32\Dbllbibl.exe
    3⤵
    PID:5260

C:\Windows\SysWOW64\Dekhneap.exe
C:\Windows\system32\Dekhneap.exe
1⤵
PID:5296
- C:\Windows\SysWOW64\Ddmhja32.exe
  C:\Windows\system32\Ddmhja32.exe
  2⤵
  PID:5340
- - C:\Windows\SysWOW64\Dldpkoil.exe
    C:\Windows\system32\Dldpkoil.exe
    3⤵
    PID:5380

C:\Windows\SysWOW64\Dkjmlk32.exe
C:\Windows\system32\Dkjmlk32.exe
1⤵
PID:5560
- C:\Windows\SysWOW64\Doeiljfn.exe
  C:\Windows\system32\Doeiljfn.exe
  2⤵
  PID:5600

C:\Windows\SysWOW64\Dadeieea.exe
C:\Windows\system32\Dadeieea.exe
1⤵
PID:5640
- C:\Windows\SysWOW64\Deoaid32.exe
  C:\Windows\system32\Deoaid32.exe
  2⤵
  PID:5680

C:\Windows\SysWOW64\Dhnnep32.exe
C:\Windows\system32\Dhnnep32.exe
1⤵
PID:5720
- C:\Windows\SysWOW64\Dkljak32.exe
  C:\Windows\system32\Dkljak32.exe
  2⤵
  PID:5768

C:\Windows\SysWOW64\Dccbbhld.exe
C:\Windows\system32\Dccbbhld.exe
1⤵
PID:5804
- C:\Windows\SysWOW64\Dafbne32.exe
  C:\Windows\system32\Dafbne32.exe
  2⤵
  PID:5844
- - C:\Windows\SysWOW64\Dddojq32.exe
    C:\Windows\system32\Dddojq32.exe
    3⤵
    PID:5880

C:\Windows\SysWOW64\Dllfkn32.exe
C:\Windows\system32\Dllfkn32.exe
1⤵
PID:5920
- C:\Windows\SysWOW64\Dojcgi32.exe
  C:\Windows\system32\Dojcgi32.exe
  2⤵
  PID:5968

C:\Windows\SysWOW64\Dahode32.exe
C:\Windows\system32\Dahode32.exe
1⤵
PID:6008
- C:\Windows\SysWOW64\Ddgkpp32.exe
  C:\Windows\system32\Ddgkpp32.exe
  2⤵
  PID:6048

C:\Windows\SysWOW64\Dhbgqohi.exe
C:\Windows\system32\Dhbgqohi.exe
1⤵
PID:6088
- C:\Windows\SysWOW64\Ekacmjgl.exe
  C:\Windows\system32\Ekacmjgl.exe
  2⤵
  PID:6128
- - C:\Windows\SysWOW64\Echknh32.exe
    C:\Windows\system32\Echknh32.exe
    3⤵
    PID:5160

C:\Windows\SysWOW64\Eaklidoi.exe
C:\Windows\system32\Eaklidoi.exe
1⤵
PID:2672
- C:\Windows\SysWOW64\Edihepnm.exe
  C:\Windows\system32\Edihepnm.exe
  2⤵
  PID:5280

C:\Windows\SysWOW64\Elppfmoo.exe
C:\Windows\system32\Elppfmoo.exe
1⤵
PID:5368
- C:\Windows\SysWOW64\Ecjhcg32.exe
  C:\Windows\system32\Ecjhcg32.exe
  2⤵
  PID:5460

C:\Windows\SysWOW64\Eamhodmf.exe
C:\Windows\system32\Eamhodmf.exe
1⤵
PID:5528
- C:\Windows\SysWOW64\Elbmlmml.exe
  C:\Windows\system32\Elbmlmml.exe
  2⤵
  PID:5584

C:\Windows\SysWOW64\Eoaihhlp.exe
C:\Windows\system32\Eoaihhlp.exe
1⤵
PID:5668
- C:\Windows\SysWOW64\Eapedd32.exe
  C:\Windows\system32\Eapedd32.exe
  2⤵
  PID:3840

C:\Windows\SysWOW64\Eekaebcm.exe
C:\Windows\system32\Eekaebcm.exe
1⤵
PID:5796
- C:\Windows\SysWOW64\Ehimanbq.exe
  C:\Windows\system32\Ehimanbq.exe
  2⤵
  PID:5864

C:\Windows\SysWOW64\Eleiam32.exe
C:\Windows\system32\Eleiam32.exe
1⤵
PID:5960
- C:\Windows\SysWOW64\Eocenh32.exe
  C:\Windows\system32\Eocenh32.exe
  2⤵
  PID:6004
- - C:\Windows\SysWOW64\Ecoangbg.exe
    C:\Windows\system32\Ecoangbg.exe
    3⤵
    PID:6096

C:\Windows\SysWOW64\Ehljfnpn.exe
C:\Windows\system32\Ehljfnpn.exe
1⤵
PID:5288
- C:\Windows\SysWOW64\Ekjfcipa.exe
  C:\Windows\system32\Ekjfcipa.exe
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\Ecandfpd.exe
    C:\Windows\system32\Ecandfpd.exe
    3⤵
    PID:5596

C:\Windows\SysWOW64\Eepjpb32.exe
C:\Windows\system32\Eepjpb32.exe
1⤵
PID:5708
- C:\Windows\SysWOW64\Edbklofb.exe
  C:\Windows\system32\Edbklofb.exe
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\Fljcmlfd.exe
    C:\Windows\system32\Fljcmlfd.exe
    3⤵
    PID:5904

C:\Windows\SysWOW64\Fohoigfh.exe
C:\Windows\system32\Fohoigfh.exe
1⤵
PID:6000
- C:\Windows\SysWOW64\Fafkecel.exe
  C:\Windows\system32\Fafkecel.exe
  2⤵
  PID:6124

C:\Windows\SysWOW64\Fdegandp.exe
C:\Windows\system32\Fdegandp.exe
1⤵
PID:5240
- C:\Windows\SysWOW64\Fllpbldb.exe
  C:\Windows\system32\Fllpbldb.exe
  2⤵
  PID:5556

C:\Windows\SysWOW64\Fojlngce.exe
C:\Windows\system32\Fojlngce.exe
1⤵
PID:5812
- C:\Windows\SysWOW64\Ffddka32.exe
  C:\Windows\system32\Ffddka32.exe
  2⤵
  PID:5912
- - C:\Windows\SysWOW64\Fhcpgmjf.exe
    C:\Windows\system32\Fhcpgmjf.exe
    3⤵
    PID:6116

C:\Windows\SysWOW64\Fkalchij.exe
C:\Windows\system32\Fkalchij.exe
1⤵
PID:5512
- C:\Windows\SysWOW64\Fchddejl.exe
  C:\Windows\system32\Fchddejl.exe
  2⤵
  PID:5832
- - C:\Windows\SysWOW64\Ffgqqaip.exe
    C:\Windows\system32\Ffgqqaip.exe
    3⤵
    PID:6108
  - - C:\Windows\SysWOW64\Fhemmlhc.exe
      C:\Windows\system32\Fhemmlhc.exe
      4⤵
      PID:5664

C:\Windows\SysWOW64\Fkciihgg.exe
C:\Windows\system32\Fkciihgg.exe
1⤵
PID:5480
- C:\Windows\SysWOW64\Fckajehi.exe
  C:\Windows\system32\Fckajehi.exe
  2⤵
  PID:5412
- - C:\Windows\SysWOW64\Ffimfqgm.exe
    C:\Windows\system32\Ffimfqgm.exe
    3⤵
    PID:6156

C:\Windows\SysWOW64\Fhgjblfq.exe
C:\Windows\system32\Fhgjblfq.exe
1⤵
PID:6192
- C:\Windows\SysWOW64\Fkffog32.exe
  C:\Windows\system32\Fkffog32.exe
  2⤵
  PID:6232
- - C:\Windows\SysWOW64\Fcmnpe32.exe
    C:\Windows\system32\Fcmnpe32.exe
    3⤵
    PID:6272

C:\Windows\SysWOW64\Ffkjlp32.exe
C:\Windows\system32\Ffkjlp32.exe
1⤵
PID:6316
- C:\Windows\SysWOW64\Fhjfhl32.exe
  C:\Windows\system32\Fhjfhl32.exe
  2⤵
  PID:6356

C:\Windows\SysWOW64\Gkhbdg32.exe
C:\Windows\system32\Gkhbdg32.exe
1⤵
PID:6400
- C:\Windows\SysWOW64\Gcojed32.exe
  C:\Windows\system32\Gcojed32.exe
  2⤵
  PID:6436

C:\Windows\SysWOW64\Gfngap32.exe
C:\Windows\system32\Gfngap32.exe
1⤵
PID:6476
- C:\Windows\SysWOW64\Ghlcnk32.exe
  C:\Windows\system32\Ghlcnk32.exe
  2⤵
  PID:6520
- - C:\Windows\SysWOW64\Gkkojgao.exe
    C:\Windows\system32\Gkkojgao.exe
    3⤵
    PID:6568
  - - C:\Windows\SysWOW64\Ghopckpi.exe
      C:\Windows\system32\Ghopckpi.exe
      4⤵
      PID:6612
    - - C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        5⤵
        
        PID:6648

C:\Windows\SysWOW64\Gbgdlq32.exe
C:\Windows\system32\Gbgdlq32.exe
1⤵
PID:6728
- C:\Windows\SysWOW64\Gfbploob.exe
  C:\Windows\system32\Gfbploob.exe
  2⤵
  PID:6776
- - C:\Windows\SysWOW64\Gmlhii32.exe
    C:\Windows\system32\Gmlhii32.exe
    3⤵
    PID:6816

C:\Windows\SysWOW64\Gkoiefmj.exe
C:\Windows\system32\Gkoiefmj.exe
1⤵
PID:6860
- C:\Windows\SysWOW64\Gbiaapdf.exe
  C:\Windows\system32\Gbiaapdf.exe
  2⤵
  PID:6904

C:\Windows\SysWOW64\Gfembo32.exe
C:\Windows\system32\Gfembo32.exe
1⤵
PID:6948
- C:\Windows\SysWOW64\Gicinj32.exe
  C:\Windows\system32\Gicinj32.exe
  2⤵
  PID:6992

C:\Windows\SysWOW64\Gmoeoidl.exe
C:\Windows\system32\Gmoeoidl.exe
1⤵
PID:7028
- C:\Windows\SysWOW64\Gomakdcp.exe
  C:\Windows\system32\Gomakdcp.exe
  2⤵
  PID:7068
- - C:\Windows\SysWOW64\Gblngpbd.exe
    C:\Windows\system32\Gblngpbd.exe
    3⤵
    PID:7120

C:\Windows\SysWOW64\Gfgjgo32.exe
C:\Windows\system32\Gfgjgo32.exe
1⤵
PID:7156
- C:\Windows\SysWOW64\Hiefcj32.exe
  C:\Windows\system32\Hiefcj32.exe
  2⤵
  PID:6180

C:\Windows\SysWOW64\Hopnqdan.exe
C:\Windows\system32\Hopnqdan.exe
1⤵
PID:6324
- C:\Windows\SysWOW64\Hckjacjg.exe
  C:\Windows\system32\Hckjacjg.exe
  2⤵
  PID:6384
- - C:\Windows\SysWOW64\Hfifmnij.exe
    C:\Windows\system32\Hfifmnij.exe
    3⤵
    PID:6464

C:\Windows\SysWOW64\Hkfoeega.exe
C:\Windows\system32\Hkfoeega.exe
1⤵
PID:6684
- C:\Windows\SysWOW64\Hcmgfbhd.exe
  C:\Windows\system32\Hcmgfbhd.exe
  2⤵
  PID:6760

C:\Windows\SysWOW64\Hbpgbo32.exe
C:\Windows\system32\Hbpgbo32.exe
1⤵
PID:6852
- C:\Windows\SysWOW64\Heocnk32.exe
  C:\Windows\system32\Heocnk32.exe
  2⤵
  PID:6888

C:\Windows\SysWOW64\Hmfkoh32.exe
C:\Windows\system32\Hmfkoh32.exe
1⤵
PID:6988
- C:\Windows\SysWOW64\Hkikkeeo.exe
  C:\Windows\system32\Hkikkeeo.exe
  2⤵
  PID:7064

C:\Windows\SysWOW64\Hbbdholl.exe
C:\Windows\system32\Hbbdholl.exe
1⤵
PID:4196
- C:\Windows\SysWOW64\Hfnphn32.exe
  C:\Windows\system32\Hfnphn32.exe
  2⤵
  PID:6216

C:\Windows\SysWOW64\Himldi32.exe
C:\Windows\system32\Himldi32.exe
1⤵
PID:6348
- C:\Windows\SysWOW64\Hmhhehlb.exe
  C:\Windows\system32\Hmhhehlb.exe
  2⤵
  PID:6428
- - C:\Windows\SysWOW64\Hofdacke.exe
    C:\Windows\system32\Hofdacke.exe
    3⤵
    PID:6544

C:\Windows\SysWOW64\Hbeqmoji.exe
C:\Windows\system32\Hbeqmoji.exe
1⤵
PID:6676
- C:\Windows\SysWOW64\Hfqlnm32.exe
  C:\Windows\system32\Hfqlnm32.exe
  2⤵
  PID:6824

C:\Windows\SysWOW64\Hioiji32.exe
C:\Windows\system32\Hioiji32.exe
1⤵
PID:6916
- C:\Windows\SysWOW64\Hmjdjgjo.exe
  C:\Windows\system32\Hmjdjgjo.exe
  2⤵
  PID:7024

C:\Windows\SysWOW64\Hoiafcic.exe
C:\Windows\system32\Hoiafcic.exe
1⤵
PID:1788
- C:\Windows\SysWOW64\Hcdmga32.exe
  C:\Windows\system32\Hcdmga32.exe
  2⤵
  PID:6224

C:\Windows\SysWOW64\Ikpaldog.exe
C:\Windows\system32\Ikpaldog.exe
1⤵
PID:6980
- C:\Windows\SysWOW64\Ibjjhn32.exe
  C:\Windows\system32\Ibjjhn32.exe
  2⤵
  PID:6200
- - C:\Windows\SysWOW64\Ifefimom.exe
    C:\Windows\system32\Ifefimom.exe
    3⤵
    PID:6508

C:\Windows\SysWOW64\Iicbehnq.exe
C:\Windows\system32\Iicbehnq.exe
1⤵
PID:6812
- C:\Windows\SysWOW64\Imoneg32.exe
  C:\Windows\system32\Imoneg32.exe
  2⤵
  PID:7116

C:\Windows\SysWOW64\Ipnjab32.exe
C:\Windows\system32\Ipnjab32.exe
1⤵
PID:6764
- C:\Windows\SysWOW64\Icifbang.exe
  C:\Windows\system32\Icifbang.exe
  2⤵
  PID:7108

C:\Windows\SysWOW64\Iblfnn32.exe
C:\Windows\system32\Iblfnn32.exe
1⤵
PID:2376
- C:\Windows\SysWOW64\Iejcji32.exe
  C:\Windows\system32\Iejcji32.exe
  2⤵
  PID:6756

C:\Windows\SysWOW64\Ildkgc32.exe
C:\Windows\system32\Ildkgc32.exe
1⤵
PID:7228
- C:\Windows\SysWOW64\Ippggbck.exe
  C:\Windows\system32\Ippggbck.exe
  2⤵
  PID:7268

C:\Windows\SysWOW64\Ibnccmbo.exe
C:\Windows\system32\Ibnccmbo.exe
1⤵
PID:7308
- C:\Windows\SysWOW64\Iemppiab.exe
  C:\Windows\system32\Iemppiab.exe
  2⤵
  PID:7356
- - C:\Windows\SysWOW64\Iihkpg32.exe
    C:\Windows\system32\Iihkpg32.exe
    3⤵
    PID:7396

C:\Windows\SysWOW64\Ilghlc32.exe
C:\Windows\system32\Ilghlc32.exe
1⤵
PID:7436
- C:\Windows\SysWOW64\Icnpmp32.exe
  C:\Windows\system32\Icnpmp32.exe
  2⤵
  PID:7476

C:\Windows\SysWOW64\Ieolehop.exe
C:\Windows\system32\Ieolehop.exe
1⤵
PID:7548
- C:\Windows\SysWOW64\Imfdff32.exe
  C:\Windows\system32\Imfdff32.exe
  2⤵
  PID:7596

C:\Windows\SysWOW64\Ipdqba32.exe
C:\Windows\system32\Ipdqba32.exe
1⤵
PID:7640
- C:\Windows\SysWOW64\Icplcpgo.exe
  C:\Windows\system32\Icplcpgo.exe
  2⤵
  PID:7680

C:\Windows\SysWOW64\Ibcmom32.exe
C:\Windows\system32\Ibcmom32.exe
1⤵
PID:7716
- C:\Windows\SysWOW64\Jeaikh32.exe
  C:\Windows\system32\Jeaikh32.exe
  2⤵
  PID:7756
- - C:\Windows\SysWOW64\Jimekgff.exe
    C:\Windows\system32\Jimekgff.exe
    3⤵
    PID:7792

C:\Windows\SysWOW64\Jlkagbej.exe
C:\Windows\system32\Jlkagbej.exe
1⤵
PID:7828
- C:\Windows\SysWOW64\Jcbihpel.exe
  C:\Windows\system32\Jcbihpel.exe
  2⤵
  PID:7864

C:\Windows\SysWOW64\Jfaedkdp.exe
C:\Windows\system32\Jfaedkdp.exe
1⤵
PID:7908
- C:\Windows\SysWOW64\Jioaqfcc.exe
  C:\Windows\system32\Jioaqfcc.exe
  2⤵
  PID:7952
- - C:\Windows\SysWOW64\Jmknaell.exe
    C:\Windows\system32\Jmknaell.exe
    3⤵
    PID:7992

C:\Windows\SysWOW64\Jpijnqkp.exe
C:\Windows\system32\Jpijnqkp.exe
1⤵
PID:8028
- C:\Windows\SysWOW64\Jbhfjljd.exe
  C:\Windows\system32\Jbhfjljd.exe
  2⤵
  PID:8068

C:\Windows\SysWOW64\Jefbfgig.exe
C:\Windows\system32\Jefbfgig.exe
1⤵
PID:8104
- C:\Windows\SysWOW64\Jianff32.exe
  C:\Windows\system32\Jianff32.exe
  2⤵
  PID:8140
- - C:\Windows\SysWOW64\Jlpkba32.exe
    C:\Windows\system32\Jlpkba32.exe
    3⤵
    PID:8180

C:\Windows\SysWOW64\Jbjcolha.exe
C:\Windows\system32\Jbjcolha.exe
1⤵
PID:7276
- C:\Windows\SysWOW64\Jfeopj32.exe
  C:\Windows\system32\Jfeopj32.exe
  2⤵
  PID:7352

C:\Windows\SysWOW64\Jpnchp32.exe
C:\Windows\system32\Jpnchp32.exe
1⤵
PID:7556
- C:\Windows\SysWOW64\Jcioiood.exe
  C:\Windows\system32\Jcioiood.exe
  2⤵
  PID:7620

C:\Windows\SysWOW64\Jfhlejnh.exe
C:\Windows\system32\Jfhlejnh.exe
1⤵
PID:7708
- C:\Windows\SysWOW64\Jeklag32.exe
  C:\Windows\system32\Jeklag32.exe
  2⤵
  PID:7776

C:\Windows\SysWOW64\Jmbdbd32.exe
C:\Windows\system32\Jmbdbd32.exe
1⤵
PID:7848
- C:\Windows\SysWOW64\Jlednamo.exe
  C:\Windows\system32\Jlednamo.exe
  2⤵
  PID:7940

C:\Windows\SysWOW64\Kemhff32.exe
C:\Windows\system32\Kemhff32.exe
1⤵
PID:7976
- C:\Windows\SysWOW64\Kiidgeki.exe
  C:\Windows\system32\Kiidgeki.exe
  2⤵
  PID:8060

C:\Windows\SysWOW64\Kmdqgd32.exe
C:\Windows\system32\Kmdqgd32.exe
1⤵
PID:8128
- C:\Windows\SysWOW64\Kpbmco32.exe
  C:\Windows\system32\Kpbmco32.exe
  2⤵
  PID:8188

C:\Windows\SysWOW64\Kbaipkbi.exe
C:\Windows\system32\Kbaipkbi.exe
1⤵
PID:7404
- C:\Windows\SysWOW64\Kfmepi32.exe
  C:\Windows\system32\Kfmepi32.exe
  2⤵
  PID:7536

C:\Windows\SysWOW64\Kikame32.exe
C:\Windows\system32\Kikame32.exe
1⤵
PID:1176
- C:\Windows\SysWOW64\Kmfmmcbo.exe
  C:\Windows\system32\Kmfmmcbo.exe
  2⤵
  PID:7764

C:\Windows\SysWOW64\Klimip32.exe
C:\Windows\system32\Klimip32.exe
1⤵
PID:7916
- C:\Windows\SysWOW64\Kdqejn32.exe
  C:\Windows\system32\Kdqejn32.exe
  2⤵
  PID:8056

C:\Windows\SysWOW64\Kebbafoj.exe
C:\Windows\system32\Kebbafoj.exe
1⤵
PID:7316
- C:\Windows\SysWOW64\Kimnbd32.exe
  C:\Windows\system32\Kimnbd32.exe
  2⤵
  PID:7544

C:\Windows\SysWOW64\Kmijbcpl.exe
C:\Windows\system32\Kmijbcpl.exe
1⤵
PID:7676
- C:\Windows\SysWOW64\Kpgfooop.exe
  C:\Windows\system32\Kpgfooop.exe
  2⤵
  PID:7880

C:\Windows\SysWOW64\Kdcbom32.exe
C:\Windows\system32\Kdcbom32.exe
1⤵
PID:8100
- C:\Windows\SysWOW64\Kfankifm.exe
  C:\Windows\system32\Kfankifm.exe
  2⤵
  PID:7252

C:\Windows\SysWOW64\Kedoge32.exe
C:\Windows\system32\Kedoge32.exe
1⤵
PID:7744
- C:\Windows\SysWOW64\Kmkfhc32.exe
  C:\Windows\system32\Kmkfhc32.exe
  2⤵
  PID:8052

C:\Windows\SysWOW64\Kdeoemeg.exe
C:\Windows\system32\Kdeoemeg.exe
1⤵
PID:7264
- C:\Windows\SysWOW64\Kbhoqj32.exe
  C:\Windows\system32\Kbhoqj32.exe
  2⤵
  PID:7628

C:\Windows\SysWOW64\Kfckahdj.exe
C:\Windows\system32\Kfckahdj.exe
1⤵
PID:8208
- C:\Windows\SysWOW64\Kibgmdcn.exe
  C:\Windows\system32\Kibgmdcn.exe
  2⤵
  PID:8248

C:\Windows\SysWOW64\Kmncnb32.exe
C:\Windows\system32\Kmncnb32.exe
1⤵
PID:8284
- C:\Windows\SysWOW64\Kplpjn32.exe
  C:\Windows\system32\Kplpjn32.exe
  2⤵
  PID:8324

C:\Windows\SysWOW64\Kdgljmcd.exe
C:\Windows\system32\Kdgljmcd.exe
1⤵
PID:8356
- C:\Windows\SysWOW64\Lbjlfi32.exe
  C:\Windows\system32\Lbjlfi32.exe
  2⤵
  PID:8400

C:\Windows\SysWOW64\Leihbeib.exe
C:\Windows\system32\Leihbeib.exe
1⤵
PID:8436
- C:\Windows\SysWOW64\Liddbc32.exe
  C:\Windows\system32\Liddbc32.exe
  2⤵
  PID:8476

C:\Windows\SysWOW64\Lpnlpnih.exe
C:\Windows\system32\Lpnlpnih.exe
1⤵
PID:8552
- C:\Windows\SysWOW64\Ldjhpl32.exe
  C:\Windows\system32\Ldjhpl32.exe
  2⤵
  PID:8592

C:\Windows\SysWOW64\Lbmhlihl.exe
C:\Windows\system32\Lbmhlihl.exe
1⤵
PID:8628
- C:\Windows\SysWOW64\Lekehdgp.exe
  C:\Windows\system32\Lekehdgp.exe
  2⤵
  PID:8672

C:\Windows\SysWOW64\Lmbmibhb.exe
C:\Windows\system32\Lmbmibhb.exe
1⤵
PID:8748
- C:\Windows\SysWOW64\Lpqiemge.exe
  C:\Windows\system32\Lpqiemge.exe
  2⤵
  PID:8788
- - C:\Windows\SysWOW64\Ldleel32.exe
    C:\Windows\system32\Ldleel32.exe
    3⤵
    PID:8824

C:\Windows\SysWOW64\Lenamdem.exe
C:\Windows\system32\Lenamdem.exe
1⤵
PID:8904
- C:\Windows\SysWOW64\Liimncmf.exe
  C:\Windows\system32\Liimncmf.exe
  2⤵
  PID:8940

C:\Windows\SysWOW64\Lmdina32.exe
C:\Windows\system32\Lmdina32.exe
1⤵
PID:8976
- C:\Windows\SysWOW64\Lpcfkm32.exe
  C:\Windows\system32\Lpcfkm32.exe
  2⤵
  PID:9020

C:\Windows\SysWOW64\Lgmngglp.exe
C:\Windows\system32\Lgmngglp.exe
1⤵
PID:9092
- C:\Windows\SysWOW64\Likjcbkc.exe
  C:\Windows\system32\Likjcbkc.exe
  2⤵
  PID:9128
- - C:\Windows\SysWOW64\Lmgfda32.exe
    C:\Windows\system32\Lmgfda32.exe
    3⤵
    PID:9164

C:\Windows\SysWOW64\Lpebpm32.exe
C:\Windows\system32\Lpebpm32.exe
1⤵
PID:8244
- C:\Windows\SysWOW64\Lbdolh32.exe
  C:\Windows\system32\Lbdolh32.exe
  2⤵
  PID:8312

C:\Windows\SysWOW64\Lgokmgjm.exe
C:\Windows\system32\Lgokmgjm.exe
1⤵
PID:8364
- C:\Windows\SysWOW64\Lingibiq.exe
  C:\Windows\system32\Lingibiq.exe
  2⤵
  PID:8424

C:\Windows\SysWOW64\Lmiciaaj.exe
C:\Windows\system32\Lmiciaaj.exe
1⤵
PID:8504
- C:\Windows\SysWOW64\Lllcen32.exe
  C:\Windows\system32\Lllcen32.exe
  2⤵
  PID:8572

C:\Windows\SysWOW64\Mdckfk32.exe
C:\Windows\system32\Mdckfk32.exe
1⤵
PID:8640
- C:\Windows\SysWOW64\Mbfkbhpa.exe
  C:\Windows\system32\Mbfkbhpa.exe
  2⤵
  PID:8704
- - C:\Windows\SysWOW64\Mipcob32.exe
    C:\Windows\system32\Mipcob32.exe
    3⤵
    PID:8776
  - - C:\Windows\SysWOW64\Mlopkm32.exe
      C:\Windows\system32\Mlopkm32.exe
      4⤵
      PID:8832

C:\Windows\SysWOW64\Mdehlk32.exe
C:\Windows\system32\Mdehlk32.exe
1⤵
PID:8892
- C:\Windows\SysWOW64\Mgddhf32.exe
  C:\Windows\system32\Mgddhf32.exe
  2⤵
  PID:8972

C:\Windows\SysWOW64\Megdccmb.exe
C:\Windows\system32\Megdccmb.exe
1⤵
PID:9044
- C:\Windows\SysWOW64\Mmnldp32.exe
  C:\Windows\system32\Mmnldp32.exe
  2⤵
  PID:9108

C:\Windows\SysWOW64\Mplhql32.exe
C:\Windows\system32\Mplhql32.exe
1⤵
PID:9184
- C:\Windows\SysWOW64\Mckemg32.exe
  C:\Windows\system32\Mckemg32.exe
  2⤵
  PID:8276

C:\Windows\SysWOW64\Meiaib32.exe
C:\Windows\system32\Meiaib32.exe
1⤵
PID:8352
- C:\Windows\SysWOW64\Mlcifmbl.exe
  C:\Windows\system32\Mlcifmbl.exe
  2⤵
  PID:8544
- - C:\Windows\SysWOW64\Mdjagjco.exe
    C:\Windows\system32\Mdjagjco.exe
    3⤵
    PID:8656

C:\Windows\SysWOW64\Mgimcebb.exe
C:\Windows\system32\Mgimcebb.exe
1⤵
PID:8744
- C:\Windows\SysWOW64\Melnob32.exe
  C:\Windows\system32\Melnob32.exe
  2⤵
  PID:8884
- - C:\Windows\SysWOW64\Mmbfpp32.exe
    C:\Windows\system32\Mmbfpp32.exe
    3⤵
    PID:9028

C:\Windows\SysWOW64\Mpablkhc.exe
C:\Windows\system32\Mpablkhc.exe
1⤵
PID:9148
- C:\Windows\SysWOW64\Mcpnhfhf.exe
  C:\Windows\system32\Mcpnhfhf.exe
  2⤵
  PID:8204

C:\Windows\SysWOW64\Menjdbgj.exe
C:\Windows\system32\Menjdbgj.exe
1⤵
PID:8484
- C:\Windows\SysWOW64\Miifeq32.exe
  C:\Windows\system32\Miifeq32.exe
  2⤵
  PID:1160
- - C:\Windows\SysWOW64\Npcoakfp.exe
    C:\Windows\system32\Npcoakfp.exe
    3⤵
    PID:8888

C:\Windows\SysWOW64\Ngmgne32.exe
C:\Windows\system32\Ngmgne32.exe
1⤵
PID:9152
- C:\Windows\SysWOW64\Nepgjaeg.exe
  C:\Windows\system32\Nepgjaeg.exe
  2⤵
  PID:8468
- - C:\Windows\SysWOW64\Nljofl32.exe
    C:\Windows\system32\Nljofl32.exe
    3⤵
    PID:8848

C:\Windows\SysWOW64\Ndaggimg.exe
C:\Windows\system32\Ndaggimg.exe
1⤵
PID:9160
- C:\Windows\SysWOW64\Ncdgcf32.exe
  C:\Windows\system32\Ncdgcf32.exe
  2⤵
  PID:8696
- - C:\Windows\SysWOW64\Nebdoa32.exe
    C:\Windows\system32\Nebdoa32.exe
    3⤵
    PID:8856

C:\Windows\SysWOW64\Nnjlpo32.exe
C:\Windows\system32\Nnjlpo32.exe
1⤵
PID:8320
- C:\Windows\SysWOW64\Nphhmj32.exe
  C:\Windows\system32\Nphhmj32.exe
  2⤵
  PID:9252

C:\Windows\SysWOW64\Ndcdmikd.exe
C:\Windows\system32\Ndcdmikd.exe
1⤵
PID:9288
- C:\Windows\SysWOW64\Ngbpidjh.exe
  C:\Windows\system32\Ngbpidjh.exe
  2⤵
  PID:9328

C:\Windows\SysWOW64\Nnlhfn32.exe
C:\Windows\system32\Nnlhfn32.exe
1⤵
PID:9372
- C:\Windows\SysWOW64\Nloiakho.exe
  C:\Windows\system32\Nloiakho.exe
  2⤵
  PID:9408
- - C:\Windows\SysWOW64\Ndfqbhia.exe
    C:\Windows\system32\Ndfqbhia.exe
    3⤵
    PID:9448

C:\Windows\SysWOW64\Ngdmod32.exe
C:\Windows\system32\Ngdmod32.exe
1⤵
PID:9488
- C:\Windows\SysWOW64\Njciko32.exe
  C:\Windows\system32\Njciko32.exe
  2⤵
  PID:9524
- - C:\Windows\SysWOW64\Nlaegk32.exe
    C:\Windows\system32\Nlaegk32.exe
    3⤵
    PID:9564

C:\Windows\SysWOW64\Ndhmhh32.exe
C:\Windows\system32\Ndhmhh32.exe
1⤵
PID:9600
- C:\Windows\SysWOW64\Nggjdc32.exe
  C:\Windows\system32\Nggjdc32.exe
  2⤵
  PID:9636
- - C:\Windows\SysWOW64\Njefqo32.exe
    C:\Windows\system32\Njefqo32.exe
    3⤵
    PID:9676

C:\Windows\SysWOW64\Olcbmj32.exe
C:\Windows\system32\Olcbmj32.exe
1⤵
PID:9716
- C:\Windows\SysWOW64\Odkjng32.exe
  C:\Windows\system32\Odkjng32.exe
  2⤵
  PID:9756
- - C:\Windows\SysWOW64\Ogifjcdp.exe
    C:\Windows\system32\Ogifjcdp.exe
    3⤵
    PID:9796

C:\Windows\SysWOW64\Ojgbfocc.exe
C:\Windows\system32\Ojgbfocc.exe
1⤵
PID:9836
- C:\Windows\SysWOW64\Olfobjbg.exe
  C:\Windows\system32\Olfobjbg.exe
  2⤵
  PID:9880
- - C:\Windows\SysWOW64\Odmgcgbi.exe
    C:\Windows\system32\Odmgcgbi.exe
    3⤵
    PID:9916

C:\Windows\SysWOW64\Ogkcpbam.exe
C:\Windows\system32\Ogkcpbam.exe
1⤵
PID:9952
- C:\Windows\SysWOW64\Ojjolnaq.exe
  C:\Windows\system32\Ojjolnaq.exe
  2⤵
  PID:9992

C:\Windows\SysWOW64\Olhlhjpd.exe
C:\Windows\system32\Olhlhjpd.exe
1⤵
PID:10024
- C:\Windows\SysWOW64\Ocbddc32.exe
  C:\Windows\system32\Ocbddc32.exe
  2⤵
  PID:10064
- - C:\Windows\SysWOW64\Onhhamgg.exe
    C:\Windows\system32\Onhhamgg.exe
    3⤵
    PID:10112

C:\Windows\SysWOW64\Ogpmjb32.exe
C:\Windows\system32\Ogpmjb32.exe
1⤵
PID:10196
- C:\Windows\SysWOW64\Ojoign32.exe
  C:\Windows\system32\Ojoign32.exe
  2⤵
  PID:9236
- - C:\Windows\SysWOW64\Oqhacgdh.exe
    C:\Windows\system32\Oqhacgdh.exe
    3⤵
    PID:9308
  - - C:\Windows\SysWOW64\Ocgmpccl.exe
      C:\Windows\system32\Ocgmpccl.exe
      4⤵
      PID:9356
    - - C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        5⤵
        
        PID:9436

C:\Windows\SysWOW64\Pmoahijl.exe
C:\Windows\system32\Pmoahijl.exe
1⤵
PID:9520
- C:\Windows\SysWOW64\Pdfjifjo.exe
  C:\Windows\system32\Pdfjifjo.exe
  2⤵
  PID:9572
- - C:\Windows\SysWOW64\Pgefeajb.exe
    C:\Windows\system32\Pgefeajb.exe
    3⤵
    PID:9632

C:\Windows\SysWOW64\Pjcbbmif.exe
C:\Windows\system32\Pjcbbmif.exe
1⤵
PID:9704
- C:\Windows\SysWOW64\Pmannhhj.exe
  C:\Windows\system32\Pmannhhj.exe
  2⤵
  PID:9744

C:\Windows\SysWOW64\Pfjcgn32.exe
C:\Windows\system32\Pfjcgn32.exe
1⤵
PID:9972
- C:\Windows\SysWOW64\Pnakhkol.exe
  C:\Windows\system32\Pnakhkol.exe
  2⤵
  PID:10056
- - C:\Windows\SysWOW64\Pqpgdfnp.exe
    C:\Windows\system32\Pqpgdfnp.exe
    3⤵
    PID:10140

C:\Windows\SysWOW64\Pcncpbmd.exe
C:\Windows\system32\Pcncpbmd.exe
1⤵
PID:8992
- C:\Windows\SysWOW64\Pgioqq32.exe
  C:\Windows\system32\Pgioqq32.exe
  2⤵
  PID:9316

C:\Windows\SysWOW64\Pjhlml32.exe
C:\Windows\system32\Pjhlml32.exe
1⤵
PID:9416
- C:\Windows\SysWOW64\Pncgmkmj.exe
  C:\Windows\system32\Pncgmkmj.exe
  2⤵
  PID:9532

C:\Windows\SysWOW64\Pqbdjfln.exe
C:\Windows\system32\Pqbdjfln.exe
1⤵
PID:9624
- C:\Windows\SysWOW64\Pcppfaka.exe
  C:\Windows\system32\Pcppfaka.exe
  2⤵
  PID:9764

C:\Windows\SysWOW64\Pgllfp32.exe
C:\Windows\system32\Pgllfp32.exe
1⤵
PID:9960
- C:\Windows\SysWOW64\Pnfdcjkg.exe
  C:\Windows\system32\Pnfdcjkg.exe
  2⤵
  PID:10048
- - C:\Windows\SysWOW64\Pqdqof32.exe
    C:\Windows\system32\Pqdqof32.exe
    3⤵
    PID:10204

C:\Windows\SysWOW64\Pdpmpdbd.exe
C:\Windows\system32\Pdpmpdbd.exe
1⤵
PID:9428
- C:\Windows\SysWOW64\Pgnilpah.exe
  C:\Windows\system32\Pgnilpah.exe
  2⤵
  PID:9656

C:\Windows\SysWOW64\Pjmehkqk.exe
C:\Windows\system32\Pjmehkqk.exe
1⤵
PID:9868
- C:\Windows\SysWOW64\Qmkadgpo.exe
  C:\Windows\system32\Qmkadgpo.exe
  2⤵
  PID:10020
- - C:\Windows\SysWOW64\Qdbiedpa.exe
    C:\Windows\system32\Qdbiedpa.exe
    3⤵
    PID:9336

C:\Windows\SysWOW64\Qceiaa32.exe
C:\Windows\system32\Qceiaa32.exe
1⤵
PID:9584
- C:\Windows\SysWOW64\Qfcfml32.exe
  C:\Windows\system32\Qfcfml32.exe
  2⤵
  PID:10008

C:\Windows\SysWOW64\Qnjnnj32.exe
C:\Windows\system32\Qnjnnj32.exe
1⤵
PID:9348
- C:\Windows\SysWOW64\Qqijje32.exe
  C:\Windows\system32\Qqijje32.exe
  2⤵
  PID:9784

C:\Windows\SysWOW64\Qcgffqei.exe
C:\Windows\system32\Qcgffqei.exe
1⤵
PID:9788
- C:\Windows\SysWOW64\Qffbbldm.exe
  C:\Windows\system32\Qffbbldm.exe
  2⤵
  PID:9368

C:\Windows\SysWOW64\Ajanck32.exe
C:\Windows\system32\Ajanck32.exe
1⤵
PID:10252
- C:\Windows\SysWOW64\Ampkof32.exe
  C:\Windows\system32\Ampkof32.exe
  2⤵
  PID:10288
- - C:\Windows\SysWOW64\Adgbpc32.exe
    C:\Windows\system32\Adgbpc32.exe
    3⤵
    PID:10336

C:\Windows\SysWOW64\Ageolo32.exe
C:\Windows\system32\Ageolo32.exe
1⤵
PID:10376
- C:\Windows\SysWOW64\Anogiicl.exe
  C:\Windows\system32\Anogiicl.exe
  2⤵
  PID:10420
- - C:\Windows\SysWOW64\Aqncedbp.exe
    C:\Windows\system32\Aqncedbp.exe
    3⤵
    PID:10460

C:\Windows\SysWOW64\Aclpap32.exe
C:\Windows\system32\Aclpap32.exe
1⤵
PID:10500
- C:\Windows\SysWOW64\Afjlnk32.exe
  C:\Windows\system32\Afjlnk32.exe
  2⤵
  PID:10544
- - C:\Windows\SysWOW64\Anadoi32.exe
    C:\Windows\system32\Anadoi32.exe
    3⤵
    PID:10588

C:\Windows\SysWOW64\Aqppkd32.exe
C:\Windows\system32\Aqppkd32.exe
1⤵
PID:10632
- C:\Windows\SysWOW64\Agjhgngj.exe
  C:\Windows\system32\Agjhgngj.exe
  2⤵
  PID:10692
- - C:\Windows\SysWOW64\Afoeiklb.exe
    C:\Windows\system32\Afoeiklb.exe
    3⤵
    PID:10728

C:\Windows\SysWOW64\Ajkaii32.exe
C:\Windows\system32\Ajkaii32.exe
1⤵
PID:10808
- C:\Windows\SysWOW64\Aadifclh.exe
  C:\Windows\system32\Aadifclh.exe
  2⤵
  PID:10872

C:\Windows\SysWOW64\Accfbokl.exe
C:\Windows\system32\Accfbokl.exe
1⤵
PID:10912
- C:\Windows\SysWOW64\Bfabnjjp.exe
  C:\Windows\system32\Bfabnjjp.exe
  2⤵
  PID:10956
- - C:\Windows\SysWOW64\Bmkjkd32.exe
    C:\Windows\system32\Bmkjkd32.exe
    3⤵
    PID:11004

C:\Windows\SysWOW64\Bebblb32.exe
C:\Windows\system32\Bebblb32.exe
1⤵
PID:11056
- C:\Windows\SysWOW64\Bfdodjhm.exe
  C:\Windows\system32\Bfdodjhm.exe
  2⤵
  PID:11100
- - C:\Windows\SysWOW64\Bmngqdpj.exe
    C:\Windows\system32\Bmngqdpj.exe
    3⤵
    PID:11140

C:\Windows\SysWOW64\Beeoaapl.exe
C:\Windows\system32\Beeoaapl.exe
1⤵
PID:11188
- C:\Windows\SysWOW64\Bgcknmop.exe
  C:\Windows\system32\Bgcknmop.exe
  2⤵
  PID:11244

C:\Windows\SysWOW64\Bjagjhnc.exe
C:\Windows\system32\Bjagjhnc.exe
1⤵
PID:10264
- C:\Windows\SysWOW64\Balpgb32.exe
  C:\Windows\system32\Balpgb32.exe
  2⤵
  PID:10388

C:\Windows\SysWOW64\Beglgani.exe
C:\Windows\system32\Beglgani.exe
1⤵
PID:10468
- C:\Windows\SysWOW64\Bgehcmmm.exe
  C:\Windows\system32\Bgehcmmm.exe
  2⤵
  PID:10552
- - C:\Windows\SysWOW64\Bjddphlq.exe
    C:\Windows\system32\Bjddphlq.exe
    3⤵
    PID:10596

C:\Windows\SysWOW64\Bnpppgdj.exe
C:\Windows\system32\Bnpppgdj.exe
1⤵
PID:10656
- C:\Windows\SysWOW64\Banllbdn.exe
  C:\Windows\system32\Banllbdn.exe
  2⤵
  PID:10816

C:\Windows\SysWOW64\Bhhdil32.exe
C:\Windows\system32\Bhhdil32.exe
1⤵
PID:10896
- C:\Windows\SysWOW64\Bjfaeh32.exe
  C:\Windows\system32\Bjfaeh32.exe
  2⤵
  PID:10952
- - C:\Windows\SysWOW64\Bmemac32.exe
    C:\Windows\system32\Bmemac32.exe
    3⤵
    PID:10992

C:\Windows\SysWOW64\Bcoenmao.exe
C:\Windows\system32\Bcoenmao.exe
1⤵
PID:11160
- C:\Windows\SysWOW64\Cfmajipb.exe
  C:\Windows\system32\Cfmajipb.exe
  2⤵
  PID:11252

C:\Windows\SysWOW64\Cjinkg32.exe
C:\Windows\system32\Cjinkg32.exe
1⤵
PID:10260
- C:\Windows\SysWOW64\Cndikf32.exe
  C:\Windows\system32\Cndikf32.exe
  2⤵
  PID:10428

C:\Windows\SysWOW64\Cenahpha.exe
C:\Windows\system32\Cenahpha.exe
1⤵
PID:528
- C:\Windows\SysWOW64\Cdabcm32.exe
  C:\Windows\system32\Cdabcm32.exe
  2⤵
  PID:10768

C:\Windows\SysWOW64\Cjkjpgfi.exe
C:\Windows\system32\Cjkjpgfi.exe
1⤵
PID:11080
- C:\Windows\SysWOW64\Cnffqf32.exe
  C:\Windows\system32\Cnffqf32.exe
  2⤵
  PID:11216

C:\Windows\SysWOW64\Caebma32.exe
C:\Windows\system32\Caebma32.exe
1⤵
PID:10384
- C:\Windows\SysWOW64\Cdcoim32.exe
  C:\Windows\system32\Cdcoim32.exe
  2⤵
  PID:10564

C:\Windows\SysWOW64\Cjmgfgdf.exe
C:\Windows\system32\Cjmgfgdf.exe
1⤵
PID:10516
- C:\Windows\SysWOW64\Cjmgfgdf.exe
  C:\Windows\system32\Cjmgfgdf.exe
  2⤵
  PID:11040
- - C:\Windows\SysWOW64\Cmlcbbcj.exe
    C:\Windows\system32\Cmlcbbcj.exe
    3⤵
    PID:10356

C:\Windows\SysWOW64\Cagobalc.exe
C:\Windows\system32\Cagobalc.exe
1⤵
PID:7540
- C:\Windows\SysWOW64\Cdfkolkf.exe
  C:\Windows\system32\Cdfkolkf.exe
  2⤵
  PID:11204

C:\Windows\SysWOW64\Cfdhkhjj.exe
C:\Windows\system32\Cfdhkhjj.exe
1⤵
PID:10724
- C:\Windows\SysWOW64\Cnkplejl.exe
  C:\Windows\system32\Cnkplejl.exe
  2⤵
  PID:10792

C:\Windows\SysWOW64\Cajlhqjp.exe
C:\Windows\system32\Cajlhqjp.exe
1⤵
PID:11304
- C:\Windows\SysWOW64\Ceehho32.exe
  C:\Windows\system32\Ceehho32.exe
  2⤵
  PID:11344

C:\Windows\SysWOW64\Chcddk32.exe
C:\Windows\system32\Chcddk32.exe
1⤵
PID:11384
- C:\Windows\SysWOW64\Cffdpghg.exe
  C:\Windows\system32\Cffdpghg.exe
  2⤵
  PID:11424

C:\Windows\SysWOW64\Cnnlaehj.exe
C:\Windows\system32\Cnnlaehj.exe
1⤵
PID:11460
- C:\Windows\SysWOW64\Cmqmma32.exe
  C:\Windows\system32\Cmqmma32.exe
  2⤵
  PID:11496

C:\Windows\SysWOW64\Calhnpgn.exe
C:\Windows\system32\Calhnpgn.exe
1⤵
PID:11528
- C:\Windows\SysWOW64\Ddjejl32.exe
  C:\Windows\system32\Ddjejl32.exe
  2⤵
  PID:11568

C:\Windows\SysWOW64\Djdmffnn.exe
C:\Windows\system32\Djdmffnn.exe
1⤵
PID:11660
- C:\Windows\SysWOW64\Dmcibama.exe
  C:\Windows\system32\Dmcibama.exe
  2⤵
  PID:11696
- - C:\Windows\SysWOW64\Dejacond.exe
    C:\Windows\system32\Dejacond.exe
    3⤵
    PID:11732

C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\system32\Dhhnpjmh.exe
1⤵
PID:11768
- C:\Windows\SysWOW64\Dfknkg32.exe
  C:\Windows\system32\Dfknkg32.exe
  2⤵
  PID:11808

C:\Windows\SysWOW64\Dobfld32.exe
C:\Windows\system32\Dobfld32.exe
1⤵
PID:11844
- C:\Windows\SysWOW64\Daqbip32.exe
  C:\Windows\system32\Daqbip32.exe
  2⤵
  PID:11884

C:\Windows\SysWOW64\Delnin32.exe
C:\Windows\system32\Delnin32.exe
1⤵
PID:11920
- C:\Windows\SysWOW64\Dhkjej32.exe
  C:\Windows\system32\Dhkjej32.exe
  2⤵
  PID:11960
- - C:\Windows\SysWOW64\Dkifae32.exe
    C:\Windows\system32\Dkifae32.exe
    3⤵
    PID:11996

C:\Windows\SysWOW64\Dmgbnq32.exe
C:\Windows\system32\Dmgbnq32.exe
1⤵
PID:12032
- C:\Windows\SysWOW64\Ddakjkqi.exe
  C:\Windows\system32\Ddakjkqi.exe
  2⤵
  PID:12076
- - C:\Windows\SysWOW64\Dfpgffpm.exe
    C:\Windows\system32\Dfpgffpm.exe
    3⤵
    PID:12112

C:\Windows\SysWOW64\Dogogcpo.exe
C:\Windows\system32\Dogogcpo.exe
1⤵
PID:12148
- C:\Windows\SysWOW64\Daekdooc.exe
  C:\Windows\system32\Daekdooc.exe
  2⤵
  PID:12192
- - C:\Windows\SysWOW64\Dddhpjof.exe
    C:\Windows\system32\Dddhpjof.exe
    3⤵
    PID:12232

C:\Windows\SysWOW64\Dknpmdfc.exe
C:\Windows\system32\Dknpmdfc.exe
1⤵
PID:11300
- C:\Windows\SysWOW64\Dmllipeg.exe
  C:\Windows\system32\Dmllipeg.exe
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 396
    3⤵
    - Program crash
    PID:11432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3756 -ip 3756
1⤵
PID:11392

C:\Windows\SysWOW64\Dgbdlf32.exe
C:\Windows\system32\Dgbdlf32.exe
1⤵
PID:12272

C:\Windows\SysWOW64\Dhfajjoj.exe
C:\Windows\system32\Dhfajjoj.exe
1⤵
PID:11612

C:\Windows\SysWOW64\Cfpnph32.exe
C:\Windows\system32\Cfpnph32.exe
1⤵
PID:10988

C:\Windows\SysWOW64\Cabfga32.exe
C:\Windows\system32\Cabfga32.exe
1⤵
PID:10528

C:\Windows\SysWOW64\Belebq32.exe
C:\Windows\system32\Belebq32.exe
1⤵
PID:11084

C:\Windows\SysWOW64\Pclgkb32.exe
C:\Windows\system32\Pclgkb32.exe
1⤵
PID:9904

C:\Windows\SysWOW64\Pqmjog32.exe
C:\Windows\system32\Pqmjog32.exe
1⤵
PID:9824

C:\Windows\SysWOW64\Oqfdnhfk.exe
C:\Windows\system32\Oqfdnhfk.exe
1⤵
PID:10148

C:\Windows\SysWOW64\Lljfpnjg.exe
C:\Windows\system32\Lljfpnjg.exe
1⤵
PID:9204

C:\Windows\SysWOW64\Ldoaklml.exe
C:\Windows\system32\Ldoaklml.exe
1⤵
PID:9056

C:\Windows\SysWOW64\Lfkaag32.exe
C:\Windows\system32\Lfkaag32.exe
1⤵
PID:8864

C:\Windows\SysWOW64\Ligqhc32.exe
C:\Windows\system32\Ligqhc32.exe
1⤵
PID:8712

C:\Windows\SysWOW64\Lmppcbjd.exe
C:\Windows\system32\Lmppcbjd.exe
1⤵
PID:8512

C:\Windows\SysWOW64\Klngdpdd.exe
C:\Windows\system32\Klngdpdd.exe
1⤵
PID:7636

C:\Windows\SysWOW64\Kbceejpf.exe
C:\Windows\system32\Kbceejpf.exe
1⤵
PID:8176

C:\Windows\SysWOW64\Kdnidn32.exe
C:\Windows\system32\Kdnidn32.exe
1⤵
PID:7296

C:\Windows\SysWOW64\Jmpgldhg.exe
C:\Windows\system32\Jmpgldhg.exe
1⤵
PID:7460

C:\Windows\SysWOW64\Jehokgge.exe
C:\Windows\system32\Jehokgge.exe
1⤵
PID:7424

C:\Windows\SysWOW64\Jplfcpin.exe
C:\Windows\system32\Jplfcpin.exe
1⤵
PID:7216

C:\Windows\SysWOW64\Ibqpimpl.exe
C:\Windows\system32\Ibqpimpl.exe
1⤵
PID:7512

C:\Windows\SysWOW64\Iifokh32.exe
C:\Windows\system32\Iifokh32.exe
1⤵
PID:7192

C:\Windows\SysWOW64\Iiaephpc.exe
C:\Windows\system32\Iiaephpc.exe
1⤵
PID:6772

C:\Windows\SysWOW64\Iefioj32.exe
C:\Windows\system32\Iefioj32.exe
1⤵
PID:6632

C:\Windows\SysWOW64\Hbgmcnhf.exe
C:\Windows\system32\Hbgmcnhf.exe
1⤵
PID:6472

C:\Windows\SysWOW64\Hodgkc32.exe
C:\Windows\system32\Hodgkc32.exe
1⤵
PID:7100

C:\Windows\SysWOW64\Hmcojh32.exe
C:\Windows\system32\Hmcojh32.exe
1⤵
PID:6620

C:\Windows\SysWOW64\Hihbijhn.exe
C:\Windows\system32\Hihbijhn.exe
1⤵
PID:6528

C:\Windows\SysWOW64\Hmabdibj.exe
C:\Windows\system32\Hmabdibj.exe
1⤵
PID:6260

C:\Windows\SysWOW64\Gohhpe32.exe
C:\Windows\system32\Gohhpe32.exe
1⤵
PID:6692

C:\Windows\SysWOW64\Edpnfo32.exe
C:\Windows\system32\Edpnfo32.exe
1⤵
PID:5132

C:\Windows\SysWOW64\Dhkapp32.exe
C:\Windows\system32\Dhkapp32.exe
1⤵
PID:5516

C:\Windows\SysWOW64\Daaicfgd.exe
C:\Windows\system32\Daaicfgd.exe
1⤵
PID:5472

C:\Windows\SysWOW64\Docmgjhp.exe
C:\Windows\system32\Docmgjhp.exe
1⤵
PID:5432

C:\Windows\SysWOW64\Cehkhecb.exe
C:\Windows\system32\Cehkhecb.exe
1⤵
PID:5136

C:\Windows\SysWOW64\Cbjoljdo.exe
C:\Windows\system32\Cbjoljdo.exe
1⤵
PID:1112

C:\Windows\SysWOW64\Ckcgkldl.exe
C:\Windows\system32\Ckcgkldl.exe
1⤵
PID:348

C:\Windows\SysWOW64\Cdiooblp.exe
C:\Windows\system32\Cdiooblp.exe
1⤵
PID:4656

C:\Windows\SysWOW64\Cefoce32.exe
C:\Windows\system32\Cefoce32.exe
1⤵
PID:1736

C:\Windows\SysWOW64\Chbnia32.exe
C:\Windows\system32\Chbnia32.exe
1⤵
PID:2920

C:\Windows\SysWOW64\Cahfmgoo.exe
C:\Windows\system32\Cahfmgoo.exe
1⤵
PID:312

C:\Windows\SysWOW64\Cojjqlpk.exe
C:\Windows\system32\Cojjqlpk.exe
1⤵
PID:3444

C:\Windows\SysWOW64\Cknnpm32.exe
C:\Windows\system32\Cknnpm32.exe
1⤵
PID:640

C:\Windows\SysWOW64\Chpada32.exe
C:\Windows\system32\Chpada32.exe
1⤵
PID:3844

C:\Windows\SysWOW64\Ceaehfjj.exe
C:\Windows\system32\Ceaehfjj.exe
1⤵
PID:3360

C:\Windows\SysWOW64\Chmeobkq.exe
C:\Windows\system32\Chmeobkq.exe
1⤵
PID:2128

C:\Windows\SysWOW64\Bdolhc32.exe
C:\Windows\system32\Bdolhc32.exe
1⤵
PID:3364

C:\Windows\SysWOW64\Bjghpn32.exe
C:\Windows\system32\Bjghpn32.exe
1⤵
PID:2884

C:\Windows\SysWOW64\Bdmpcdfm.exe
C:\Windows\system32\Bdmpcdfm.exe
1⤵
PID:3404

C:\Windows\SysWOW64\Bopgjmhe.exe
C:\Windows\system32\Bopgjmhe.exe
1⤵
PID:2024

C:\Windows\SysWOW64\Bhfonc32.exe
C:\Windows\system32\Bhfonc32.exe
1⤵
PID:4344

C:\Windows\SysWOW64\Behbag32.exe
C:\Windows\system32\Behbag32.exe
1⤵
PID:4760

C:\Windows\SysWOW64\Bjbndobo.exe
C:\Windows\system32\Bjbndobo.exe
1⤵
PID:3264

C:\Windows\SysWOW64\Bnlnon32.exe
C:\Windows\system32\Bnlnon32.exe
1⤵
PID:4944

C:\Windows\SysWOW64\Bdfibe32.exe
C:\Windows\system32\Bdfibe32.exe
1⤵
PID:3396

C:\Windows\SysWOW64\Ahkobekf.exe
C:\Windows\system32\Ahkobekf.exe
1⤵
PID:1836

C:\Windows\SysWOW64\Aejfpjne.exe
C:\Windows\system32\Aejfpjne.exe
1⤵
PID:4264

C:\Windows\SysWOW64\Aegikj32.exe
C:\Windows\system32\Aegikj32.exe
1⤵
PID:3196

C:\Windows\SysWOW64\Qalnjkgo.exe
C:\Windows\system32\Qalnjkgo.exe
1⤵
PID:5036

C:\Windows\SysWOW64\Qeemej32.exe
C:\Windows\system32\Qeemej32.exe
1⤵
PID:1544

C:\Windows\SysWOW64\Qnkdhpjn.exe
C:\Windows\system32\Qnkdhpjn.exe
1⤵
PID:4808

C:\Windows\SysWOW64\Qkmhlekj.exe
C:\Windows\system32\Qkmhlekj.exe
1⤵
PID:4144

C:\Windows\SysWOW64\Qcepkg32.exe
C:\Windows\system32\Qcepkg32.exe
1⤵
PID:3296

C:\Windows\SysWOW64\Pagdol32.exe
C:\Windows\system32\Pagdol32.exe
1⤵
PID:3460

C:\Windows\SysWOW64\Pnihcq32.exe
C:\Windows\system32\Pnihcq32.exe
1⤵
PID:4092

C:\Windows\SysWOW64\Pjmlbbdg.exe
C:\Windows\system32\Pjmlbbdg.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\SysWOW64\Pgopffec.exe
C:\Windows\system32\Pgopffec.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\Peqcjkfp.exe
C:\Windows\system32\Peqcjkfp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\Paegjl32.exe
C:\Windows\system32\Paegjl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\Pnfkma32.exe
C:\Windows\system32\Pnfkma32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abngjnmo.exe

Filesize
242KB

MD5
17b544518c08102253e38783ae4ce5f3

SHA1
74065af744fd4f63739fffc88ead44347776636e

SHA256
c32e0d169f98e244c2a08fdca0133a6f2d63ba808d8c30fc9202b837264f52a1

SHA512
aa97d7a2a8c976821bbb298da975cea5b010f6b93c1e7b4affe37f55fb14d0f81a1ea9872cc1ccd85913ef503bb917e1846751218a2640cb80063bb43ce02679

Download Submit
C:\Windows\SysWOW64\Aegikj32.exe

Filesize
242KB

MD5
3b722133256a5d831e9d9e4a6d5a1ced

SHA1
fa3cca99a836f780adb3bdbf6269ed3fb0d5869e

SHA256
ac43b46146dc38442203a814c6c9665c100465f55e1b9572231718a1cd1bc6bf

SHA512
22a273e90debcf9ed66f59490e22e1f69f707f2e6f31627f624d6dfea19198f2cb86aabef4bbbcb81a967ec0a6213885182449fca39dc0ebbc75aa75a7622318

Download Submit
C:\Windows\SysWOW64\Aejfpjne.exe

Filesize
94KB

MD5
aaf44e9fa3039bc88132cd86ad63d3e5

SHA1
c7d6debb7e7bc906172401d3769a423678a9e91c

SHA256
b292d11aa93204409a1645effa0a96e3de0f0697ff667e452c5f91609eecbf2b

SHA512
5edf9ec044eb0d025deba410360898256e6efe1d74d6c5e9bf7a8890c2449db96d66e107a4b5d61f99e0d7024920913a2933b44396934abe5f5abdcb60de716b

Download Submit
C:\Windows\SysWOW64\Aejfpjne.exe

Filesize
242KB

MD5
8684c66112fcb7a8a77e32972a58b17e

SHA1
b0b38f9f830aa30429565194fcb20fe3a135f9d8

SHA256
d9a0cb2649c87b1aad33b160022cc3e690b95c7dc809d9d3ec3d70d31a61935d

SHA512
ee48c807ccfd52deb64ba911e2950715bb5f5254c12b67af940915853db914bfd4409ceb0cb0b586f46f530ff722c62766bc78e76ce1553b413ee1071e18f5d9

Download Submit
C:\Windows\SysWOW64\Aelcfilb.exe

Filesize
242KB

MD5
ff8304b012bbcfc6380f60b8aa435dbf

SHA1
64249f9574175cbdd7a745860b0100bb64a8d6f0

SHA256
28d2b0955f0d43812d5acbdca2565f966c22827ef0e03f7e4fb345a2c3741e5f

SHA512
593176424f78186bdf16b3af135faf4cd081105256e66ccc4dddd0f422e3b7d79ee50c0f525a9b3256d30481d7c39c64fed729c2b9af700d9a7102a8dd0907bb

Download Submit
C:\Windows\SysWOW64\Aldomc32.exe

Filesize
242KB

MD5
1cb72b6a859fd2ec915c6dcb50eb297f

SHA1
316797a28710e1a179051f5b55deb03611159e42

SHA256
e46d01295ae0335e910f146ec60e26517f0a72f9a0d7f0e1175fd4e20469260c

SHA512
f1b16e1fa8fa771a66c0f95f7a64b8bbd483325997e51265b3b8ba740159219b3ce3354ef4f3225ec847efdbf366c52aa325bcb1c3c38f55c316b01c6d881981

Download Submit
C:\Windows\SysWOW64\Andgoobc.exe

Filesize
242KB

MD5
c2dfc79e5164532f3124a3a9997b03bc

SHA1
e033ccf5b605bdd985b2e7f9ed4cf3fe2c7c88d2

SHA256
d21068a885c0aabfd6455ea06a648dc6ad2bf8c92e98bd66ca5c88db410706e8

SHA512
b7a1d7805ab86981eea45f08e08c24ebb74e2bdd8b64ac1fe31f63f1fcf807161f6792dfcb8c3868d565c5342f743f6a0c17ee9e4612d27ca9723c79d111bf52

Download Submit
C:\Windows\SysWOW64\Andgoobc.exe

Filesize
242KB

MD5
58465aab89dcdcaed97088f4495c6dd0

SHA1
a4e7e044c1d97112a60756bc5e224003daea3496

SHA256
582c4418561b44d91fe0ff3712145426c577ef652d2bc7a1ad0ba3455cb1ab6a

SHA512
3ff963119a06e24dac6a9f1adf2e224b1f1a734888f8190b75c8141686d29e1f3b56262bf371972052d57d33953b1ccb99fc0df2ecc87f20a7c5a575295579e6

Download Submit
C:\Windows\SysWOW64\Bahmfj32.exe

Filesize
242KB

MD5
2058f7186e2a240acf0f8c7603ff4ce0

SHA1
66818b3fe65dc0f8129e6535ad17e579c2649bac

SHA256
f62614708256b1e4d30c538ef29e265021a2ea3112070897e304fcdc719ff2bf

SHA512
231221c1254ceb6a3006d2fe64d0c9fb83be3c8aeace10829e5f5a87183e8a9a97ff6baa094edae69a78327d35f9a1732a925fef39d9c9b33af36653be8c5441

Download Submit
C:\Windows\SysWOW64\Bajjli32.exe

Filesize
242KB

MD5
4564b3eb42cf1d4cb52ba873fb21be83

SHA1
9e56e0ca0269807fccdfce0087255e3f6521851d

SHA256
fe95996ee3d4aa5b7b06126e9b335032c73e84a8355d0178c35101d5ba3995d0

SHA512
000797bb6e5a8e415acab2933558fee574c59b0e8c4020f61e2c021a3a4ea8b60a98a1b7c155091a10164de97578f908a5234b76ad015716f6cabdb78d73118d

Download Submit
C:\Windows\SysWOW64\Bdfibe32.exe

Filesize
242KB

MD5
a64a3b0a6b094d0240b316b1098bd558

SHA1
a36994342b0cc8c2cc7c2178d9a8b12f1fdb17c1

SHA256
6e2e5ccd0c85ff9d587611edc806d17ab04fc6bce194d453c527aa2c51f07693

SHA512
58b4c328d1e503bec01fd56f5591d7f1a462b23c2781ea12758d96b39d7bca21bb534557131906e63024586f986bb10b149b375bff7dca7a2d974cf616a6fa95

Download Submit
C:\Windows\SysWOW64\Bdmpcdfm.exe

Filesize
242KB

MD5
f4209b498eb628eb42ff24939223034c

SHA1
f5cd2600ebbef8ff2695f9c1b58f106571a5568c

SHA256
1e7cb10cb5760268caa35d5876c7303e8321e7d5eb8e0e7b25bf13707f5637e3

SHA512
41cbbfc86ab3f7c9e61fdba7a0b6ef3762004fc7ad6f3e35d196f3a88ff1332921fa0adad23f2d75f48c813dfa32ccbb68ab41dbdd94cb11a4971efad14f6941

Download Submit
C:\Windows\SysWOW64\Behbag32.exe

Filesize
242KB

MD5
f5b0954664f95fce34e00ea53bcc96c9

SHA1
5bc5be5d2ec9769874f6802c9f432e78cab791eb

SHA256
5da00eeb78be25ded63cfba81b150aec07a31ef1148be12388730eb981ee521e

SHA512
e26ea0d04317af698ae4409adbc56636e1202827577a25ab1348416f1178daf9028985e38c26c124ca9a5d11cf1f51162e3773a5398cab3d1b895aa6c629a6f0

Download Submit
C:\Windows\SysWOW64\Bhdbhcck.exe

Filesize
242KB

MD5
8d50efac170a04de4b33d17d5a2254be

SHA1
368875e054293a63772fdd8ce4b48eafcadc702b

SHA256
66592bdb4463a0050b03bd1860845d617fba0282be533cfe073eaf73e3de743f

SHA512
295ec76e56776d1b5620916bb87c136e1a1ef1878e13917f56764e1cf49cd0d0d56dfd8b8108b70a89dd4d9572a74d3d1a5b089dcd5c7e00d55cd47ab618f88f

Download Submit
C:\Windows\SysWOW64\Bhfonc32.exe

Filesize
242KB

MD5
e206378c91d8b8cb38a3818251e0d620

SHA1
30ef57345b9fa8fabf1d11d276344d275e94f23b

SHA256
89cf3b207bfb0bbff5e410597d40d56de1bfd8d62c59a5777994f1ca1e292b43

SHA512
c51a2762859976bb9e5be95d1e271f458dc605e11cc409201ae0944f37acba0ec6b4b85c4d0809455f3f60aaee635bf9b9518b69c2f44b489c0dcbefde06d1b9

Download Submit
C:\Windows\SysWOW64\Bjbndobo.exe

Filesize
242KB

MD5
82748a236409dedaa2f7d242d2e3d975

SHA1
53952e3f831fe27f408b0e78d071b3c63827a007

SHA256
1af75105ec40187e0f455d6fe024dc53003cc998e452582b0e3113f1d67bb03c

SHA512
7b1c6b16848aeb014bc8fae917cd17bdd012cab422244ee708c7d1e38422e1ca5c2524e4088ce1307b49199b77de5fa4e3aa30cae50a5b4eed930e06ed0eef4e

Download Submit
C:\Windows\SysWOW64\Bnlnon32.exe

Filesize
242KB

MD5
43b487e8eea065f1dddb402c29d6c8b8

SHA1
f74d4903b06e6d98d89f3d3816c258e7b58435c8

SHA256
80121f9bf3fb04af08838d80f7e2440e223350038261cd885e58f19e53c4cc5a

SHA512
ddc10bce0b1b2b96f8caa1f1c3bef4ede3171cc4080e0c9e7bb36d1caf2e0208be849348088d22b16206617ea581c1ee789795f360b89a2ef3e8819433d09b21

Download Submit
C:\Windows\SysWOW64\Bopgjmhe.exe

Filesize
242KB

MD5
60f1faeb6c0c6b3fa2ea987988106da1

SHA1
55d7dc3ecf3ea1ef1dc76f40f4784b3138bea07a

SHA256
3477cdece9546208f1d91c5304277770f696cde7d768508447a56eae5ebb60d0

SHA512
b72ef8d2d8921f06ab074cc72c9cbab2f85a0240678ec7fdd98cf2a0e2eb47b9185f21b62dc7f3e6b54b39c54e6aaca8b317752294e908cd4f81c5d202e1f477

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
242KB

MD5
725fc8e474971f4be9552efa0703bfb5

SHA1
d14272b7fd04a1a74602fe47d9b6b4dce8abbe1d

SHA256
a6c4c692046ce76e89422092348e298796c9193256a0a3b240c6cf5c60233a45

SHA512
238228a016c2edb81aa000d5f51576c940724d1930157267c530d0cdcd3a2ffd451b57634e65600a6140a89fb0e4bb19fa4a71feae53097ed2d77f6306b6568e

Download Submit
C:\Windows\SysWOW64\Daaicfgd.exe

Filesize
242KB

MD5
18bb1074c1d23c725f172ab87009ea98

SHA1
6caa1798d488528c9492102554afb72402b0aaa1

SHA256
2196514baf6d5e70929e4522907bff1ad7d52d386e77b3e5e09f3a1d53c5679a

SHA512
f544c341c3b49a8a798b7fef53ee85ac8011b8043beb26ed9da4dee2ea0a10d0c191161a5561c9546419302468a2c9430e5b2a38f28b7e7949ba741c481edc10

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
242KB

MD5
1fc623be1a3279fac46dc0891770ef5c

SHA1
58a4f9241b7ab60ff8a7826f1ae5eb3a17ea34f9

SHA256
1df8120db0a30779918cdb9e6b75529ad97f264e2eacc1d3490c99e0897aa362

SHA512
04681c84960b6a5c5a5a4d6966b541aa56a725ea7592ae5bbf9e6bd95ae07bc128c088b3e17061703b4fd83115ec0337ce7e314faf819eb4fbe64b559f055ff8

Download Submit
C:\Windows\SysWOW64\Ddgkpp32.exe

Filesize
242KB

MD5
b9994f620b3ca8c98106fab5f144d87b

SHA1
61138b02bbfdf714d65c6542f65b414a94ec2f9d

SHA256
cacc1d8dc73ed655fe60b1abcb960002d5c164f8927a6dfb475d3d70555f13be

SHA512
587d5b77e98043ed24caf613f595d2082134eb2c6442f61588d3a4290fbec2e6fed90e575ab55475626660f897dd1ed56587ee5fea06564a81d02b70fe1103f2

Download Submit
C:\Windows\SysWOW64\Eamhodmf.exe

Filesize
242KB

MD5
28d707c3dab91c8dc53e40460b66f7fd

SHA1
abd22fce124b3fe7bdf4893dfe9e4cb86196265b

SHA256
3722d4af8827e87bcd9f1ec2e0dbdcbdf7a534163b2cb929ac32e6fa5d636ea0

SHA512
7db93c1e3eab62181391cab6144e740d8bc38041c4acad568887de42bb5df76eabaa1d5718d71a13f02013cb508afef6202742f876185463e046cfa0e1fd1feb

Download Submit
C:\Windows\SysWOW64\Fafkecel.exe

Filesize
242KB

MD5
d750d3cc96e8213d78d9bb23094ec45a

SHA1
cacc586eb11838c2a4eff08635ff42cd08ddf4c0

SHA256
acd3bd2f70df1f78cfcbc71424074de815979abca09fb4a6856d499e5020e26f

SHA512
160e82872c3979dc1e9f719fe55550d37e5fd141c277ec81892f6d88aa74a1b215c87e26856f2562ffdfe683a543e01988706026aa16838ef1238302dbb66a99

Download Submit
C:\Windows\SysWOW64\Gfgjgo32.exe

Filesize
242KB

MD5
5531f86421aa5df166f0e7aed377f780

SHA1
90e620a804955daa9ef03992d45d6acc654dbd19

SHA256
ff416b6cccd12ccb53bc1312c1f4d92c0d4ef64992ad64cea6685b06c6388d2d

SHA512
c0ad9c97e08d689b4709f792ff9253d42112083449e1c711a40f9b296b60f3ffe32929ec7bcbfd86ff06c25ea71252c8bd1033717c2634dac73b3a9d69c2edea

Download Submit
C:\Windows\SysWOW64\Gkoiefmj.exe

Filesize
242KB

MD5
8b9a9f628ef1ee34a06428fa6282ef1a

SHA1
4c5334e5646d6c3a8a3c775fff2435c4354d5b5c

SHA256
4109ae1a16f595ff55ad466a0fb07a4cafbfae3842099473eab19a799b3f3af9

SHA512
e4868f5baf291c92def95472e9bb00e393a4190721973c6afb2b300fc241230a7a3c851c82bba50c71d25d0c39556c5afcf912ffc73d3a92c3e05ed1c4bab965

Download Submit
C:\Windows\SysWOW64\Gmoeoidl.exe

Filesize
242KB

MD5
3b8c94147a77bd00c5ca5d132ec0db5a

SHA1
0a35859a80ddfd18f637196dea091964438fd723

SHA256
40e15fc969e276394826e5e2f341e2256342bc3c91666eca31e0a806314ff41e

SHA512
a6ffa1601a2b56c2a37589ba13dbd92fa23e9cb25a7450ce97c7e3c8a9cdcbf65f75a0b774fe590482afe921cfe11f1712d9a04c4d39f9950ce686a0a3a4480f

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
92KB

MD5
6b7dc602df9ffed2c1919563f5e1310f

SHA1
cf05de5a83da0ed1d1df68fa91cdb89e26f47e8c

SHA256
b92ddb189740b25eca513a8317ab6f1b0f5ab82c69e2c7a3662a076351d420b4

SHA512
18931dd255a702d34ebe618fc3090cfa024698207bbee6dfa3061984bb51ca156de0f05dec628604323a521bcf4a6fadba9266e4666bf289f0a20eb42eab22c2

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
92KB

MD5
111b84d9032e35479ed01b4cdab77021

SHA1
4691dc9b7f93667885bddca5ec5c1d31c2b3ae29

SHA256
51f034fc35e06b162d3b9f7bb83245d0598472ca8b57616ad367315034b16230

SHA512
205dc9893231aadf904110a0e3c2c05a2d941924a3b7c99a16aae8f7b127ae0c2109eef71b34c1be1a8226701cbbb86facef709f7020c2f64100e68740423817

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
242KB

MD5
b5a35c121b8b32e3aaf88edd737f41fa

SHA1
ff520c6552372b86153520ca01540b5831e5ab35

SHA256
10ba4a581aa46d87b088c77d869f04b8339527848196e43cf8429960bd11a05a

SHA512
5b56761c1357f1f667dbf333f97386e965201ea9ea4b71f121da478ccd9d53fff6ddf86197e6792576ddaf53dc8fdf719d1c690f65d648cbd34df125b23371d2

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
242KB

MD5
5e4d5b3ebb1b246597f9fb98f27c002a

SHA1
7f31438fd72acc868bbf8c73c46d47e592430a1a

SHA256
e4997bef24c87908fe47b8b85d8e17f55453232d999a44624207718fcd663e48

SHA512
7ee1403d20b26980a0c242e0002eac317d13af607b6b5c678e3fc0958d244df54417f742f2b0134356ff1e246084ff58756771a77fbe3ce30a6991e604a9865e

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
242KB

MD5
506f7d65be9227c525833f625f818668

SHA1
349e8aa634ec527c34b00992c4777c114922c979

SHA256
8dcd10492be2d66de49a7d05230dd8a005ca68145a3ed19a02a30261da151805

SHA512
e1dfde204e37719670d7acb74020062f6b104f95a492ad0cd31592e46271ad0335b4274df96417e9f7bd98451b7eeaf86609f0e55f922631122dba4107f7801d

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
242KB

MD5
ac0c9342af15fe8671985be4b74588f2

SHA1
bbc63b84d41ef654344d6d7bfe7817972a3c7bf4

SHA256
5bff6ce5f9ed3890f709d9d7d059ac2f8c2deb8fcbc8ab060c3e0526de717c33

SHA512
74f7dd2facebcb82e37e926894400597aa4af28fc67df9136a34e4fbb65f78a664de34fdd9f9c2e715afa52edee6620cdde978912ea7e060b9253df0fca04305

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
242KB

MD5
901c524273763e5377e444a4759b9ea5

SHA1
88d4c187043c96703b268499a7c46adc67273e14

SHA256
c6564642e3b25f3c1f5f6f9c1fd87c19ddf923d11cb60971bc967f278ffb4400

SHA512
b4a1a34e275dfb82d93b729fe70fee8c03dca88227b28810341412b99defb88e69493ca9a17cf5774c0b2fb9a5ef3242668d6099beca772759eaa8e3fe1faf82

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
242KB

MD5
3ffc04d4318f88f17e137ade134721c2

SHA1
01599f36d879a636f168a7ee132c1e12d47b9405

SHA256
4cc99c55d514f46edd6bc7a77e49e0dd2cbc87bfb86e6a2cbd00d1bc2d456093

SHA512
9a4a743b533eb90ebf7c82679745365d25670dcdd9be302457c8dbcf2e2c532875de42d805c3b10a2f281aa975d6b23a394d4949d6c16756ad370d8573434ac3

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
242KB

MD5
284119d98b8ed2380bf1c4c792040f7a

SHA1
5c74a72f8bac859f65de83535822dc75b872419c

SHA256
041c4ca8978af685865c3a96340a605c5cb4b648f1926e5d0d7f6fbc30742bcb

SHA512
af3a6f6d3cd65c97f590dcdbd7b8b3b811f608505569f799fc002dcc1e0644874047c23ce97f8efb6099fc6d45ab662280e17a14752cf8a01fbe11489cec0023

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
242KB

MD5
326356fd56f2e78ad7f88b2d6f3c94d5

SHA1
29b4217e2f27b09054f0702734eed457bf832f85

SHA256
f5a0b0e8cc59ccda49d3734ee7a755323596f483a543e6d9d56efba1670b85be

SHA512
17f19727329c71a937f6390f565fd19b2c87fe513b259d8c1158ea152d3fa6d4b339fec6b69e3ce936b4721d51f68361587178e0e99c1e432e39d357ab8ce3e2

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
242KB

MD5
46ca797824383c2b584d85a14c77a00f

SHA1
31580676e71a17bf06295fb045a76132c94da2eb

SHA256
d7269aa1818345db3f939cdbcf1388f3e11d3971fad8f339ddc4c9b173dee21d

SHA512
53a8198893a6da5919f73d72a8a3ad0c9ea1a7c2999af06a4b1ed4bd258c37815a1949f5c88861c8b5c05d34aea72b4ac4688c81a9537144cae940002f94c7b7

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
242KB

MD5
48bf5651160c9e2d041a00fb2ab4bfb3

SHA1
3078fde3213af5218ddc28e333162390ebd54e6d

SHA256
76c8a7b9839bb36037af7dff8d11987f3827a5db94b8faa81b4be0cc4551f24b

SHA512
688232a5183433976ce0b71163ebe608a6c97aab35a476fdb24a473231e37cbb9d05d1ddf0ec8f61c376096babc7a5d4de77b219a4bc46f7c5d1eac0b61922c1

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
242KB

MD5
a8d93146a5ea72e3f978dec6b637b70d

SHA1
ea70185aa1263412e1c60cb5a4b2a73b585e8190

SHA256
1d420542d9868bf43d7ccfaab458ef42dc11457bae189b775af7b4984a1b01e4

SHA512
ced9f1b3296790ee5205d107e8769525585b26af71ec35bb42c4fe6ab6a893c2a624740c9a0b0be9491d8d79a000179b62164484e0d1f58e0102de2bebe6c0b3

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
242KB

MD5
bb56c02e099f611e0e870207534b975c

SHA1
666b5b9543ff91c2b8494b9af29720091576e9f8

SHA256
ce647b2d4789fa83d2958518ff4e54c195353efbcd37f9bd2694401448572c1e

SHA512
d20e88d3cd70ef57474dab119fe099549f8b98c7533c5df940dc76c4ce6e912467c5fd566e7e0dab3a3196ef71b1fd4c76cf0368ff0c962d62ee14d0db1cf7c2

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
242KB

MD5
12a1ebe451888c4e64d70aab895679ac

SHA1
281b51eea420eab1b0fc7bb7d41e3879c3905636

SHA256
4db0099e39c3bc503df4d59062d5ad04d4527e2143e612207a83452598efadd4

SHA512
91b1ce921826a84ef6a96b624e12748a8fd794b402b0d0591dad051582557393e1ff102e9e21f73f7dde9113d87d2ecd79b4cc3f5aaa339884bbd22eef27f4ce

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
242KB

MD5
db06f65c3f095775b90a3378c9625284

SHA1
f4756b773c4330e9f3f161c4e96ecc7b2ea192d3

SHA256
4a913c7962eaf8aef26325e9fc4fff9b7dcc901e8b1ca3282c85b2f5f6dcb739

SHA512
06d362cb34f0743f0d2e849217adf1962a80ae0eed54a6a4149fd9d4ed0bc0de7605316b6f348a90c9238a5aad77f9378688cb2f8058f074d5503a5024581ebc

Download Submit
C:\Windows\SysWOW64\Paegjl32.exe

Filesize
242KB

MD5
e5f0299625d5872373be53050915d9a7

SHA1
3b1ba02d936f5b6d86320c2caff6fb43b4444e77

SHA256
1623939c5361f23fb7936de4b5cce0676e131fbcd812dea83fb9f96f17af8b01

SHA512
e679939360c450ea2e59afe1a7b10b771c8d8bd482326464e9af8a5d0958ebadf1dada6f571866a6bddfda1340ac42dd70e345f0069fa2e56930fd1ed6ac3b65

Download Submit
C:\Windows\SysWOW64\Pagdol32.exe

Filesize
242KB

MD5
bf2f98ca207000cee66cc257e033a96a

SHA1
5ffa134de064ddca98609c0585539acd9402e9f8

SHA256
e85a7a4f1bd879866a44bdef12f2f7a69af46572dd00e0cde8ff94e1d431ad92

SHA512
5a37fcab3c0d0f2f37e647948af4f449126325d499f3ac315ebec69a653d03e3629964e264137ef51c439bae63bd69f68d1333fab75a1d7f926e6c1649a3a05b

Download Submit
C:\Windows\SysWOW64\Peqcjkfp.exe

Filesize
242KB

MD5
40557d066361b462f210b70653b0ce39

SHA1
018d5d6160a30fb506224109a93c57588b6eae9d

SHA256
d9e93638729bdb555ff01e931e2cb2804bd90428454b5253602f299d96d24361

SHA512
67765abbbfaa45c80f0b5784399a6caf8cc75f9c335029b217858fe11d874eaccdaba005e8aaed8a72d68a36e82d268ff3bda8f6a2dcdf93b7d56923db863bcf

Download Submit
C:\Windows\SysWOW64\Pgopffec.exe

Filesize
242KB

MD5
01ca26244e94d53463abbbc06b5ed0ac

SHA1
c59e43ef00549d1e95cc4815584809fe7460dabb

SHA256
12234dfcab09266135cdb4cf55c0ce424cef73265e91a1ca6cf007c6ce570b74

SHA512
265e8a1573c417cb5d1eb828e7cbef357072b184f68b364d5f3f09664902b85bad9312034b6a5f3447c48b8cf3c9b74bd9d60c04de7d3c8c9555c3e29c927bdf

Download Submit
C:\Windows\SysWOW64\Pjmlbbdg.exe

Filesize
242KB

MD5
772de4a61765458137b8c90f2884bff4

SHA1
ae6bd4d9e345a4770834ed25ef27826bbb8fdf3c

SHA256
4606b16fe7e67a70a05628b34164f2ac6ace8721316af848dab6ca9ce96657b2

SHA512
ffd7984b827cd243eb92fedd58df5d527cf69898dd40963feea66b5838c4cd85638dc748f7369039516fa992274aa7827d5289156f73dfa857f11273da51d361

Download Submit
C:\Windows\SysWOW64\Pkhoae32.exe

Filesize
242KB

MD5
7c49219afb60a55e98161f70391604c0

SHA1
391b4a96e5b3ab4b4ff9082a6ac7fb769ffbf01d

SHA256
684412538c27378e166d985ee08c144098ec0d6c1355ed903c4a22f606fb175f

SHA512
40025c46a938708f63f88709136823199a10d02c171844bafba30e7e000499a93e6c529c1e00ce693b4350435de95bd9b098fc4bd5ec4de6157412940715581b

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
242KB

MD5
538f359d077eb25a6802ed46e23395a6

SHA1
8725882ebe1fb36eca77dcdc77b408d00217ac55

SHA256
225d5331ea1d1aec8eb9f75a9544d10aae365b1f56459a2e36b698b64715cfa6

SHA512
62426017134292c93a25a597a66b8a7a8d87cc742eb7fee3be13cdcec6fba989278996f260067c2389fdb3dc3ee14ad589f42c8e2ee9ba2d8c813cefd7070905

Download Submit
C:\Windows\SysWOW64\Pnfkma32.exe

Filesize
242KB

MD5
c5bf7759eb3ec02a6ef688add09a9555

SHA1
c1b2dbcc988391d84661a84a5fbbab5cde0c6557

SHA256
748e8ffa57b378996439db98299528cb973f68bc99d2377a3e633703d9ded254

SHA512
9ccc0647f1e9e8cdb0596eacad255ab7185bb6f450d5c5c5811a8c050ce0f255eed50434e2ca2595c33e7ee5cb019fc3799c9a98b4781b815b7a8b2e65dff04c

Download Submit
C:\Windows\SysWOW64\Pnihcq32.exe

Filesize
242KB

MD5
3a5d833b8a348fe602231136a4c20339

SHA1
0c2499ed6822132b3c985ad0d6e1ffcd42ff6d4a

SHA256
78228d3b02996fee1a2949a135828ca9948124bc874be2bac39fb3707558811d

SHA512
ee97c8f81f9987f5969fee49694b61da4fa62cd54a9c3a5bb96896597b40ab10619b067bd9882a18f87ccebb7d1acf4f4c220a84768e7e3b142ff4cdecf94d1e

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
242KB

MD5
cab997e6067447b7989c647529dfa006

SHA1
269edad511f6036deeba9a8cd6e900a97e37c837

SHA256
df9edeb3d5b4f71d39ec87a795cdd066a7515b004008e3d848b8b5086b268194

SHA512
2630d8dcb0ab9e7d23fd1b560819c7cd20168394e90e35e5d939b9a2561653afc62cefe3ac5bfe660f14f4422a87ba94b5156d1698382febbd7348e3c913ba0c

Download Submit
C:\Windows\SysWOW64\Qalnjkgo.exe

Filesize
242KB

MD5
c57b7c7042b246c6195988e1a7277e11

SHA1
3313f3a45d3ff8b2eeb241d59de41b08256a97e8

SHA256
7b6e73164e4bbe5cbd8e6d0945ffab5360275eda0ca9fd8076877a551e00c730

SHA512
16f88cbc2bc76b48809d6752b8eb55237f3da2c646a9f6ec62c87b52c58d7f4253e483325bf66e2175c94d2d3d07bf12075868adff5d2adfde2f387b28106713

Download Submit
C:\Windows\SysWOW64\Qcepkg32.exe

Filesize
242KB

MD5
909c238d8a0fdbcf97557876be4a6eec

SHA1
cfbdd3acf7ed7902000d416e856b8ef5e7ec2f13

SHA256
7fefa100ea8f9be222cfadd3875822f22dcd2d3ce5782428ac8ba4793222750c

SHA512
e82b14b30b36e18745cb38ef37a56ca5221c8220c82f597a542da80e90039a333f18dae79f9af8bb665420a85343a1453c81d12bfe1e29fffa98e6143d68ee7e

Download Submit
C:\Windows\SysWOW64\Qeemej32.exe

Filesize
242KB

MD5
483320e5b2795be0ef20313ef50eb6d7

SHA1
752bc4017d85867341aaf7cbc6bcfb143900a5b3

SHA256
f9b111e2d6f9f7a6ea328b2a16242f85b1fa3aa40cca8499b3e3e5bf507b32ad

SHA512
ab3d0028ad5c62779ff7cdc9c2afb47e27e3e15593642921731e09f69fe8bdf6718ffcd6e034b29a1b7828bb0bd3e7ef42c62fd223290fc8e310f823dea672f7

Download Submit
C:\Windows\SysWOW64\Qgciaf32.exe

Filesize
242KB

MD5
b1ce7475a50cf48ccc7be9b0786862f7

SHA1
d8f5aa40d2f4a9e6def2f8dbfb09f0f3fecfef6b

SHA256
6720920cabae3cd9f7769656b1d3a56938d7218a831e95e37f2cbafa46fddf50

SHA512
2f62b2f06b9db461d688329ad0d6de37f4d73cd6324b078bd8c906f9662c01c71f6392af2d4cfd884edff63f0aa5bc74beff5533521ccc5b1ff56c248fc3cc43

Download Submit
C:\Windows\SysWOW64\Qjbena32.exe

Filesize
242KB

MD5
906312726e87dc393277b5749462c925

SHA1
15db3893ed07241889b306715575c90d2d41b8c2

SHA256
f20599cc3cb422ce298a4ec0a7be7a6d1f7a06bbb1e98839e3a545039df3d128

SHA512
05f442be01bfb379118af59c19f3b98176fc57fa49cd8f85911977c392f415640eba00d1c0e8a7aa76c63f5b9bb5ce0e2077146d6b044eb62d2a85cdc2bc65d0

Download Submit
C:\Windows\SysWOW64\Qkmhlekj.exe

Filesize
242KB

MD5
c2c19cdc1dd34084a1caf9a5809f4948

SHA1
735dc1d14828ee66f3b0873213f6118bbf7c8fb1

SHA256
e0d78babbcbe0bbe447026f11ddce387a4e829af8cf30bac44aaae5ed5d017e0

SHA512
4faec24d77431f70adaa1a7be0c8282e64cccfde722f649b49505f61d51a951391eebe73618861a2745bc88de559054a54b34079da1498c7ec78779472451c91

Download Submit
C:\Windows\SysWOW64\Qnkdhpjn.exe

Filesize
242KB

MD5
26a583161dd0bb05f1a1607e21eb3290

SHA1
3f865113c52044f9611ae868222de68c93f49a48

SHA256
4f771cd29fc2ee4a1c814a471c3d61b166a868a8d410495a260a611727954f0e

SHA512
d6fb1f39b2081e8bdeb0ed3f1242c5dc3500767dbb80878dc00a15814a67d482e94ca5e7024a88a1efb91536d6bee5f7b069e52a60cb9714343bf3cc830a82f5

Download Submit
memory/312-347-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/348-387-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/640-335-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1112-394-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1544-97-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1556-317-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1644-315-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1736-375-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1744-161-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1836-169-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2024-253-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2128-309-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2356-113-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2484-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2484-73-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2484-5-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2492-364-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2656-45-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2884-263-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2920-357-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3008-297-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3196-133-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3264-225-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3360-323-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3364-281-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3396-197-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3404-262-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3444-346-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3460-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3608-29-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3628-145-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3680-300-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3712-153-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3816-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3844-333-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3908-35-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4068-209-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4092-57-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4144-81-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4188-217-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4240-9-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4256-189-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4264-136-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4344-241-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4488-275-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4540-105-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4656-377-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4680-269-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4760-233-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4768-49-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4808-89-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4944-201-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4948-177-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5036-121-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5040-369-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5072-287-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5136-395-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5180-406-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5216-409-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5260-418-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5296-419-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5340-429-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5380-431-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5432-442-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads