2feeb80f94dc16d7986a17cb451dd52db494a43238c54ca90e1bc95f9d501684

Analysis

max time kernel
0s
max time network
11s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 15:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b027ad722a3deb4425ff5d99570bfb23.exe
Size

85KB
MD5

b027ad722a3deb4425ff5d99570bfb23
SHA1

4c0c59c5a5cfc8fe40c56c86b2bbfc10d500beb4
SHA256

2feeb80f94dc16d7986a17cb451dd52db494a43238c54ca90e1bc95f9d501684
SHA512

bf15a255f741683f52236442b501c3c2b39f1b2968486cc8f605aa64a313ecd2b3af1c2e3447abb853818d46a39ccebf6b871c28c9a6ee51a9aca0914154e195
SSDEEP

1536:MS03XryPFHWc26qkbtoAyuEwd7z2LHaMQ262AjCsQ2PCZZrqOlNfVSLUK+:M9GPlKAyuEbHaMQH2qC7ZQOlzSLUK+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b027ad722a3deb4425ff5d99570bfb23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b027ad722a3deb4425ff5d99570bfb23.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daolnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daolnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmhja32.exe

Executes dropped EXE 3 IoCs

pid	Process
628	Daolnf32.exe
712	Ddmhja32.exe
1012	Dldpkoil.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Npfhbbpk.dll	Ddmhja32.exe
File created	C:\Windows\SysWOW64\Dhcbhjlp.dll	Dldpkoil.exe
File created	C:\Windows\SysWOW64\Daolnf32.exe	b027ad722a3deb4425ff5d99570bfb23.exe
File created	C:\Windows\SysWOW64\Jcpfco32.dll	b027ad722a3deb4425ff5d99570bfb23.exe
File created	C:\Windows\SysWOW64\Ddmhja32.exe	Daolnf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmhja32.exe	Daolnf32.exe
File created	C:\Windows\SysWOW64\Dnqmalhn.dll	Daolnf32.exe
File created	C:\Windows\SysWOW64\Dldpkoil.exe	Ddmhja32.exe
File opened for modification	C:\Windows\SysWOW64\Dldpkoil.exe	Ddmhja32.exe
File created	C:\Windows\SysWOW64\Docmgjhp.exe	Dldpkoil.exe
File opened for modification	C:\Windows\SysWOW64\Daolnf32.exe	b027ad722a3deb4425ff5d99570bfb23.exe
File opened for modification	C:\Windows\SysWOW64\Docmgjhp.exe	Dldpkoil.exe

Program crash 1 IoCs

pid	pid_target	Process
9884	9768	WerFault.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmhja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b027ad722a3deb4425ff5d99570bfb23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b027ad722a3deb4425ff5d99570bfb23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daolnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnqmalhn.dll"	Daolnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfhbbpk.dll"	Ddmhja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmhja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b027ad722a3deb4425ff5d99570bfb23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b027ad722a3deb4425ff5d99570bfb23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daolnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b027ad722a3deb4425ff5d99570bfb23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpfco32.dll"	b027ad722a3deb4425ff5d99570bfb23.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dldpkoil.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 628	4748	b027ad722a3deb4425ff5d99570bfb23.exe	364
PID 4748 wrote to memory of 628	4748	b027ad722a3deb4425ff5d99570bfb23.exe	364
PID 4748 wrote to memory of 628	4748	b027ad722a3deb4425ff5d99570bfb23.exe	364
PID 628 wrote to memory of 712	628	Daolnf32.exe	363
PID 628 wrote to memory of 712	628	Daolnf32.exe	363
PID 628 wrote to memory of 712	628	Daolnf32.exe	363
PID 712 wrote to memory of 1012	712	Ddmhja32.exe	18
PID 712 wrote to memory of 1012	712	Ddmhja32.exe	18
PID 712 wrote to memory of 1012	712	Ddmhja32.exe	18

C:\Users\Admin\AppData\Local\Temp\b027ad722a3deb4425ff5d99570bfb23.exe
"C:\Users\Admin\AppData\Local\Temp\b027ad722a3deb4425ff5d99570bfb23.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\Daolnf32.exe
  C:\Windows\system32\Daolnf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:628

C:\Windows\SysWOW64\Dldpkoil.exe
C:\Windows\system32\Dldpkoil.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1012
- C:\Windows\SysWOW64\Docmgjhp.exe
  C:\Windows\system32\Docmgjhp.exe
  2⤵
  PID:2436

C:\Windows\SysWOW64\Ddbbeade.exe
C:\Windows\system32\Ddbbeade.exe
1⤵
PID:4048
- C:\Windows\SysWOW64\Dlijfneg.exe
  C:\Windows\system32\Dlijfneg.exe
  2⤵
  PID:4528

C:\Windows\SysWOW64\Deanodkh.exe
C:\Windows\system32\Deanodkh.exe
1⤵
PID:3244
- C:\Windows\SysWOW64\Dhpjkojk.exe
  C:\Windows\system32\Dhpjkojk.exe
  2⤵
  PID:4512

C:\Windows\SysWOW64\Ddgkpp32.exe
C:\Windows\system32\Ddgkpp32.exe
1⤵
PID:3920
- C:\Windows\SysWOW64\Dlncan32.exe
  C:\Windows\system32\Dlncan32.exe
  2⤵
  PID:2160

C:\Windows\SysWOW64\Eoaihhlp.exe
C:\Windows\system32\Eoaihhlp.exe
1⤵
PID:4700
- C:\Windows\SysWOW64\Ednaqo32.exe
  C:\Windows\system32\Ednaqo32.exe
  2⤵
  PID:64

C:\Windows\SysWOW64\Eofbch32.exe
C:\Windows\system32\Eofbch32.exe
1⤵
PID:1188
- C:\Windows\SysWOW64\Edbklofb.exe
  C:\Windows\system32\Edbklofb.exe
  2⤵
  PID:2264

C:\Windows\SysWOW64\Fkmchi32.exe
C:\Windows\system32\Fkmchi32.exe
1⤵
PID:5056
- C:\Windows\SysWOW64\Fcckif32.exe
  C:\Windows\system32\Fcckif32.exe
  2⤵
  PID:2268

C:\Windows\SysWOW64\Fhqcam32.exe
C:\Windows\system32\Fhqcam32.exe
1⤵
PID:5080
- C:\Windows\SysWOW64\Fkopnh32.exe
  C:\Windows\system32\Fkopnh32.exe
  2⤵
  PID:4616

C:\Windows\SysWOW64\Fbnafb32.exe
C:\Windows\system32\Fbnafb32.exe
1⤵
PID:688
- C:\Windows\SysWOW64\Fhgjblfq.exe
  C:\Windows\system32\Fhgjblfq.exe
  2⤵
  PID:624
- - C:\Windows\SysWOW64\Fkffog32.exe
    C:\Windows\system32\Fkffog32.exe
    3⤵
    PID:3852

C:\Windows\SysWOW64\Fcmnpe32.exe
C:\Windows\system32\Fcmnpe32.exe
1⤵
PID:3460
- C:\Windows\SysWOW64\Ffkjlp32.exe
  C:\Windows\system32\Ffkjlp32.exe
  2⤵
  PID:552

C:\Windows\SysWOW64\Fdnjgmle.exe
C:\Windows\system32\Fdnjgmle.exe
1⤵
PID:1248
- C:\Windows\SysWOW64\Gododflk.exe
  C:\Windows\system32\Gododflk.exe
  2⤵
  PID:4400
- - C:\Windows\SysWOW64\Gbbkaako.exe
    C:\Windows\system32\Gbbkaako.exe
    3⤵
    PID:468
  - - C:\Windows\SysWOW64\Gdqgmmjb.exe
      C:\Windows\system32\Gdqgmmjb.exe
      4⤵
      PID:1152
    - - C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        5⤵
        
        PID:4084

C:\Windows\SysWOW64\Gcagkdba.exe
C:\Windows\system32\Gcagkdba.exe
1⤵
PID:1916
- C:\Windows\SysWOW64\Gbdgfa32.exe
  C:\Windows\system32\Gbdgfa32.exe
  2⤵
  PID:3480
- - C:\Windows\SysWOW64\Ghopckpi.exe
    C:\Windows\system32\Ghopckpi.exe
    3⤵
    PID:3352
  - - C:\Windows\SysWOW64\Gkmlofol.exe
      C:\Windows\system32\Gkmlofol.exe
      4⤵
      PID:3104

C:\Windows\SysWOW64\Gbgdlq32.exe
C:\Windows\system32\Gbgdlq32.exe
1⤵
PID:2908
- C:\Windows\SysWOW64\Gdeqhl32.exe
  C:\Windows\system32\Gdeqhl32.exe
  2⤵
  PID:3532
- - C:\Windows\SysWOW64\Ghaliknf.exe
    C:\Windows\system32\Ghaliknf.exe
    3⤵
    PID:3728

C:\Windows\SysWOW64\Gkoiefmj.exe
C:\Windows\system32\Gkoiefmj.exe
1⤵
PID:1160
- C:\Windows\SysWOW64\Gkaejf32.exe
  C:\Windows\system32\Gkaejf32.exe
  2⤵
  PID:1776

C:\Windows\SysWOW64\Gblngpbd.exe
C:\Windows\system32\Gblngpbd.exe
1⤵
PID:3064
- C:\Windows\SysWOW64\Gfgjgo32.exe
  C:\Windows\system32\Gfgjgo32.exe
  2⤵
  PID:4076

C:\Windows\SysWOW64\Hiefcj32.exe
C:\Windows\system32\Hiefcj32.exe
1⤵
PID:4212
- C:\Windows\SysWOW64\Hopnqdan.exe
  C:\Windows\system32\Hopnqdan.exe
  2⤵
  PID:4664
- - C:\Windows\SysWOW64\Hfifmnij.exe
    C:\Windows\system32\Hfifmnij.exe
    3⤵
    PID:5132

C:\Windows\SysWOW64\Helfik32.exe
C:\Windows\system32\Helfik32.exe
1⤵
PID:5176
- C:\Windows\SysWOW64\Hmcojh32.exe
  C:\Windows\system32\Hmcojh32.exe
  2⤵
  PID:5224
- - C:\Windows\SysWOW64\Hobkfd32.exe
    C:\Windows\system32\Hobkfd32.exe
    3⤵
    PID:5280

C:\Windows\SysWOW64\Hflcbngh.exe
C:\Windows\system32\Hflcbngh.exe
1⤵
PID:5316
- C:\Windows\SysWOW64\Heocnk32.exe
  C:\Windows\system32\Heocnk32.exe
  2⤵
  PID:5368
- - C:\Windows\SysWOW64\Hmfkoh32.exe
    C:\Windows\system32\Hmfkoh32.exe
    3⤵
    PID:5412
  - - C:\Windows\SysWOW64\Hodgkc32.exe
      C:\Windows\system32\Hodgkc32.exe
      4⤵
      PID:5456

C:\Windows\SysWOW64\Hbbdholl.exe
C:\Windows\system32\Hbbdholl.exe
1⤵
PID:5496
- C:\Windows\SysWOW64\Heapdjlp.exe
  C:\Windows\system32\Heapdjlp.exe
  2⤵
  PID:5536
- - C:\Windows\SysWOW64\Hkkhqd32.exe
    C:\Windows\system32\Hkkhqd32.exe
    3⤵
    PID:5576

C:\Windows\SysWOW64\Hcbpab32.exe
C:\Windows\system32\Hcbpab32.exe
1⤵
PID:5616
- C:\Windows\SysWOW64\Hfqlnm32.exe
  C:\Windows\system32\Hfqlnm32.exe
  2⤵
  PID:5656
- - C:\Windows\SysWOW64\Hioiji32.exe
    C:\Windows\system32\Hioiji32.exe
    3⤵
    PID:5700

C:\Windows\SysWOW64\Hkmefd32.exe
C:\Windows\system32\Hkmefd32.exe
1⤵
PID:5744
- C:\Windows\SysWOW64\Hcdmga32.exe
  C:\Windows\system32\Hcdmga32.exe
  2⤵
  PID:5788
- - C:\Windows\SysWOW64\Hbgmcnhf.exe
    C:\Windows\system32\Hbgmcnhf.exe
    3⤵
    PID:5836

C:\Windows\SysWOW64\Iefioj32.exe
C:\Windows\system32\Iefioj32.exe
1⤵
PID:5872
- C:\Windows\SysWOW64\Immapg32.exe
  C:\Windows\system32\Immapg32.exe
  2⤵
  PID:5924

C:\Windows\SysWOW64\Ipknlb32.exe
C:\Windows\system32\Ipknlb32.exe
1⤵
PID:5968
- C:\Windows\SysWOW64\Ibjjhn32.exe
  C:\Windows\system32\Ibjjhn32.exe
  2⤵
  PID:6016

C:\Windows\SysWOW64\Iehfdi32.exe
C:\Windows\system32\Iehfdi32.exe
1⤵
PID:6060
- C:\Windows\SysWOW64\Imoneg32.exe
  C:\Windows\system32\Imoneg32.exe
  2⤵
  PID:6100

C:\Windows\SysWOW64\Ipnjab32.exe
C:\Windows\system32\Ipnjab32.exe
1⤵
PID:1928
- C:\Windows\SysWOW64\Iejcji32.exe
  C:\Windows\system32\Iejcji32.exe
  2⤵
  PID:5184

C:\Windows\SysWOW64\Iifokh32.exe
C:\Windows\system32\Iifokh32.exe
1⤵
PID:5260
- C:\Windows\SysWOW64\Ippggbck.exe
  C:\Windows\system32\Ippggbck.exe
  2⤵
  PID:5332
- - C:\Windows\SysWOW64\Ibnccmbo.exe
    C:\Windows\system32\Ibnccmbo.exe
    3⤵
    PID:5400

C:\Windows\SysWOW64\Iemppiab.exe
C:\Windows\system32\Iemppiab.exe
1⤵
PID:5480
- C:\Windows\SysWOW64\Iihkpg32.exe
  C:\Windows\system32\Iihkpg32.exe
  2⤵
  PID:5544

C:\Windows\SysWOW64\Imdgqfbd.exe
C:\Windows\system32\Imdgqfbd.exe
1⤵
PID:5596
- C:\Windows\SysWOW64\Ipbdmaah.exe
  C:\Windows\system32\Ipbdmaah.exe
  2⤵
  PID:5684

C:\Windows\SysWOW64\Ibqpimpl.exe
C:\Windows\system32\Ibqpimpl.exe
1⤵
PID:5752
- C:\Windows\SysWOW64\Ieolehop.exe
  C:\Windows\system32\Ieolehop.exe
  2⤵
  PID:5820
- - C:\Windows\SysWOW64\Imfdff32.exe
    C:\Windows\system32\Imfdff32.exe
    3⤵
    PID:5828

C:\Windows\SysWOW64\Ilidbbgl.exe
C:\Windows\system32\Ilidbbgl.exe
1⤵
PID:5960
- C:\Windows\SysWOW64\Ibcmom32.exe
  C:\Windows\system32\Ibcmom32.exe
  2⤵
  PID:6000
- - C:\Windows\SysWOW64\Jfoiokfb.exe
    C:\Windows\system32\Jfoiokfb.exe
    3⤵
    PID:6092

C:\Windows\SysWOW64\Jimekgff.exe
C:\Windows\system32\Jimekgff.exe
1⤵
PID:5144
- C:\Windows\SysWOW64\Jlkagbej.exe
  C:\Windows\system32\Jlkagbej.exe
  2⤵
  PID:5252
- - C:\Windows\SysWOW64\Jcbihpel.exe
    C:\Windows\system32\Jcbihpel.exe
    3⤵
    PID:5388

C:\Windows\SysWOW64\Jfaedkdp.exe
C:\Windows\system32\Jfaedkdp.exe
1⤵
PID:5448
- C:\Windows\SysWOW64\Jioaqfcc.exe
  C:\Windows\system32\Jioaqfcc.exe
  2⤵
  PID:5608
- - C:\Windows\SysWOW64\Jlnnmb32.exe
    C:\Windows\system32\Jlnnmb32.exe
    3⤵
    PID:5708
  - - C:\Windows\SysWOW64\Jmmjgejj.exe
      C:\Windows\system32\Jmmjgejj.exe
      4⤵
      PID:5800
    - - C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        5⤵
        
        PID:5932

C:\Windows\SysWOW64\Jfeopj32.exe
C:\Windows\system32\Jfeopj32.exe
1⤵
PID:6084
- C:\Windows\SysWOW64\Jidklf32.exe
  C:\Windows\system32\Jidklf32.exe
  2⤵
  PID:5208
- - C:\Windows\SysWOW64\Jlbgha32.exe
    C:\Windows\system32\Jlbgha32.exe
    3⤵
    PID:5452

C:\Windows\SysWOW64\Jcioiood.exe
C:\Windows\system32\Jcioiood.exe
1⤵
PID:5604
- C:\Windows\SysWOW64\Jfhlejnh.exe
  C:\Windows\system32\Jfhlejnh.exe
  2⤵
  PID:5724
- - C:\Windows\SysWOW64\Jmbdbd32.exe
    C:\Windows\system32\Jmbdbd32.exe
    3⤵
    PID:5892

C:\Windows\SysWOW64\Jpppnp32.exe
C:\Windows\system32\Jpppnp32.exe
1⤵
PID:5156
- C:\Windows\SysWOW64\Jcllonma.exe
  C:\Windows\system32\Jcllonma.exe
  2⤵
  PID:5424
- - C:\Windows\SysWOW64\Kfjhkjle.exe
    C:\Windows\system32\Kfjhkjle.exe
    3⤵
    PID:5816

C:\Windows\SysWOW64\Kiidgeki.exe
C:\Windows\system32\Kiidgeki.exe
1⤵
PID:6048
- C:\Windows\SysWOW64\Klgqcqkl.exe
  C:\Windows\system32\Klgqcqkl.exe
  2⤵
  PID:5532

C:\Windows\SysWOW64\Kdnidn32.exe
C:\Windows\system32\Kdnidn32.exe
1⤵
PID:6012
- C:\Windows\SysWOW64\Kfmepi32.exe
  C:\Windows\system32\Kfmepi32.exe
  2⤵
  PID:5956
- - C:\Windows\SysWOW64\Kikame32.exe
    C:\Windows\system32\Kikame32.exe
    3⤵
    PID:5736

C:\Windows\SysWOW64\Klimip32.exe
C:\Windows\system32\Klimip32.exe
1⤵
PID:6160
- C:\Windows\SysWOW64\Kdqejn32.exe
  C:\Windows\system32\Kdqejn32.exe
  2⤵
  PID:6204

C:\Windows\SysWOW64\Kfoafi32.exe
C:\Windows\system32\Kfoafi32.exe
1⤵
PID:6244
- C:\Windows\SysWOW64\Kebbafoj.exe
  C:\Windows\system32\Kebbafoj.exe
  2⤵
  PID:6288
- - C:\Windows\SysWOW64\Kfankifm.exe
    C:\Windows\system32\Kfankifm.exe
    3⤵
    PID:6332
  - - C:\Windows\SysWOW64\Kedoge32.exe
      C:\Windows\system32\Kedoge32.exe
      4⤵
      PID:6376

C:\Windows\SysWOW64\Kmkfhc32.exe
C:\Windows\system32\Kmkfhc32.exe
1⤵
PID:6420
- C:\Windows\SysWOW64\Kpjcdn32.exe
  C:\Windows\system32\Kpjcdn32.exe
  2⤵
  PID:6464
- - C:\Windows\SysWOW64\Kdeoemeg.exe
    C:\Windows\system32\Kdeoemeg.exe
    3⤵
    PID:6508

C:\Windows\SysWOW64\Kefkme32.exe
C:\Windows\system32\Kefkme32.exe
1⤵
PID:6588
- C:\Windows\SysWOW64\Kmncnb32.exe
  C:\Windows\system32\Kmncnb32.exe
  2⤵
  PID:6640
- - C:\Windows\SysWOW64\Kplpjn32.exe
    C:\Windows\system32\Kplpjn32.exe
    3⤵
    PID:6684

C:\Windows\SysWOW64\Lffhfh32.exe
C:\Windows\system32\Lffhfh32.exe
1⤵
PID:6764
- C:\Windows\SysWOW64\Liddbc32.exe
  C:\Windows\system32\Liddbc32.exe
  2⤵
  PID:6820
- - C:\Windows\SysWOW64\Llcpoo32.exe
    C:\Windows\system32\Llcpoo32.exe
    3⤵
    PID:6860

C:\Windows\SysWOW64\Ldjhpl32.exe
C:\Windows\system32\Ldjhpl32.exe
1⤵
PID:6900
- C:\Windows\SysWOW64\Lfhdlh32.exe
  C:\Windows\system32\Lfhdlh32.exe
  2⤵
  PID:6952
- - C:\Windows\SysWOW64\Ligqhc32.exe
    C:\Windows\system32\Ligqhc32.exe
    3⤵
    PID:7000

C:\Windows\SysWOW64\Ldleel32.exe
C:\Windows\system32\Ldleel32.exe
1⤵
PID:7088
- C:\Windows\SysWOW64\Lfkaag32.exe
  C:\Windows\system32\Lfkaag32.exe
  2⤵
  PID:7132

C:\Windows\SysWOW64\Lenamdem.exe
C:\Windows\system32\Lenamdem.exe
1⤵
PID:6156
- C:\Windows\SysWOW64\Lmdina32.exe
  C:\Windows\system32\Lmdina32.exe
  2⤵
  PID:6196
- - C:\Windows\SysWOW64\Lpcfkm32.exe
    C:\Windows\system32\Lpcfkm32.exe
    3⤵
    PID:6268

C:\Windows\SysWOW64\Lbabgh32.exe
C:\Windows\system32\Lbabgh32.exe
1⤵
PID:6344
- C:\Windows\SysWOW64\Lgmngglp.exe
  C:\Windows\system32\Lgmngglp.exe
  2⤵
  PID:6428

C:\Windows\SysWOW64\Lpebpm32.exe
C:\Windows\system32\Lpebpm32.exe
1⤵
PID:6556
- C:\Windows\SysWOW64\Lgokmgjm.exe
  C:\Windows\system32\Lgokmgjm.exe
  2⤵
  PID:6628
- - C:\Windows\SysWOW64\Lingibiq.exe
    C:\Windows\system32\Lingibiq.exe
    3⤵
    PID:6720

C:\Windows\SysWOW64\Lllcen32.exe
C:\Windows\system32\Lllcen32.exe
1⤵
PID:6756
- C:\Windows\SysWOW64\Mdckfk32.exe
  C:\Windows\system32\Mdckfk32.exe
  2⤵
  PID:6848
- - C:\Windows\SysWOW64\Mgagbf32.exe
    C:\Windows\system32\Mgagbf32.exe
    3⤵
    PID:6916

C:\Windows\SysWOW64\Medgncoe.exe
C:\Windows\system32\Medgncoe.exe
1⤵
PID:6988
- C:\Windows\SysWOW64\Mlopkm32.exe
  C:\Windows\system32\Mlopkm32.exe
  2⤵
  PID:7060

C:\Windows\SysWOW64\Mpjlklok.exe
C:\Windows\system32\Mpjlklok.exe
1⤵
PID:7128
- C:\Windows\SysWOW64\Mchhggno.exe
  C:\Windows\system32\Mchhggno.exe
  2⤵
  PID:6180
- - C:\Windows\SysWOW64\Megdccmb.exe
    C:\Windows\system32\Megdccmb.exe
    3⤵
    PID:6296

C:\Windows\SysWOW64\Mmnldp32.exe
C:\Windows\system32\Mmnldp32.exe
1⤵
PID:6416
- C:\Windows\SysWOW64\Mplhql32.exe
  C:\Windows\system32\Mplhql32.exe
  2⤵
  PID:7152
- - C:\Windows\SysWOW64\Mckemg32.exe
    C:\Windows\system32\Mckemg32.exe
    3⤵
    PID:6612
  - - C:\Windows\SysWOW64\Meiaib32.exe
      C:\Windows\system32\Meiaib32.exe
      4⤵
      PID:6736

C:\Windows\SysWOW64\Mlcifmbl.exe
C:\Windows\system32\Mlcifmbl.exe
1⤵
PID:6828
- C:\Windows\SysWOW64\Mpoefk32.exe
  C:\Windows\system32\Mpoefk32.exe
  2⤵
  PID:6996
- - C:\Windows\SysWOW64\Mgimcebb.exe
    C:\Windows\system32\Mgimcebb.exe
    3⤵
    PID:7096

C:\Windows\SysWOW64\Melnob32.exe
C:\Windows\system32\Melnob32.exe
1⤵
PID:6192
- C:\Windows\SysWOW64\Mmbfpp32.exe
  C:\Windows\system32\Mmbfpp32.exe
  2⤵
  PID:6408
- - C:\Windows\SysWOW64\Mpablkhc.exe
    C:\Windows\system32\Mpablkhc.exe
    3⤵
    PID:6604

C:\Windows\SysWOW64\Mcpnhfhf.exe
C:\Windows\system32\Mcpnhfhf.exe
1⤵
PID:6752
- C:\Windows\SysWOW64\Menjdbgj.exe
  C:\Windows\system32\Menjdbgj.exe
  2⤵
  PID:6940

C:\Windows\SysWOW64\Miifeq32.exe
C:\Windows\system32\Miifeq32.exe
1⤵
PID:7160
- C:\Windows\SysWOW64\Mlhbal32.exe
  C:\Windows\system32\Mlhbal32.exe
  2⤵
  PID:6404

C:\Windows\SysWOW64\Ndokbi32.exe
C:\Windows\system32\Ndokbi32.exe
1⤵
PID:6716
- C:\Windows\SysWOW64\Nepgjaeg.exe
  C:\Windows\system32\Nepgjaeg.exe
  2⤵
  PID:7072

C:\Windows\SysWOW64\Nljofl32.exe
C:\Windows\system32\Nljofl32.exe
1⤵
PID:6364
- C:\Windows\SysWOW64\Ndaggimg.exe
  C:\Windows\system32\Ndaggimg.exe
  2⤵
  PID:6800

C:\Windows\SysWOW64\Ngpccdlj.exe
C:\Windows\system32\Ngpccdlj.exe
1⤵
PID:6536
- C:\Windows\SysWOW64\Nebdoa32.exe
  C:\Windows\system32\Nebdoa32.exe
  2⤵
  PID:6960
- - C:\Windows\SysWOW64\Nnjlpo32.exe
    C:\Windows\system32\Nnjlpo32.exe
    3⤵
    PID:6240

C:\Windows\SysWOW64\Nlmllkja.exe
C:\Windows\system32\Nlmllkja.exe
1⤵
PID:7184
- C:\Windows\SysWOW64\Ndcdmikd.exe
  C:\Windows\system32\Ndcdmikd.exe
  2⤵
  PID:7224

C:\Windows\SysWOW64\Ngbpidjh.exe
C:\Windows\system32\Ngbpidjh.exe
1⤵
PID:7264
- C:\Windows\SysWOW64\Njqmepik.exe
  C:\Windows\system32\Njqmepik.exe
  2⤵
  PID:7308

C:\Windows\SysWOW64\Nnlhfn32.exe
C:\Windows\system32\Nnlhfn32.exe
1⤵
PID:7352
- C:\Windows\SysWOW64\Npjebj32.exe
  C:\Windows\system32\Npjebj32.exe
  2⤵
  PID:7396

C:\Windows\SysWOW64\Ncianepl.exe
C:\Windows\system32\Ncianepl.exe
1⤵
PID:7432
- C:\Windows\SysWOW64\Nfgmjqop.exe
  C:\Windows\system32\Nfgmjqop.exe
  2⤵
  PID:7476
- - C:\Windows\SysWOW64\Njciko32.exe
    C:\Windows\system32\Njciko32.exe
    3⤵
    PID:7516
  - - C:\Windows\SysWOW64\Nckndeni.exe
      C:\Windows\system32\Nckndeni.exe
      4⤵
      PID:7560

C:\Windows\SysWOW64\Olcbmj32.exe
C:\Windows\system32\Olcbmj32.exe
1⤵
PID:7644
- C:\Windows\SysWOW64\Odkjng32.exe
  C:\Windows\system32\Odkjng32.exe
  2⤵
  PID:7688

C:\Windows\SysWOW64\Ogifjcdp.exe
C:\Windows\system32\Ogifjcdp.exe
1⤵
PID:7732
- C:\Windows\SysWOW64\Ojgbfocc.exe
  C:\Windows\system32\Ojgbfocc.exe
  2⤵
  PID:7776
- - C:\Windows\SysWOW64\Olfobjbg.exe
    C:\Windows\system32\Olfobjbg.exe
    3⤵
    PID:7820

C:\Windows\SysWOW64\Odmgcgbi.exe
C:\Windows\system32\Odmgcgbi.exe
1⤵
PID:7860
- C:\Windows\SysWOW64\Ofnckp32.exe
  C:\Windows\system32\Ofnckp32.exe
  2⤵
  PID:7904

C:\Windows\SysWOW64\Olhlhjpd.exe
C:\Windows\system32\Olhlhjpd.exe
1⤵
PID:7944
- C:\Windows\SysWOW64\Odocigqg.exe
  C:\Windows\system32\Odocigqg.exe
  2⤵
  PID:7992
- - C:\Windows\SysWOW64\Ofqpqo32.exe
    C:\Windows\system32\Ofqpqo32.exe
    3⤵
    PID:8028

C:\Windows\SysWOW64\Onhhamgg.exe
C:\Windows\system32\Onhhamgg.exe
1⤵
PID:8080
- C:\Windows\SysWOW64\Oqfdnhfk.exe
  C:\Windows\system32\Oqfdnhfk.exe
  2⤵
  PID:8128

C:\Windows\SysWOW64\Ocdqjceo.exe
C:\Windows\system32\Ocdqjceo.exe
1⤵
PID:8164
- C:\Windows\SysWOW64\Ofcmfodb.exe
  C:\Windows\system32\Ofcmfodb.exe
  2⤵
  PID:7192
- - C:\Windows\SysWOW64\Onjegled.exe
    C:\Windows\system32\Onjegled.exe
    3⤵
    PID:7252
  - - C:\Windows\SysWOW64\Oqhacgdh.exe
      C:\Windows\system32\Oqhacgdh.exe
      4⤵
      PID:7344

C:\Windows\SysWOW64\Ogbipa32.exe
C:\Windows\system32\Ogbipa32.exe
1⤵
PID:7404
- C:\Windows\SysWOW64\Ofeilobp.exe
  C:\Windows\system32\Ofeilobp.exe
  2⤵
  PID:7472

C:\Windows\SysWOW64\Pnlaml32.exe
C:\Windows\system32\Pnlaml32.exe
1⤵
PID:7544
- C:\Windows\SysWOW64\Pmoahijl.exe
  C:\Windows\system32\Pmoahijl.exe
  2⤵
  PID:7628

C:\Windows\SysWOW64\Pdfjifjo.exe
C:\Windows\system32\Pdfjifjo.exe
1⤵
PID:7684
- C:\Windows\SysWOW64\Pfhfan32.exe
  C:\Windows\system32\Pfhfan32.exe
  2⤵
  PID:7740

C:\Windows\SysWOW64\Pnonbk32.exe
C:\Windows\system32\Pnonbk32.exe
1⤵
PID:7804
- C:\Windows\SysWOW64\Pqmjog32.exe
  C:\Windows\system32\Pqmjog32.exe
  2⤵
  PID:7880

C:\Windows\SysWOW64\Pclgkb32.exe
C:\Windows\system32\Pclgkb32.exe
1⤵
PID:7936
- C:\Windows\SysWOW64\Pggbkagp.exe
  C:\Windows\system32\Pggbkagp.exe
  2⤵
  PID:8000

C:\Windows\SysWOW64\Pnakhkol.exe
C:\Windows\system32\Pnakhkol.exe
1⤵
PID:8068
- C:\Windows\SysWOW64\Pmdkch32.exe
  C:\Windows\system32\Pmdkch32.exe
  2⤵
  PID:8052

C:\Windows\SysWOW64\Pdkcde32.exe
C:\Windows\system32\Pdkcde32.exe
1⤵
PID:8188
- C:\Windows\SysWOW64\Pcncpbmd.exe
  C:\Windows\system32\Pcncpbmd.exe
  2⤵
  PID:7244

C:\Windows\SysWOW64\Pflplnlg.exe
C:\Windows\system32\Pflplnlg.exe
1⤵
PID:7380
- C:\Windows\SysWOW64\Pjhlml32.exe
  C:\Windows\system32\Pjhlml32.exe
  2⤵
  PID:7556
- - C:\Windows\SysWOW64\Pqbdjfln.exe
    C:\Windows\system32\Pqbdjfln.exe
    3⤵
    PID:7580

C:\Windows\SysWOW64\Pdmpje32.exe
C:\Windows\system32\Pdmpje32.exe
1⤵
PID:7696
- C:\Windows\SysWOW64\Pgllfp32.exe
  C:\Windows\system32\Pgllfp32.exe
  2⤵
  PID:7812
- - C:\Windows\SysWOW64\Pjjhbl32.exe
    C:\Windows\system32\Pjjhbl32.exe
    3⤵
    PID:7928

C:\Windows\SysWOW64\Pmidog32.exe
C:\Windows\system32\Pmidog32.exe
1⤵
PID:8036
- C:\Windows\SysWOW64\Pqdqof32.exe
  C:\Windows\system32\Pqdqof32.exe
  2⤵
  PID:8112
- - C:\Windows\SysWOW64\Pcbmka32.exe
    C:\Windows\system32\Pcbmka32.exe
    3⤵
    PID:7212

C:\Windows\SysWOW64\Pjmehkqk.exe
C:\Windows\system32\Pjmehkqk.exe
1⤵
PID:7388
- C:\Windows\SysWOW64\Qmkadgpo.exe
  C:\Windows\system32\Qmkadgpo.exe
  2⤵
  PID:7540
- - C:\Windows\SysWOW64\Qdbiedpa.exe
    C:\Windows\system32\Qdbiedpa.exe
    3⤵
    PID:7712

C:\Windows\SysWOW64\Qgqeappe.exe
C:\Windows\system32\Qgqeappe.exe
1⤵
PID:7924
- C:\Windows\SysWOW64\Qfcfml32.exe
  C:\Windows\system32\Qfcfml32.exe
  2⤵
  PID:8088
- - C:\Windows\SysWOW64\Qmmnjfnl.exe
    C:\Windows\system32\Qmmnjfnl.exe
    3⤵
    PID:7348
  - - C:\Windows\SysWOW64\Qcgffqei.exe
      C:\Windows\system32\Qcgffqei.exe
      4⤵
      PID:7572
    - - C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        5⤵
        
        PID:7848
      - C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        6⤵
        
        PID:8148

C:\Windows\SysWOW64\Acjclpcf.exe
C:\Windows\system32\Acjclpcf.exe
1⤵
PID:7596
- C:\Windows\SysWOW64\Afhohlbj.exe
  C:\Windows\system32\Afhohlbj.exe
  2⤵
  PID:7816

C:\Windows\SysWOW64\Anogiicl.exe
C:\Windows\system32\Anogiicl.exe
1⤵
PID:7988
- C:\Windows\SysWOW64\Aqncedbp.exe
  C:\Windows\system32\Aqncedbp.exe
  2⤵
  PID:7528
- - C:\Windows\SysWOW64\Aeiofcji.exe
    C:\Windows\system32\Aeiofcji.exe
    3⤵
    PID:7460

C:\Windows\SysWOW64\Agglboim.exe
C:\Windows\system32\Agglboim.exe
1⤵
PID:8208
- C:\Windows\SysWOW64\Ajfhnjhq.exe
  C:\Windows\system32\Ajfhnjhq.exe
  2⤵
  PID:8248

C:\Windows\SysWOW64\Anadoi32.exe
C:\Windows\system32\Anadoi32.exe
1⤵
PID:8296
- C:\Windows\SysWOW64\Aqppkd32.exe
  C:\Windows\system32\Aqppkd32.exe
  2⤵
  PID:8340

C:\Windows\SysWOW64\Aeklkchg.exe
C:\Windows\system32\Aeklkchg.exe
1⤵
PID:8376
- C:\Windows\SysWOW64\Agjhgngj.exe
  C:\Windows\system32\Agjhgngj.exe
  2⤵
  PID:8424

C:\Windows\SysWOW64\Afmhck32.exe
C:\Windows\system32\Afmhck32.exe
1⤵
PID:8460
- C:\Windows\SysWOW64\Ajhddjfn.exe
  C:\Windows\system32\Ajhddjfn.exe
  2⤵
  PID:8516

C:\Windows\SysWOW64\Aeniabfd.exe
C:\Windows\system32\Aeniabfd.exe
1⤵
PID:8596
- C:\Windows\SysWOW64\Aglemn32.exe
  C:\Windows\system32\Aglemn32.exe
  2⤵
  PID:8644
- - C:\Windows\SysWOW64\Afoeiklb.exe
    C:\Windows\system32\Afoeiklb.exe
    3⤵
    PID:8680

C:\Windows\SysWOW64\Anfmjhmd.exe
C:\Windows\system32\Anfmjhmd.exe
1⤵
PID:8728
- C:\Windows\SysWOW64\Aminee32.exe
  C:\Windows\system32\Aminee32.exe
  2⤵
  PID:8772

C:\Windows\SysWOW64\Aepefb32.exe
C:\Windows\system32\Aepefb32.exe
1⤵
PID:8812
- C:\Windows\SysWOW64\Agoabn32.exe
  C:\Windows\system32\Agoabn32.exe
  2⤵
  PID:8848
- - C:\Windows\SysWOW64\Bfabnjjp.exe
    C:\Windows\system32\Bfabnjjp.exe
    3⤵
    PID:8896

C:\Windows\SysWOW64\Bagflcje.exe
C:\Windows\system32\Bagflcje.exe
1⤵
PID:8976
- C:\Windows\SysWOW64\Bcebhoii.exe
  C:\Windows\system32\Bcebhoii.exe
  2⤵
  PID:9024
- - C:\Windows\SysWOW64\Bfdodjhm.exe
    C:\Windows\system32\Bfdodjhm.exe
    3⤵
    PID:9068

C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe
1⤵
PID:9108
- C:\Windows\SysWOW64\Baicac32.exe
  C:\Windows\system32\Baicac32.exe
  2⤵
  PID:9148
- - C:\Windows\SysWOW64\Beeoaapl.exe
    C:\Windows\system32\Beeoaapl.exe
    3⤵
    PID:9192

C:\Windows\SysWOW64\Bgcknmop.exe
C:\Windows\system32\Bgcknmop.exe
1⤵
PID:8216
- C:\Windows\SysWOW64\Bjagjhnc.exe
  C:\Windows\system32\Bjagjhnc.exe
  2⤵
  PID:8272

C:\Windows\SysWOW64\Bnmcjg32.exe
C:\Windows\system32\Bnmcjg32.exe
1⤵
PID:8324
- C:\Windows\SysWOW64\Balpgb32.exe
  C:\Windows\system32\Balpgb32.exe
  2⤵
  PID:8412

C:\Windows\SysWOW64\Bcjlcn32.exe
C:\Windows\system32\Bcjlcn32.exe
1⤵
PID:8508
- C:\Windows\SysWOW64\Bfhhoi32.exe
  C:\Windows\system32\Bfhhoi32.exe
  2⤵
  PID:8552

C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\system32\Bjddphlq.exe
1⤵
PID:8636
- C:\Windows\SysWOW64\Bmbplc32.exe
  C:\Windows\system32\Bmbplc32.exe
  2⤵
  PID:8696
- - C:\Windows\SysWOW64\Bclhhnca.exe
    C:\Windows\system32\Bclhhnca.exe
    3⤵
    PID:8752

C:\Windows\SysWOW64\Bhhdil32.exe
C:\Windows\system32\Bhhdil32.exe
1⤵
PID:8540
- C:\Windows\SysWOW64\Bjfaeh32.exe
  C:\Windows\system32\Bjfaeh32.exe
  2⤵
  PID:8904

C:\Windows\SysWOW64\Bmemac32.exe
C:\Windows\system32\Bmemac32.exe
1⤵
PID:8956
- C:\Windows\SysWOW64\Belebq32.exe
  C:\Windows\system32\Belebq32.exe
  2⤵
  PID:9044
- - C:\Windows\SysWOW64\Cfmajipb.exe
    C:\Windows\system32\Cfmajipb.exe
    3⤵
    PID:9104

C:\Windows\SysWOW64\Cjinkg32.exe
C:\Windows\system32\Cjinkg32.exe
1⤵
PID:9160
- C:\Windows\SysWOW64\Cmgjgcgo.exe
  C:\Windows\system32\Cmgjgcgo.exe
  2⤵
  PID:7900

C:\Windows\SysWOW64\Cabfga32.exe
C:\Windows\system32\Cabfga32.exe
1⤵
PID:8332
- C:\Windows\SysWOW64\Cdabcm32.exe
  C:\Windows\system32\Cdabcm32.exe
  2⤵
  PID:8392

C:\Windows\SysWOW64\Chmndlge.exe
C:\Windows\system32\Chmndlge.exe
1⤵
PID:8528
- C:\Windows\SysWOW64\Cjkjpgfi.exe
  C:\Windows\system32\Cjkjpgfi.exe
  2⤵
  PID:8608

C:\Windows\SysWOW64\Cnffqf32.exe
C:\Windows\system32\Cnffqf32.exe
1⤵
PID:4280
- C:\Windows\SysWOW64\Caebma32.exe
  C:\Windows\system32\Caebma32.exe
  2⤵
  PID:5276

C:\Windows\SysWOW64\Ceqnmpfo.exe
C:\Windows\system32\Ceqnmpfo.exe
1⤵
PID:8736
- C:\Windows\SysWOW64\Chokikeb.exe
  C:\Windows\system32\Chokikeb.exe
  2⤵
  PID:8784
- - C:\Windows\SysWOW64\Cnicfe32.exe
    C:\Windows\system32\Cnicfe32.exe
    3⤵
    PID:8972

C:\Windows\SysWOW64\Cagobalc.exe
C:\Windows\system32\Cagobalc.exe
1⤵
PID:9048
- C:\Windows\SysWOW64\Ceckcp32.exe
  C:\Windows\system32\Ceckcp32.exe
  2⤵
  PID:9188

C:\Windows\SysWOW64\Chagok32.exe
C:\Windows\system32\Chagok32.exe
1⤵
PID:8316
- C:\Windows\SysWOW64\Cjpckf32.exe
  C:\Windows\system32\Cjpckf32.exe
  2⤵
  PID:8492

C:\Windows\SysWOW64\Cnkplejl.exe
C:\Windows\system32\Cnkplejl.exe
1⤵
PID:456
- C:\Windows\SysWOW64\Cajlhqjp.exe
  C:\Windows\system32\Cajlhqjp.exe
  2⤵
  PID:232

C:\Windows\SysWOW64\Cffdpghg.exe
C:\Windows\system32\Cffdpghg.exe
1⤵
PID:9008
- C:\Windows\SysWOW64\Cnnlaehj.exe
  C:\Windows\system32\Cnnlaehj.exe
  2⤵
  PID:3200

C:\Windows\SysWOW64\Calhnpgn.exe
C:\Windows\system32\Calhnpgn.exe
1⤵
PID:8384
- C:\Windows\SysWOW64\Cegdnopg.exe
  C:\Windows\system32\Cegdnopg.exe
  2⤵
  PID:3736

C:\Windows\SysWOW64\Dhfajjoj.exe
C:\Windows\system32\Dhfajjoj.exe
1⤵
PID:8360
- C:\Windows\SysWOW64\Dfiafg32.exe
  C:\Windows\system32\Dfiafg32.exe
  2⤵
  PID:9000

C:\Windows\SysWOW64\Dopigd32.exe
C:\Windows\system32\Dopigd32.exe
1⤵
PID:8404
- C:\Windows\SysWOW64\Dmcibama.exe
  C:\Windows\system32\Dmcibama.exe
  2⤵
  PID:8672

C:\Windows\SysWOW64\Ddmaok32.exe
C:\Windows\system32\Ddmaok32.exe
1⤵
PID:3196
- C:\Windows\SysWOW64\Dfknkg32.exe
  C:\Windows\system32\Dfknkg32.exe
  2⤵
  PID:8468
- - C:\Windows\SysWOW64\Dobfld32.exe
    C:\Windows\system32\Dobfld32.exe
    3⤵
    PID:8888

C:\Windows\SysWOW64\Delnin32.exe
C:\Windows\system32\Delnin32.exe
1⤵
PID:9244
- C:\Windows\SysWOW64\Dhkjej32.exe
  C:\Windows\system32\Dhkjej32.exe
  2⤵
  PID:9296
- - C:\Windows\SysWOW64\Dkifae32.exe
    C:\Windows\system32\Dkifae32.exe
    3⤵
    PID:9336

C:\Windows\SysWOW64\Daconoae.exe
C:\Windows\system32\Daconoae.exe
1⤵
PID:9420
- C:\Windows\SysWOW64\Ddakjkqi.exe
  C:\Windows\system32\Ddakjkqi.exe
  2⤵
  PID:9468
- - C:\Windows\SysWOW64\Dfpgffpm.exe
    C:\Windows\system32\Dfpgffpm.exe
    3⤵
    PID:9512

C:\Windows\SysWOW64\Dogogcpo.exe
C:\Windows\system32\Dogogcpo.exe
1⤵
PID:9556
- C:\Windows\SysWOW64\Daekdooc.exe
  C:\Windows\system32\Daekdooc.exe
  2⤵
  PID:9600
- - C:\Windows\SysWOW64\Dddhpjof.exe
    C:\Windows\system32\Dddhpjof.exe
    3⤵
    PID:9644

C:\Windows\SysWOW64\Dgbdlf32.exe
C:\Windows\system32\Dgbdlf32.exe
1⤵
PID:9684
- C:\Windows\SysWOW64\Doilmc32.exe
  C:\Windows\system32\Doilmc32.exe
  2⤵
  PID:9720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 9768 -ip 9768
1⤵
PID:9828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9768 -s 216
1⤵
- Program crash
PID:9884

C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
1⤵
PID:9768

C:\Windows\SysWOW64\Dodbbdbb.exe
C:\Windows\system32\Dodbbdbb.exe
1⤵
PID:9376

C:\Windows\SysWOW64\Daqbip32.exe
C:\Windows\system32\Daqbip32.exe
1⤵
PID:8512

C:\Windows\SysWOW64\Dejacond.exe
C:\Windows\system32\Dejacond.exe
1⤵
PID:9140

C:\Windows\SysWOW64\Cdhhdlid.exe
C:\Windows\system32\Cdhhdlid.exe
1⤵
PID:8756

C:\Windows\SysWOW64\Bmkjkd32.exe
C:\Windows\system32\Bmkjkd32.exe
1⤵
PID:8936

C:\Windows\SysWOW64\Amgapeea.exe
C:\Windows\system32\Amgapeea.exe
1⤵
PID:8556

C:\Windows\SysWOW64\Nfjjppmm.exe
C:\Windows\system32\Nfjjppmm.exe
1⤵
PID:7604

C:\Windows\SysWOW64\Likjcbkc.exe
C:\Windows\system32\Likjcbkc.exe
1⤵
PID:6500

C:\Windows\SysWOW64\Llemdo32.exe
C:\Windows\system32\Llemdo32.exe
1⤵
PID:7044

C:\Windows\SysWOW64\Lbjlfi32.exe
C:\Windows\system32\Lbjlfi32.exe
1⤵
PID:6724

C:\Windows\SysWOW64\Kfckahdj.exe
C:\Windows\system32\Kfckahdj.exe
1⤵
PID:6548

C:\Windows\SysWOW64\Fooeif32.exe
C:\Windows\system32\Fooeif32.exe
1⤵
PID:2024

C:\Windows\SysWOW64\Flqimk32.exe
C:\Windows\system32\Flqimk32.exe
1⤵
PID:2296

C:\Windows\SysWOW64\Fdialn32.exe
C:\Windows\system32\Fdialn32.exe
1⤵
PID:5092

C:\Windows\SysWOW64\Ffgqqaip.exe
C:\Windows\system32\Ffgqqaip.exe
1⤵
PID:2308

C:\Windows\SysWOW64\Fchddejl.exe
C:\Windows\system32\Fchddejl.exe
1⤵
PID:4408

C:\Windows\SysWOW64\Fkalchij.exe
C:\Windows\system32\Fkalchij.exe
1⤵
PID:380

C:\Windows\SysWOW64\Fdgdgnbm.exe
C:\Windows\system32\Fdgdgnbm.exe
1⤵
PID:1576

C:\Windows\SysWOW64\Faihkbci.exe
C:\Windows\system32\Faihkbci.exe
1⤵
PID:4852

C:\Windows\SysWOW64\Febgea32.exe
C:\Windows\system32\Febgea32.exe
1⤵
PID:5076

C:\Windows\SysWOW64\Ehljfnpn.exe
C:\Windows\system32\Ehljfnpn.exe
1⤵
PID:1708

C:\Windows\SysWOW64\Eabbjc32.exe
C:\Windows\system32\Eabbjc32.exe
1⤵
PID:1276

C:\Windows\SysWOW64\Eocenh32.exe
C:\Windows\system32\Eocenh32.exe
1⤵
PID:4648

C:\Windows\SysWOW64\Elbmlmml.exe
C:\Windows\system32\Elbmlmml.exe
1⤵
PID:1540

C:\Windows\SysWOW64\Edkdkplj.exe
C:\Windows\system32\Edkdkplj.exe
1⤵
PID:4432

C:\Windows\SysWOW64\Eoolbinc.exe
C:\Windows\system32\Eoolbinc.exe
1⤵
PID:1668

C:\Windows\SysWOW64\Edihepnm.exe
C:\Windows\system32\Edihepnm.exe
1⤵
PID:852

C:\Windows\SysWOW64\Echknh32.exe
C:\Windows\system32\Echknh32.exe
1⤵
PID:2640

C:\Windows\SysWOW64\Dahode32.exe
C:\Windows\system32\Dahode32.exe
1⤵
PID:2972

C:\Windows\SysWOW64\Dojcgi32.exe
C:\Windows\system32\Dojcgi32.exe
1⤵
PID:1772

C:\Windows\SysWOW64\Dohfbj32.exe
C:\Windows\system32\Dohfbj32.exe
1⤵
PID:2620

C:\Windows\SysWOW64\Dbaemi32.exe
C:\Windows\system32\Dbaemi32.exe
1⤵
PID:4072

C:\Windows\SysWOW64\Dlgmpogj.exe
C:\Windows\system32\Dlgmpogj.exe
1⤵
PID:3288

C:\Windows\SysWOW64\Demecd32.exe
C:\Windows\system32\Demecd32.exe
1⤵
PID:4884

C:\Windows\SysWOW64\Ddmhja32.exe
C:\Windows\system32\Ddmhja32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
85KB

MD5
9f7c958cba1182b22773688231b4897a

SHA1
072b4c0807605cbe1e3a1fd1bd1308bf082b548a

SHA256
ef6bc6ddadebda09b44e00837614a7d549c5d5ffb255cee289a21ead66b551eb

SHA512
39aad042acca5a28fc8762f5bc41ed4b1e9c922d70d0dc4744efd342fe337ccef66a386012c35b49bce5865952a684b96c0b2e0290dcbb7f768efff29ebc0a81

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
67KB

MD5
72bf4163667378b38ce0a9b65ccf3406

SHA1
48e3e01123faa864d0480ab5411c0b86147b8185

SHA256
018d96b7d575d9fad2498900d2da29578d108e37711436cf5a49b0434c0d252e

SHA512
d9ef872e1402fe0ff18014e444b301dcdec48952524442ef9a384dab8c83f18dc6d89a934de5f6b9284fe985be1dd62d926665d6b9ec1607c44bdec0174ff53f

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
4KB

MD5
09e5013f3d72f79999e9cfaecb1f1ddd

SHA1
940c5596181072400f88c19e4f069d1cbd07806d

SHA256
7cac9b0b9bccae190c08200340f212b9f9386339d706995ae7cbc7c35cdab829

SHA512
3931230ddecd7dd46cdda3b8ea66279d6f51f1467c494e26e602f85ba3c1fa89003b483d17d0c670f5a5d066ba6d35f87970dffbafbd0e1211995c7d28702324

Download Submit
C:\Windows\SysWOW64\Dahode32.exe

Filesize
85KB

MD5
e0fc640a6967df58802c98f2eb5ac07f

SHA1
239818eb93b7d65803afd18257e8a465bf30c639

SHA256
d12d61b5d49b3253bef322a82253f9f72658448b76b8c8a436a09c8adf3cd603

SHA512
12164e3ecea4b24b8f5c4ec70eb8e68774c3e2f816438274dc222688b3ecb63408645aa96285139252ca3285ef2189f0c4db08513d4d6a944f1058ce896b4872

Download Submit
C:\Windows\SysWOW64\Daolnf32.exe

Filesize
73KB

MD5
fe868c5948fc484151e42f7b0f95afe1

SHA1
7d8446d851a41f52d2959607a21684743855527e

SHA256
8323a401aaf0b493ed3f3dd3c11ad0b0ee34e7bf5455813913103f340ac11205

SHA512
10dba9e8962b7a7ef1892167363dae90cfe1812d3f364e8be6c8d5af6cbcf14e7a343d1dd9b5cbac229ee0e7908eac9e6515e719608bfa6f390abcf2a5fed7a2

Download Submit
C:\Windows\SysWOW64\Ddgkpp32.exe

Filesize
85KB

MD5
775bb07f722e2f40f9c580df7a0335ae

SHA1
61949c3400a14182022c1044e6daa7dc7f40a950

SHA256
c5ee120bdad0242b47eb2d85ea88b7dbfc9c777fd0361d61f444941dd197a3c6

SHA512
23943a9257bb243bc75c2d68a27dc951c86008bbf54f9c383791dd11d65da2935d82dc46e89a4a3245f45981eaf3ca8c7014ddf05056632e3d80440ac7edd7b9

Download Submit
C:\Windows\SysWOW64\Ddmhja32.exe

Filesize
78KB

MD5
17d2601611652d354077155ad24f77ac

SHA1
98fbe7903a19100d18e89d6aff1f73fbf50aa991

SHA256
9a62e946c5d68d5dba57716a379533a0a844ebe860999f9e61bca52a48752b10

SHA512
bc712107fe63003251fd800de8700bc1ac4cb97933506f206c124c292be987b4e15a8e5ea8d1f8795c7a30a6e733cb92040a545773632538766065aeb321b7ac

Download Submit
C:\Windows\SysWOW64\Ddmhja32.exe

Filesize
33KB

MD5
52a50e7b4b2d5c63d2bb4b20286493d9

SHA1
fd7889de3535d83237c39ea751955c45eddd4eda

SHA256
514307eeddaa35022d748cf635f455fbe7144240fdd94f9df382f28af6669675

SHA512
bc76b62a1b0456cee8e30bc98342a14bf4e4f02aca810c5d5ef3dc061def70b3ee91d1e6b4a9641ef670e6b5db69cdcc7e2f6cb87e76a362ea245a53997b7e00

Download Submit
C:\Windows\SysWOW64\Demecd32.exe

Filesize
44KB

MD5
65a1d07cf1a16b5ff54465d6c499648e

SHA1
9e8cf137e7d2113b5dc691bd358f63ae9c48f8a3

SHA256
a295af7337ad949b5559b21abf6157ab7aefbc851a360a0d973ef40e2c71bf89

SHA512
e931f63f7d9c4d7d89d8e3207055634f481c915a5b290cd0068334a7e9ef511ab0831411c19b413d10c9a3271562c2f31913f794f7092cf3cf1402cd967926b3

Download Submit
C:\Windows\SysWOW64\Dhpjkojk.exe

Filesize
85KB

MD5
dde210c445ecdd105bf481c3e54bc790

SHA1
1230ea29f6bedba563b07362c556302a5900d1f1

SHA256
73e0593163caff46af2a1034589a337f51def9bd35c9327040d239e710ae9167

SHA512
108e0366f55a1f15674a2e83181637a61e2e05aca763b5fec96578d6661199f27c1292d301f857dabd6ef2d59c90df2a8c77e46e607a1c8060340da5894fc7ec

Download Submit
C:\Windows\SysWOW64\Dldpkoil.exe

Filesize
85KB

MD5
36347f06f832a3dbdd77641098d990a9

SHA1
316b39bfa0266761c1ad79fbc244f0883680192e

SHA256
e47db7b5dd5bf7053d3fa5272b27aa9b4007ac77af7016a57d3e1c586ef835b7

SHA512
427a839facf64b45b775268a38c6bca92667a48aa63c85007d73035bfb1eb8d77c347ad7d20c369bb3b833499b4d7eb8922ebf0114440c147276abe5c4633920

Download Submit
C:\Windows\SysWOW64\Dlijfneg.exe

Filesize
85KB

MD5
84ff0d36e6379ade3c5d281fb9f81cc3

SHA1
52ce6f0a0bfde5f69075741fe0ea5d8c53378541

SHA256
e5dbe64f7c4eb7de31b682b55ef121b0688441d834c62bb3413670b10f065915

SHA512
31a6135e2fd6ae66fe5ae1630c08ee69fa10e0b6b41454bfa7a047bb0c19c910eb41a0a00a3b7146c3c9922b89ed4eec6d16f8951a2c9b97edcd123161ad352f

Download Submit
C:\Windows\SysWOW64\Dlncan32.exe

Filesize
85KB

MD5
5feedf536eb30e05493f1b266b455467

SHA1
3efa652cd460de60cc766029577ea171e7d86ad4

SHA256
a102c3902ab0f6dc6ec49720be9c29d8e9a1f09698999ed9c64e5f937d506ff2

SHA512
d6840ae95a2bec4664179d3ec026246092fb396a20ecbe6fc102cf3f9aeb44632e578ebebcb5750c18e5d68841fcff0bca8a04d3161518024665d64458f04427

Download Submit
C:\Windows\SysWOW64\Docmgjhp.exe

Filesize
85KB

MD5
42bba7c8a9fa29491373ab704b4ff230

SHA1
6ad96d7bde6f9127d7a567bdd507582b338d9598

SHA256
b42772897130743fba2994482e30c41ff1795bead2e49271001eb18054130e38

SHA512
1973b319171b64f7a6b51898b841a8d72fd794030a14150de921ee2a4e32d6e2d5890cd08e697758100252259f0d331198814ede601437ac34d95b2153c19081

Download Submit
C:\Windows\SysWOW64\Docmgjhp.exe

Filesize
68KB

MD5
3ba9cd997ff06fd152925ab882f2e1fc

SHA1
e6754d87f359d8e521cd762dd352e1547c0fb23c

SHA256
3c844b2e59c06908b3e5997d105ee94ac6261d13fb15fd112bc04e095e1a1c42

SHA512
5b2fb6f0903b75311388fb2ba24a0e781bb2dabacf499276b11e71190c6ef397e1391ee517d7eba360903a32fd2a91c736de819788a914bc0a085a18dab3866a

Download Submit
C:\Windows\SysWOW64\Dojcgi32.exe

Filesize
85KB

MD5
ba7b0151b988557482c380a549aaec05

SHA1
2f3f00319966e26d4d0dd273f9ba944fe66301fa

SHA256
cbe65c193909772fd5494f11881af17def8cfa6a0336e78946219b3d4fcc4009

SHA512
ee46348a7e8a02c407b3b3453df5a5d3c2b7a6b4b52280708b9f2d330322911b3ae656662790f072c1264968c789ee98b2026eda3cf957583d9b6ddc2c657a41

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
85KB

MD5
5189e4b41249316799644f0dea34fea1

SHA1
1622789a52911f927fc7391b1e2f5edff4e20102

SHA256
ed5edcd6805f0ee1e80e1be3a58c8914f6faa6c9a176f647beb8b6c22d01eae8

SHA512
3dcef71da6c1daf55937d3cc84284c5d3405f3d709972324976ac4342905b3d02e1a043d0e8210bbcfcc76acd0fb7630490ef8338929f00e191cfa50b807f2e1

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
64KB

MD5
f3272544beae9c3addc370caa889f7af

SHA1
080f30b03dc98fdf07f6dedc47b115e9003bb609

SHA256
b3ace1a55738f3796856f099c1ee16788697189e6541e1e2285ea9debe388661

SHA512
01c66fa9a34c0081dbb9b7699c1a1f6e5e4d347eee1e64dffec922e143598e0fdf3186089896f7376beb6c79780bd88bce9d35051e65b3873e6a66035dd0e153

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
55KB

MD5
913a95a51009ad8e0ffe41665f00922e

SHA1
0c4a787e15b7962e5f722a01c740ac88616c81b6

SHA256
caeca40f7acdb2396461af120e6ecc8784ba2f76446ef04327862c5d8a1f9e52

SHA512
fd7ce4dc7a714ea08198d0ec4a19fa1b28eb078a9fccfb518cbbac99565c2431955572bc7a85cc0baf816573b7b7df921dded3a554ec00199ecd918cd4b0468d

Download Submit
C:\Windows\SysWOW64\Edihepnm.exe

Filesize
85KB

MD5
cc18af4e3e0f4bd1cce9088cd57b7bb6

SHA1
6f83288441a26baf79ad18ca209cafbc027822e8

SHA256
cbb18da4636bb8ec724a01ff0c0c8c9b8612f7d6919601100f7fb9580695bcf3

SHA512
c8dbc1bb434d3eaad8dc7bcc88eefe999429386995d97126b2cb08f56b6b40d219fa89025de8f2199f887585f5283ca8d29c421ddfb3f781cf8a6390399d8299

Download Submit
C:\Windows\SysWOW64\Edihepnm.exe

Filesize
67KB

MD5
a9a1d7f8eaa027f6af81d64b6de8b8d6

SHA1
f84f742dd568cba3f9a9bb67691627417810258e

SHA256
f87f8f213093bbf9ff8b5a6e34cf31df3a19d86a894c02819f9277362a6f28e6

SHA512
bdcab810c5581a693405534857c55b37b6a1f0961bba4a3ed21221c5d9edc0677ae721388143f2caea0ac05b9794c8fbc4d910333be05d72b0625d79b598ce0b

Download Submit
C:\Windows\SysWOW64\Elbmlmml.exe

Filesize
85KB

MD5
7c85927c90ac2c9a73eec8c2b47b85d4

SHA1
2861464744cf4686d45a966d67d46e060021b25f

SHA256
25f5f1c0d4a9ef9e0026c378bc1d18117f7705faa98d9c498a26f2296dab416e

SHA512
f852a72581bc7d29cb7f27e06c297ff37cd55667e0249d89b9461d2618c28844869a8bbe9b7b94f3d7da437160e3b9fb4566350ff98ec62ec7ed3adcfe31bbd5

Download Submit
C:\Windows\SysWOW64\Eocenh32.exe

Filesize
85KB

MD5
084a7fb7c83fbbbf34427b8d8f791741

SHA1
db27212affecc3cf5cc6a0557b45bdb2150a9641

SHA256
b8ecb6515be95ad3f09eabb481b4b54d72982a8658872e498b3a18650bea5d29

SHA512
0c89906cefa2f8080ed86e12dca761568e3a5807309a6a7a0dac2fd70e34ebc534258c98a50468f64482054df44dbfa5f28dc0427f5187741c8c9b07fe56dac7

Download Submit
C:\Windows\SysWOW64\Eoolbinc.exe

Filesize
22KB

MD5
da481d15825cd983159ea176a9f9e5d6

SHA1
920fe9d49970de13762bed9e7b5e9d5e5ca93947

SHA256
f2f52d25511309e4067750a08646f19982bd20ba6c9ea0bc63b8e0989e5c9080

SHA512
7ee80dd0a617076d2555c4153da584e118b3369057c198156de97076940fbc52e33bb2d81c0739219648f0f8f2f3b5009b6746a20c9a115cfac44eabf3174f34

Download Submit
C:\Windows\SysWOW64\Eoolbinc.exe

Filesize
21KB

MD5
f0bcda509f27d6c048ec8a7826945a30

SHA1
fca0a92283ac46e80a14d7128e72abc4f02ada5e

SHA256
5a6d840162c0a496d1bcf253e4e01c5b9ebd4e72f960a1634b56949d2b46fb8b

SHA512
055a1a9be8816896c68822b4a63050a8702019a7516722e84cf4527debf8f4bafc27e7b7e6893c04868e7e8cedc15f5d45bc149017bc069ac9a788710eef1436

Download Submit
C:\Windows\SysWOW64\Fhqcam32.exe

Filesize
32KB

MD5
3069968befee4cf61f2490bcb4001808

SHA1
e713d1f289c7f9d74f167c5ec103e2d03413a133

SHA256
8f2072e9d34ed13291d541283ce5821227396c45027b50a91b851f596e393e7f

SHA512
47da53188bc52bc08ce2ef60508d26c7a632cb2458553341d356adb486aa2da4ff0421d6d58df72ffc5055b1a48833c8be5c32e648a2ae6080cad29f8246e9a2

Download Submit
C:\Windows\SysWOW64\Fhqcam32.exe

Filesize
85KB

MD5
27378feba0ae85c99fab75583a23da20

SHA1
e40ad7a2319ff63a47b06eecdc31e9f1420ab0f2

SHA256
39b5e3c401d6e2c2985f9649c7781bcd03fd6826064d756ccc7bd7fa760f4a27

SHA512
42672d67f9a1baa2e6c4dfcc01fb7f38a90c0be35b783dd78e3a9b438539216f79c2c2f1a349daeead1b840c3728447340036798cb72f8b8d6a66a61e669f752

Download Submit
C:\Windows\SysWOW64\Gbbkaako.exe

Filesize
85KB

MD5
f0ce25fb9bef3f4cafdaa7a9be76722a

SHA1
a48f4ea95e305a6dc3a592315ec31edc1f1ab4ee

SHA256
abf803c6947a2b4085b68477bb105573675b90340ee6ed835db39b4c6e1679e8

SHA512
af602987c5a453a41d756d3e46f7c11ae2fce607273c10bf511c15edbc442540055c0db304b595910e16dc6439b9c43eb89c5fdfcef9dd8c0cc05db1c8d1661c

Download Submit
C:\Windows\SysWOW64\Gdeqhl32.exe

Filesize
85KB

MD5
f88a687c14919aab0d98a61b519ed680

SHA1
b163f8682d2cc4c36eb259e031e55491d7370cfc

SHA256
7ed9a54b4c88f46e14f94b05730a937802f212fe1e8aa53d0c6be7c884df28d4

SHA512
2e624cf43652a4e31459f96738f9112ad9f19922ac7004da41fd0601e623c158ef22c9c6aaa2fcc1fe9b5cfff7085ab5df36ded87ff9b56b8ff6a190286d464f

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
85KB

MD5
581fa0137d361f3f71ac62e1861df548

SHA1
7dea43b07685501f78f1ff61d570a925bf1f4b41

SHA256
a6c8513e61590bdd04fe3c78a3a2e1b271cfb98af6d1f084c398be43b17f88d4

SHA512
03570a480ba5852c1af0508d2a963f361359eb4b5ecc3a2141a99b3b76c4bc14aceadd18337bcb6e57f0f4d4b2f784c58122c3cbf8c927abb2c3504090e3bb92

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
85KB

MD5
a6301253f1d397df7b6edf2bb690dd13

SHA1
7ab1c6040b78b99347fc97d14ea4831b2750998d

SHA256
3b08656aa3f3bec859af13a46640674f6891d3ea56ce7dab9e78f7371e9f578c

SHA512
4c4c35074de1f44b53aec54731472393be8bbd02c12c0d2349af66c7fbb4252381d420c0035a05a44f39b71a6822c474d5b150d5aa445e000042ab49ed32cd9e

Download Submit
C:\Windows\SysWOW64\Hmfkoh32.exe

Filesize
85KB

MD5
c83bb784b71238b0ac009a18a36beeb1

SHA1
635456611ef6c4479d262c07930ac81a12d85739

SHA256
ab6018aaf45e89dbde147be39b8814da480ade2c870d53610ffd6c1020196325

SHA512
96b38bc3d79759d37c0765de82dedcf1732f9bf8fad2654d3352d2a217540dcdb1d3f3663663eabf6e30fee659bc9c863d09cf9f7ca7d6909c397fcea2dcbb96

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
28KB

MD5
65f1aab3fa59f6a2e92b0ab36abf80b0

SHA1
51b80d2884cc74a0ade959d3170f6633af93570d

SHA256
7068cf8119a6e4d03d43ca2ae30f8100b0d1975d81bdcac78722c3a303fad690

SHA512
563a15519e64aec0eca40131844ce8ce82973f179684fec954643addb62bea38ab78ae7ef83f6f5a213fc2a4604251d6a613232f2dc6a2f67e2fcd5fc034e69f

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
46KB

MD5
d7a517b6496f03431e092cc1e6f99dfd

SHA1
f258bb928d6bda15419db657a5d79b9fc9bb38fa

SHA256
ce0a0784c134d479d1d08ffbbfb18e10e82c35dca40883d9c1b030e9954e1cd4

SHA512
f5e1d2da2111e3672b743eef3c3e015673292a1d05ed473b9317a1621ebd7d6a2d10a2466a647b115d2ffefa148297cdcf0ca7d3a50ae891bed5ee5883c5625c

Download Submit
C:\Windows\SysWOW64\Jfoiokfb.exe

Filesize
85KB

MD5
a275a1b04a7632a26e0ece93b55da46e

SHA1
f214b0fe2449637c681426fe3370cfed3271b508

SHA256
1dfc698b6f7badc1210b158586e6872f298982c610bf34269ced5e79f65e004c

SHA512
fbd2af2c388e2a1e88bb896513f34ecfc0520d239937608670b388763057579de3c99f60ec487b2eac0db3af97b4f2e8bad62b8c9845f519922bb6437ea0797d

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
1KB

MD5
74b6b56f37cf8a376f9cb6bd8903dfbd

SHA1
a0ff86c15be755b74bf63ef79f9e1357bb853d42

SHA256
37741148d88e28b36bac49e8562caf1227ecedbe0cdb0b38f40052965fbac955

SHA512
c2bd6dcbb8da7550f28806307d7c71ba95de383aaa537bdfe5a73dec889aefafc973e6358645bb4fc59b892a9c020491ab47fc060333a5c27112a19cf8fe2887

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
85KB

MD5
a7c5d2f9d622997054da02e7ae601bd5

SHA1
9da82122f9b1cdeb1fe85a0b1e30bc2e466307a4

SHA256
7cde4defb70ce2b6cd703872ce4915ed9373feac9dadcb86d0088a6eec0e015d

SHA512
fcd4e9211194a9d6aa0686a98dbb7545a99cd306ea70c259eb73f1fd6fdef22300ba98868783bb200d20f979427272ba12d9f3f0740e24199d98c67716e427ad

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
85KB

MD5
5201498c667a451f77bea437787ea71b

SHA1
a806b4220385bad63b77fbf370b50c7f649bf150

SHA256
d71d1254485bb85fb6f104e64c4a89d1559da97729405fa51adb1f785933634d

SHA512
384559d9bb8cd8d96bfbb152d17945bdfabdd37b91ca8ae3fe409867f45afd5429b5f4c42514ac70a61cc9584dd6a4e0fd14eb2d8bea0d498d2b923b0161f087

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
85KB

MD5
8d2ef3c78ec92dd205749bc981ad79fd

SHA1
d6090eb6e3b6c6b85bbfae6d1dfd3d6a1d4e5be9

SHA256
511398962868e723f8a2cd1ff253db1e24b58bf878ac9edf6aadb451e144e315

SHA512
4f3d8b2d5f5f5a2efc6e36009649e23223c30a75be77fc016f6099894e81196c979ffbf8f7d83066c7ffa18cdd7a647ac4e25243add61d9f6ba016b8057c441f

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
85KB

MD5
2c278b544b7312b3e87bedf22e2b5108

SHA1
b4baea3abdfa2fc19267e42891e3e24c2460f30b

SHA256
ae3e639a3b7117ee1483b30ec9acadf11e7700671498d8a0533c728659d63daa

SHA512
2fb636ce165b611be13b84f56de6fdacff5be4b150677abcb44a15692e92d48214d3877a6760ec3e9bfa56e66015487d4181f930a519c894d40bae6c672f01ee

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
85KB

MD5
c7168195416d387e6e74e8352746a473

SHA1
870ebb9f2480d815aeacbe62bce2e8eafd58dbc7

SHA256
069c8929932d1266720a236b9e5ac133721a1450da4957b3b0ab456a34781c8b

SHA512
265e6cf6bcad93e6c833d6cbce41b4cba155634deca09f414417886c04ee20808a408f84eebf398623da776067f42673f7babc649a7c86b3a17d0aa3eb225ba5

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
85KB

MD5
78425099d67e185526f811c55d2a21a4

SHA1
5274a6d62bccda4743e218a12fb75c6c8591e5cf

SHA256
30c2886b5c4b1ba844b0ebf168852d5aff8f117bc1573ad5971c64a6c620e239

SHA512
d54f9494f5fda89c1e55f3594e5e9baae542907fd606859793c27cd124bd8800b5eb6cd9d010680de3e66421dcb1373d30a0933f9a2397390c644ecfb78394a2

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
85KB

MD5
7be4248965bfa10525c5e500044ad001

SHA1
f157cca444140cd8739ef467fcecead935bd2de0

SHA256
ad847ccfbdba5ab4314c3bd2d4e94700bf315d7d375123cde94e186129540e14

SHA512
a7951aeb980ef0c2654bd3d20fdcdc49582b7add9ead118cb8e82f0f5b6a4411439e5243e6331715dbcd50bb57560227ed90ee9cdb9b9b49614a77a5a07328bd

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
85KB

MD5
1fadeb3f37951714f9b192ff6fdbcd98

SHA1
55032af1f7409cea82a50bd127f3d3ab5f1ae3f1

SHA256
cf6e9328cd3088be0a32b0f7c10e31569c3e5ab703b6b48019c8759a11aba119

SHA512
66abe580b0705ad93084571a80239f93f0109c9651c230b82a7c68f17e79efb27021b701fc83388b771ad02467a2268c096f2e3836e950f99985b5ad6e19f377

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
15KB

MD5
625516e1426b067bded2a9b2c91684ce

SHA1
bbe3bd1d5ba54171a086e379da85bf4d15d789ca

SHA256
34a8619bd42a5149ca521e40907593a58548389ebf406023b1459119a30a0f84

SHA512
7e201c67e40baed1348b09dd8fb99d629f61c3e420e63e7e56f252db4d6e498564eb47120b73c7a6e0647dccad818c39bc6b2aad26a0a4fe718df71a622631b7

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
30KB

MD5
95a0fe70395ef96714ef86021497a132

SHA1
286b4457c5d2a20e2134e544e91298041d914ca6

SHA256
c0a3ffc81a14b1ae6f6cf83fdb933e4d0eb05288a770213605f4728ae2b5e721

SHA512
9a0d58660756a8ea1818cab83318b6b4299fb9436a4ee245278ef5efcce0982d09579a83982b22cb971c1066538bd65f2c62424d3e1ae9e7f28c85d39c2fd736

Download Submit
memory/64-283-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/64-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/380-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/628-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/628-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/712-102-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/712-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/852-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/852-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1012-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1012-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1188-230-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1188-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1276-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1276-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1540-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1576-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1668-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1772-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1772-194-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2160-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2264-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2268-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2268-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2296-331-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2308-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2436-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2436-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2620-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2620-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2640-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3244-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3288-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3288-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3920-130-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4048-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4048-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4072-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4072-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4408-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4432-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4512-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4616-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4648-204-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4648-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4700-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4700-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-6-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4852-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4884-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4884-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5076-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5076-332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads