b1c13658d6dcbd0647b81ec16035e87c05baf048e66391e58dd2d5c896d96cb8

Analysis

max time kernel
0s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dc3729ef8de6acd85c30244475d4718.exe
Size

1.6MB
MD5

6dc3729ef8de6acd85c30244475d4718
SHA1

97d9ce739429a4ae292bb103cf6705a388766c37
SHA256

b1c13658d6dcbd0647b81ec16035e87c05baf048e66391e58dd2d5c896d96cb8
SHA512

2d3fa64786f8e41e276e95317320ed235452dcfe29b7249158172cde05197b76f879a83522056e3754dbe912257086541f90bef4888b534b75d70ba7f7d69f0a
SSDEEP

12288:szZq6bSwwL2bWGRdA6sQhPbWGRdA6sQxuEuZH8WF50+OJ3BHCXwpnsKvNA+XTvZu:ASwwL2vzecI50+YNpsKv2EvZHp3oWB+

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6dc3729ef8de6acd85c30244475d4718.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6dc3729ef8de6acd85c30244475d4718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe

Malware Dropper & Backdoor - Berbew 28 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000300000001f45f-7.dat	family_berbew
behavioral2/files/0x0006000000023522-2631.dat	family_berbew
behavioral2/files/0x000600000002349c-2201.dat	family_berbew
behavioral2/files/0x0006000000023492-2170.dat	family_berbew
behavioral2/files/0x000600000002348c-2152.dat	family_berbew
behavioral2/files/0x0006000000023231-127.dat	family_berbew
behavioral2/files/0x000600000002322f-120.dat	family_berbew
behavioral2/files/0x000600000002322f-119.dat	family_berbew
behavioral2/files/0x000600000002322d-112.dat	family_berbew
behavioral2/files/0x000600000002322d-111.dat	family_berbew
behavioral2/files/0x000600000002322b-104.dat	family_berbew
behavioral2/files/0x0006000000023229-96.dat	family_berbew
behavioral2/files/0x0006000000023229-95.dat	family_berbew
behavioral2/files/0x0006000000023227-88.dat	family_berbew
behavioral2/files/0x0006000000023227-87.dat	family_berbew
behavioral2/files/0x0006000000023225-80.dat	family_berbew
behavioral2/files/0x0006000000023225-79.dat	family_berbew
behavioral2/files/0x0006000000023223-72.dat	family_berbew
behavioral2/files/0x0006000000023223-71.dat	family_berbew
behavioral2/files/0x0006000000023221-65.dat	family_berbew
behavioral2/files/0x000600000002321f-56.dat	family_berbew
behavioral2/files/0x000600000002321d-48.dat	family_berbew
behavioral2/files/0x000600000002321d-47.dat	family_berbew
behavioral2/files/0x000600000002321b-40.dat	family_berbew
behavioral2/files/0x0006000000023218-31.dat	family_berbew
behavioral2/files/0x0006000000023216-24.dat	family_berbew
behavioral2/files/0x000800000002320f-16.dat	family_berbew
behavioral2/files/0x000300000001f45f-8.dat	family_berbew

Executes dropped EXE 7 IoCs

pid	Process
4856	Lklnhlfb.exe
5096	Lnjjdgee.exe
4428	Lphfpbdi.exe
4396	Lcgblncm.exe
2036	Lknjmkdo.exe
2400	Mnlfigcc.exe
4464	Mdfofakp.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	6dc3729ef8de6acd85c30244475d4718.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	6dc3729ef8de6acd85c30244475d4718.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	6dc3729ef8de6acd85c30244475d4718.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
12436	12348	WerFault.exe	298

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6dc3729ef8de6acd85c30244475d4718.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6dc3729ef8de6acd85c30244475d4718.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6dc3729ef8de6acd85c30244475d4718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	6dc3729ef8de6acd85c30244475d4718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6dc3729ef8de6acd85c30244475d4718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6dc3729ef8de6acd85c30244475d4718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4856	4888	6dc3729ef8de6acd85c30244475d4718.exe	499
PID 4888 wrote to memory of 4856	4888	6dc3729ef8de6acd85c30244475d4718.exe	499
PID 4888 wrote to memory of 4856	4888	6dc3729ef8de6acd85c30244475d4718.exe	499
PID 4856 wrote to memory of 5096	4856	Lklnhlfb.exe	498
PID 4856 wrote to memory of 5096	4856	Lklnhlfb.exe	498
PID 4856 wrote to memory of 5096	4856	Lklnhlfb.exe	498
PID 5096 wrote to memory of 4428	5096	Lnjjdgee.exe	16
PID 5096 wrote to memory of 4428	5096	Lnjjdgee.exe	16
PID 5096 wrote to memory of 4428	5096	Lnjjdgee.exe	16
PID 4428 wrote to memory of 4396	4428	Lphfpbdi.exe	497
PID 4428 wrote to memory of 4396	4428	Lphfpbdi.exe	497
PID 4428 wrote to memory of 4396	4428	Lphfpbdi.exe	497
PID 4396 wrote to memory of 2036	4396	Lcgblncm.exe	496
PID 4396 wrote to memory of 2036	4396	Lcgblncm.exe	496
PID 4396 wrote to memory of 2036	4396	Lcgblncm.exe	496
PID 2036 wrote to memory of 2400	2036	Lknjmkdo.exe	495
PID 2036 wrote to memory of 2400	2036	Lknjmkdo.exe	495
PID 2036 wrote to memory of 2400	2036	Lknjmkdo.exe	495
PID 2400 wrote to memory of 4464	2400	Mnlfigcc.exe	17
PID 2400 wrote to memory of 4464	2400	Mnlfigcc.exe	17
PID 2400 wrote to memory of 4464	2400	Mnlfigcc.exe	17

C:\Users\Admin\AppData\Local\Temp\6dc3729ef8de6acd85c30244475d4718.exe
"C:\Users\Admin\AppData\Local\Temp\6dc3729ef8de6acd85c30244475d4718.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SysWOW64\Lklnhlfb.exe
  C:\Windows\system32\Lklnhlfb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4856

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\SysWOW64\Lcgblncm.exe
  C:\Windows\system32\Lcgblncm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4396

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
1⤵
- Executes dropped EXE
PID:4464
- C:\Windows\SysWOW64\Mgekbljc.exe
  C:\Windows\system32\Mgekbljc.exe
  2⤵
  PID:64

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
1⤵
PID:1204
- C:\Windows\SysWOW64\Mkbchk32.exe
  C:\Windows\system32\Mkbchk32.exe
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\Mamleegg.exe
    C:\Windows\system32\Mamleegg.exe
    3⤵
    PID:3844

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
PID:828
- C:\Windows\SysWOW64\Maohkd32.exe
  C:\Windows\system32\Maohkd32.exe
  2⤵
  PID:4736

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
1⤵
PID:3260
- C:\Windows\SysWOW64\Mpdelajl.exe
  C:\Windows\system32\Mpdelajl.exe
  2⤵
  PID:4484

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
1⤵
PID:4244
- C:\Windows\SysWOW64\Nceonl32.exe
  C:\Windows\system32\Nceonl32.exe
  2⤵
  PID:4976

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
1⤵
PID:1328
- C:\Windows\SysWOW64\Ngcgcjnc.exe
  C:\Windows\system32\Ngcgcjnc.exe
  2⤵
  PID:856

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
1⤵
PID:4128
- C:\Windows\SysWOW64\Ndghmo32.exe
  C:\Windows\system32\Ndghmo32.exe
  2⤵
  PID:4516

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
PID:3192
- C:\Windows\SysWOW64\Nggqoj32.exe
  C:\Windows\system32\Nggqoj32.exe
  2⤵
  PID:912
- - C:\Windows\SysWOW64\Njfmke32.exe
    C:\Windows\system32\Njfmke32.exe
    3⤵
    PID:3668

C:\Windows\SysWOW64\Ndkahnhh.exe
C:\Windows\system32\Ndkahnhh.exe
1⤵
PID:1360
- C:\Windows\SysWOW64\Ogjmdigk.exe
  C:\Windows\system32\Ogjmdigk.exe
  2⤵
  PID:4660
- - C:\Windows\SysWOW64\Ojhiqefo.exe
    C:\Windows\system32\Ojhiqefo.exe
    3⤵
    PID:2180

C:\Windows\SysWOW64\Odnnnnfe.exe
C:\Windows\system32\Odnnnnfe.exe
1⤵
PID:2584
- C:\Windows\SysWOW64\Okhfjh32.exe
  C:\Windows\system32\Okhfjh32.exe
  2⤵
  PID:2412
- - C:\Windows\SysWOW64\Onfbfc32.exe
    C:\Windows\system32\Onfbfc32.exe
    3⤵
    PID:996

C:\Windows\SysWOW64\Ogogoi32.exe
C:\Windows\system32\Ogogoi32.exe
1⤵
PID:2172
- C:\Windows\SysWOW64\Ojmcld32.exe
  C:\Windows\system32\Ojmcld32.exe
  2⤵
  PID:2884

C:\Windows\SysWOW64\Odbgim32.exe
C:\Windows\system32\Odbgim32.exe
1⤵
PID:5188
- C:\Windows\SysWOW64\Ocegdjij.exe
  C:\Windows\system32\Ocegdjij.exe
  2⤵
  PID:5244

C:\Windows\SysWOW64\Ocgdji32.exe
C:\Windows\system32\Ocgdji32.exe
1⤵
PID:5432
- C:\Windows\SysWOW64\Okolkg32.exe
  C:\Windows\system32\Okolkg32.exe
  2⤵
  PID:5488
- - C:\Windows\SysWOW64\Obidhaog.exe
    C:\Windows\system32\Obidhaog.exe
    3⤵
    PID:5524

C:\Windows\SysWOW64\Pgemphmn.exe
C:\Windows\system32\Pgemphmn.exe
1⤵
PID:5624
- C:\Windows\SysWOW64\Pjdilcla.exe
  C:\Windows\system32\Pjdilcla.exe
  2⤵
  PID:5668

C:\Windows\SysWOW64\Pbkamqmd.exe
C:\Windows\system32\Pbkamqmd.exe
1⤵
PID:5720
- C:\Windows\SysWOW64\Peimil32.exe
  C:\Windows\system32\Peimil32.exe
  2⤵
  PID:5768
- - C:\Windows\SysWOW64\Pghieg32.exe
    C:\Windows\system32\Pghieg32.exe
    3⤵
    PID:5808

C:\Windows\SysWOW64\Pqpnombl.exe
C:\Windows\system32\Pqpnombl.exe
1⤵
PID:5904
- C:\Windows\SysWOW64\Peljol32.exe
  C:\Windows\system32\Peljol32.exe
  2⤵
  PID:5948

C:\Windows\SysWOW64\Pjhbgb32.exe
C:\Windows\system32\Pjhbgb32.exe
1⤵
PID:6032
- C:\Windows\SysWOW64\Pbpjhp32.exe
  C:\Windows\system32\Pbpjhp32.exe
  2⤵
  PID:6076
- - C:\Windows\SysWOW64\Pengdk32.exe
    C:\Windows\system32\Pengdk32.exe
    3⤵
    PID:6124

C:\Windows\SysWOW64\Pgmcqggf.exe
C:\Windows\system32\Pgmcqggf.exe
1⤵
PID:5172
- C:\Windows\SysWOW64\Pjkombfj.exe
  C:\Windows\system32\Pjkombfj.exe
  2⤵
  PID:5252

C:\Windows\SysWOW64\Pbbgnpgl.exe
C:\Windows\system32\Pbbgnpgl.exe
1⤵
PID:5340
- C:\Windows\SysWOW64\Peqcjkfp.exe
  C:\Windows\system32\Peqcjkfp.exe
  2⤵
  PID:5444
- - C:\Windows\SysWOW64\Pgopffec.exe
    C:\Windows\system32\Pgopffec.exe
    3⤵
    PID:5548
  - - C:\Windows\SysWOW64\Pjmlbbdg.exe
      C:\Windows\system32\Pjmlbbdg.exe
      4⤵
      PID:5612
    - - C:\Windows\SysWOW64\Pagdol32.exe
        
        C:\Windows\system32\Pagdol32.exe
        5⤵
        
        PID:5684

C:\Windows\SysWOW64\Qcepkg32.exe
C:\Windows\system32\Qcepkg32.exe
1⤵
PID:5764
- C:\Windows\SysWOW64\Qkmhlekj.exe
  C:\Windows\system32\Qkmhlekj.exe
  2⤵
  PID:5840

C:\Windows\SysWOW64\Qnkdhpjn.exe
C:\Windows\system32\Qnkdhpjn.exe
1⤵
PID:5912
- C:\Windows\SysWOW64\Qajadlja.exe
  C:\Windows\system32\Qajadlja.exe
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\Qchmagie.exe
    C:\Windows\system32\Qchmagie.exe
    3⤵
    PID:6072

C:\Windows\SysWOW64\Qloebdig.exe
C:\Windows\system32\Qloebdig.exe
1⤵
PID:6112
- C:\Windows\SysWOW64\Qnnanphk.exe
  C:\Windows\system32\Qnnanphk.exe
  2⤵
  PID:5140

C:\Windows\SysWOW64\Qalnjkgo.exe
C:\Windows\system32\Qalnjkgo.exe
1⤵
PID:5320
- C:\Windows\SysWOW64\Acjjfggb.exe
  C:\Windows\system32\Acjjfggb.exe
  2⤵
  PID:5520

C:\Windows\SysWOW64\Alabgd32.exe
C:\Windows\system32\Alabgd32.exe
1⤵
PID:5660
- C:\Windows\SysWOW64\Anpncp32.exe
  C:\Windows\system32\Anpncp32.exe
  2⤵
  PID:5796

C:\Windows\SysWOW64\Aanjpk32.exe
C:\Windows\system32\Aanjpk32.exe
1⤵
PID:5960
- C:\Windows\SysWOW64\Acmflf32.exe
  C:\Windows\system32\Acmflf32.exe
  2⤵
  PID:6100

C:\Windows\SysWOW64\Ahhblemi.exe
C:\Windows\system32\Ahhblemi.exe
1⤵
PID:5280
- C:\Windows\SysWOW64\Ajfoiqll.exe
  C:\Windows\system32\Ajfoiqll.exe
  2⤵
  PID:5560

C:\Windows\SysWOW64\Abngjnmo.exe
C:\Windows\system32\Abngjnmo.exe
1⤵
PID:5752
- C:\Windows\SysWOW64\Aelcfilb.exe
  C:\Windows\system32\Aelcfilb.exe
  2⤵
  PID:5944

C:\Windows\SysWOW64\Ahkobekf.exe
C:\Windows\system32\Ahkobekf.exe
1⤵
PID:5240
- C:\Windows\SysWOW64\Alfkbc32.exe
  C:\Windows\system32\Alfkbc32.exe
  2⤵
  PID:5600
- - C:\Windows\SysWOW64\Abpcon32.exe
    C:\Windows\system32\Abpcon32.exe
    3⤵
    PID:5816

C:\Windows\SysWOW64\Aeopki32.exe
C:\Windows\system32\Aeopki32.exe
1⤵
PID:5424
- C:\Windows\SysWOW64\Ahmlgd32.exe
  C:\Windows\system32\Ahmlgd32.exe
  2⤵
  PID:5888
- - C:\Windows\SysWOW64\Alhhhcal.exe
    C:\Windows\system32\Alhhhcal.exe
    3⤵
    PID:5804

C:\Windows\SysWOW64\Abbpem32.exe
C:\Windows\system32\Abbpem32.exe
1⤵
PID:5652
- C:\Windows\SysWOW64\Aealah32.exe
  C:\Windows\system32\Aealah32.exe
  2⤵
  PID:6156

C:\Windows\SysWOW64\Ahoimd32.exe
C:\Windows\system32\Ahoimd32.exe
1⤵
PID:6204
- C:\Windows\SysWOW64\Ajneip32.exe
  C:\Windows\system32\Ajneip32.exe
  2⤵
  PID:6248
- - C:\Windows\SysWOW64\Abemjmgg.exe
    C:\Windows\system32\Abemjmgg.exe
    3⤵
    PID:6296

C:\Windows\SysWOW64\Becifhfj.exe
C:\Windows\system32\Becifhfj.exe
1⤵
PID:6332
- C:\Windows\SysWOW64\Bnlnon32.exe
  C:\Windows\system32\Bnlnon32.exe
  2⤵
  PID:6376
- - C:\Windows\SysWOW64\Bajjli32.exe
    C:\Windows\system32\Bajjli32.exe
    3⤵
    PID:6416

C:\Windows\SysWOW64\Bdhfhe32.exe
C:\Windows\system32\Bdhfhe32.exe
1⤵
PID:6448
- C:\Windows\SysWOW64\Blpnib32.exe
  C:\Windows\system32\Blpnib32.exe
  2⤵
  PID:6492

C:\Windows\SysWOW64\Bnnjen32.exe
C:\Windows\system32\Bnnjen32.exe
1⤵
PID:6532
- C:\Windows\SysWOW64\Behbag32.exe
  C:\Windows\system32\Behbag32.exe
  2⤵
  PID:6588

C:\Windows\SysWOW64\Bdkcmdhp.exe
C:\Windows\system32\Bdkcmdhp.exe
1⤵
PID:6636
- C:\Windows\SysWOW64\Bjdkjo32.exe
  C:\Windows\system32\Bjdkjo32.exe
  2⤵
  PID:6676
- - C:\Windows\SysWOW64\Bblckl32.exe
    C:\Windows\system32\Bblckl32.exe
    3⤵
    PID:6724
  - - C:\Windows\SysWOW64\Bejogg32.exe
      C:\Windows\system32\Bejogg32.exe
      4⤵
      PID:6772
    - - C:\Windows\SysWOW64\Bhikcb32.exe
        
        C:\Windows\system32\Bhikcb32.exe
        5⤵
        
        PID:6812
      - C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        6⤵
        
        PID:6852

C:\Windows\SysWOW64\Bdolhc32.exe
C:\Windows\system32\Bdolhc32.exe
1⤵
PID:6896
- C:\Windows\SysWOW64\Blfdia32.exe
  C:\Windows\system32\Blfdia32.exe
  2⤵
  PID:6944
- - C:\Windows\SysWOW64\Boepel32.exe
    C:\Windows\system32\Boepel32.exe
    3⤵
    PID:6988

C:\Windows\SysWOW64\Cacmah32.exe
C:\Windows\system32\Cacmah32.exe
1⤵
PID:7028
- C:\Windows\SysWOW64\Ceoibflm.exe
  C:\Windows\system32\Ceoibflm.exe
  2⤵
  PID:7072

C:\Windows\SysWOW64\Cklaknjd.exe
C:\Windows\system32\Cklaknjd.exe
1⤵
PID:7160
- C:\Windows\SysWOW64\Cbcilkjg.exe
  C:\Windows\system32\Cbcilkjg.exe
  2⤵
  PID:6184

C:\Windows\SysWOW64\Ceaehfjj.exe
C:\Windows\system32\Ceaehfjj.exe
1⤵
PID:6256
- C:\Windows\SysWOW64\Cddecc32.exe
  C:\Windows\system32\Cddecc32.exe
  2⤵
  PID:960

C:\Windows\SysWOW64\Clkndpag.exe
C:\Windows\system32\Clkndpag.exe
1⤵
PID:6368
- C:\Windows\SysWOW64\Cojjqlpk.exe
  C:\Windows\system32\Cojjqlpk.exe
  2⤵
  PID:6432
- - C:\Windows\SysWOW64\Cahfmgoo.exe
    C:\Windows\system32\Cahfmgoo.exe
    3⤵
    PID:6524

C:\Windows\SysWOW64\Cdfbibnb.exe
C:\Windows\system32\Cdfbibnb.exe
1⤵
PID:6596
- C:\Windows\SysWOW64\Clnjjpod.exe
  C:\Windows\system32\Clnjjpod.exe
  2⤵
  PID:6660
- - C:\Windows\SysWOW64\Colffknh.exe
    C:\Windows\system32\Colffknh.exe
    3⤵
    PID:6688
  - - C:\Windows\SysWOW64\Cajcbgml.exe
      C:\Windows\system32\Cajcbgml.exe
      4⤵
      PID:6084

C:\Windows\SysWOW64\Cdiooblp.exe
C:\Windows\system32\Cdiooblp.exe
1⤵
PID:6848
- C:\Windows\SysWOW64\Clpgpp32.exe
  C:\Windows\system32\Clpgpp32.exe
  2⤵
  PID:6892

C:\Windows\SysWOW64\Conclk32.exe
C:\Windows\system32\Conclk32.exe
1⤵
PID:6968
- C:\Windows\SysWOW64\Cbjoljdo.exe
  C:\Windows\system32\Cbjoljdo.exe
  2⤵
  PID:7016

C:\Windows\SysWOW64\Cehkhecb.exe
C:\Windows\system32\Cehkhecb.exe
1⤵
PID:7080
- C:\Windows\SysWOW64\Chghdqbf.exe
  C:\Windows\system32\Chghdqbf.exe
  2⤵
  PID:7156

C:\Windows\SysWOW64\Ckedalaj.exe
C:\Windows\system32\Ckedalaj.exe
1⤵
PID:6232
- C:\Windows\SysWOW64\Doqpak32.exe
  C:\Windows\system32\Doqpak32.exe
  2⤵
  PID:6288

C:\Windows\SysWOW64\Daolnf32.exe
C:\Windows\system32\Daolnf32.exe
1⤵
PID:6440
- C:\Windows\SysWOW64\Ddmhja32.exe
  C:\Windows\system32\Ddmhja32.exe
  2⤵
  PID:6576
- - C:\Windows\SysWOW64\Dldpkoil.exe
    C:\Windows\system32\Dldpkoil.exe
    3⤵
    PID:6668

C:\Windows\SysWOW64\Docmgjhp.exe
C:\Windows\system32\Docmgjhp.exe
1⤵
PID:6768
- C:\Windows\SysWOW64\Daaicfgd.exe
  C:\Windows\system32\Daaicfgd.exe
  2⤵
  PID:6880

C:\Windows\SysWOW64\Ddpeoafg.exe
C:\Windows\system32\Ddpeoafg.exe
1⤵
PID:6940
- C:\Windows\SysWOW64\Dhkapp32.exe
  C:\Windows\system32\Dhkapp32.exe
  2⤵
  PID:7104

C:\Windows\SysWOW64\Dkjmlk32.exe
C:\Windows\system32\Dkjmlk32.exe
1⤵
PID:6164
- C:\Windows\SysWOW64\Dbaemi32.exe
  C:\Windows\system32\Dbaemi32.exe
  2⤵
  PID:6404
- - C:\Windows\SysWOW64\Deoaid32.exe
    C:\Windows\system32\Deoaid32.exe
    3⤵
    PID:6572

C:\Windows\SysWOW64\Dhnnep32.exe
C:\Windows\system32\Dhnnep32.exe
1⤵
PID:5428
- C:\Windows\SysWOW64\Dkljak32.exe
  C:\Windows\system32\Dkljak32.exe
  2⤵
  PID:6888

C:\Windows\SysWOW64\Dccbbhld.exe
C:\Windows\system32\Dccbbhld.exe
1⤵
PID:5516
- C:\Windows\SysWOW64\Dddojq32.exe
  C:\Windows\system32\Dddojq32.exe
  2⤵
  PID:6348
- - C:\Windows\SysWOW64\Dceohhja.exe
    C:\Windows\system32\Dceohhja.exe
    3⤵
    PID:6760
  - - C:\Windows\SysWOW64\Dedkdcie.exe
      C:\Windows\system32\Dedkdcie.exe
      4⤵
      PID:7108

C:\Windows\SysWOW64\Ddgkpp32.exe
C:\Windows\system32\Ddgkpp32.exe
1⤵
PID:6516
- C:\Windows\SysWOW64\Ekacmjgl.exe
  C:\Windows\system32\Ekacmjgl.exe
  2⤵
  PID:7064
- - C:\Windows\SysWOW64\Echknh32.exe
    C:\Windows\system32\Echknh32.exe
    3⤵
    PID:7068

C:\Windows\SysWOW64\Eefhjc32.exe
C:\Windows\system32\Eefhjc32.exe
1⤵
PID:6540
- C:\Windows\SysWOW64\Ehedfo32.exe
  C:\Windows\system32\Ehedfo32.exe
  2⤵
  PID:7196
- - C:\Windows\SysWOW64\Ekcpbj32.exe
    C:\Windows\system32\Ekcpbj32.exe
    3⤵
    PID:7232
  - - C:\Windows\SysWOW64\Eamhodmf.exe
      C:\Windows\system32\Eamhodmf.exe
      4⤵
      PID:7276

C:\Windows\SysWOW64\Edkdkplj.exe
C:\Windows\system32\Edkdkplj.exe
1⤵
PID:7316
- C:\Windows\SysWOW64\Elbmlmml.exe
  C:\Windows\system32\Elbmlmml.exe
  2⤵
  PID:7356
- - C:\Windows\SysWOW64\Eoaihhlp.exe
    C:\Windows\system32\Eoaihhlp.exe
    3⤵
    PID:7400

C:\Windows\SysWOW64\Eapedd32.exe
C:\Windows\system32\Eapedd32.exe
1⤵
PID:7444
- C:\Windows\SysWOW64\Ednaqo32.exe
  C:\Windows\system32\Ednaqo32.exe
  2⤵
  PID:7484
- - C:\Windows\SysWOW64\Ehimanbq.exe
    C:\Windows\system32\Ehimanbq.exe
    3⤵
    PID:7524

C:\Windows\SysWOW64\Ekhjmiad.exe
C:\Windows\system32\Ekhjmiad.exe
1⤵
PID:7564
- C:\Windows\SysWOW64\Ecoangbg.exe
  C:\Windows\system32\Ecoangbg.exe
  2⤵
  PID:7612
- - C:\Windows\SysWOW64\Eemnjbaj.exe
    C:\Windows\system32\Eemnjbaj.exe
    3⤵
    PID:7648

C:\Windows\SysWOW64\Ehljfnpn.exe
C:\Windows\system32\Ehljfnpn.exe
1⤵
PID:7696
- C:\Windows\SysWOW64\Ekjfcipa.exe
  C:\Windows\system32\Ekjfcipa.exe
  2⤵
  PID:7740

C:\Windows\SysWOW64\Ecandfpd.exe
C:\Windows\system32\Ecandfpd.exe
1⤵
PID:7784
- C:\Windows\SysWOW64\Eepjpb32.exe
  C:\Windows\system32\Eepjpb32.exe
  2⤵
  PID:7828

C:\Windows\SysWOW64\Fkmchi32.exe
C:\Windows\system32\Fkmchi32.exe
1⤵
PID:7908
- C:\Windows\SysWOW64\Fcckif32.exe
  C:\Windows\system32\Fcckif32.exe
  2⤵
  PID:7948

C:\Windows\SysWOW64\Febgea32.exe
C:\Windows\system32\Febgea32.exe
1⤵
PID:7988
- C:\Windows\SysWOW64\Fhqcam32.exe
  C:\Windows\system32\Fhqcam32.exe
  2⤵
  PID:8032
- - C:\Windows\SysWOW64\Fkopnh32.exe
    C:\Windows\system32\Fkopnh32.exe
    3⤵
    PID:8072

C:\Windows\SysWOW64\Fcfhof32.exe
C:\Windows\system32\Fcfhof32.exe
1⤵
PID:8112
- C:\Windows\SysWOW64\Faihkbci.exe
  C:\Windows\system32\Faihkbci.exe
  2⤵
  PID:8152

C:\Windows\SysWOW64\Flnlhk32.exe
C:\Windows\system32\Flnlhk32.exe
1⤵
PID:7240
- C:\Windows\SysWOW64\Fomhdg32.exe
  C:\Windows\system32\Fomhdg32.exe
  2⤵
  PID:7312
- - C:\Windows\SysWOW64\Fakdpb32.exe
    C:\Windows\system32\Fakdpb32.exe
    3⤵
    PID:7380

C:\Windows\SysWOW64\Ffgqqaip.exe
C:\Windows\system32\Ffgqqaip.exe
1⤵
PID:7432
- C:\Windows\SysWOW64\Fhemmlhc.exe
  C:\Windows\system32\Fhemmlhc.exe
  2⤵
  PID:7520

C:\Windows\SysWOW64\Fckajehi.exe
C:\Windows\system32\Fckajehi.exe
1⤵
PID:7644
- C:\Windows\SysWOW64\Ffimfqgm.exe
  C:\Windows\system32\Ffimfqgm.exe
  2⤵
  PID:7724
- - C:\Windows\SysWOW64\Fhgjblfq.exe
    C:\Windows\system32\Fhgjblfq.exe
    3⤵
    PID:7808

C:\Windows\SysWOW64\Fkffog32.exe
C:\Windows\system32\Fkffog32.exe
1⤵
PID:7860
- C:\Windows\SysWOW64\Fcmnpe32.exe
  C:\Windows\system32\Fcmnpe32.exe
  2⤵
  PID:7936
- - C:\Windows\SysWOW64\Ffkjlp32.exe
    C:\Windows\system32\Ffkjlp32.exe
    3⤵
    PID:8000

C:\Windows\SysWOW64\Fhjfhl32.exe
C:\Windows\system32\Fhjfhl32.exe
1⤵
PID:8068
- C:\Windows\SysWOW64\Gkhbdg32.exe
  C:\Windows\system32\Gkhbdg32.exe
  2⤵
  PID:8136
- - C:\Windows\SysWOW64\Gbbkaako.exe
    C:\Windows\system32\Gbbkaako.exe
    3⤵
    PID:7188
  - - C:\Windows\SysWOW64\Ghlcnk32.exe
      C:\Windows\system32\Ghlcnk32.exe
      4⤵
      PID:7304

C:\Windows\SysWOW64\Gkkojgao.exe
C:\Windows\system32\Gkkojgao.exe
1⤵
PID:7424
- C:\Windows\SysWOW64\Gcagkdba.exe
  C:\Windows\system32\Gcagkdba.exe
  2⤵
  PID:7536

C:\Windows\SysWOW64\Ghopckpi.exe
C:\Windows\system32\Ghopckpi.exe
1⤵
PID:7772
- C:\Windows\SysWOW64\Gkmlofol.exe
  C:\Windows\system32\Gkmlofol.exe
  2⤵
  PID:7916

C:\Windows\SysWOW64\Gohhpe32.exe
C:\Windows\system32\Gohhpe32.exe
1⤵
PID:8028
- C:\Windows\SysWOW64\Gbgdlq32.exe
  C:\Windows\system32\Gbgdlq32.exe
  2⤵
  PID:8140

C:\Windows\SysWOW64\Gdeqhl32.exe
C:\Windows\system32\Gdeqhl32.exe
1⤵
PID:7296
- C:\Windows\SysWOW64\Gmlhii32.exe
  C:\Windows\system32\Gmlhii32.exe
  2⤵
  PID:7492
- - C:\Windows\SysWOW64\Gokdeeec.exe
    C:\Windows\system32\Gokdeeec.exe
    3⤵
    PID:7632

C:\Windows\SysWOW64\Gbiaapdf.exe
C:\Windows\system32\Gbiaapdf.exe
1⤵
PID:7864
- C:\Windows\SysWOW64\Gdhmnlcj.exe
  C:\Windows\system32\Gdhmnlcj.exe
  2⤵
  PID:8124
- - C:\Windows\SysWOW64\Gmoeoidl.exe
    C:\Windows\system32\Gmoeoidl.exe
    3⤵
    PID:7464

C:\Windows\SysWOW64\Gomakdcp.exe
C:\Windows\system32\Gomakdcp.exe
1⤵
PID:7548
- C:\Windows\SysWOW64\Gblngpbd.exe
  C:\Windows\system32\Gblngpbd.exe
  2⤵
  PID:8052
- - C:\Windows\SysWOW64\Gdjjckag.exe
    C:\Windows\system32\Gdjjckag.exe
    3⤵
    PID:7260

C:\Windows\SysWOW64\Hmabdibj.exe
C:\Windows\system32\Hmabdibj.exe
1⤵
PID:7976
- C:\Windows\SysWOW64\Hkdbpe32.exe
  C:\Windows\system32\Hkdbpe32.exe
  2⤵
  PID:7752
- - C:\Windows\SysWOW64\Hckjacjg.exe
    C:\Windows\system32\Hckjacjg.exe
    3⤵
    PID:7876

C:\Windows\SysWOW64\Hfifmnij.exe
C:\Windows\system32\Hfifmnij.exe
1⤵
PID:8216
- C:\Windows\SysWOW64\Helfik32.exe
  C:\Windows\system32\Helfik32.exe
  2⤵
  PID:8256

C:\Windows\SysWOW64\Hmcojh32.exe
C:\Windows\system32\Hmcojh32.exe
1⤵
PID:8296
- C:\Windows\SysWOW64\Hobkfd32.exe
  C:\Windows\system32\Hobkfd32.exe
  2⤵
  PID:8344
- - C:\Windows\SysWOW64\Hbpgbo32.exe
    C:\Windows\system32\Hbpgbo32.exe
    3⤵
    PID:8384

C:\Windows\SysWOW64\Heocnk32.exe
C:\Windows\system32\Heocnk32.exe
1⤵
PID:8424
- C:\Windows\SysWOW64\Hmfkoh32.exe
  C:\Windows\system32\Hmfkoh32.exe
  2⤵
  PID:8472

C:\Windows\SysWOW64\Hkikkeeo.exe
C:\Windows\system32\Hkikkeeo.exe
1⤵
PID:8508
- C:\Windows\SysWOW64\Hcpclbfa.exe
  C:\Windows\system32\Hcpclbfa.exe
  2⤵
  PID:8548

C:\Windows\SysWOW64\Hfnphn32.exe
C:\Windows\system32\Hfnphn32.exe
1⤵
PID:8592
- C:\Windows\SysWOW64\Himldi32.exe
  C:\Windows\system32\Himldi32.exe
  2⤵
  PID:8640

C:\Windows\SysWOW64\Hmhhehlb.exe
C:\Windows\system32\Hmhhehlb.exe
1⤵
PID:8676
- C:\Windows\SysWOW64\Hcbpab32.exe
  C:\Windows\system32\Hcbpab32.exe
  2⤵
  PID:8724
- - C:\Windows\SysWOW64\Hfqlnm32.exe
    C:\Windows\system32\Hfqlnm32.exe
    3⤵
    PID:8764

C:\Windows\SysWOW64\Hecmijim.exe
C:\Windows\system32\Hecmijim.exe
1⤵
PID:8828
- C:\Windows\SysWOW64\Hmjdjgjo.exe
  C:\Windows\system32\Hmjdjgjo.exe
  2⤵
  PID:8868

C:\Windows\SysWOW64\Hoiafcic.exe
C:\Windows\system32\Hoiafcic.exe
1⤵
PID:8908
- C:\Windows\SysWOW64\Hbgmcnhf.exe
  C:\Windows\system32\Hbgmcnhf.exe
  2⤵
  PID:8952

C:\Windows\SysWOW64\Hfcicmqp.exe
C:\Windows\system32\Hfcicmqp.exe
1⤵
PID:8992
- C:\Windows\SysWOW64\Immapg32.exe
  C:\Windows\system32\Immapg32.exe
  2⤵
  PID:9032
- - C:\Windows\SysWOW64\Ipknlb32.exe
    C:\Windows\system32\Ipknlb32.exe
    3⤵
    PID:9076

C:\Windows\SysWOW64\Ibjjhn32.exe
C:\Windows\system32\Ibjjhn32.exe
1⤵
PID:9112
- C:\Windows\SysWOW64\Iehfdi32.exe
  C:\Windows\system32\Iehfdi32.exe
  2⤵
  PID:9160
- - C:\Windows\SysWOW64\Icifbang.exe
    C:\Windows\system32\Icifbang.exe
    3⤵
    PID:9200

C:\Windows\SysWOW64\Iblfnn32.exe
C:\Windows\system32\Iblfnn32.exe
1⤵
PID:8236
- C:\Windows\SysWOW64\Iejcji32.exe
  C:\Windows\system32\Iejcji32.exe
  2⤵
  PID:8308

C:\Windows\SysWOW64\Imakkfdg.exe
C:\Windows\system32\Imakkfdg.exe
1⤵
PID:8372
- C:\Windows\SysWOW64\Ippggbck.exe
  C:\Windows\system32\Ippggbck.exe
  2⤵
  PID:8432

C:\Windows\SysWOW64\Ickchq32.exe
C:\Windows\system32\Ickchq32.exe
1⤵
PID:8500
- C:\Windows\SysWOW64\Ifjodl32.exe
  C:\Windows\system32\Ifjodl32.exe
  2⤵
  PID:8580

C:\Windows\SysWOW64\Iihkpg32.exe
C:\Windows\system32\Iihkpg32.exe
1⤵
PID:8664
- C:\Windows\SysWOW64\Imdgqfbd.exe
  C:\Windows\system32\Imdgqfbd.exe
  2⤵
  PID:8708

C:\Windows\SysWOW64\Ibqpimpl.exe
C:\Windows\system32\Ibqpimpl.exe
1⤵
PID:8860
- C:\Windows\SysWOW64\Ifllil32.exe
  C:\Windows\system32\Ifllil32.exe
  2⤵
  PID:8940

C:\Windows\SysWOW64\Iikhfg32.exe
C:\Windows\system32\Iikhfg32.exe
1⤵
PID:9024
- C:\Windows\SysWOW64\Ilidbbgl.exe
  C:\Windows\system32\Ilidbbgl.exe
  2⤵
  PID:9108

C:\Windows\SysWOW64\Icplcpgo.exe
C:\Windows\system32\Icplcpgo.exe
1⤵
PID:9156
- C:\Windows\SysWOW64\Ibcmom32.exe
  C:\Windows\system32\Ibcmom32.exe
  2⤵
  PID:9196
- - C:\Windows\SysWOW64\Jeaikh32.exe
    C:\Windows\system32\Jeaikh32.exe
    3⤵
    PID:8284

C:\Windows\SysWOW64\Jmhale32.exe
C:\Windows\system32\Jmhale32.exe
1⤵
PID:8392
- C:\Windows\SysWOW64\Jcbihpel.exe
  C:\Windows\system32\Jcbihpel.exe
  2⤵
  PID:8516
- - C:\Windows\SysWOW64\Jbeidl32.exe
    C:\Windows\system32\Jbeidl32.exe
    3⤵
    PID:8636

C:\Windows\SysWOW64\Jedeph32.exe
C:\Windows\system32\Jedeph32.exe
1⤵
PID:8760
- C:\Windows\SysWOW64\Jmknaell.exe
  C:\Windows\system32\Jmknaell.exe
  2⤵
  PID:8892

C:\Windows\SysWOW64\Jlnnmb32.exe
C:\Windows\system32\Jlnnmb32.exe
1⤵
PID:9028
- C:\Windows\SysWOW64\Jcefno32.exe
  C:\Windows\system32\Jcefno32.exe
  2⤵
  PID:9148
- - C:\Windows\SysWOW64\Jfcbjk32.exe
    C:\Windows\system32\Jfcbjk32.exe
    3⤵
    PID:8288

C:\Windows\SysWOW64\Jianff32.exe
C:\Windows\system32\Jianff32.exe
1⤵
PID:8420
- C:\Windows\SysWOW64\Jlpkba32.exe
  C:\Windows\system32\Jlpkba32.exe
  2⤵
  PID:8624

C:\Windows\SysWOW64\Jcgbco32.exe
C:\Windows\system32\Jcgbco32.exe
1⤵
PID:8916
- C:\Windows\SysWOW64\Jfeopj32.exe
  C:\Windows\system32\Jfeopj32.exe
  2⤵
  PID:9056
- - C:\Windows\SysWOW64\Jidklf32.exe
    C:\Windows\system32\Jidklf32.exe
    3⤵
    PID:8336

C:\Windows\SysWOW64\Jmpgldhg.exe
C:\Windows\system32\Jmpgldhg.exe
1⤵
PID:8720
- C:\Windows\SysWOW64\Jpnchp32.exe
  C:\Windows\system32\Jpnchp32.exe
  2⤵
  PID:9060

C:\Windows\SysWOW64\Jblpek32.exe
C:\Windows\system32\Jblpek32.exe
1⤵
PID:8648
- C:\Windows\SysWOW64\Jeklag32.exe
  C:\Windows\system32\Jeklag32.exe
  2⤵
  PID:8864

C:\Windows\SysWOW64\Jifhaenk.exe
C:\Windows\system32\Jifhaenk.exe
1⤵
PID:8604
- C:\Windows\SysWOW64\Jlednamo.exe
  C:\Windows\system32\Jlednamo.exe
  2⤵
  PID:9104

C:\Windows\SysWOW64\Jpppnp32.exe
C:\Windows\system32\Jpppnp32.exe
1⤵
PID:9236
- C:\Windows\SysWOW64\Kboljk32.exe
  C:\Windows\system32\Kboljk32.exe
  2⤵
  PID:9280
- - C:\Windows\SysWOW64\Kemhff32.exe
    C:\Windows\system32\Kemhff32.exe
    3⤵
    PID:9320

C:\Windows\SysWOW64\Kmdqgd32.exe
C:\Windows\system32\Kmdqgd32.exe
1⤵
PID:9364
- C:\Windows\SysWOW64\Kpbmco32.exe
  C:\Windows\system32\Kpbmco32.exe
  2⤵
  PID:9400

C:\Windows\SysWOW64\Kbaipkbi.exe
C:\Windows\system32\Kbaipkbi.exe
1⤵
PID:9448
- C:\Windows\SysWOW64\Kfmepi32.exe
  C:\Windows\system32\Kfmepi32.exe
  2⤵
  PID:9492
- - C:\Windows\SysWOW64\Kikame32.exe
    C:\Windows\system32\Kikame32.exe
    3⤵
    PID:9528

C:\Windows\SysWOW64\Klimip32.exe
C:\Windows\system32\Klimip32.exe
1⤵
PID:9568
- C:\Windows\SysWOW64\Kdqejn32.exe
  C:\Windows\system32\Kdqejn32.exe
  2⤵
  PID:9612
- - C:\Windows\SysWOW64\Kfoafi32.exe
    C:\Windows\system32\Kfoafi32.exe
    3⤵
    PID:9652
  - - C:\Windows\SysWOW64\Kimnbd32.exe
      C:\Windows\system32\Kimnbd32.exe
      4⤵
      PID:9700
    - - C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        5⤵
        
        PID:9744

C:\Windows\SysWOW64\Kfankifm.exe
C:\Windows\system32\Kfankifm.exe
1⤵
PID:9788
- C:\Windows\SysWOW64\Kipkhdeq.exe
  C:\Windows\system32\Kipkhdeq.exe
  2⤵
  PID:9828

C:\Windows\SysWOW64\Klngdpdd.exe
C:\Windows\system32\Klngdpdd.exe
1⤵
PID:9872
- C:\Windows\SysWOW64\Kdeoemeg.exe
  C:\Windows\system32\Kdeoemeg.exe
  2⤵
  PID:9912
- - C:\Windows\SysWOW64\Kfckahdj.exe
    C:\Windows\system32\Kfckahdj.exe
    3⤵
    PID:9948

C:\Windows\SysWOW64\Kefkme32.exe
C:\Windows\system32\Kefkme32.exe
1⤵
PID:10000
- C:\Windows\SysWOW64\Klqcioba.exe
  C:\Windows\system32\Klqcioba.exe
  2⤵
  PID:10044
- - C:\Windows\SysWOW64\Kdgljmcd.exe
    C:\Windows\system32\Kdgljmcd.exe
    3⤵
    PID:10084

C:\Windows\SysWOW64\Lbjlfi32.exe
C:\Windows\system32\Lbjlfi32.exe
1⤵
PID:10124
- C:\Windows\SysWOW64\Leihbeib.exe
  C:\Windows\system32\Leihbeib.exe
  2⤵
  PID:10164

C:\Windows\SysWOW64\Lmppcbjd.exe
C:\Windows\system32\Lmppcbjd.exe
1⤵
PID:10208
- C:\Windows\SysWOW64\Lpnlpnih.exe
  C:\Windows\system32\Lpnlpnih.exe
  2⤵
  PID:8536

C:\Windows\SysWOW64\Ldjhpl32.exe
C:\Windows\system32\Ldjhpl32.exe
1⤵
PID:9288
- C:\Windows\SysWOW64\Lfhdlh32.exe
  C:\Windows\system32\Lfhdlh32.exe
  2⤵
  PID:9352

C:\Windows\SysWOW64\Ligqhc32.exe
C:\Windows\system32\Ligqhc32.exe
1⤵
PID:9432
- C:\Windows\SysWOW64\Llemdo32.exe
  C:\Windows\system32\Llemdo32.exe
  2⤵
  PID:9512
- - C:\Windows\SysWOW64\Ldleel32.exe
    C:\Windows\system32\Ldleel32.exe
    3⤵
    PID:9580

C:\Windows\SysWOW64\Lenamdem.exe
C:\Windows\system32\Lenamdem.exe
1⤵
PID:9692
- C:\Windows\SysWOW64\Lmdina32.exe
  C:\Windows\system32\Lmdina32.exe
  2⤵
  PID:9772
- - C:\Windows\SysWOW64\Lpcfkm32.exe
    C:\Windows\system32\Lpcfkm32.exe
    3⤵
    PID:9824

C:\Windows\SysWOW64\Lbabgh32.exe
C:\Windows\system32\Lbabgh32.exe
1⤵
PID:9896
- C:\Windows\SysWOW64\Lepncd32.exe
  C:\Windows\system32\Lepncd32.exe
  2⤵
  PID:9984
- - C:\Windows\SysWOW64\Lmgfda32.exe
    C:\Windows\system32\Lmgfda32.exe
    3⤵
    PID:10036

C:\Windows\SysWOW64\Lpebpm32.exe
C:\Windows\system32\Lpebpm32.exe
1⤵
PID:10120
- C:\Windows\SysWOW64\Lgokmgjm.exe
  C:\Windows\system32\Lgokmgjm.exe
  2⤵
  PID:10204
- - C:\Windows\SysWOW64\Lebkhc32.exe
    C:\Windows\system32\Lebkhc32.exe
    3⤵
    PID:9272

C:\Windows\SysWOW64\Lllcen32.exe
C:\Windows\system32\Lllcen32.exe
1⤵
PID:9440
- C:\Windows\SysWOW64\Mdckfk32.exe
  C:\Windows\system32\Mdckfk32.exe
  2⤵
  PID:9480
- - C:\Windows\SysWOW64\Mipcob32.exe
    C:\Windows\system32\Mipcob32.exe
    3⤵
    PID:9636

C:\Windows\SysWOW64\Mlopkm32.exe
C:\Windows\system32\Mlopkm32.exe
1⤵
PID:9724
- C:\Windows\SysWOW64\Mdehlk32.exe
  C:\Windows\system32\Mdehlk32.exe
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\Mgddhf32.exe
    C:\Windows\system32\Mgddhf32.exe
    3⤵
    PID:9940

C:\Windows\SysWOW64\Mibpda32.exe
C:\Windows\system32\Mibpda32.exe
1⤵
PID:10092
- C:\Windows\SysWOW64\Mplhql32.exe
  C:\Windows\system32\Mplhql32.exe
  2⤵
  PID:10172
- - C:\Windows\SysWOW64\Mckemg32.exe
    C:\Windows\system32\Mckemg32.exe
    3⤵
    PID:9232
  - - C:\Windows\SysWOW64\Meiaib32.exe
      C:\Windows\system32\Meiaib32.exe
      4⤵
      PID:9500

C:\Windows\SysWOW64\Mmpijp32.exe
C:\Windows\system32\Mmpijp32.exe
1⤵
PID:9608
- C:\Windows\SysWOW64\Mpoefk32.exe
  C:\Windows\system32\Mpoefk32.exe
  2⤵
  PID:9816

C:\Windows\SysWOW64\Mcmabg32.exe
C:\Windows\system32\Mcmabg32.exe
1⤵
PID:10028
- C:\Windows\SysWOW64\Melnob32.exe
  C:\Windows\system32\Melnob32.exe
  2⤵
  PID:10232
- - C:\Windows\SysWOW64\Mlefklpj.exe
    C:\Windows\system32\Mlefklpj.exe
    3⤵
    PID:9624
  - - C:\Windows\SysWOW64\Mdmnlj32.exe
      C:\Windows\system32\Mdmnlj32.exe
      4⤵
      PID:9920

C:\Windows\SysWOW64\Mgkjhe32.exe
C:\Windows\system32\Mgkjhe32.exe
1⤵
PID:9956
- C:\Windows\SysWOW64\Mnebeogl.exe
  C:\Windows\system32\Mnebeogl.exe
  2⤵
  PID:9836
- - C:\Windows\SysWOW64\Npcoakfp.exe
    C:\Windows\system32\Npcoakfp.exe
    3⤵
    PID:9472

C:\Windows\SysWOW64\Ncbknfed.exe
C:\Windows\system32\Ncbknfed.exe
1⤵
PID:9596
- C:\Windows\SysWOW64\Nepgjaeg.exe
  C:\Windows\system32\Nepgjaeg.exe
  2⤵
  PID:10244
- - C:\Windows\SysWOW64\Nljofl32.exe
    C:\Windows\system32\Nljofl32.exe
    3⤵
    PID:10292
  - - C:\Windows\SysWOW64\Ncdgcf32.exe
      C:\Windows\system32\Ncdgcf32.exe
      4⤵
      PID:10328
    - - C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        5⤵
        
        PID:10372
      - C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        6⤵
        
        PID:10416

C:\Windows\SysWOW64\Ndcdmikd.exe
C:\Windows\system32\Ndcdmikd.exe
1⤵
PID:10452
- C:\Windows\SysWOW64\Ngbpidjh.exe
  C:\Windows\system32\Ngbpidjh.exe
  2⤵
  PID:10492

C:\Windows\SysWOW64\Njqmepik.exe
C:\Windows\system32\Njqmepik.exe
1⤵
PID:10540
- C:\Windows\SysWOW64\Nloiakho.exe
  C:\Windows\system32\Nloiakho.exe
  2⤵
  PID:10580
- - C:\Windows\SysWOW64\Ndfqbhia.exe
    C:\Windows\system32\Ndfqbhia.exe
    3⤵
    PID:10620

C:\Windows\SysWOW64\Ncianepl.exe
C:\Windows\system32\Ncianepl.exe
1⤵
PID:10660
- C:\Windows\SysWOW64\Nfgmjqop.exe
  C:\Windows\system32\Nfgmjqop.exe
  2⤵
  PID:10696
- - C:\Windows\SysWOW64\Nlaegk32.exe
    C:\Windows\system32\Nlaegk32.exe
    3⤵
    PID:10744

C:\Windows\SysWOW64\Ndhmhh32.exe
C:\Windows\system32\Ndhmhh32.exe
1⤵
PID:10784
- C:\Windows\SysWOW64\Nfjjppmm.exe
  C:\Windows\system32\Nfjjppmm.exe
  2⤵
  PID:10824
- - C:\Windows\SysWOW64\Nnqbanmo.exe
    C:\Windows\system32\Nnqbanmo.exe
    3⤵
    PID:10872

C:\Windows\SysWOW64\Oponmilc.exe
C:\Windows\system32\Oponmilc.exe
1⤵
PID:10912
- C:\Windows\SysWOW64\Ocnjidkf.exe
  C:\Windows\system32\Ocnjidkf.exe
  2⤵
  PID:10948
- - C:\Windows\SysWOW64\Oflgep32.exe
    C:\Windows\system32\Oflgep32.exe
    3⤵
    PID:10992

C:\Windows\SysWOW64\Oncofm32.exe
C:\Windows\system32\Oncofm32.exe
1⤵
PID:11036
- C:\Windows\SysWOW64\Opakbi32.exe
  C:\Windows\system32\Opakbi32.exe
  2⤵
  PID:11072
- - C:\Windows\SysWOW64\Ocpgod32.exe
    C:\Windows\system32\Ocpgod32.exe
    3⤵
    PID:11112

C:\Windows\SysWOW64\Ofnckp32.exe
C:\Windows\system32\Ofnckp32.exe
1⤵
PID:11152
- C:\Windows\SysWOW64\Oneklm32.exe
  C:\Windows\system32\Oneklm32.exe
  2⤵
  PID:11200

C:\Windows\SysWOW64\Ocbddc32.exe
C:\Windows\system32\Ocbddc32.exe
1⤵
PID:10256
- C:\Windows\SysWOW64\Ojllan32.exe
  C:\Windows\system32\Ojllan32.exe
  2⤵
  PID:10320
- - C:\Windows\SysWOW64\Olkhmi32.exe
    C:\Windows\system32\Olkhmi32.exe
    3⤵
    PID:10388
  - - C:\Windows\SysWOW64\Odapnf32.exe
      C:\Windows\system32\Odapnf32.exe
      4⤵
      PID:10476

C:\Windows\SysWOW64\Ogpmjb32.exe
C:\Windows\system32\Ogpmjb32.exe
1⤵
PID:10532
- C:\Windows\SysWOW64\Ojoign32.exe
  C:\Windows\system32\Ojoign32.exe
  2⤵
  PID:10612

C:\Windows\SysWOW64\Olmeci32.exe
C:\Windows\system32\Olmeci32.exe
1⤵
PID:10648
- C:\Windows\SysWOW64\Oddmdf32.exe
  C:\Windows\system32\Oddmdf32.exe
  2⤵
  PID:9396

C:\Windows\SysWOW64\Ogbipa32.exe
C:\Windows\system32\Ogbipa32.exe
1⤵
PID:10800
- C:\Windows\SysWOW64\Pnlaml32.exe
  C:\Windows\system32\Pnlaml32.exe
  2⤵
  PID:10880

C:\Windows\SysWOW64\Pcijeb32.exe
C:\Windows\system32\Pcijeb32.exe
1⤵
PID:10944
- C:\Windows\SysWOW64\Pjcbbmif.exe
  C:\Windows\system32\Pjcbbmif.exe
  2⤵
  PID:11004
- - C:\Windows\SysWOW64\Pqmjog32.exe
    C:\Windows\system32\Pqmjog32.exe
    3⤵
    PID:11096
  - - C:\Windows\SysWOW64\Pclgkb32.exe
      C:\Windows\system32\Pclgkb32.exe
      4⤵
      PID:11148
    - - C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        5⤵
        
        PID:11212

C:\Windows\SysWOW64\Pnakhkol.exe
C:\Windows\system32\Pnakhkol.exe
1⤵
PID:10252
- C:\Windows\SysWOW64\Pgioqq32.exe
  C:\Windows\system32\Pgioqq32.exe
  2⤵
  PID:10400

C:\Windows\SysWOW64\Pncgmkmj.exe
C:\Windows\system32\Pncgmkmj.exe
1⤵
PID:10440
- C:\Windows\SysWOW64\Pqbdjfln.exe
  C:\Windows\system32\Pqbdjfln.exe
  2⤵
  PID:10588

C:\Windows\SysWOW64\Pdmpje32.exe
C:\Windows\system32\Pdmpje32.exe
1⤵
PID:10712
- C:\Windows\SysWOW64\Pgllfp32.exe
  C:\Windows\system32\Pgllfp32.exe
  2⤵
  PID:10836

C:\Windows\SysWOW64\Pnfdcjkg.exe
C:\Windows\system32\Pnfdcjkg.exe
1⤵
PID:10960
- C:\Windows\SysWOW64\Pqdqof32.exe
  C:\Windows\system32\Pqdqof32.exe
  2⤵
  PID:11060
- - C:\Windows\SysWOW64\Pcbmka32.exe
    C:\Windows\system32\Pcbmka32.exe
    3⤵
    PID:9412

C:\Windows\SysWOW64\Pfaigm32.exe
C:\Windows\system32\Pfaigm32.exe
1⤵
PID:10192
- C:\Windows\SysWOW64\Qnhahj32.exe
  C:\Windows\system32\Qnhahj32.exe
  2⤵
  PID:832
- - C:\Windows\SysWOW64\Qqfmde32.exe
    C:\Windows\system32\Qqfmde32.exe
    3⤵
    PID:10608

C:\Windows\SysWOW64\Qceiaa32.exe
C:\Windows\system32\Qceiaa32.exe
1⤵
PID:10792
- C:\Windows\SysWOW64\Qfcfml32.exe
  C:\Windows\system32\Qfcfml32.exe
  2⤵
  PID:10988
- - C:\Windows\SysWOW64\Qnjnnj32.exe
    C:\Windows\system32\Qnjnnj32.exe
    3⤵
    PID:11140

C:\Windows\SysWOW64\Qqijje32.exe
C:\Windows\system32\Qqijje32.exe
1⤵
PID:10336
- C:\Windows\SysWOW64\Qcgffqei.exe
  C:\Windows\system32\Qcgffqei.exe
  2⤵
  PID:10564
- - C:\Windows\SysWOW64\Qffbbldm.exe
    C:\Windows\system32\Qffbbldm.exe
    3⤵
    PID:10956

C:\Windows\SysWOW64\Anmjcieo.exe
C:\Windows\system32\Anmjcieo.exe
1⤵
PID:10276
- C:\Windows\SysWOW64\Aqkgpedc.exe
  C:\Windows\system32\Aqkgpedc.exe
  2⤵
  PID:10424
- - C:\Windows\SysWOW64\Acjclpcf.exe
    C:\Windows\system32\Acjclpcf.exe
    3⤵
    PID:11180

C:\Windows\SysWOW64\Afhohlbj.exe
C:\Windows\system32\Afhohlbj.exe
1⤵
PID:10528
- C:\Windows\SysWOW64\Anogiicl.exe
  C:\Windows\system32\Anogiicl.exe
  2⤵
  PID:10368
- - C:\Windows\SysWOW64\Aqncedbp.exe
    C:\Windows\system32\Aqncedbp.exe
    3⤵
    PID:10728

C:\Windows\SysWOW64\Agglboim.exe
C:\Windows\system32\Agglboim.exe
1⤵
PID:11276
- C:\Windows\SysWOW64\Aqppkd32.exe
  C:\Windows\system32\Aqppkd32.exe
  2⤵
  PID:11336
- - C:\Windows\SysWOW64\Acnlgp32.exe
    C:\Windows\system32\Acnlgp32.exe
    3⤵
    PID:11372

C:\Windows\SysWOW64\Afmhck32.exe
C:\Windows\system32\Afmhck32.exe
1⤵
PID:11416
- C:\Windows\SysWOW64\Andqdh32.exe
  C:\Windows\system32\Andqdh32.exe
  2⤵
  PID:11464
- - C:\Windows\SysWOW64\Aabmqd32.exe
    C:\Windows\system32\Aabmqd32.exe
    3⤵
    PID:11504
  - - C:\Windows\SysWOW64\Afoeiklb.exe
      C:\Windows\system32\Afoeiklb.exe
      4⤵
      PID:11548
    - - C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        5⤵
        
        PID:11592
      - C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        6⤵
        
        PID:11636

C:\Windows\SysWOW64\Bfabnjjp.exe
C:\Windows\system32\Bfabnjjp.exe
1⤵
PID:11672
- C:\Windows\SysWOW64\Bnhjohkb.exe
  C:\Windows\system32\Bnhjohkb.exe
  2⤵
  PID:11712
- - C:\Windows\SysWOW64\Bebblb32.exe
    C:\Windows\system32\Bebblb32.exe
    3⤵
    PID:11764
  - - C:\Windows\SysWOW64\Bfdodjhm.exe
      C:\Windows\system32\Bfdodjhm.exe
      4⤵
      PID:11808

C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe
1⤵
PID:11848
- C:\Windows\SysWOW64\Baicac32.exe
  C:\Windows\system32\Baicac32.exe
  2⤵
  PID:11884
- - C:\Windows\SysWOW64\Bchomn32.exe
    C:\Windows\system32\Bchomn32.exe
    3⤵
    PID:11932

C:\Windows\SysWOW64\Bffkij32.exe
C:\Windows\system32\Bffkij32.exe
1⤵
PID:11972
- C:\Windows\SysWOW64\Bnmcjg32.exe
  C:\Windows\system32\Bnmcjg32.exe
  2⤵
  PID:12020

C:\Windows\SysWOW64\Balpgb32.exe
C:\Windows\system32\Balpgb32.exe
1⤵
PID:12060
- C:\Windows\SysWOW64\Bcjlcn32.exe
  C:\Windows\system32\Bcjlcn32.exe
  2⤵
  PID:12104
- - C:\Windows\SysWOW64\Bgehcmmm.exe
    C:\Windows\system32\Bgehcmmm.exe
    3⤵
    PID:12140

C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\system32\Bjddphlq.exe
1⤵
PID:12180
- C:\Windows\SysWOW64\Banllbdn.exe
  C:\Windows\system32\Banllbdn.exe
  2⤵
  PID:12224
- - C:\Windows\SysWOW64\Bfkedibe.exe
    C:\Windows\system32\Bfkedibe.exe
    3⤵
    PID:12272
  - - C:\Windows\SysWOW64\Bmemac32.exe
      C:\Windows\system32\Bmemac32.exe
      4⤵
      PID:11032
    - - C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        5⤵
        
        PID:11364

C:\Windows\SysWOW64\Cfmajipb.exe
C:\Windows\system32\Cfmajipb.exe
1⤵
PID:11444
- C:\Windows\SysWOW64\Cndikf32.exe
  C:\Windows\system32\Cndikf32.exe
  2⤵
  PID:11516
- - C:\Windows\SysWOW64\Cabfga32.exe
    C:\Windows\system32\Cabfga32.exe
    3⤵
    PID:11584

C:\Windows\SysWOW64\Cenahpha.exe
C:\Windows\system32\Cenahpha.exe
1⤵
PID:4196
- C:\Windows\SysWOW64\Cfpnph32.exe
  C:\Windows\system32\Cfpnph32.exe
  2⤵
  PID:11708

C:\Windows\SysWOW64\Cjkjpgfi.exe
C:\Windows\system32\Cjkjpgfi.exe
1⤵
PID:11776
- C:\Windows\SysWOW64\Cmiflbel.exe
  C:\Windows\system32\Cmiflbel.exe
  2⤵
  PID:11856

C:\Windows\SysWOW64\Chokikeb.exe
C:\Windows\system32\Chokikeb.exe
1⤵
PID:11980
- C:\Windows\SysWOW64\Cjmgfgdf.exe
  C:\Windows\system32\Cjmgfgdf.exe
  2⤵
  PID:12056

C:\Windows\SysWOW64\Cmlcbbcj.exe
C:\Windows\system32\Cmlcbbcj.exe
1⤵
PID:12112
- C:\Windows\SysWOW64\Ceckcp32.exe
  C:\Windows\system32\Ceckcp32.exe
  2⤵
  PID:12176
- - C:\Windows\SysWOW64\Chagok32.exe
    C:\Windows\system32\Chagok32.exe
    3⤵
    PID:12264

C:\Windows\SysWOW64\Cjpckf32.exe
C:\Windows\system32\Cjpckf32.exe
1⤵
PID:11360
- C:\Windows\SysWOW64\Cajlhqjp.exe
  C:\Windows\system32\Cajlhqjp.exe
  2⤵
  PID:11496
- - C:\Windows\SysWOW64\Cdhhdlid.exe
    C:\Windows\system32\Cdhhdlid.exe
    3⤵
    PID:11620

C:\Windows\SysWOW64\Cffdpghg.exe
C:\Windows\system32\Cffdpghg.exe
1⤵
PID:11704
- C:\Windows\SysWOW64\Cnnlaehj.exe
  C:\Windows\system32\Cnnlaehj.exe
  2⤵
  PID:11832

C:\Windows\SysWOW64\Calhnpgn.exe
C:\Windows\system32\Calhnpgn.exe
1⤵
PID:11940
- C:\Windows\SysWOW64\Dhfajjoj.exe
  C:\Windows\system32\Dhfajjoj.exe
  2⤵
  PID:12048
- - C:\Windows\SysWOW64\Dmcibama.exe
    C:\Windows\system32\Dmcibama.exe
    3⤵
    PID:12192
  - - C:\Windows\SysWOW64\Dejacond.exe
      C:\Windows\system32\Dejacond.exe
      4⤵
      PID:11316

C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\system32\Dhhnpjmh.exe
1⤵
PID:11536
- C:\Windows\SysWOW64\Djgjlelk.exe
  C:\Windows\system32\Djgjlelk.exe
  2⤵
  PID:11680

C:\Windows\SysWOW64\Dmefhako.exe
C:\Windows\system32\Dmefhako.exe
1⤵
PID:11836
- C:\Windows\SysWOW64\Delnin32.exe
  C:\Windows\system32\Delnin32.exe
  2⤵
  PID:12028
- - C:\Windows\SysWOW64\Dfnjafap.exe
    C:\Windows\system32\Dfnjafap.exe
    3⤵
    PID:12232
  - - C:\Windows\SysWOW64\Dodbbdbb.exe
      C:\Windows\system32\Dodbbdbb.exe
      4⤵
      PID:11568
    - - C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        5⤵
        
        PID:11840

C:\Windows\SysWOW64\Ddakjkqi.exe
C:\Windows\system32\Ddakjkqi.exe
1⤵
PID:12088
- C:\Windows\SysWOW64\Dfpgffpm.exe
  C:\Windows\system32\Dfpgffpm.exe
  2⤵
  PID:11664

C:\Windows\SysWOW64\Dogogcpo.exe
C:\Windows\system32\Dogogcpo.exe
1⤵
PID:12016
- C:\Windows\SysWOW64\Daekdooc.exe
  C:\Windows\system32\Daekdooc.exe
  2⤵
  PID:11752
- - C:\Windows\SysWOW64\Dddhpjof.exe
    C:\Windows\system32\Dddhpjof.exe
    3⤵
    PID:11456

C:\Windows\SysWOW64\Dhocqigp.exe
C:\Windows\system32\Dhocqigp.exe
1⤵
PID:2724
- C:\Windows\SysWOW64\Dknpmdfc.exe
  C:\Windows\system32\Dknpmdfc.exe
  2⤵
  PID:12304
- - C:\Windows\SysWOW64\Dmllipeg.exe
    C:\Windows\system32\Dmllipeg.exe
    3⤵
    PID:12348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 12348 -s 404
      4⤵
      Program crash
      PID:12436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 12348 -ip 12348
1⤵
PID:12412

C:\Windows\SysWOW64\Ceqnmpfo.exe
C:\Windows\system32\Ceqnmpfo.exe
1⤵
PID:11924

C:\Windows\SysWOW64\Opdghh32.exe
C:\Windows\system32\Opdghh32.exe
1⤵
PID:11248

C:\Windows\SysWOW64\Lboeaifi.exe
C:\Windows\system32\Lboeaifi.exe
1⤵
PID:9640

C:\Windows\SysWOW64\Ipbdmaah.exe
C:\Windows\system32\Ipbdmaah.exe
1⤵
PID:8792

C:\Windows\SysWOW64\Gfpcgpae.exe
C:\Windows\system32\Gfpcgpae.exe
1⤵
PID:7640

C:\Windows\SysWOW64\Fkciihgg.exe
C:\Windows\system32\Fkciihgg.exe
1⤵
PID:7584

C:\Windows\SysWOW64\Fdgdgnbm.exe
C:\Windows\system32\Fdgdgnbm.exe
1⤵
PID:7176

C:\Windows\SysWOW64\Ehnglm32.exe
C:\Windows\system32\Ehnglm32.exe
1⤵
PID:7868

C:\Windows\SysWOW64\Chmeobkq.exe
C:\Windows\system32\Chmeobkq.exe
1⤵
PID:7112

C:\Windows\SysWOW64\Pgjfkg32.exe
C:\Windows\system32\Pgjfkg32.exe
1⤵
PID:5992

C:\Windows\SysWOW64\Pjffbc32.exe
C:\Windows\system32\Pjffbc32.exe
1⤵
PID:5852

C:\Windows\SysWOW64\Odgqdlnj.exe
C:\Windows\system32\Odgqdlnj.exe
1⤵
PID:5580

C:\Windows\SysWOW64\Oqihnn32.exe
C:\Windows\system32\Oqihnn32.exe
1⤵
PID:5372

C:\Windows\SysWOW64\Onklabip.exe
C:\Windows\system32\Onklabip.exe
1⤵
PID:5328

C:\Windows\SysWOW64\Okloegjl.exe
C:\Windows\system32\Okloegjl.exe
1⤵
PID:5288

C:\Windows\SysWOW64\Obdkma32.exe
C:\Windows\system32\Obdkma32.exe
1⤵
PID:5144

C:\Windows\SysWOW64\Oboaabga.exe
C:\Windows\system32\Oboaabga.exe
1⤵
PID:4828

C:\Windows\SysWOW64\Nbmelbid.exe
C:\Windows\system32\Nbmelbid.exe
1⤵
PID:4172

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
1⤵
PID:3476

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
1⤵
PID:3848

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
1⤵
PID:2880

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
1⤵
PID:4752

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
1⤵
PID:4668

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
1⤵
PID:3232

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
1⤵
PID:5036

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
1⤵
PID:3972

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
1⤵
PID:4688

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
1⤵
PID:4852

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
1⤵
PID:1184

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
1⤵
PID:4424

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
1⤵
PID:4060

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
517KB

MD5
979fe03212667b722187b21a0dd5a7fd

SHA1
90fe5582c28e30558ea56b130e4e9df8bcf5e293

SHA256
174834ef72526267117deea8d49fd95f78d861281e1122b0f45047ebb0ef371a

SHA512
a2db97066309277e371e429a52f407c1c7fd3cbffc1a81614d7c761bca7563b3ab01c7fecf73d900af152507098fe139c308f731af0a4b1401fd88a22b252925

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
887KB

MD5
59664d0e7d6c26b7f02d09c245441f1e

SHA1
3eb2f4d6c5a28254b7578f87148c1c94ea88e344

SHA256
a7cf36b16f3f3cbe2785c0102913a811000788ddbdb3b84ba4dd322763f13a18

SHA512
ed35e192faf7bbed8cef2a619d832a91d443b829f92971a6fb0d120c34bfdcafe169ae9e28cb0d156d2b2d1edcf2cc0c7f4bca18d98c870335983c8ba080ea06

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
396KB

MD5
96f8e530a14b9e8d6b6d7d94fb4cacb5

SHA1
3a831b29d5c78e30c9077674b4df58aa3ad4b1b5

SHA256
c18bdc8aa09d124c4ca2b7e119b967f3ab64d68e801bc8554076f1bfa0099c86

SHA512
b3f057d2fe3bdea8a50bc5cf252fe677d18cecdc4a259be4c3fd023568a45cc31fd1bbcecc02309beef0cee5cd5ab4f66ceb659b249a967f93f8d6ac6314b716

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
446KB

MD5
975799989e157671e0499661539ef17b

SHA1
12300824c8cb47c885d1f12a6919fdcc0d8fa823

SHA256
9c9c7b50d48f4d24e86a5822d87f86079a21d9b50ae87ab3d06282bd05caef52

SHA512
801aa415ef3f3a9ab52de6c0f39094e99f1f092ec2f063563a3c2f7b517da67554f252b353b0a87decfce143a379ce311af2bd44a45dc6b25355090c2240d5a8

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
339KB

MD5
c9e919f119b2054fc32cd190f5e810f9

SHA1
425c2c27cf83062893e1dd7ea69bd3015ccb5300

SHA256
9b4b91c1ed12e3bf85acd9275816e85e296b458b3f495552b04fe6da145d8130

SHA512
dd202ba3bd8ed9592aec2ed9cd6521577dffb3b1d50f4b9799a98193f345f3f69bfda26fe2d45961a162373c77ef732c371d00c18cbb5629a0adf0a3e5fda128

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
501KB

MD5
bbb9da01e3189e5c46bc9b9ae0323b7e

SHA1
76b44edee87c63acb8421d4b53e40419a7cb9f82

SHA256
86a92cab142c1ec93d6356fbd7d72525b69c1854dc8a7dc242f83aa7db2f91c2

SHA512
9a9adedf31e59f21fbcf05b43a47dd5c7ac4e04134523c08a5f153270d63f66a072036db319186e1f75b463e856a644382c8121248c2a499f9f46b48edbd9ee7

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
514KB

MD5
faa634594595a7cfdb9ea88cde6971af

SHA1
06d5fe26161149bd2b85d9fcb39c4fa08ac040fe

SHA256
a10b59e981385055e7060f5d7abcba9e1e06b705f4d3f0cac26730ee472acd5b

SHA512
91d39e92b121ef02a3232ded16b679502a640242f3c537478d39ac3b3dff410878f135d2cc39130328da7654b5135683e8038df5f424a7293e8c6232b3c82f65

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
397KB

MD5
638c4963bc6d9c9c5027faa444b39668

SHA1
97ae77c110cb052f5d8a1618711eabfcf0075852

SHA256
9beac5af27664edcbeeb95157dc2cecc18edb3620937182e712ab3d026b1994e

SHA512
898f764e93faf1652004abf6f091c065dc195f897dd6a8b82edf0c4f810df8ad0a8504cfad69a8863f38aaa4768b282c63fa1003513d71712a710fe5d2cc588e

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
195KB

MD5
468fdc1f1a59fbbdd5e116b831000ca4

SHA1
b1c81262104f21ae63b0bfe9ae14c0ba41c8d8d8

SHA256
6ac9c5538e111c59c589e7ea9f5db83a39f1c6f9df47d7da35af735dee649b06

SHA512
e03e4465e314f2f198e621842e5d861793c3cf0782bc88c7922dca083c28a1f72e39e2ec5c68cc6aa373c1f0fe0ba4cc4a1743fe8c4a9646d8fcdd78f6432133

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
69KB

MD5
c6ff34204a1122e2ae725d9ee39f9397

SHA1
5e2643b554dc4d173fa8d7446c1d37ce32782020

SHA256
64eecd35de4502083aa9088ca7043cbc514b78bfec49b932a5d27733d8b83647

SHA512
dc805d6c3c936e32dd8e57b905122f4436ba1394ebd79ddcc891075ee28854d1e6044f39aa8ac0d0714bdf112884be67862071667ef26b438647c1a4bd1ada06

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
256KB

MD5
bec08539829091620f4d581e54090ef5

SHA1
e51bff627ff46271788f4b2f9a7369a4da27b1fa

SHA256
dec846723ca99bfaaf72c411dab5e345d581e7a71db72a9ee29ec26a5d4e1bae

SHA512
578d75807b4f950f0b3a59cdcae90d6bed238f9b4c555e411c9be460536a41965901c3260b9f17788838eab03e0019d85592412379cd8048d5621a8e86f37b6c

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
139KB

MD5
6c8693217de5f7dc0a7b47e7dcd8d841

SHA1
0e5b956c8b0c45d3b076342e7bafb942623bae4c

SHA256
eb611e7062a7f1edf201f2e7b860799b36385267ed0aee8ac4f0e27679b58c57

SHA512
b1ef811e70988f4d26db1498da128d27e58ba5f8df75509dfd789d9f6e6ed0934a24349aaf6ec725e49d1e3a74d747ac3a9bac5bfbad73ba18290397fd470aab

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
106KB

MD5
5a035fdde99c3475bb95b85599499d24

SHA1
49e38e672d9a552329ed222028c1516deca22d42

SHA256
2fb829ea9e7f2b77c442e60889dd3f81e77078b6d40e661fd9547593aebd7631

SHA512
7ea3dc77e52dd1088c862687b21abc37ab979a6195322dabfcb27a841adb9bba2b3b23ffbdc2c450d941ea22b1f5bf9ba726a5d7f280aa5c0c747f552942bc36

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
107KB

MD5
704ebd2dcc4406855414f32815ff198a

SHA1
5bcecfdedfcd33c679918a7fa46c299d10d74cf1

SHA256
8a55e2cb75c786c61ce9aa7e685bcece36cf3c2e8ddfa3912479948693531de0

SHA512
3ccc44fd81bed20dcf8f845749bee1dcf0f75c85a924421aaa0b8bb192218c10781c0dd1855485e392c2d1dc87d8cf5770a45dd4625b47a5ce5328c3ce17d6b4

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
1.6MB

MD5
063fbc2dc9dd634995642f2bea09f17f

SHA1
ed517a204c7634ed7cb025c542e9f60cac51a754

SHA256
5da59bf711f20be93af342a59ffb98eb7ed4ce7b0dc954a02016e108eb1b1a38

SHA512
449318b4cbcb2251121e65511f1e74423d98251bed7201eccbbe7ea2828dcd7952694acb44989ba0e21cfa9cde9242011172ef3fe09e4949348d55fb2124edba

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
92KB

MD5
33b02c7dddf616491c4ec323ec53e542

SHA1
2ac510bd7f90557cb4887716f901891606ddab88

SHA256
1c5926e7b20cb4d6aac4a7587c3872665947c91d51b8e1f7cca4d0d7e99c7828

SHA512
c7670314e8e34dd380642efdb55804d5a53ad458d195b35cd1f1bde9309aeca370193237594b88926a60f02700ea9c6255860a41f7f52347dc08ce41ac6185ac

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
1.6MB

MD5
32b6727c8b7ce1424088fb0b59ed281f

SHA1
57310415e22afab95b2aca674aa575701053cee0

SHA256
652800d4eda6ddf6edc0abb742ee025606f7b98c6ce25458f1b4950fd990840a

SHA512
807637535f68fcd9f1e34832d4290e5cba907e40a7b984b63243f13344c029769087ca3cf8886382a927bcea49ab9f900308186e99d271729b56e9751d1bdef9

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
1.6MB

MD5
603b8c8179ba0374e6090f95a39a367d

SHA1
7d567a05d7c6cab65d741ae1186afb65a8f5f60d

SHA256
12ab836471c8d8eacfa177ca3c6b21dfd7c2c6777eb40b651eee4c358f413517

SHA512
7c97ed0ebb41091434fe7d0850721bc924f587403e98af817abdbef25f920ba87eb645223859491ef62b7dae23375cb00a993b6c3435165491048ceaeefe21da

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
1.6MB

MD5
af427b02e60957bb9f8f46e4b42d6732

SHA1
72c1a0b4dbeb1d09dcac20f903bdf7283a9c1ed0

SHA256
fad1dc06b132479a8252d785d6f4b850c903b412478aa1527379e63954110c04

SHA512
35ac1811e52457bf64056e3e23c6f1efa1fd3a840163b32b5baabbfe5427f596347841b5b8524d7f03ccd8e77295693429914807c044dc7c3f5ebaf9914d2009

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
1.6MB

MD5
d2b56c362f6c341d4a26a680eed01d14

SHA1
52f439d9228877e2ae45ef5bb981515f666132e9

SHA256
54cbaa7570ed41d446a43fef51e9fac11097f60a6e3f268a32d17084c0041980

SHA512
061f4ea0bf0f8e63f5a69a83b3429c86b2de80e676e0291a68d8cb1597d4510cbe8518b48efde975548661fe74c78e57ded790ac01c626e98c56ef1a814969c9

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
1.0MB

MD5
df2a6d683b3d42e6827f3e5161a08b0a

SHA1
fd81ab271aeef7f43a11c527f595111fbbac9c83

SHA256
e148fd51232f56b95df4a5cd2bbddc755f2acc51ba2a8fde09f19284e28d16b4

SHA512
d6a4b03af89ad6cba42d26fcbe7d56188919f5539bee2e36ccd46915da7a319f68d7353ec7850a1a62240f0f588bf8649882b07223aa6d4476897e3346aa8cc3

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
1.0MB

MD5
9f05d73998e7eba418bae67bfaa10c7a

SHA1
e36028644685a020cc40ee7b94bd0b6e0eed3010

SHA256
ba5658436ae0439c735f202aebd2fd3650dd8771121c3942bfb850cf45f8a2f5

SHA512
791dd388739b118fae78ade4437e883e8cf1d5e2ac674b8d4b6f8e39b806fbaba40f9a8bd4120a27b7dbc36777075321169588c5fd65227d053c7c04a0ed1baa

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
122KB

MD5
ce4b1932e90cf4106786a61ef794e98f

SHA1
fc1911025b630ffdf947251530afc10427aea575

SHA256
3bf4749998d9f40459d6356bed0d09fcc8abe0fc1508a3384fcba3a389955195

SHA512
d4920dc10e4bebcf67ed7eb31fc8bb085aab4f7e54bdb661d5822ba6fe4f60a103e309604ef46512ef2192ecacc055e933b6634f908888527878c6bb81d347df

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
595KB

MD5
c4c070b7d31f041ecb890341a1912c94

SHA1
fab4af2dbc07d18ec72ba7f5ac7d75adee30798d

SHA256
aaf9b8dccd92f0a3311ffa0078c724db3f0db05e2284989f286149514c1bf3a6

SHA512
b999c3c0cd5066ab4fa3d5b351eb5f9c338a8f9f8fd2c6be081efeda362d39333dc42ba2ecf24c2334ee2873dcb927bb6140bb4472c982ba3fd513c7ad2c1222

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
936KB

MD5
4873d671951f28976fc09a388f9b2622

SHA1
7b29a88df840b1eb32f4250d41fa428e4becfaee

SHA256
852832e980fabe842d5fe52e30cd1071d6625576714bc9ac46e73af7a14dead3

SHA512
6c556e1be484c1b25f5f674204733f3c1b6234d0a7e7b1927c9b43e8af4bb15d286215eb94a7ce81e205830b30c0b36d85c1087fcc0897ea96e44e957bc43fe5

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
1.6MB

MD5
8a30fe6aa3903f84a35eaaad50adc3cc

SHA1
39bca7bd18b1fa6e38c773f0af1c28c34c02f499

SHA256
89f82eec2abc581fc4cfa611856df2c1dc1b688d2ba72ef3c7cd9d53f3755b4d

SHA512
2970a7ba24a3042eb14edaf7af32346e3f299e584f1909e02d5450b209621e7917f2fbfb6257670d8da7d2d7ebe5f29702cf7e3b50244d373c0814c18773e233

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
46KB

MD5
b403eb9462497ba8cc532410dc66c1f6

SHA1
32f37ad419b5e4cd5ce95d9446a92d744e306eb2

SHA256
8141083ddef15bfb6b5bb2eac0e8086ffce67197fe9d5d48b0dc04819b224351

SHA512
4a667f5f45beb2bb137195353a717356cc8400b5a4ab9e3726f836478b620809740d1e1bcad310ba88f0b45888134c7ba69b34b7726cfd64c35ba9bbc6882285

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
381KB

MD5
a6ba9619261ae9a42110998582255b2b

SHA1
1d00ce85b6e0bf17f26ef5698b0f946c4b0d34b7

SHA256
d19ec4bb5b5a9e715aea1393af9f3784a45bcdb36988b048cd366c1728b9da9b

SHA512
0eb66af313abb19dd20262d8b4a23e5f267443f88f9d79758678c049a001a10650494111f32e1b8c6eb11909e1aabfe46776123a68dd562fe5517f10f3e8e49c

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
857KB

MD5
b3d576144d469e0d5cc3131445172e41

SHA1
2c4140fee959a2966b61ea0d13cf45c78b805b1e

SHA256
c2d382e8550334731b17e9eccc238c475118644e2fc77e613d49487ef6798a51

SHA512
d5b9557fd03dd56abadaa65cb656c487e780797953a2e5a489ad8fff59e61964c928d1ae1435816e11c1b46172c45e32e90129cdb22335342f0a4f78792554d9

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
1.5MB

MD5
fff950c9b3408248b1e63b81ada2ec16

SHA1
340976ad77fb6110b479d734dee03af16c0770d7

SHA256
21cdff124a0a67a345eff9764f290f13f5e4b2ce566d7c68f7a643f45a785b4f

SHA512
c9d4f72b6ee344e597ae300e3595048a978e741e64fc4d7dc60ec852c1acc7919d5e9d12cadfde8b876b6ff62e71ff812e4dd79e4889d75735a4f4480b803f94

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
124KB

MD5
1523a8582d78eadbea8c5450fb2b064b

SHA1
ae361e633dd19367aab03e6948fbeb5f230c8a4a

SHA256
143e13ec27d9add13451dc5e5f6ea75af88abac5d883a5bd048860be9d385446

SHA512
5f6fc3a18847e67f1c0a34e4de1c0ca0ac55b758b04baabf2340df10412376dcd39e17c99db5cb1cbe1b7644d97f56e2a3941a04429fccd4d487eded0b0dfaf5

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
2KB

MD5
ab8183dcfb4b2b4d2b39d887d2b625fb

SHA1
de1fe46031e3b5de5d790b099373b5d346a2c5f4

SHA256
3e2258c1d2548c658b959930e4706034422136af4e4a6406d0f7a98977ac8840

SHA512
bfc907571f45c7b0a9608a73d18a581f0853e974a6d310964a429e42e90bb443b77a53790e68fb9b5c37f76a721b81199bb3c08fd87690fdf12e199a210c80ed

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
1.6MB

MD5
87e221e3c9fb5fd3ea122a674897861b

SHA1
dfe3056b080913e70ff107b8316610cd0eb89b7e

SHA256
0863eb4d852e4297a74ba6d5e77cf6e0dce9a6f26fb3dce157d14890a0b8374c

SHA512
502c2a947e2eadafeb0cfa3eda134c7cb367eb91044a634f441fcb12c5f3d5e0169739c91ea54984621c4043d83eca39ca52d8bb894a308cdbd5e639815079ef

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
1.3MB

MD5
5968be0d19f84aaf4435fb98a531ba15

SHA1
f9d78f2d3be78001ff11977c02a6ec707dcaefb8

SHA256
6e7264d8e1d68e7b03e06b51b41a61b9d01459e3d9c749b577dcbc0b5bdf57ad

SHA512
7604d63a85b6df0855a9a21750346c3b2760e6a434a9cc73c7adf091991b5db48a08e0523701c14801638b02e1434e9489042387065133f241f8a98154eb2af4

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
886KB

MD5
6c31b3098460ec28e0c49185ffe52782

SHA1
eaeccf2ec13da9a715a3e1d4e1dcee1abec61d30

SHA256
4dfcbb585dfc04ce656aa6a4ad387934ea9f010da027919f8d219e08fc38a1ee

SHA512
8eab7f7f38a8c9bd66a37864de7329e1445c0a6577dec5063962daecc7e1d0889023e34ada809f076612807a47f2831013cd26908a0c113837a8f88e36610846

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
898KB

MD5
0203eb0be2569d219f66cd5ae875a440

SHA1
5fb33bf53134e198662b82e5a0520bd1185c9f6f

SHA256
ada1796fa5e595733d8c11933c6ce36442a8ff89cfa3ef9dd8ab145afdc34108

SHA512
99122db7f76866c901adadb55802f8083e207e216896cc5cdc8332167f461ae3a9316c44a1f72ea4be4e578f68071e49ce7b869cc162b6d33c38f52caaea470b

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
477KB

MD5
2f3959d7bdc21cedf193a2a2ee70fe8e

SHA1
04c0d367ee78bd51568299c64afc54e0d2218c40

SHA256
286e3300d72a78da58bd408d3fa95026fad5a7977745110f1e9f81bbb3c0d6fa

SHA512
569f4e8cc118c5a33577baeb6ef7ed4815e5888db31520051e3e167f4617336f8478fb0fd335178c95c64fc6115cc6c07cbe7af0f9b6954549ad30a00c61bc41

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
837KB

MD5
bdc7d10f19258d813b2c7a7f9b5c5470

SHA1
d4d959bea89534e7eddbeb5fc3d353bf3ae57c7b

SHA256
57846243e76108d0784d200a1310bd2f6848ea700317d720802bc6dd517f3cad

SHA512
a2d04133135a0d22e1018af3670cad27313f2a29beeea34e714a24cee4c84025957600f11aec346c0f7e4601e63d8a07d2da9b2894ef19d182500d997accbbb4

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
1.3MB

MD5
ad6ad8c0ee3d5491006d43504b7443d5

SHA1
67d6d528bd670db4695445d5988d6f16de46e3ea

SHA256
d6a6d41871f4099d5430c23111ec024b7c720c9d839088e4976dbaa5dfb6258c

SHA512
592160acdb77efa63ac57c286b65a2888ecefdf28375b13b6762be6018a8bcde431af9be1b5b08cdfe49fa4890d3837d65f5e29660aeee8e05420d1bf9ec8552

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
1.6MB

MD5
236e894f3dc4cd141a31a2a3de0a4af0

SHA1
c11367ee11a074eff758828412e447a5070c6b5d

SHA256
bc41fa2b31232fd661278bd0b6fe4fa9ec0ac4a37c28b35054e0d529957088f0

SHA512
4dfbc4eec8397cd1e493d1258f254262990ed4631f23ae7b4f926f9f31a49ad8af5fb5b2eda688515f2faf557d939e88cf889ded9d591246f786901bc83a6baa

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
604KB

MD5
832307876db586ef7440dcab1cb74611

SHA1
0f06dc23df8f48f70892f19b61600a76c1dc0029

SHA256
2611e9c13f1ca3647a972155d65242a7fd1c61125b3cd93b4c6037f804e538c7

SHA512
fc42a5d21d3d1de958f5d00bf2cad44272bfc3460fb04ebabf30062a656d110c3627c202a2ac64a707948a847e44fe5f5d7d0cfde218e3cd72f3f2988cf45910

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
496KB

MD5
eafc6cddf8cb4782ae9d61048928bc63

SHA1
c3cbd08c17d24d20eaad0710a679011d2ecd2067

SHA256
7c97f41a5be423ac5422b57b209433bbd41af29566f11056a2f193e96decc530

SHA512
a0d9fdd2fc44f394692c6ee2080a214f58d144ad1122d483eadbeccc7659e7660f5ba0cdd705901466a2f6a79413e233c08bc567c07580f42fa3d1dc1db2545a

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
584KB

MD5
be73c5b1637447869ae816c8bb335885

SHA1
53ccba0f9128415223989b9b33726b1c263108f3

SHA256
f848c63afb9cb09433007e6ba517fef523af2109a8b9c3a5891266b70d388640

SHA512
55888a5b1cc1b647b0342770925a08a389a338047b9defb8d3234552063989a413bafc63b6f99984c9dfbe68b12c92ed286f1b36b0e48d00ce2df04ae1c55e87

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
674KB

MD5
5c310c07322973bf28ea0328ca34d5cf

SHA1
01373d472b21459e780fcf5152a46f1ba62a9e92

SHA256
4491a1ef5cbd6f6da4d084a19c429896fbdad231bc957afbf83c25fe21185b64

SHA512
08e3e3c247df1f5f38f7c15ce0222d8e550a52915353c5c7c688e878fd55d11ad2c64be717a45778b91d1c22e3d48f78d52bdd58171bc6e1c339c35af88f96bf

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
639KB

MD5
8acaea7d6e431cd2b19c16400191f06a

SHA1
4bb491862653efa5127d093684b2875f75fb9f1f

SHA256
235fb6cc0f1929c0805ade4673a3bf4c8fc6671054d4710572163f9779087365

SHA512
5aa1ed5152b91abcd1ced05d3f715fa8cff0aafacf3ffe069691c564df0994e38c2bba96d9025d33e3f26d8a1b733eaf1843e6f5bb8309f0ba171b82652395a0

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
546KB

MD5
7e330f22a18f25b85dd78562c418f2be

SHA1
a2b38c9908435eab98f6545f390cd2be206dd7d9

SHA256
ffe7156b4ed31895645f7222e7539f05bb1ec336c72a7940b11d475543215128

SHA512
e1a46857bfa2cdcd9d99da32deed69598f7cbf61c99c109fce06151bfa3fb93d66e61392f7e7ef6c748049ec130579cccf287e47ac732ea7c0e0a72bbb6867ac

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
96KB

MD5
c5be46bd33c47ae421f1c874d41ab43b

SHA1
13a2002b6c7816fd65969568d8c5d28ad5de3d4e

SHA256
cc6d91575c071d12fccbd9dd2105dc8f90e01647a39ad7f3ec8d2e075e5a3a70

SHA512
0b0465cf4d00e23c845f261cd66af3fea75f05d796591ef424b557c004710c81888d6a31f7ac91944ca8198a2836ef3e0f8dc67be55866524999920d38a30b65

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
225KB

MD5
3889bddba7ad7a3ac5b8ee0d6f5018a8

SHA1
575969a03bcf0eb13bfc0acae37b3f062e2ac918

SHA256
177ddefb94b75163e4ec73edec5f2f492d29e50d0172c21c00eb4d0cc34893da

SHA512
ddc7bb65601cb90f3dab7963d4c9f1cd79eee62c485536826c7d5b9619dfe7b2ac472e5cfeae8fab341332da349355d94e59cd8f4043b1c8c538bb6afa5caa45

Download Submit
memory/64-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/828-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/856-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/912-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/996-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1184-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1204-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1328-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1360-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2036-45-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-315-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2400-49-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2412-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2584-324-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2880-227-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3192-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3228-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3232-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3476-273-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3668-287-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3844-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3848-263-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3972-153-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4060-75-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4128-249-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4172-294-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4396-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4428-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4464-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4484-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4516-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4660-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4668-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4688-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4736-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4752-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4828-318-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4852-123-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4856-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4888-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4888-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4976-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5036-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5096-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5144-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5188-360-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5244-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5288-375-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5328-381-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5372-387-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5432-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5488-399-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5524-405-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5580-411-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5624-417-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5668-423-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5720-425-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5768-431-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5808-441-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads