e3788ab83c5cec69296d74ec54ba92e3bd8d2b16fe30463cce1402f50fc263bb

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f079f8e71e104eaa004d362fc163da69.exe
Size

71KB
MD5

f079f8e71e104eaa004d362fc163da69
SHA1

7b55a5f2b6a079e32100030fa01ad17ba99af664
SHA256

e3788ab83c5cec69296d74ec54ba92e3bd8d2b16fe30463cce1402f50fc263bb
SHA512

65237a25379aa135784b1354eb33c5b177c7aac07766222af6dbd8477e8055ef9ba29fd66cd91579dd16c06f263da3a426cb10fcb3c9b7a4c9898c38d0b7dce8
SSDEEP

1536:v6xebaTRyHxPVXoNziTBdxqRuRQfDK1P+ATT:vieWW502BdEue2P+A3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f079f8e71e104eaa004d362fc163da69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbaojpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbajbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmaopfjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdheol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Meiabh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lggeej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckbggad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mebcop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlialb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ollgiplp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcoaock.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldnbdnlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpdfnolo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mccfdmmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dqnjgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nehekq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdilnojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnaqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haoimcgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ompfej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olndnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oemofpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enkmfolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akgcdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Embdofop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgcmdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgffci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdpmbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mckefmai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdpkflfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjnqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnkfmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmajbnha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kiejfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emdaee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ionbcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibobdqid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Keekjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acmomgoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akgcdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkggfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nblfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkjlciem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gphgbafl.exe

Executes dropped EXE 64 IoCs

pid	Process
4556	Ogpmjb32.exe
644	Onjegled.exe
2300	Oddmdf32.exe
4236	Ogbipa32.exe
4472	Pmoahijl.exe
3416	Pcijeb32.exe
2816	Pfhfan32.exe
4888	Pmannhhj.exe
1228	Pclgkb32.exe
4684	Pqpgdfnp.exe
660	Pcncpbmd.exe
2664	Pjhlml32.exe
968	Pmfhig32.exe
1152	Pcppfaka.exe
5104	Pqdqof32.exe
5080	Pfaigm32.exe
1424	Qmkadgpo.exe
3536	Qdbiedpa.exe
4460	Qjoankoi.exe
3880	Qmmnjfnl.exe
1544	Qcgffqei.exe
4412	Qgcbgo32.exe
5060	Ampkof32.exe
4240	Adgbpc32.exe
3588	Afhohlbj.exe
2212	Aqncedbp.exe
4072	Agglboim.exe
3660	Amddjegd.exe
4984	Aeklkchg.exe
4324	Afmhck32.exe
3220	Andqdh32.exe
4136	Acqimo32.exe
4080	Afoeiklb.exe
5032	Aminee32.exe
3308	Agoabn32.exe
3120	Bjmnoi32.exe
3092	Bmkjkd32.exe
1556	Bebblb32.exe
4968	Bnkgeg32.exe
1224	Bgcknmop.exe
4052	Bjagjhnc.exe
1428	Bmpcfdmg.exe
568	Beglgani.exe
916	Bfhhoi32.exe
1484	Bjddphlq.exe
2576	Banllbdn.exe
808	BackgroundTaskHost.exe
3332	Bfkedibe.exe
2176	Bjfaeh32.exe
5012	Bmemac32.exe
1628	Bcoenmao.exe
1592	Cfmajipb.exe
4976	Gilapgqb.exe
4304	Gpfjma32.exe
3188	Ghmbno32.exe
4616	Gnjjfegi.exe
4224	Gphgbafl.exe
1896	Ggbook32.exe
1744	Gnlgleef.exe
4508	Gdfoio32.exe
4580	Hkpheidp.exe
1980	Hajpbckl.exe
1832	Hdilnojp.exe
3884	Hkbdki32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ofalfi32.exe	Odcojm32.exe
File opened for modification	C:\Windows\SysWOW64\Eepbabjj.exe	Enfjdh32.exe
File created	C:\Windows\SysWOW64\Clpchk32.dll	Alhpkldp.exe
File created	C:\Windows\SysWOW64\Mjpjgj32.exe	Mbibfm32.exe
File opened for modification	C:\Windows\SysWOW64\Mlofcf32.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Amnlme32.exe	Ahaceo32.exe
File opened for modification	C:\Windows\SysWOW64\Kbinlp32.exe	Kkkldg32.exe
File created	C:\Windows\SysWOW64\Dgcoaock.exe	Dedceddg.exe
File opened for modification	C:\Windows\SysWOW64\Mjpjgj32.exe	Mbibfm32.exe
File opened for modification	C:\Windows\SysWOW64\Fchlhnlo.exe	Feella32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Fdnpclpq.dll	Jlobkg32.exe
File created	C:\Windows\SysWOW64\Lpjjmg32.exe	Llnnmhfe.exe
File created	C:\Windows\SysWOW64\Edjmknkk.dll	Pbmffi32.exe
File opened for modification	C:\Windows\SysWOW64\Kgjggkqi.exe	Kbmoodbb.exe
File created	C:\Windows\SysWOW64\Plpjfnfg.dll	Gphgbafl.exe
File opened for modification	C:\Windows\SysWOW64\Mldhacpj.exe	Midoph32.exe
File created	C:\Windows\SysWOW64\Dopbcedj.dll	Oinkmdml.exe
File created	C:\Windows\SysWOW64\Bclgnh32.dll	Nlbnhkqo.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Conanfli.exe
File created	C:\Windows\SysWOW64\Lllagh32.exe	Lindkm32.exe
File created	C:\Windows\SysWOW64\Plkiaf32.dll	Apobakpn.exe
File created	C:\Windows\SysWOW64\Baeaeo32.dll	Imofip32.exe
File created	C:\Windows\SysWOW64\Lpghll32.dll	Ompfej32.exe
File opened for modification	C:\Windows\SysWOW64\Hbgkei32.exe	Hioflcbj.exe
File opened for modification	C:\Windows\SysWOW64\Cejjdlap.exe	Ebcdjc32.exe
File created	C:\Windows\SysWOW64\Dndhqgbm.dll	Ajlpepbi.exe
File created	C:\Windows\SysWOW64\Ollgiplp.exe	Oinkmdml.exe
File opened for modification	C:\Windows\SysWOW64\Ollgiplp.exe	Oinkmdml.exe
File created	C:\Windows\SysWOW64\Ijogmdqm.exe	Igqkqiai.exe
File created	C:\Windows\SysWOW64\Mjcngpjh.exe	Mcifkf32.exe
File created	C:\Windows\SysWOW64\Ipgkjlmg.exe	Iimcma32.exe
File opened for modification	C:\Windows\SysWOW64\Fbdehlip.exe	Fofilp32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Keiifian.dll	Ebcdjc32.exe
File opened for modification	C:\Windows\SysWOW64\Bpkdjofm.exe	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Almifk32.exe	Ajnmjp32.exe
File created	C:\Windows\SysWOW64\Dedceddg.exe	Dmnkdfce.exe
File created	C:\Windows\SysWOW64\Cjjfon32.dll	Kmkbfeab.exe
File opened for modification	C:\Windows\SysWOW64\Mmmqhl32.exe	Moipoh32.exe
File opened for modification	C:\Windows\SysWOW64\Foapaa32.exe	Fgjhpcmo.exe
File created	C:\Windows\SysWOW64\Gijcclkf.dll	Eabjkdcc.exe
File opened for modification	C:\Windows\SysWOW64\Nlbnhkqo.exe	Nmommn32.exe
File created	C:\Windows\SysWOW64\Omdghmfo.exe	Oemofpel.exe
File created	C:\Windows\SysWOW64\Kmkbfeab.exe	Kkjeomld.exe
File created	C:\Windows\SysWOW64\Hldiinke.exe	Hpmhdmea.exe
File opened for modification	C:\Windows\SysWOW64\Ejdhcjpl.exe	Ecjpfp32.exe
File created	C:\Windows\SysWOW64\Ichelm32.dll	Kocgbend.exe
File opened for modification	C:\Windows\SysWOW64\Acdeneij.exe	Aljmal32.exe
File opened for modification	C:\Windows\SysWOW64\Gpmomo32.exe	Ggfglb32.exe
File opened for modification	C:\Windows\SysWOW64\Lindkm32.exe	Lafmjp32.exe
File created	C:\Windows\SysWOW64\Afajcjap.dll	Odcojm32.exe
File opened for modification	C:\Windows\SysWOW64\Ahaceo32.exe	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Iohmnmmb.dll	Aaldccip.exe
File created	C:\Windows\SysWOW64\Fnkfmm32.exe	Fkmjaa32.exe
File opened for modification	C:\Windows\SysWOW64\Hdilnojp.exe	Hajpbckl.exe
File created	C:\Windows\SysWOW64\Lcbmlbig.exe	Lkkekdhe.exe
File opened for modification	C:\Windows\SysWOW64\Lkjhfh32.exe	Lhkkjl32.exe
File created	C:\Windows\SysWOW64\Bhkflmfi.dll	Fdpnpe32.exe
File opened for modification	C:\Windows\SysWOW64\Jojdlfeo.exe	Jhplpl32.exe
File created	C:\Windows\SysWOW64\Kocgbend.exe	Khiofk32.exe
File created	C:\Windows\SysWOW64\Cjmnoo32.dll	Pkkdhe32.exe
File created	C:\Windows\SysWOW64\Dkcndeen.exe	Ddifgk32.exe
File created	C:\Windows\SysWOW64\Kplmliko.exe	Klpakj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjjfon32.dll"	Kmkbfeab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghojbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgppbgc.dll"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnpjdfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladnhcdo.dll"	Gnjjfegi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mccfdmmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lafmjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnaolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfokdq32.dll"	Hajpbckl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfgbfdm.dll"	Figgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blbhngfl.dll"	Ccnnmmbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gilapgqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eakdje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqhgagfn.dll"	Fagcfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkiclepa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hdfapjbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gehfdaje.dll"	Kjffngap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kocgbend.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqblfm32.dll"	Oemofpel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Khlklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdjkflc.dll"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfnimde.dll"	Gdkbdllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfaddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmkbfeab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofmfi32.dll"	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alapqh32.dll"	Nblolm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eelifc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Glompi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laahglpp.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fcepbooa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afekjp32.dll"	Kbkaiddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqlfhjig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdkmelh.dll"	Pboblika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amagqp32.dll"	Dqbadf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plkdkcqg.dll"	Knhkkfod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fmndkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gphgbafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdejf32.dll"	Bdpqcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhmdeink.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpkaa32.dll"	Lggeej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkigk32.dll"	Lgffci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndhd32.dll"	Keekjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npiiffqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddifgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fdmfcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Keekjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll"	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mibpng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kggcnoic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ebcdjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pboblika.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eepbabjj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 4556	2508	f079f8e71e104eaa004d362fc163da69.exe	88
PID 2508 wrote to memory of 4556	2508	f079f8e71e104eaa004d362fc163da69.exe	88
PID 2508 wrote to memory of 4556	2508	f079f8e71e104eaa004d362fc163da69.exe	88
PID 4556 wrote to memory of 644	4556	Ogpmjb32.exe	89
PID 4556 wrote to memory of 644	4556	Ogpmjb32.exe	89
PID 4556 wrote to memory of 644	4556	Ogpmjb32.exe	89
PID 644 wrote to memory of 2300	644	Onjegled.exe	90
PID 644 wrote to memory of 2300	644	Onjegled.exe	90
PID 644 wrote to memory of 2300	644	Onjegled.exe	90
PID 2300 wrote to memory of 4236	2300	Oddmdf32.exe	91
PID 2300 wrote to memory of 4236	2300	Oddmdf32.exe	91
PID 2300 wrote to memory of 4236	2300	Oddmdf32.exe	91
PID 4236 wrote to memory of 4472	4236	Ogbipa32.exe	141
PID 4236 wrote to memory of 4472	4236	Ogbipa32.exe	141
PID 4236 wrote to memory of 4472	4236	Ogbipa32.exe	141
PID 4472 wrote to memory of 3416	4472	Pmoahijl.exe	92
PID 4472 wrote to memory of 3416	4472	Pmoahijl.exe	92
PID 4472 wrote to memory of 3416	4472	Pmoahijl.exe	92
PID 3416 wrote to memory of 2816	3416	Pcijeb32.exe	94
PID 3416 wrote to memory of 2816	3416	Pcijeb32.exe	94
PID 3416 wrote to memory of 2816	3416	Pcijeb32.exe	94
PID 2816 wrote to memory of 4888	2816	Pfhfan32.exe	93
PID 2816 wrote to memory of 4888	2816	Pfhfan32.exe	93
PID 2816 wrote to memory of 4888	2816	Pfhfan32.exe	93
PID 4888 wrote to memory of 1228	4888	Pmannhhj.exe	95
PID 4888 wrote to memory of 1228	4888	Pmannhhj.exe	95
PID 4888 wrote to memory of 1228	4888	Pmannhhj.exe	95
PID 1228 wrote to memory of 4684	1228	Pclgkb32.exe	139
PID 1228 wrote to memory of 4684	1228	Pclgkb32.exe	139
PID 1228 wrote to memory of 4684	1228	Pclgkb32.exe	139
PID 4684 wrote to memory of 660	4684	Pqpgdfnp.exe	96
PID 4684 wrote to memory of 660	4684	Pqpgdfnp.exe	96
PID 4684 wrote to memory of 660	4684	Pqpgdfnp.exe	96
PID 660 wrote to memory of 2664	660	Pcncpbmd.exe	97
PID 660 wrote to memory of 2664	660	Pcncpbmd.exe	97
PID 660 wrote to memory of 2664	660	Pcncpbmd.exe	97
PID 2664 wrote to memory of 968	2664	Pjhlml32.exe	98
PID 2664 wrote to memory of 968	2664	Pjhlml32.exe	98
PID 2664 wrote to memory of 968	2664	Pjhlml32.exe	98
PID 968 wrote to memory of 1152	968	Pmfhig32.exe	137
PID 968 wrote to memory of 1152	968	Pmfhig32.exe	137
PID 968 wrote to memory of 1152	968	Pmfhig32.exe	137
PID 1152 wrote to memory of 5104	1152	Pcppfaka.exe	136
PID 1152 wrote to memory of 5104	1152	Pcppfaka.exe	136
PID 1152 wrote to memory of 5104	1152	Pcppfaka.exe	136
PID 5104 wrote to memory of 5080	5104	Pqdqof32.exe	99
PID 5104 wrote to memory of 5080	5104	Pqdqof32.exe	99
PID 5104 wrote to memory of 5080	5104	Pqdqof32.exe	99
PID 5080 wrote to memory of 1424	5080	Pfaigm32.exe	134
PID 5080 wrote to memory of 1424	5080	Pfaigm32.exe	134
PID 5080 wrote to memory of 1424	5080	Pfaigm32.exe	134
PID 1424 wrote to memory of 3536	1424	Qmkadgpo.exe	133
PID 1424 wrote to memory of 3536	1424	Qmkadgpo.exe	133
PID 1424 wrote to memory of 3536	1424	Qmkadgpo.exe	133
PID 3536 wrote to memory of 4460	3536	Qdbiedpa.exe	100
PID 3536 wrote to memory of 4460	3536	Qdbiedpa.exe	100
PID 3536 wrote to memory of 4460	3536	Qdbiedpa.exe	100
PID 4460 wrote to memory of 3880	4460	Qjoankoi.exe	101
PID 4460 wrote to memory of 3880	4460	Qjoankoi.exe	101
PID 4460 wrote to memory of 3880	4460	Qjoankoi.exe	101
PID 3880 wrote to memory of 1544	3880	Qmmnjfnl.exe	132
PID 3880 wrote to memory of 1544	3880	Qmmnjfnl.exe	132
PID 3880 wrote to memory of 1544	3880	Qmmnjfnl.exe	132
PID 1544 wrote to memory of 4412	1544	Qcgffqei.exe	131

C:\Users\Admin\AppData\Local\Temp\f079f8e71e104eaa004d362fc163da69.exe
"C:\Users\Admin\AppData\Local\Temp\f079f8e71e104eaa004d362fc163da69.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\Ogpmjb32.exe
  C:\Windows\system32\Ogpmjb32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\SysWOW64\Onjegled.exe
    C:\Windows\system32\Onjegled.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\SysWOW64\Oddmdf32.exe
      C:\Windows\system32\Oddmdf32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4472

C:\Windows\SysWOW64\Pcijeb32.exe
C:\Windows\system32\Pcijeb32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\SysWOW64\Pfhfan32.exe
  C:\Windows\system32\Pfhfan32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2816

C:\Windows\SysWOW64\Pmannhhj.exe
C:\Windows\system32\Pmannhhj.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SysWOW64\Pclgkb32.exe
  C:\Windows\system32\Pclgkb32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\Pqpgdfnp.exe
    C:\Windows\system32\Pqpgdfnp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4684

C:\Windows\SysWOW64\Pcncpbmd.exe
C:\Windows\system32\Pcncpbmd.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\SysWOW64\Pjhlml32.exe
  C:\Windows\system32\Pjhlml32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\Pmfhig32.exe
    C:\Windows\system32\Pmfhig32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\SysWOW64\Pcppfaka.exe
      C:\Windows\system32\Pcppfaka.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1152
  - - C:\Windows\SysWOW64\Eepbabjj.exe
      C:\Windows\system32\Eepbabjj.exe
      4⤵
      Modifies registry class
      PID:7208
    - - C:\Windows\SysWOW64\Eljknl32.exe
        
        C:\Windows\system32\Eljknl32.exe
        5⤵
        
        PID:7244
      - C:\Windows\SysWOW64\Ejmkiiha.exe
        
        C:\Windows\system32\Ejmkiiha.exe
        6⤵
        
        PID:7368

C:\Windows\SysWOW64\Pfaigm32.exe
C:\Windows\system32\Pfaigm32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\Qmkadgpo.exe
  C:\Windows\system32\Qmkadgpo.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1424

C:\Windows\SysWOW64\Qjoankoi.exe
C:\Windows\system32\Qjoankoi.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\SysWOW64\Qmmnjfnl.exe
  C:\Windows\system32\Qmmnjfnl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\SysWOW64\Qcgffqei.exe
    C:\Windows\system32\Qcgffqei.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1544

C:\Windows\SysWOW64\Andqdh32.exe
C:\Windows\system32\Andqdh32.exe
1⤵
- Executes dropped EXE
PID:3220
- C:\Windows\SysWOW64\Acqimo32.exe
  C:\Windows\system32\Acqimo32.exe
  2⤵
  - Executes dropped EXE
  PID:4136

C:\Windows\SysWOW64\Aminee32.exe
C:\Windows\system32\Aminee32.exe
1⤵
- Executes dropped EXE
PID:5032
- C:\Windows\SysWOW64\Agoabn32.exe
  C:\Windows\system32\Agoabn32.exe
  2⤵
  - Executes dropped EXE
  PID:3308

C:\Windows\SysWOW64\Bebblb32.exe
C:\Windows\system32\Bebblb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1556
- C:\Windows\SysWOW64\Bnkgeg32.exe
  C:\Windows\system32\Bnkgeg32.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- - C:\Windows\SysWOW64\Bgcknmop.exe
    C:\Windows\system32\Bgcknmop.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID:1224
  - - C:\Windows\SysWOW64\Bjagjhnc.exe
      C:\Windows\system32\Bjagjhnc.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:4052
    - - C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        5⤵
        Executes dropped EXE
        
        PID:1428
      - C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        6⤵
        Executes dropped EXE
        
        PID:568
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        7⤵
        Executes dropped EXE
        
        PID:916
    - - C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        5⤵
        Modifies registry class
        
        PID:4088
      - C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        7⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        8⤵
        
        PID:3224

C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
1⤵
- Executes dropped EXE
PID:2576
- C:\Windows\SysWOW64\Bclhhnca.exe
  C:\Windows\system32\Bclhhnca.exe
  2⤵
  PID:808

C:\Windows\SysWOW64\Bfkedibe.exe
C:\Windows\system32\Bfkedibe.exe
1⤵
- Executes dropped EXE
PID:3332
- C:\Windows\SysWOW64\Bjfaeh32.exe
  C:\Windows\system32\Bjfaeh32.exe
  2⤵
  - Executes dropped EXE
  PID:2176

C:\Windows\SysWOW64\Bcoenmao.exe
C:\Windows\system32\Bcoenmao.exe
1⤵
- Executes dropped EXE
PID:1628
- C:\Windows\SysWOW64\Cfmajipb.exe
  C:\Windows\system32\Cfmajipb.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1592
- - C:\Windows\SysWOW64\Gilapgqb.exe
    C:\Windows\system32\Gilapgqb.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4976
  - - C:\Windows\SysWOW64\Gpfjma32.exe
      C:\Windows\system32\Gpfjma32.exe
      4⤵
      Executes dropped EXE
      PID:4304

C:\Windows\SysWOW64\Bmemac32.exe
C:\Windows\system32\Bmemac32.exe
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\system32\Bjddphlq.exe
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\SysWOW64\Bmkjkd32.exe
C:\Windows\system32\Bmkjkd32.exe
1⤵
- Executes dropped EXE
PID:3092

C:\Windows\SysWOW64\Bjmnoi32.exe
C:\Windows\system32\Bjmnoi32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3120

C:\Windows\SysWOW64\Afoeiklb.exe
C:\Windows\system32\Afoeiklb.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4080

C:\Windows\SysWOW64\Afmhck32.exe
C:\Windows\system32\Afmhck32.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\SysWOW64\Aeklkchg.exe
C:\Windows\system32\Aeklkchg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4984

C:\Windows\SysWOW64\Amddjegd.exe
C:\Windows\system32\Amddjegd.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\SysWOW64\Agglboim.exe
C:\Windows\system32\Agglboim.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4072

C:\Windows\SysWOW64\Aqncedbp.exe
C:\Windows\system32\Aqncedbp.exe
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWOW64\Afhohlbj.exe
C:\Windows\system32\Afhohlbj.exe
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\SysWOW64\Adgbpc32.exe
C:\Windows\system32\Adgbpc32.exe
1⤵
- Executes dropped EXE
PID:4240

C:\Windows\SysWOW64\Ampkof32.exe
C:\Windows\system32\Ampkof32.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\SysWOW64\Qgcbgo32.exe
C:\Windows\system32\Qgcbgo32.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\SysWOW64\Qdbiedpa.exe
C:\Windows\system32\Qdbiedpa.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\Pqdqof32.exe
C:\Windows\system32\Pqdqof32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
- Executes dropped EXE
PID:808

C:\Windows\SysWOW64\Gnjjfegi.exe
C:\Windows\system32\Gnjjfegi.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4616
- C:\Windows\SysWOW64\Gphgbafl.exe
  C:\Windows\system32\Gphgbafl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4224
- - C:\Windows\SysWOW64\Ggbook32.exe
    C:\Windows\system32\Ggbook32.exe
    3⤵
    - Executes dropped EXE
    PID:1896

C:\Windows\SysWOW64\Gdfoio32.exe
C:\Windows\system32\Gdfoio32.exe
1⤵
- Executes dropped EXE
PID:4508
- C:\Windows\SysWOW64\Hkpheidp.exe
  C:\Windows\system32\Hkpheidp.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- - C:\Windows\SysWOW64\Hajpbckl.exe
    C:\Windows\system32\Hajpbckl.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1980
  - - C:\Windows\SysWOW64\Hdilnojp.exe
      C:\Windows\system32\Hdilnojp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      PID:1832
    - - C:\Windows\SysWOW64\Hkbdki32.exe
        
        C:\Windows\system32\Hkbdki32.exe
        5⤵
        Executes dropped EXE
        
        PID:3884
      - C:\Windows\SysWOW64\Hnaqgd32.exe
        
        C:\Windows\system32\Hnaqgd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4964
        
        C:\Windows\SysWOW64\Hpomcp32.exe
        
        C:\Windows\system32\Hpomcp32.exe
        7⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Hkeaqi32.exe
        
        C:\Windows\system32\Hkeaqi32.exe
        8⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Haoimcgg.exe
        
        C:\Windows\system32\Haoimcgg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:412
        
        C:\Windows\SysWOW64\Hhiajmod.exe
        
        C:\Windows\system32\Hhiajmod.exe
        10⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Hjjnae32.exe
        
        C:\Windows\system32\Hjjnae32.exe
        11⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Hpdfnolo.exe
        
        C:\Windows\system32\Hpdfnolo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        12⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Heohinog.exe
        
        C:\Windows\system32\Heohinog.exe
        13⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Hhmdeink.exe
        
        C:\Windows\system32\Hhmdeink.exe
        14⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Hklpaeno.exe
        
        C:\Windows\system32\Hklpaeno.exe
        15⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        8⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        9⤵
        
        PID:2940

C:\Windows\SysWOW64\Hgnoki32.exe
C:\Windows\system32\Hgnoki32.exe
1⤵
PID:5256
- C:\Windows\SysWOW64\Hnhghcki.exe
  C:\Windows\system32\Hnhghcki.exe
  2⤵
  PID:5296
- - C:\Windows\SysWOW64\Idbodn32.exe
    C:\Windows\system32\Idbodn32.exe
    3⤵
    PID:5344
  - - C:\Windows\SysWOW64\Igqkqiai.exe
      C:\Windows\system32\Igqkqiai.exe
      4⤵
      Drops file in System32 directory
      PID:5384

C:\Windows\SysWOW64\Ijogmdqm.exe
C:\Windows\system32\Ijogmdqm.exe
1⤵
PID:5416
- C:\Windows\SysWOW64\Iqipio32.exe
  C:\Windows\system32\Iqipio32.exe
  2⤵
  PID:5464
- - C:\Windows\SysWOW64\Ihphkl32.exe
    C:\Windows\system32\Ihphkl32.exe
    3⤵
    PID:5504
  - - C:\Windows\SysWOW64\Ikndgg32.exe
      C:\Windows\system32\Ikndgg32.exe
      4⤵
      PID:5552
    - - C:\Windows\SysWOW64\Ihbdplfi.exe
        
        C:\Windows\system32\Ihbdplfi.exe
        5⤵
        
        PID:5600
      - C:\Windows\SysWOW64\Ijcahd32.exe
        
        C:\Windows\system32\Ijcahd32.exe
        6⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Iakiia32.exe
        
        C:\Windows\system32\Iakiia32.exe
        7⤵
        
        PID:5680
- C:\Windows\SysWOW64\Admkgifd.exe
  C:\Windows\system32\Admkgifd.exe
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\Acpkbf32.exe
    C:\Windows\system32\Acpkbf32.exe
    3⤵
    PID:7588
  - - C:\Windows\SysWOW64\Akgcdc32.exe
      C:\Windows\system32\Akgcdc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:1628
    - - C:\Windows\SysWOW64\Alhpkldp.exe
        
        C:\Windows\system32\Alhpkldp.exe
        5⤵
        Drops file in System32 directory
        
        PID:2912
  - - C:\Windows\SysWOW64\Cfaddg32.exe
      C:\Windows\system32\Cfaddg32.exe
      4⤵
      Modifies registry class
      PID:1824
    - - C:\Windows\SysWOW64\Cipppc32.exe
        
        C:\Windows\system32\Cipppc32.exe
        5⤵
        
        PID:6816

C:\Windows\SysWOW64\Idieem32.exe
C:\Windows\system32\Idieem32.exe
1⤵
PID:5720
- C:\Windows\SysWOW64\Ikcmbfcj.exe
  C:\Windows\system32\Ikcmbfcj.exe
  2⤵
  PID:5760
- - C:\Windows\SysWOW64\Iqpfjnba.exe
    C:\Windows\system32\Iqpfjnba.exe
    3⤵
    PID:5800
  - - C:\Windows\SysWOW64\Ibobdqid.exe
      C:\Windows\system32\Ibobdqid.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:5844
    - - C:\Windows\SysWOW64\Jkhgmf32.exe
        
        C:\Windows\system32\Jkhgmf32.exe
        5⤵
        
        PID:5884
      - C:\Windows\SysWOW64\Jbaojpgb.exe
        
        C:\Windows\system32\Jbaojpgb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Jdpkflfe.exe
        
        C:\Windows\system32\Jdpkflfe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Jgogbgei.exe
        
        C:\Windows\system32\Jgogbgei.exe
        8⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Dbndfl32.exe
        
        C:\Windows\system32\Dbndfl32.exe
        9⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Fbajbi32.exe
        
        C:\Windows\system32\Fbajbi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Fpejlmcf.exe
        
        C:\Windows\system32\Fpejlmcf.exe
        11⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\Fimodc32.exe
        
        C:\Windows\system32\Fimodc32.exe
        12⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Fpggamqc.exe
        
        C:\Windows\system32\Fpggamqc.exe
        13⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Fjmkoeqi.exe
        
        C:\Windows\system32\Fjmkoeqi.exe
        14⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Fdepgkgj.exe
        
        C:\Windows\system32\Fdepgkgj.exe
        15⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Jlobkg32.exe
        
        C:\Windows\system32\Jlobkg32.exe
        16⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Jcikgacl.exe
        
        C:\Windows\system32\Jcikgacl.exe
        17⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Kjccdkki.exe
        
        C:\Windows\system32\Kjccdkki.exe
        18⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Kmaopfjm.exe
        
        C:\Windows\system32\Kmaopfjm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Kggcnoic.exe
        
        C:\Windows\system32\Kggcnoic.exe
        20⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Kglmio32.exe
        
        C:\Windows\system32\Kglmio32.exe
        21⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Knfeeimj.exe
        
        C:\Windows\system32\Knfeeimj.exe
        22⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Kdpmbc32.exe
        
        C:\Windows\system32\Kdpmbc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3752
        
        C:\Windows\SysWOW64\Kkjeomld.exe
        
        C:\Windows\system32\Kkjeomld.exe
        24⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Kmkbfeab.exe
        
        C:\Windows\system32\Kmkbfeab.exe
        25⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Kdbjhbbd.exe
        
        C:\Windows\system32\Kdbjhbbd.exe
        26⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\Lklbdm32.exe
        
        C:\Windows\system32\Lklbdm32.exe
        27⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Lnjnqh32.exe
        
        C:\Windows\system32\Lnjnqh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Lqikmc32.exe
        
        C:\Windows\system32\Lqikmc32.exe
        29⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Lknojl32.exe
        
        C:\Windows\system32\Lknojl32.exe
        30⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Lqkgbcff.exe
        
        C:\Windows\system32\Lqkgbcff.exe
        31⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Lgepom32.exe
        
        C:\Windows\system32\Lgepom32.exe
        32⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Lqndhcdc.exe
        
        C:\Windows\system32\Lqndhcdc.exe
        33⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Ljfhqh32.exe
        
        C:\Windows\system32\Ljfhqh32.exe
        34⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Lcnmin32.exe
        
        C:\Windows\system32\Lcnmin32.exe
        35⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Lndagg32.exe
        
        C:\Windows\system32\Lndagg32.exe
        36⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Lqbncb32.exe
        
        C:\Windows\system32\Lqbncb32.exe
        37⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Mkhapk32.exe
        
        C:\Windows\system32\Mkhapk32.exe
        38⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Mnfnlf32.exe
        
        C:\Windows\system32\Mnfnlf32.exe
        39⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Mccfdmmo.exe
        
        C:\Windows\system32\Mccfdmmo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Mmkkmc32.exe
        
        C:\Windows\system32\Mmkkmc32.exe
        41⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Mebcop32.exe
        
        C:\Windows\system32\Mebcop32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Mjokgg32.exe
        
        C:\Windows\system32\Mjokgg32.exe
        43⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        44⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        45⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        46⤵
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        47⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        48⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        49⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        50⤵
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        51⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        52⤵
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        53⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        54⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        55⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        56⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        57⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        58⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        59⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        60⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        61⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        62⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        63⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        64⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        65⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        66⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Fcepbooa.exe
        
        C:\Windows\system32\Fcepbooa.exe
        63⤵
        Modifies registry class
        
        PID:8380
        
        C:\Windows\SysWOW64\Bjcfeola.exe
        
        C:\Windows\system32\Bjcfeola.exe
        56⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\Blabakle.exe
        
        C:\Windows\system32\Blabakle.exe
        57⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Bdhkchlg.exe
        
        C:\Windows\system32\Bdhkchlg.exe
        58⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Bkbcpb32.exe
        
        C:\Windows\system32\Bkbcpb32.exe
        59⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Bnaolm32.exe
        
        C:\Windows\system32\Bnaolm32.exe
        60⤵
        Modifies registry class
        
        PID:8552
        
        C:\Windows\SysWOW64\Eenflbll.exe
        
        C:\Windows\system32\Eenflbll.exe
        50⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Eglbhnkp.exe
        
        C:\Windows\system32\Eglbhnkp.exe
        51⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Gonilenb.exe
        
        C:\Windows\system32\Gonilenb.exe
        41⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Galfhpmf.exe
        
        C:\Windows\system32\Galfhpmf.exe
        42⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\Gdkbdllj.exe
        
        C:\Windows\system32\Gdkbdllj.exe
        43⤵
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Glajeiml.exe
        
        C:\Windows\system32\Glajeiml.exe
        44⤵
        
        PID:8640
  - - C:\Windows\SysWOW64\Kadpdp32.exe
      C:\Windows\system32\Kadpdp32.exe
      4⤵
      PID:5888
    - - C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        5⤵
        
        PID:5224
      - C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        6⤵
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        7⤵
        Modifies registry class
        
        PID:7304
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        8⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724

C:\Windows\SysWOW64\Gnlgleef.exe
C:\Windows\system32\Gnlgleef.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\SysWOW64\Ghmbno32.exe
C:\Windows\system32\Ghmbno32.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\SysWOW64\Ogcnmc32.exe
C:\Windows\system32\Ogcnmc32.exe
1⤵
- Modifies registry class
PID:3324
- C:\Windows\SysWOW64\Ojajin32.exe
  C:\Windows\system32\Ojajin32.exe
  2⤵
  PID:4092
- - C:\Windows\SysWOW64\Ompfej32.exe
    C:\Windows\system32\Ompfej32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID:4900

C:\Windows\SysWOW64\Ocjoadei.exe
C:\Windows\system32\Ocjoadei.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1176
- C:\Windows\SysWOW64\Ofhknodl.exe
  C:\Windows\system32\Ofhknodl.exe
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\Onocomdo.exe
    C:\Windows\system32\Onocomdo.exe
    3⤵
    - Modifies registry class
    PID:1092
  - - C:\Windows\SysWOW64\Oclkgccf.exe
      C:\Windows\system32\Oclkgccf.exe
      4⤵
      PID:5100

C:\Windows\SysWOW64\Ofkgcobj.exe
C:\Windows\system32\Ofkgcobj.exe
1⤵
PID:4736
- C:\Windows\SysWOW64\Omdppiif.exe
  C:\Windows\system32\Omdppiif.exe
  2⤵
  PID:3632
- - C:\Windows\SysWOW64\Ocohmc32.exe
    C:\Windows\system32\Ocohmc32.exe
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\Ocaebc32.exe
      C:\Windows\system32\Ocaebc32.exe
      4⤵
      PID:4412
    - - C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        5⤵
        
        PID:4548

C:\Windows\SysWOW64\Pmiikh32.exe
C:\Windows\system32\Pmiikh32.exe
1⤵
PID:5056
- C:\Windows\SysWOW64\Ppgegd32.exe
  C:\Windows\system32\Ppgegd32.exe
  2⤵
  PID:2240

C:\Windows\SysWOW64\Pjmjdm32.exe
C:\Windows\system32\Pjmjdm32.exe
1⤵
PID:1484
- C:\Windows\SysWOW64\Pmlfqh32.exe
  C:\Windows\system32\Pmlfqh32.exe
  2⤵
  - Modifies registry class
  PID:2576
- - C:\Windows\SysWOW64\Ppjbmc32.exe
    C:\Windows\system32\Ppjbmc32.exe
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\Pnplfj32.exe
      C:\Windows\system32\Pnplfj32.exe
      4⤵
      PID:2740

C:\Windows\SysWOW64\Pdmdnadc.exe
C:\Windows\system32\Pdmdnadc.exe
1⤵
PID:3284
- C:\Windows\SysWOW64\Qobhkjdi.exe
  C:\Windows\system32\Qobhkjdi.exe
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\Qaqegecm.exe
    C:\Windows\system32\Qaqegecm.exe
    3⤵
    PID:4360
  - - C:\Windows\SysWOW64\Qfmmplad.exe
      C:\Windows\system32\Qfmmplad.exe
      4⤵
      PID:4720
    - - C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        5⤵
        
        PID:3836
      - C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        6⤵
        
        PID:4584
    - - C:\Windows\SysWOW64\Ikpjmd32.exe
        
        C:\Windows\system32\Ikpjmd32.exe
        5⤵
        
        PID:8652
      - C:\Windows\SysWOW64\Imofip32.exe
        
        C:\Windows\system32\Imofip32.exe
        6⤵
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Iefnjm32.exe
        
        C:\Windows\system32\Iefnjm32.exe
        7⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Ionbcb32.exe
        
        C:\Windows\system32\Ionbcb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8544
        
        C:\Windows\SysWOW64\Nmmqgo32.exe
        
        C:\Windows\system32\Nmmqgo32.exe
        9⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\Nehekq32.exe
        
        C:\Windows\system32\Nehekq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8416

C:\Windows\SysWOW64\Aogbfi32.exe
C:\Windows\system32\Aogbfi32.exe
1⤵
PID:2692
- C:\Windows\SysWOW64\Aaenbd32.exe
  C:\Windows\system32\Aaenbd32.exe
  2⤵
  PID:6184
- - C:\Windows\SysWOW64\Afbgkl32.exe
    C:\Windows\system32\Afbgkl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID:6224
  - - C:\Windows\SysWOW64\Aagkhd32.exe
      C:\Windows\system32\Aagkhd32.exe
      4⤵
      Drops file in System32 directory
      PID:6268
    - - C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        5⤵
        Drops file in System32 directory
        
        PID:6312
      - C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        6⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        7⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        8⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        9⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        10⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        11⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        12⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        13⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        14⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        15⤵
        Drops file in System32 directory
        
        PID:6812
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        16⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        17⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        18⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        19⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        20⤵
        Drops file in System32 directory
        
        PID:7036
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        21⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Ofjokc32.exe
        
        C:\Windows\system32\Ofjokc32.exe
        16⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Oemofpel.exe
        
        C:\Windows\system32\Oemofpel.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:9208

C:\Windows\SysWOW64\Cdkifmjq.exe
C:\Windows\system32\Cdkifmjq.exe
1⤵
- Modifies registry class
PID:7124
- C:\Windows\SysWOW64\Cgifbhid.exe
  C:\Windows\system32\Cgifbhid.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:7164

C:\Windows\SysWOW64\Coqncejg.exe
C:\Windows\system32\Coqncejg.exe
1⤵
PID:6172
- C:\Windows\SysWOW64\Cpbjkn32.exe
  C:\Windows\system32\Cpbjkn32.exe
  2⤵
  PID:6264
- - C:\Windows\SysWOW64\Chiblk32.exe
    C:\Windows\system32\Chiblk32.exe
    3⤵
    PID:6328
  - - C:\Windows\SysWOW64\Ckgohf32.exe
      C:\Windows\system32\Ckgohf32.exe
      4⤵
      PID:6396
    - - C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        5⤵
        
        PID:6476

C:\Windows\SysWOW64\Cpdgqmnb.exe
C:\Windows\system32\Cpdgqmnb.exe
1⤵
PID:6564
- C:\Windows\SysWOW64\Chkobkod.exe
  C:\Windows\system32\Chkobkod.exe
  2⤵
  PID:6660
- - C:\Windows\SysWOW64\Coegoe32.exe
    C:\Windows\system32\Coegoe32.exe
    3⤵
    PID:6568
  - - C:\Windows\SysWOW64\Cacckp32.exe
      C:\Windows\system32\Cacckp32.exe
      4⤵
      PID:6772
- - C:\Windows\SysWOW64\Endnohdp.exe
    C:\Windows\system32\Endnohdp.exe
    3⤵
    PID:6844
  - - C:\Windows\SysWOW64\Eabjkdcc.exe
      C:\Windows\system32\Eabjkdcc.exe
      4⤵
      Drops file in System32 directory
      PID:2452

C:\Windows\SysWOW64\Chnlgjlb.exe
C:\Windows\system32\Chnlgjlb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6844
- C:\Windows\SysWOW64\Cnjdpaki.exe
  C:\Windows\system32\Cnjdpaki.exe
  2⤵
  PID:6912

C:\Windows\SysWOW64\Dgcihgaj.exe
C:\Windows\system32\Dgcihgaj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6980
- C:\Windows\SysWOW64\Dojqjdbl.exe
  C:\Windows\system32\Dojqjdbl.exe
  2⤵
  PID:7028

C:\Windows\SysWOW64\Dahmfpap.exe
C:\Windows\system32\Dahmfpap.exe
1⤵
PID:7116
- C:\Windows\SysWOW64\Ddgibkpc.exe
  C:\Windows\system32\Ddgibkpc.exe
  2⤵
  PID:3296
- - C:\Windows\SysWOW64\Dgeenfog.exe
    C:\Windows\system32\Dgeenfog.exe
    3⤵
    PID:6252
  - - C:\Windows\SysWOW64\Dqnjgl32.exe
      C:\Windows\system32\Dqnjgl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:6348
    - - C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        5⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6512
      - C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        6⤵
        
        PID:6636

C:\Windows\SysWOW64\Damfao32.exe
C:\Windows\system32\Damfao32.exe
1⤵
PID:6788
- C:\Windows\SysWOW64\Dhgonidg.exe
  C:\Windows\system32\Dhgonidg.exe
  2⤵
  PID:6904

C:\Windows\SysWOW64\Dndgfpbo.exe
C:\Windows\system32\Dndgfpbo.exe
1⤵
PID:7004
- C:\Windows\SysWOW64\Dqbcbkab.exe
  C:\Windows\system32\Dqbcbkab.exe
  2⤵
  PID:7108
- - C:\Windows\SysWOW64\Enfckp32.exe
    C:\Windows\system32\Enfckp32.exe
    3⤵
    PID:6800
  - - C:\Windows\SysWOW64\Ebaplnie.exe
      C:\Windows\system32\Ebaplnie.exe
      4⤵
      PID:6208

C:\Windows\SysWOW64\Edplhjhi.exe
C:\Windows\system32\Edplhjhi.exe
1⤵
PID:6504
- C:\Windows\SysWOW64\Ebdlangb.exe
  C:\Windows\system32\Ebdlangb.exe
  2⤵
  PID:6756
- - C:\Windows\SysWOW64\Ehndnh32.exe
    C:\Windows\system32\Ehndnh32.exe
    3⤵
    PID:6932
  - - C:\Windows\SysWOW64\Eklajcmc.exe
      C:\Windows\system32\Eklajcmc.exe
      4⤵
      PID:6808
    - - C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6280

C:\Windows\SysWOW64\Ekonpckp.exe
C:\Windows\system32\Ekonpckp.exe
1⤵
PID:6552
- C:\Windows\SysWOW64\Eqlfhjig.exe
  C:\Windows\system32\Eqlfhjig.exe
  2⤵
  - Modifies registry class
  PID:6884

C:\Windows\SysWOW64\Ekajec32.exe
C:\Windows\system32\Ekajec32.exe
1⤵
PID:6616
- C:\Windows\SysWOW64\Eomffaag.exe
  C:\Windows\system32\Eomffaag.exe
  2⤵
  PID:7144
- - C:\Windows\SysWOW64\Eqncnj32.exe
    C:\Windows\system32\Eqncnj32.exe
    3⤵
    PID:6468
  - - C:\Windows\SysWOW64\Eiekog32.exe
      C:\Windows\system32\Eiekog32.exe
      4⤵
      PID:7188

C:\Windows\SysWOW64\Eghkjdoa.exe
C:\Windows\system32\Eghkjdoa.exe
1⤵
PID:7232
- C:\Windows\SysWOW64\Fooclapd.exe
  C:\Windows\system32\Fooclapd.exe
  2⤵
  PID:7268
- - C:\Windows\SysWOW64\Fbmohmoh.exe
    C:\Windows\system32\Fbmohmoh.exe
    3⤵
    PID:7312

C:\Windows\SysWOW64\Figgdg32.exe
C:\Windows\system32\Figgdg32.exe
1⤵
- Modifies registry class
PID:7356
- C:\Windows\SysWOW64\Fgjhpcmo.exe
  C:\Windows\system32\Fgjhpcmo.exe
  2⤵
  - Drops file in System32 directory
  PID:7392
- - C:\Windows\SysWOW64\Pbmffi32.exe
    C:\Windows\system32\Pbmffi32.exe
    3⤵
    - Drops file in System32 directory
    PID:7512
  - - C:\Windows\SysWOW64\Pkdngf32.exe
      C:\Windows\system32\Pkdngf32.exe
      4⤵
      PID:4324
    - - C:\Windows\SysWOW64\Pmbjcb32.exe
        
        C:\Windows\system32\Pmbjcb32.exe
        5⤵
        
        PID:4240
      - C:\Windows\SysWOW64\Ppafpm32.exe
        
        C:\Windows\system32\Ppafpm32.exe
        6⤵
        
        PID:7736

C:\Windows\SysWOW64\Foapaa32.exe
C:\Windows\system32\Foapaa32.exe
1⤵
PID:7432
- C:\Windows\SysWOW64\Fbplml32.exe
  C:\Windows\system32\Fbplml32.exe
  2⤵
  PID:7476

C:\Windows\SysWOW64\Fdnhih32.exe
C:\Windows\system32\Fdnhih32.exe
1⤵
PID:7520
- C:\Windows\SysWOW64\Fgmdec32.exe
  C:\Windows\system32\Fgmdec32.exe
  2⤵
  PID:7556
- - C:\Windows\SysWOW64\Foclgq32.exe
    C:\Windows\system32\Foclgq32.exe
    3⤵
    PID:7600

C:\Windows\SysWOW64\Fbbicl32.exe
C:\Windows\system32\Fbbicl32.exe
1⤵
PID:7648
- C:\Windows\SysWOW64\Feqeog32.exe
  C:\Windows\system32\Feqeog32.exe
  2⤵
  PID:7692
- - C:\Windows\SysWOW64\Fofilp32.exe
    C:\Windows\system32\Fofilp32.exe
    3⤵
    - Drops file in System32 directory
    PID:7736
  - - C:\Windows\SysWOW64\Fbdehlip.exe
      C:\Windows\system32\Fbdehlip.exe
      4⤵
      PID:7776
  - - C:\Windows\SysWOW64\Pboblika.exe
      C:\Windows\system32\Pboblika.exe
      4⤵
      Modifies registry class
      PID:7936
    - - C:\Windows\SysWOW64\Pkfjmfld.exe
        
        C:\Windows\system32\Pkfjmfld.exe
        5⤵
        
        PID:7924

C:\Windows\SysWOW64\Fecadghc.exe
C:\Windows\system32\Fecadghc.exe
1⤵
PID:7820
- C:\Windows\SysWOW64\Fkmjaa32.exe
  C:\Windows\system32\Fkmjaa32.exe
  2⤵
  - Drops file in System32 directory
  PID:7872
- - C:\Windows\SysWOW64\Fnkfmm32.exe
    C:\Windows\system32\Fnkfmm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:7924
  - - C:\Windows\SysWOW64\Pmefiakh.exe
      C:\Windows\system32\Pmefiakh.exe
      4⤵
      PID:5852
    - - C:\Windows\SysWOW64\Plhgdn32.exe
        
        C:\Windows\system32\Plhgdn32.exe
        5⤵
        
        PID:2524

C:\Windows\SysWOW64\Fajbjh32.exe
C:\Windows\system32\Fajbjh32.exe
1⤵
PID:7976
- C:\Windows\SysWOW64\Fiqjke32.exe
  C:\Windows\system32\Fiqjke32.exe
  2⤵
  PID:8044

C:\Windows\SysWOW64\Fkofga32.exe
C:\Windows\system32\Fkofga32.exe
1⤵
PID:8088
- C:\Windows\SysWOW64\Gbiockdj.exe
  C:\Windows\system32\Gbiockdj.exe
  2⤵
  PID:8148
- - C:\Windows\SysWOW64\Gegkpf32.exe
    C:\Windows\system32\Gegkpf32.exe
    3⤵
    PID:6516

C:\Windows\SysWOW64\Gpmomo32.exe
C:\Windows\system32\Gpmomo32.exe
1⤵
PID:7320
- C:\Windows\SysWOW64\Gbkkik32.exe
  C:\Windows\system32\Gbkkik32.exe
  2⤵
  PID:7412
- - C:\Windows\SysWOW64\Gejhef32.exe
    C:\Windows\system32\Gejhef32.exe
    3⤵
    PID:7508
  - - C:\Windows\SysWOW64\Gghdaa32.exe
      C:\Windows\system32\Gghdaa32.exe
      4⤵
      PID:7572

C:\Windows\SysWOW64\Gpolbo32.exe
C:\Windows\system32\Gpolbo32.exe
1⤵
PID:7636
- C:\Windows\SysWOW64\Gbnhoj32.exe
  C:\Windows\system32\Gbnhoj32.exe
  2⤵
  PID:7716

C:\Windows\SysWOW64\Glfmgp32.exe
C:\Windows\system32\Glfmgp32.exe
1⤵
PID:7772
- C:\Windows\SysWOW64\Gacepg32.exe
  C:\Windows\system32\Gacepg32.exe
  2⤵
  PID:7904

C:\Windows\SysWOW64\Ggmmlamj.exe
C:\Windows\system32\Ggmmlamj.exe
1⤵
PID:7960
- C:\Windows\SysWOW64\Glhimp32.exe
  C:\Windows\system32\Glhimp32.exe
  2⤵
  PID:8072

C:\Windows\SysWOW64\Gngeik32.exe
C:\Windows\system32\Gngeik32.exe
1⤵
PID:8160
- C:\Windows\SysWOW64\Gaebef32.exe
  C:\Windows\system32\Gaebef32.exe
  2⤵
  PID:7240
- C:\Windows\SysWOW64\Gdheol32.exe
  C:\Windows\system32\Gdheol32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:560
- - C:\Windows\SysWOW64\Glompi32.exe
    C:\Windows\system32\Glompi32.exe
    3⤵
    - Modifies registry class
    PID:2028

C:\Windows\SysWOW64\Geanfelc.exe
C:\Windows\system32\Geanfelc.exe
1⤵
PID:7384
- C:\Windows\SysWOW64\Ghojbq32.exe
  C:\Windows\system32\Ghojbq32.exe
  2⤵
  - Modifies registry class
  PID:7472

C:\Windows\SysWOW64\Hpfbcn32.exe
C:\Windows\system32\Hpfbcn32.exe
1⤵
PID:7544
- C:\Windows\SysWOW64\Hahokfag.exe
  C:\Windows\system32\Hahokfag.exe
  2⤵
  PID:7656
- - C:\Windows\SysWOW64\Pcfhlh32.exe
    C:\Windows\system32\Pcfhlh32.exe
    3⤵
    PID:7888
  - - C:\Windows\SysWOW64\Qkmqne32.exe
      C:\Windows\system32\Qkmqne32.exe
      4⤵
      PID:5744
    - - C:\Windows\SysWOW64\Qmlmjq32.exe
        
        C:\Windows\system32\Qmlmjq32.exe
        5⤵
        
        PID:8852

C:\Windows\SysWOW64\Hioflcbj.exe
C:\Windows\system32\Hioflcbj.exe
1⤵
- Drops file in System32 directory
PID:7744
- C:\Windows\SysWOW64\Hbgkei32.exe
  C:\Windows\system32\Hbgkei32.exe
  2⤵
  PID:7888

C:\Windows\SysWOW64\Ieccbbkn.exe
C:\Windows\system32\Ieccbbkn.exe
1⤵
PID:7228
- C:\Windows\SysWOW64\Jbojlfdp.exe
  C:\Windows\system32\Jbojlfdp.exe
  2⤵
  PID:7488
- - C:\Windows\SysWOW64\Joekag32.exe
    C:\Windows\system32\Joekag32.exe
    3⤵
    PID:5076

C:\Windows\SysWOW64\Jlikkkhn.exe
C:\Windows\system32\Jlikkkhn.exe
1⤵
PID:7592
- C:\Windows\SysWOW64\Jafdcbge.exe
  C:\Windows\system32\Jafdcbge.exe
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\Jhplpl32.exe
    C:\Windows\system32\Jhplpl32.exe
    3⤵
    - Drops file in System32 directory
    PID:4108
- - C:\Windows\SysWOW64\Adohmidb.exe
    C:\Windows\system32\Adohmidb.exe
    3⤵
    PID:2904
  - - C:\Windows\SysWOW64\Agndidce.exe
      C:\Windows\system32\Agndidce.exe
      4⤵
      PID:5764
- C:\Windows\SysWOW64\Ccnnmmbp.exe
  C:\Windows\system32\Ccnnmmbp.exe
  2⤵
  - Modifies registry class
  PID:1208
- - C:\Windows\SysWOW64\Cgijnk32.exe
    C:\Windows\system32\Cgijnk32.exe
    3⤵
    PID:2036

C:\Windows\SysWOW64\Kefiopki.exe
C:\Windows\system32\Kefiopki.exe
1⤵
PID:5856
- C:\Windows\SysWOW64\Kibeoo32.exe
  C:\Windows\system32\Kibeoo32.exe
  2⤵
  PID:1208

C:\Windows\SysWOW64\Klpakj32.exe
C:\Windows\system32\Klpakj32.exe
1⤵
- Drops file in System32 directory
PID:5464
- C:\Windows\SysWOW64\Kplmliko.exe
  C:\Windows\system32\Kplmliko.exe
  2⤵
  PID:5604

C:\Windows\SysWOW64\Kcjjhdjb.exe
C:\Windows\system32\Kcjjhdjb.exe
1⤵
PID:5640
- C:\Windows\SysWOW64\Keifdpif.exe
  C:\Windows\system32\Keifdpif.exe
  2⤵
  PID:5088
- - C:\Windows\SysWOW64\Khgbqkhj.exe
    C:\Windows\system32\Khgbqkhj.exe
    3⤵
    PID:7732

C:\Windows\SysWOW64\Klbnajqc.exe
C:\Windows\system32\Klbnajqc.exe
1⤵
PID:5848
- C:\Windows\SysWOW64\Koajmepf.exe
  C:\Windows\system32\Koajmepf.exe
  2⤵
  PID:5616

C:\Windows\SysWOW64\Kekbjo32.exe
C:\Windows\system32\Kekbjo32.exe
1⤵
PID:5736
- C:\Windows\SysWOW64\Khiofk32.exe
  C:\Windows\system32\Khiofk32.exe
  2⤵
  - Drops file in System32 directory
  PID:4212
- - C:\Windows\SysWOW64\Kocgbend.exe
    C:\Windows\system32\Kocgbend.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:5188
  - - C:\Windows\SysWOW64\Kcoccc32.exe
      C:\Windows\system32\Kcoccc32.exe
      4⤵
      PID:7916
- C:\Windows\SysWOW64\Bgbmdd32.exe
  C:\Windows\system32\Bgbmdd32.exe
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\Bnlfqngm.exe
    C:\Windows\system32\Bnlfqngm.exe
    3⤵
    PID:5800
  - - C:\Windows\SysWOW64\Bdfnmhnj.exe
      C:\Windows\system32\Bdfnmhnj.exe
      4⤵
      PID:6372
    - - C:\Windows\SysWOW64\Bgdjicmn.exe
        
        C:\Windows\system32\Bgdjicmn.exe
        5⤵
        
        PID:4588

C:\Windows\SysWOW64\Kemooo32.exe
C:\Windows\system32\Kemooo32.exe
1⤵
PID:5468
- C:\Windows\SysWOW64\Khlklj32.exe
  C:\Windows\system32\Khlklj32.exe
  2⤵
  - Modifies registry class
  PID:5356

C:\Windows\SysWOW64\Kpccmhdg.exe
C:\Windows\system32\Kpccmhdg.exe
1⤵
PID:7564
- C:\Windows\SysWOW64\Kcapicdj.exe
  C:\Windows\system32\Kcapicdj.exe
  2⤵
  PID:5800

C:\Windows\SysWOW64\Lindkm32.exe
C:\Windows\system32\Lindkm32.exe
1⤵
- Drops file in System32 directory
PID:1740
- C:\Windows\SysWOW64\Lllagh32.exe
  C:\Windows\system32\Lllagh32.exe
  2⤵
  PID:4932

C:\Windows\SysWOW64\Ledepn32.exe
C:\Windows\system32\Ledepn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5984
- C:\Windows\SysWOW64\Llnnmhfe.exe
  C:\Windows\system32\Llnnmhfe.exe
  2⤵
  - Drops file in System32 directory
  PID:5552
- - C:\Windows\SysWOW64\Lpjjmg32.exe
    C:\Windows\system32\Lpjjmg32.exe
    3⤵
    PID:5804

C:\Windows\SysWOW64\Lhenai32.exe
C:\Windows\system32\Lhenai32.exe
1⤵
PID:5964
- C:\Windows\SysWOW64\Lplfcf32.exe
  C:\Windows\system32\Lplfcf32.exe
  2⤵
  PID:5236
- - C:\Windows\SysWOW64\Lckboblp.exe
    C:\Windows\system32\Lckboblp.exe
    3⤵
    PID:7324

C:\Windows\SysWOW64\Lfiokmkc.exe
C:\Windows\system32\Lfiokmkc.exe
1⤵
PID:5132
- C:\Windows\SysWOW64\Llcghg32.exe
  C:\Windows\system32\Llcghg32.exe
  2⤵
  PID:7252
- - C:\Windows\SysWOW64\Loacdc32.exe
    C:\Windows\system32\Loacdc32.exe
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\Mfkkqmiq.exe
      C:\Windows\system32\Mfkkqmiq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:5312
    - - C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        5⤵
        
        PID:1944

C:\Windows\SysWOW64\Modpib32.exe
C:\Windows\system32\Modpib32.exe
1⤵
PID:8200
- C:\Windows\SysWOW64\Mablfnne.exe
  C:\Windows\system32\Mablfnne.exe
  2⤵
  PID:8244
- - C:\Windows\SysWOW64\Mjidgkog.exe
    C:\Windows\system32\Mjidgkog.exe
    3⤵
    PID:8288

C:\Windows\SysWOW64\Mlhqcgnk.exe
C:\Windows\system32\Mlhqcgnk.exe
1⤵
PID:8332
- C:\Windows\SysWOW64\Mofmobmo.exe
  C:\Windows\system32\Mofmobmo.exe
  2⤵
  PID:8372
- - C:\Windows\SysWOW64\Mbdiknlb.exe
    C:\Windows\system32\Mbdiknlb.exe
    3⤵
    PID:8408

C:\Windows\SysWOW64\Mjlalkmd.exe
C:\Windows\system32\Mjlalkmd.exe
1⤵
PID:8456
- C:\Windows\SysWOW64\Mljmhflh.exe
  C:\Windows\system32\Mljmhflh.exe
  2⤵
  PID:8500

C:\Windows\SysWOW64\Mlljnf32.exe
C:\Windows\system32\Mlljnf32.exe
1⤵
PID:8532
- C:\Windows\SysWOW64\Mokfja32.exe
  C:\Windows\system32\Mokfja32.exe
  2⤵
  PID:8572
- - C:\Windows\SysWOW64\Mbibfm32.exe
    C:\Windows\system32\Mbibfm32.exe
    3⤵
    - Drops file in System32 directory
    PID:8624

C:\Windows\SysWOW64\Mjpjgj32.exe
C:\Windows\system32\Mjpjgj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:8672
- C:\Windows\SysWOW64\Mlofcf32.exe
  C:\Windows\system32\Mlofcf32.exe
  2⤵
  PID:8712

C:\Windows\SysWOW64\Nblolm32.exe
C:\Windows\system32\Nblolm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:8792
- C:\Windows\SysWOW64\Njbgmjgl.exe
  C:\Windows\system32\Njbgmjgl.exe
  2⤵
  PID:8828
- - C:\Windows\SysWOW64\Nhegig32.exe
    C:\Windows\system32\Nhegig32.exe
    3⤵
    PID:8872

C:\Windows\SysWOW64\Nqmojd32.exe
C:\Windows\system32\Nqmojd32.exe
1⤵
PID:8912
- C:\Windows\SysWOW64\Nckkfp32.exe
  C:\Windows\system32\Nckkfp32.exe
  2⤵
  PID:8948

C:\Windows\SysWOW64\Nbnlaldg.exe
C:\Windows\system32\Nbnlaldg.exe
1⤵
PID:8992
- C:\Windows\SysWOW64\Njedbjej.exe
  C:\Windows\system32\Njedbjej.exe
  2⤵
  PID:9032
- - C:\Windows\SysWOW64\Nqoloc32.exe
    C:\Windows\system32\Nqoloc32.exe
    3⤵
    PID:9076
  - - C:\Windows\SysWOW64\Nfldgk32.exe
      C:\Windows\system32\Nfldgk32.exe
      4⤵
      PID:9116
    - - C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        5⤵
        
        PID:9160
    - - C:\Windows\SysWOW64\Nifnao32.exe
        
        C:\Windows\system32\Nifnao32.exe
        5⤵
        
        PID:6216
      - C:\Windows\SysWOW64\Nmajbnha.exe
        
        C:\Windows\system32\Nmajbnha.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8404
        
        C:\Windows\SysWOW64\Nppfnige.exe
        
        C:\Windows\system32\Nppfnige.exe
        7⤵
        
        PID:5828

C:\Windows\SysWOW64\Momcpa32.exe
C:\Windows\system32\Momcpa32.exe
1⤵
PID:8752

C:\Windows\SysWOW64\Ocdnln32.exe
C:\Windows\system32\Ocdnln32.exe
1⤵
PID:9200
- C:\Windows\SysWOW64\Ofckhj32.exe
  C:\Windows\system32\Ofckhj32.exe
  2⤵
  PID:8232
- - C:\Windows\SysWOW64\Ommceclc.exe
    C:\Windows\system32\Ommceclc.exe
    3⤵
    PID:8284
  - - C:\Windows\SysWOW64\Ocgkan32.exe
      C:\Windows\system32\Ocgkan32.exe
      4⤵
      PID:8356
    - - C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324

C:\Windows\SysWOW64\Oonlfo32.exe
C:\Windows\system32\Oonlfo32.exe
1⤵
PID:8392
- C:\Windows\SysWOW64\Oblhcj32.exe
  C:\Windows\system32\Oblhcj32.exe
  2⤵
  PID:8436
- - C:\Windows\SysWOW64\Omalpc32.exe
    C:\Windows\system32\Omalpc32.exe
    3⤵
    PID:8516
  - - C:\Windows\SysWOW64\Obnehj32.exe
      C:\Windows\system32\Obnehj32.exe
      4⤵
      PID:8592
    - - C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        5⤵
        
        PID:8660
      - C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        6⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        7⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        8⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        9⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        10⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        11⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        12⤵
        Modifies registry class
        
        PID:9144
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        13⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        14⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        15⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        16⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Gbpnjdkg.exe
        
        C:\Windows\system32\Gbpnjdkg.exe
        17⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        18⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Epeohn32.exe
        
        C:\Windows\system32\Epeohn32.exe
        19⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Keekjc32.exe
        
        C:\Windows\system32\Keekjc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Ebcdjc32.exe
        
        C:\Windows\system32\Ebcdjc32.exe
        21⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Cejjdlap.exe
        
        C:\Windows\system32\Cejjdlap.exe
        22⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Enbhdojn.exe
        
        C:\Windows\system32\Enbhdojn.exe
        23⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\Jchaoe32.exe
        
        C:\Windows\system32\Jchaoe32.exe
        24⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\Kkkldg32.exe
        
        C:\Windows\system32\Kkkldg32.exe
        25⤵
        Drops file in System32 directory
        
        PID:6260
        
        C:\Windows\SysWOW64\Kbinlp32.exe
        
        C:\Windows\system32\Kbinlp32.exe
        26⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Kicfijal.exe
        
        C:\Windows\system32\Kicfijal.exe
        27⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\Lbqdmodg.exe
        
        C:\Windows\system32\Lbqdmodg.exe
        28⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Lkkekdhe.exe
        
        C:\Windows\system32\Lkkekdhe.exe
        29⤵
        Drops file in System32 directory
        
        PID:6792
        
        C:\Windows\SysWOW64\Lcbmlbig.exe
        
        C:\Windows\system32\Lcbmlbig.exe
        30⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Mcggga32.exe
        
        C:\Windows\system32\Mcggga32.exe
        31⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Midoph32.exe
        
        C:\Windows\system32\Midoph32.exe
        32⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Mldhacpj.exe
        
        C:\Windows\system32\Mldhacpj.exe
        33⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Mlialb32.exe
        
        C:\Windows\system32\Mlialb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3208
        
        C:\Windows\SysWOW64\Nmkkle32.exe
        
        C:\Windows\system32\Nmkkle32.exe
        35⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Nbhcdl32.exe
        
        C:\Windows\system32\Nbhcdl32.exe
        36⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Nmmgae32.exe
        
        C:\Windows\system32\Nmmgae32.exe
        37⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Lkcaeige.exe
        
        C:\Windows\system32\Lkcaeige.exe
        18⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Lnanadfi.exe
        
        C:\Windows\system32\Lnanadfi.exe
        19⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Ldkfno32.exe
        
        C:\Windows\system32\Ldkfno32.exe
        20⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Dcgackke.exe
        
        C:\Windows\system32\Dcgackke.exe
        11⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Dgcmdj32.exe
        
        C:\Windows\system32\Dgcmdj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8576
        
        C:\Windows\SysWOW64\Djaipe32.exe
        
        C:\Windows\system32\Djaipe32.exe
        13⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Dannbogl.exe
        
        C:\Windows\system32\Dannbogl.exe
        14⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Dpqonl32.exe
        
        C:\Windows\system32\Dpqonl32.exe
        15⤵
        
        PID:9000

C:\Windows\SysWOW64\Klndfj32.exe
C:\Windows\system32\Klndfj32.exe
1⤵
PID:5172

C:\Windows\SysWOW64\Jeocna32.exe
C:\Windows\system32\Jeocna32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3648

C:\Windows\SysWOW64\Ipgkjlmg.exe
C:\Windows\system32\Ipgkjlmg.exe
1⤵
PID:1728
- C:\Windows\SysWOW64\Anccjp32.exe
  C:\Windows\system32\Anccjp32.exe
  2⤵
  PID:5416

C:\Windows\SysWOW64\Iimcma32.exe
C:\Windows\system32\Iimcma32.exe
1⤵
- Drops file in System32 directory
PID:1576

C:\Windows\SysWOW64\Ilfennic.exe
C:\Windows\system32\Ilfennic.exe
1⤵
PID:7680

C:\Windows\SysWOW64\Haaaaeim.exe
C:\Windows\system32\Haaaaeim.exe
1⤵
PID:7552
- C:\Windows\SysWOW64\Lhkkjl32.exe
  C:\Windows\system32\Lhkkjl32.exe
  2⤵
  - Drops file in System32 directory
  PID:5700
- - C:\Windows\SysWOW64\Lkjhfh32.exe
    C:\Windows\system32\Lkjhfh32.exe
    3⤵
    PID:3688
  - - C:\Windows\SysWOW64\Mdnlkl32.exe
      C:\Windows\system32\Mdnlkl32.exe
      4⤵
      PID:5980
    - - C:\Windows\SysWOW64\Ojopki32.exe
        
        C:\Windows\system32\Ojopki32.exe
        5⤵
        
        PID:7668
      - C:\Windows\SysWOW64\Fdpnpe32.exe
        
        C:\Windows\system32\Fdpnpe32.exe
        6⤵
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\Fklcbocl.exe
        
        C:\Windows\system32\Fklcbocl.exe
        7⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Mibpng32.exe
        
        C:\Windows\system32\Mibpng32.exe
        8⤵
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Mckefmai.exe
        
        C:\Windows\system32\Mckefmai.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Meiabh32.exe
        
        C:\Windows\system32\Meiabh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8848
        
        C:\Windows\SysWOW64\Afcffb32.exe
        
        C:\Windows\system32\Afcffb32.exe
        11⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Fneohd32.exe
        
        C:\Windows\system32\Fneohd32.exe
        12⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\Fdpgen32.exe
        
        C:\Windows\system32\Fdpgen32.exe
        13⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Mfaqafjl.exe
        
        C:\Windows\system32\Mfaqafjl.exe
        14⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Nockfgao.exe
        
        C:\Windows\system32\Nockfgao.exe
        15⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\Biadoeib.exe
        
        C:\Windows\system32\Biadoeib.exe
        16⤵
        
        PID:7592

C:\Windows\SysWOW64\Hldiinke.exe
C:\Windows\system32\Hldiinke.exe
1⤵
PID:4856

C:\Windows\SysWOW64\Hpmhdmea.exe
C:\Windows\system32\Hpmhdmea.exe
1⤵
- Drops file in System32 directory
PID:232

C:\Windows\SysWOW64\Hehdfdek.exe
C:\Windows\system32\Hehdfdek.exe
1⤵
PID:8140

C:\Windows\SysWOW64\Hlppno32.exe
C:\Windows\system32\Hlppno32.exe
1⤵
PID:7996

C:\Windows\SysWOW64\Ggfglb32.exe
C:\Windows\system32\Ggfglb32.exe
1⤵
- Drops file in System32 directory
PID:7260

C:\Windows\SysWOW64\Ehbnigjj.exe
C:\Windows\system32\Ehbnigjj.exe
1⤵
PID:7160

C:\Windows\SysWOW64\Nmbamdkm.exe
C:\Windows\system32\Nmbamdkm.exe
1⤵
PID:6428
- C:\Windows\SysWOW64\Npqmipjq.exe
  C:\Windows\system32\Npqmipjq.exe
  2⤵
  PID:6404

C:\Windows\SysWOW64\Olgnnqpe.exe
C:\Windows\system32\Olgnnqpe.exe
1⤵
PID:6248
- C:\Windows\SysWOW64\Ojhnlh32.exe
  C:\Windows\system32\Ojhnlh32.exe
  2⤵
  PID:1772

C:\Windows\SysWOW64\Odqbdnod.exe
C:\Windows\system32\Odqbdnod.exe
1⤵
PID:6624
- C:\Windows\SysWOW64\Ofooqinh.exe
  C:\Windows\system32\Ofooqinh.exe
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\Oinkmdml.exe
    C:\Windows\system32\Oinkmdml.exe
    3⤵
    - Drops file in System32 directory
    PID:6932
  - - C:\Windows\SysWOW64\Ollgiplp.exe
      C:\Windows\system32\Ollgiplp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:660
    - - C:\Windows\SysWOW64\Odcojm32.exe
        
        C:\Windows\system32\Odcojm32.exe
        5⤵
        Drops file in System32 directory
        
        PID:4488

C:\Windows\SysWOW64\Ofalfi32.exe
C:\Windows\system32\Ofalfi32.exe
1⤵
PID:6280
- C:\Windows\SysWOW64\Olndnp32.exe
  C:\Windows\system32\Olndnp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:7748

C:\Windows\SysWOW64\Okodlgbl.exe
C:\Windows\system32\Okodlgbl.exe
1⤵
PID:6840
- C:\Windows\SysWOW64\Omnqhbap.exe
  C:\Windows\system32\Omnqhbap.exe
  2⤵
  PID:7900
- - C:\Windows\SysWOW64\Odhiemil.exe
    C:\Windows\system32\Odhiemil.exe
    3⤵
    PID:4048
  - - C:\Windows\SysWOW64\Offeahhp.exe
      C:\Windows\system32\Offeahhp.exe
      4⤵
      PID:7268
    - - C:\Windows\SysWOW64\Pmpmnb32.exe
        
        C:\Windows\system32\Pmpmnb32.exe
        5⤵
        
        PID:8164
      - C:\Windows\SysWOW64\Ppoijn32.exe
        
        C:\Windows\system32\Ppoijn32.exe
        6⤵
        
        PID:7392

C:\Windows\SysWOW64\Pdoofl32.exe
C:\Windows\system32\Pdoofl32.exe
1⤵
PID:5124
- C:\Windows\SysWOW64\Pgmkbg32.exe
  C:\Windows\system32\Pgmkbg32.exe
  2⤵
  PID:4708
- - C:\Windows\SysWOW64\Pmgcoaie.exe
    C:\Windows\system32\Pmgcoaie.exe
    3⤵
    PID:8432
  - - C:\Windows\SysWOW64\Ppepkmhi.exe
      C:\Windows\system32\Ppepkmhi.exe
      4⤵
      PID:7808

C:\Windows\SysWOW64\Pcdlghgl.exe
C:\Windows\system32\Pcdlghgl.exe
1⤵
PID:5584
- C:\Windows\SysWOW64\Pkkdhe32.exe
  C:\Windows\system32\Pkkdhe32.exe
  2⤵
  - Drops file in System32 directory
  PID:7484

C:\Windows\SysWOW64\Pllppnnm.exe
C:\Windows\system32\Pllppnnm.exe
1⤵
PID:5456
- C:\Windows\SysWOW64\Pdchakoo.exe
  C:\Windows\system32\Pdchakoo.exe
  2⤵
  PID:7656

C:\Windows\SysWOW64\Qpjifl32.exe
C:\Windows\system32\Qpjifl32.exe
1⤵
PID:4420
- C:\Windows\SysWOW64\Qdfefkll.exe
  C:\Windows\system32\Qdfefkll.exe
  2⤵
  PID:4412
- - C:\Windows\SysWOW64\Qkpmcddi.exe
    C:\Windows\system32\Qkpmcddi.exe
    3⤵
    PID:5264
  - - C:\Windows\SysWOW64\Qpmfklbq.exe
      C:\Windows\system32\Qpmfklbq.exe
      4⤵
      PID:5408
    - - C:\Windows\SysWOW64\Qckbggad.exe
        
        C:\Windows\system32\Qckbggad.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7700

C:\Windows\SysWOW64\Akbjidbf.exe
C:\Windows\system32\Akbjidbf.exe
1⤵
PID:8648
- C:\Windows\SysWOW64\Anqfepaj.exe
  C:\Windows\system32\Anqfepaj.exe
  2⤵
  PID:8908
- - C:\Windows\SysWOW64\Apobakpn.exe
    C:\Windows\system32\Apobakpn.exe
    3⤵
    - Drops file in System32 directory
    PID:1536
- - C:\Windows\SysWOW64\Cmipkb32.exe
    C:\Windows\system32\Cmipkb32.exe
    3⤵
    PID:1728
  - - C:\Windows\SysWOW64\Ccbhhl32.exe
      C:\Windows\system32\Ccbhhl32.exe
      4⤵
      PID:7588

C:\Windows\SysWOW64\Acmomgoa.exe
C:\Windows\system32\Acmomgoa.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7680
- C:\Windows\SysWOW64\Agikne32.exe
  C:\Windows\system32\Agikne32.exe
  2⤵
  PID:2776

C:\Windows\SysWOW64\Ajlpepbi.exe
C:\Windows\system32\Ajlpepbi.exe
1⤵
- Drops file in System32 directory
PID:5172
- C:\Windows\SysWOW64\Aljmal32.exe
  C:\Windows\system32\Aljmal32.exe
  2⤵
  - Drops file in System32 directory
  PID:5860

C:\Windows\SysWOW64\Acdeneij.exe
C:\Windows\system32\Acdeneij.exe
1⤵
PID:5600
- C:\Windows\SysWOW64\Ajnmjp32.exe
  C:\Windows\system32\Ajnmjp32.exe
  2⤵
  - Drops file in System32 directory
  PID:5088
- - C:\Windows\SysWOW64\Almifk32.exe
    C:\Windows\system32\Almifk32.exe
    3⤵
    PID:3536
  - - C:\Windows\SysWOW64\Addahh32.exe
      C:\Windows\system32\Addahh32.exe
      4⤵
      PID:5736

C:\Windows\SysWOW64\Bqokhi32.exe
C:\Windows\system32\Bqokhi32.exe
1⤵
PID:7252
- C:\Windows\SysWOW64\Bdkghg32.exe
  C:\Windows\system32\Bdkghg32.exe
  2⤵
  PID:8724

C:\Windows\SysWOW64\Bkepeaaa.exe
C:\Windows\system32\Bkepeaaa.exe
1⤵
PID:4584
- C:\Windows\SysWOW64\Bnclamqe.exe
  C:\Windows\system32\Bnclamqe.exe
  2⤵
  PID:8280
- - C:\Windows\SysWOW64\Bdmdng32.exe
    C:\Windows\system32\Bdmdng32.exe
    3⤵
    PID:6600
  - - C:\Windows\SysWOW64\Bglpjb32.exe
      C:\Windows\system32\Bglpjb32.exe
      4⤵
      PID:8964

C:\Windows\SysWOW64\Bjjmfn32.exe
C:\Windows\system32\Bjjmfn32.exe
1⤵
PID:8460
- C:\Windows\SysWOW64\Bnehgmob.exe
  C:\Windows\system32\Bnehgmob.exe
  2⤵
  PID:6272
- - C:\Windows\SysWOW64\Bdpqcg32.exe
    C:\Windows\system32\Bdpqcg32.exe
    3⤵
    - Modifies registry class
    PID:6736

C:\Windows\SysWOW64\Cqmgigfk.exe
C:\Windows\system32\Cqmgigfk.exe
1⤵
PID:9176
- C:\Windows\SysWOW64\Cjflblll.exe
  C:\Windows\system32\Cjflblll.exe
  2⤵
  PID:8368
- - C:\Windows\SysWOW64\Cmdhnhkp.exe
    C:\Windows\system32\Cmdhnhkp.exe
    3⤵
    PID:9192

C:\Windows\SysWOW64\Dcnqkb32.exe
C:\Windows\system32\Dcnqkb32.exe
1⤵
PID:4512
- C:\Windows\SysWOW64\Dgjmkqke.exe
  C:\Windows\system32\Dgjmkqke.exe
  2⤵
  PID:8716
- - C:\Windows\SysWOW64\Dncehk32.exe
    C:\Windows\system32\Dncehk32.exe
    3⤵
    PID:8832

C:\Windows\SysWOW64\Dmfecgim.exe
C:\Windows\system32\Dmfecgim.exe
1⤵
PID:9088
- C:\Windows\SysWOW64\Dqbadf32.exe
  C:\Windows\system32\Dqbadf32.exe
  2⤵
  - Modifies registry class
  PID:6628
- - C:\Windows\SysWOW64\Dccjfaog.exe
    C:\Windows\system32\Dccjfaog.exe
    3⤵
    PID:4008
  - - C:\Windows\SysWOW64\Dkjbgooi.exe
      C:\Windows\system32\Dkjbgooi.exe
      4⤵
      PID:5372
    - - C:\Windows\SysWOW64\Dnhncjom.exe
        
        C:\Windows\system32\Dnhncjom.exe
        5⤵
        
        PID:9160
      - C:\Windows\SysWOW64\Debfpd32.exe
        
        C:\Windows\system32\Debfpd32.exe
        6⤵
        
        PID:6256

C:\Windows\SysWOW64\Dcegkamd.exe
C:\Windows\system32\Dcegkamd.exe
1⤵
PID:8400
- C:\Windows\SysWOW64\Dmnkdfce.exe
  C:\Windows\system32\Dmnkdfce.exe
  2⤵
  - Drops file in System32 directory
  PID:6356
- - C:\Windows\SysWOW64\Dedceddg.exe
    C:\Windows\system32\Dedceddg.exe
    3⤵
    - Drops file in System32 directory
    PID:6416

C:\Windows\SysWOW64\Djalnkbo.exe
C:\Windows\system32\Djalnkbo.exe
1⤵
PID:6096
- C:\Windows\SysWOW64\Dmphjfab.exe
  C:\Windows\system32\Dmphjfab.exe
  2⤵
  PID:1336

C:\Windows\SysWOW64\Eakdje32.exe
C:\Windows\system32\Eakdje32.exe
1⤵
- Modifies registry class
PID:8904
- C:\Windows\SysWOW64\Ecjpfp32.exe
  C:\Windows\system32\Ecjpfp32.exe
  2⤵
  - Drops file in System32 directory
  PID:9040
- - C:\Windows\SysWOW64\Ejdhcjpl.exe
    C:\Windows\system32\Ejdhcjpl.exe
    3⤵
    PID:5876

C:\Windows\SysWOW64\Embdofop.exe
C:\Windows\system32\Embdofop.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3748
- C:\Windows\SysWOW64\Eeimqc32.exe
  C:\Windows\system32\Eeimqc32.exe
  2⤵
  PID:652
- - C:\Windows\SysWOW64\Eclmlpfl.exe
    C:\Windows\system32\Eclmlpfl.exe
    3⤵
    PID:8816
  - - C:\Windows\SysWOW64\Emdaee32.exe
      C:\Windows\system32\Emdaee32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:8896
    - - C:\Windows\SysWOW64\Eelifc32.exe
        
        C:\Windows\system32\Eelifc32.exe
        5⤵
        Modifies registry class
        
        PID:6012

C:\Windows\SysWOW64\Egjebn32.exe
C:\Windows\system32\Egjebn32.exe
1⤵
PID:6324
- C:\Windows\SysWOW64\Ejhanj32.exe
  C:\Windows\system32\Ejhanj32.exe
  2⤵
  PID:6660

C:\Windows\SysWOW64\Elhnhm32.exe
C:\Windows\system32\Elhnhm32.exe
1⤵
PID:8352
- C:\Windows\SysWOW64\Enfjdh32.exe
  C:\Windows\system32\Enfjdh32.exe
  2⤵
  - Drops file in System32 directory
  PID:968

C:\Windows\SysWOW64\Emlgedge.exe
C:\Windows\system32\Emlgedge.exe
1⤵
PID:7492
- C:\Windows\SysWOW64\Fagcfc32.exe
  C:\Windows\system32\Fagcfc32.exe
  2⤵
  - Modifies registry class
  PID:4472

C:\Windows\SysWOW64\Fhalcm32.exe
C:\Windows\system32\Fhalcm32.exe
1⤵
PID:6884
- C:\Windows\SysWOW64\Fmndkd32.exe
  C:\Windows\system32\Fmndkd32.exe
  2⤵
  - Modifies registry class
  PID:5768
- - C:\Windows\SysWOW64\Feella32.exe
    C:\Windows\system32\Feella32.exe
    3⤵
    - Drops file in System32 directory
    PID:7272

C:\Windows\SysWOW64\Fchlhnlo.exe
C:\Windows\system32\Fchlhnlo.exe
1⤵
PID:7356
- C:\Windows\SysWOW64\Flodilma.exe
  C:\Windows\system32\Flodilma.exe
  2⤵
  PID:7596

C:\Windows\SysWOW64\Fnmqegle.exe
C:\Windows\system32\Fnmqegle.exe
1⤵
PID:7648
- C:\Windows\SysWOW64\Fmpaqd32.exe
  C:\Windows\system32\Fmpaqd32.exe
  2⤵
  PID:7884

C:\Windows\SysWOW64\Fegiba32.exe
C:\Windows\system32\Fegiba32.exe
1⤵
PID:2640
- C:\Windows\SysWOW64\Fhfenmbe.exe
  C:\Windows\system32\Fhfenmbe.exe
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\Fnpmkg32.exe
    C:\Windows\system32\Fnpmkg32.exe
    3⤵
    PID:7584
  - - C:\Windows\SysWOW64\Fanigb32.exe
      C:\Windows\system32\Fanigb32.exe
      4⤵
      PID:7920
    - - C:\Windows\SysWOW64\Fdmfcn32.exe
        
        C:\Windows\system32\Fdmfcn32.exe
        5⤵
        Modifies registry class
        
        PID:8160

C:\Windows\SysWOW64\Hopfadlp.exe
C:\Windows\system32\Hopfadlp.exe
1⤵
PID:5932
- C:\Windows\SysWOW64\Haobnpkc.exe
  C:\Windows\system32\Haobnpkc.exe
  2⤵
  PID:5480

C:\Windows\SysWOW64\Hhhkjj32.exe
C:\Windows\system32\Hhhkjj32.exe
1⤵
PID:8132
- C:\Windows\SysWOW64\Hkggfe32.exe
  C:\Windows\system32\Hkggfe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:2416
- - C:\Windows\SysWOW64\Haaocp32.exe
    C:\Windows\system32\Haaocp32.exe
    3⤵
    PID:7640

C:\Windows\SysWOW64\Hdokok32.exe
C:\Windows\system32\Hdokok32.exe
1⤵
PID:8080
- C:\Windows\SysWOW64\Hkiclepa.exe
  C:\Windows\system32\Hkiclepa.exe
  2⤵
  - Modifies registry class
  PID:7400
- - C:\Windows\SysWOW64\Hoepmd32.exe
    C:\Windows\system32\Hoepmd32.exe
    3⤵
    PID:5816

C:\Windows\SysWOW64\Hoglbc32.exe
C:\Windows\system32\Hoglbc32.exe
1⤵
PID:4908
- C:\Windows\SysWOW64\Haeino32.exe
  C:\Windows\system32\Haeino32.exe
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\Hecadm32.exe
    C:\Windows\system32\Hecadm32.exe
    3⤵
    PID:6432

C:\Windows\SysWOW64\Hdfapjbl.exe
C:\Windows\system32\Hdfapjbl.exe
1⤵
- Modifies registry class
PID:8472
- C:\Windows\SysWOW64\Hlmiagbo.exe
  C:\Windows\system32\Hlmiagbo.exe
  2⤵
  PID:4720

C:\Windows\SysWOW64\Dgcoaock.exe
C:\Windows\system32\Dgcoaock.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6612

C:\Windows\SysWOW64\Ajggjq32.exe
C:\Windows\system32\Ajggjq32.exe
1⤵
PID:1728

C:\Windows\SysWOW64\Pindcboi.exe
C:\Windows\system32\Pindcboi.exe
1⤵
PID:7768

C:\Windows\SysWOW64\Nmommn32.exe
C:\Windows\system32\Nmommn32.exe
1⤵
- Drops file in System32 directory
PID:8876
- C:\Windows\SysWOW64\Nlbnhkqo.exe
  C:\Windows\system32\Nlbnhkqo.exe
  2⤵
  - Drops file in System32 directory
  PID:6496

C:\Windows\SysWOW64\Nblfee32.exe
C:\Windows\system32\Nblfee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4364
- C:\Windows\SysWOW64\Nfgbec32.exe
  C:\Windows\system32\Nfgbec32.exe
  2⤵
  PID:9116

C:\Windows\SysWOW64\Omdghmfo.exe
C:\Windows\system32\Omdghmfo.exe
1⤵
PID:6948
- C:\Windows\SysWOW64\Olfgcj32.exe
  C:\Windows\system32\Olfgcj32.exe
  2⤵
  PID:7164
- - C:\Windows\SysWOW64\Olidijjf.exe
    C:\Windows\system32\Olidijjf.exe
    3⤵
    PID:6508
  - - C:\Windows\SysWOW64\Khkbcopl.exe
      C:\Windows\system32\Khkbcopl.exe
      4⤵
      PID:6776
    - - C:\Windows\SysWOW64\Kkioojpp.exe
        
        C:\Windows\system32\Kkioojpp.exe
        5⤵
        
        PID:644
      - C:\Windows\SysWOW64\Koekpi32.exe
        
        C:\Windows\system32\Koekpi32.exe
        6⤵
        
        PID:4892

C:\Windows\SysWOW64\Nnbfjf32.exe
C:\Windows\system32\Nnbfjf32.exe
1⤵
PID:6812

C:\Windows\SysWOW64\Nnpjdfpb.exe
C:\Windows\system32\Nnpjdfpb.exe
1⤵
- Modifies registry class
PID:6632

C:\Windows\SysWOW64\Kpfggang.exe
C:\Windows\system32\Kpfggang.exe
1⤵
PID:7196
- C:\Windows\SysWOW64\Kdbchp32.exe
  C:\Windows\system32\Kdbchp32.exe
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\Kgpodk32.exe
    C:\Windows\system32\Kgpodk32.exe
    3⤵
    PID:7576
  - - C:\Windows\SysWOW64\Ldiiio32.exe
      C:\Windows\system32\Ldiiio32.exe
      4⤵
      PID:5216
    - - C:\Windows\SysWOW64\Lggeej32.exe
        
        C:\Windows\system32\Lggeej32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6008

C:\Windows\SysWOW64\Knhkkfod.exe
C:\Windows\system32\Knhkkfod.exe
1⤵
- Modifies registry class
PID:436

C:\Windows\SysWOW64\Lhgbomfo.exe
C:\Windows\system32\Lhgbomfo.exe
1⤵
PID:7820
- C:\Windows\SysWOW64\Lgibjj32.exe
  C:\Windows\system32\Lgibjj32.exe
  2⤵
  PID:7296

C:\Windows\SysWOW64\Loqjlg32.exe
C:\Windows\system32\Loqjlg32.exe
1⤵
PID:7508
- C:\Windows\SysWOW64\Laofhbmp.exe
  C:\Windows\system32\Laofhbmp.exe
  2⤵
  PID:3344

C:\Windows\SysWOW64\Ldnbdnlc.exe
C:\Windows\system32\Ldnbdnlc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5952
- C:\Windows\SysWOW64\Lhiodm32.exe
  C:\Windows\system32\Lhiodm32.exe
  2⤵
  PID:8140
- - C:\Windows\SysWOW64\Locgagli.exe
    C:\Windows\system32\Locgagli.exe
    3⤵
    PID:4856
  - - C:\Windows\SysWOW64\Lqdcio32.exe
      C:\Windows\system32\Lqdcio32.exe
      4⤵
      PID:7552

C:\Windows\SysWOW64\Cjhfjg32.exe
C:\Windows\system32\Cjhfjg32.exe
1⤵
PID:5616
- C:\Windows\SysWOW64\Cikgecag.exe
  C:\Windows\system32\Cikgecag.exe
  2⤵
  PID:9196

C:\Windows\SysWOW64\Cmfcfb32.exe
C:\Windows\system32\Cmfcfb32.exe
1⤵
PID:6332
- C:\Windows\SysWOW64\Ccpkblqn.exe
  C:\Windows\system32\Ccpkblqn.exe
  2⤵
  PID:4000
- - C:\Windows\SysWOW64\Cjjcof32.exe
    C:\Windows\system32\Cjjcof32.exe
    3⤵
    PID:8908

C:\Windows\SysWOW64\Cafhap32.exe
C:\Windows\system32\Cafhap32.exe
1⤵
PID:3816
- C:\Windows\SysWOW64\Ccednl32.exe
  C:\Windows\system32\Ccednl32.exe
  2⤵
  PID:8536

C:\Windows\SysWOW64\Dgqqnjea.exe
C:\Windows\system32\Dgqqnjea.exe
1⤵
PID:4456
- C:\Windows\SysWOW64\Djomjfde.exe
  C:\Windows\system32\Djomjfde.exe
  2⤵
  PID:8800
- - C:\Windows\SysWOW64\Dmmifaci.exe
    C:\Windows\system32\Dmmifaci.exe
    3⤵
    PID:9016
  - - C:\Windows\SysWOW64\Daiegp32.exe
      C:\Windows\system32\Daiegp32.exe
      4⤵
      PID:9020

C:\Windows\SysWOW64\Dfjgjf32.exe
C:\Windows\system32\Dfjgjf32.exe
1⤵
PID:5308
- C:\Windows\SysWOW64\Diicfa32.exe
  C:\Windows\system32\Diicfa32.exe
  2⤵
  PID:6572
- - C:\Windows\SysWOW64\Dmdogpmq.exe
    C:\Windows\system32\Dmdogpmq.exe
    3⤵
    PID:1312
  - - C:\Windows\SysWOW64\Kjdjhgdb.exe
      C:\Windows\system32\Kjdjhgdb.exe
      4⤵
      PID:6608
    - - C:\Windows\SysWOW64\Kbkaiddd.exe
        
        C:\Windows\system32\Kbkaiddd.exe
        5⤵
        Modifies registry class
        
        PID:8284
      - C:\Windows\SysWOW64\Kiejfo32.exe
        
        C:\Windows\system32\Kiejfo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9172
        
        C:\Windows\SysWOW64\Kjffngap.exe
        
        C:\Windows\system32\Kjffngap.exe
        7⤵
        Modifies registry class
        
        PID:9140
        
        C:\Windows\SysWOW64\Kbmoodbb.exe
        
        C:\Windows\system32\Kbmoodbb.exe
        8⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Kgjggkqi.exe
        
        C:\Windows\system32\Kgjggkqi.exe
        9⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Kjhccf32.exe
        
        C:\Windows\system32\Kjhccf32.exe
        10⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Kbpkdd32.exe
        
        C:\Windows\system32\Kbpkdd32.exe
        11⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Kengqo32.exe
        
        C:\Windows\system32\Kengqo32.exe
        12⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Kijcanhl.exe
        
        C:\Windows\system32\Kijcanhl.exe
        13⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Kkhpmigp.exe
        
        C:\Windows\system32\Kkhpmigp.exe
        14⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\Knfliefc.exe
        
        C:\Windows\system32\Knfliefc.exe
        15⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Kaehepeg.exe
        
        C:\Windows\system32\Kaehepeg.exe
        16⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Kepdfo32.exe
        
        C:\Windows\system32\Kepdfo32.exe
        17⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Kgopbj32.exe
        
        C:\Windows\system32\Kgopbj32.exe
        18⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Lkjlciem.exe
        
        C:\Windows\system32\Lkjlciem.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8896
        
        C:\Windows\SysWOW64\Lbddpclj.exe
        
        C:\Windows\system32\Lbddpclj.exe
        20⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Linmlm32.exe
        
        C:\Windows\system32\Linmlm32.exe
        21⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Lkmihi32.exe
        
        C:\Windows\system32\Lkmihi32.exe
        22⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Lnkedd32.exe
        
        C:\Windows\system32\Lnkedd32.exe
        23⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Laiaqp32.exe
        
        C:\Windows\system32\Laiaqp32.exe
        24⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Liqibm32.exe
        
        C:\Windows\system32\Liqibm32.exe
        25⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Ljbfiegb.exe
        
        C:\Windows\system32\Ljbfiegb.exe
        26⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Lalnfooo.exe
        
        C:\Windows\system32\Lalnfooo.exe
        27⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Lgffci32.exe
        
        C:\Windows\system32\Lgffci32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:880

C:\Windows\SysWOW64\Dhgfoioi.exe
C:\Windows\system32\Dhgfoioi.exe
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acdeneij.exe

Filesize
71KB

MD5
d41ce44cee73aa6d63809ee5fa49920a

SHA1
acf56896d64f5045316a82284e88785538c5e17a

SHA256
96ad4a2047a20867ff83448f6aac5871ecdcc1224873a68ff0f88a5e2758264c

SHA512
518671a5f49eaeed8d9ff64e26c7dcf2f5d866c50953e77186c8c0d8300e30b91ff92b3bc9cb228ce347a89c750443d6e4fb0e7c198ad797a92e64cf9b18a08a

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
71KB

MD5
8b9d938681732ef5414d6dbf88520019

SHA1
8e76cd8c9a32a12ef8583071384747c481f08660

SHA256
279053e7ea32f91e76c077ed0ca75eb94c92bf0f3e9dbb63ef6f00099fb68c1a

SHA512
d2d5519fdb271d527ff8d4874f540a9323b4a1cc108930feb2890b5628aac3f648b319760aa0a5fe588470c0a148834b3f049eb8ad45c6d53e9a8202345df687

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
71KB

MD5
9412bca7774a893cc103e1b13476e446

SHA1
1344d8f78bf70b92d563aa40d8b62a26db220dfa

SHA256
283c4939911400f9d65e44c011bf12505f4c97ebccef040f35f68778667bad0a

SHA512
019c29fc5044ff07f0cc2ae7d3cd23bfa06e10ced66add5c2973f2616bd442e35d93baf083ff56f15b66e0bbfd28b65ada1bdbe404017a1d9d56f8588b96a412

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
43KB

MD5
09e6e0b931917292ba507d1fbcbcc746

SHA1
732c0a6ac284e83dc1efc3df7883f686c078260f

SHA256
e23e9307f0df778ace6b17d6e36b0253549166b3eaa62dd8ccf92d5802337ded

SHA512
76e154f8cade020cd0e2b064fcb8c837b8fa66092aaafdc2fb2f458aabe92f05fe4c9a25eb9f9711aaf4fbf6fa18ec29d2ced9e487b47c4f57550658a817353e

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
71KB

MD5
8f65cd97fd372e97056a8110e7a0b449

SHA1
a2762bb22ee9152081ee91fbc47b7c17b9b4aa75

SHA256
4292a9eb61af7b185dacffd57a7b1336326e358d905ab919505bdb5204c5dbb1

SHA512
68b8d5d5eb68d9a0a2b5c34c02bc574810fb5c3aea2b209ec12dc6b8eb8c9af663af4fca66e27a94f0cb6951857d277e3b2dbe03586dc1897fdb083c28304f4e

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
1KB

MD5
09cb09e890d6f62419e8323283a3fe89

SHA1
69cab076ed9d03312f2214e6b506d51826b788a0

SHA256
3ae596772d8e53ab37efcb7795a0f34ab32a9bfaa9f2a326c3eb8024ada900d9

SHA512
35ea13feacbacf83ecacf30f40787c7727493edf2bca9b00a8267db350f7dc4fe897883f7ae9e2f3226ffa8f99fe79b148512c6f3998e65b10044bf2e2ea33cb

Download Submit
C:\Windows\SysWOW64\Afbgkl32.exe

Filesize
16KB

MD5
e55fd73e5b14b9983efc72f3309dbb48

SHA1
5db67f1f201842a4a3df2554dc4f08b2d399c6e4

SHA256
5cf1df40e2aba0591e19824ef5c956f47be73b91f25a66a87cb3f93c2b73ebfc

SHA512
9c3426095ad53ac96a4790f4f4833d111d5e6be03e209f612c3a9c934230fe59a18af7f435ef23fd611efbfd291b80ae1a41a22f88dba4ed483333b69da21edb

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
5KB

MD5
5859ade0614bcae38d52627ddf967b36

SHA1
4eece4e8fe895c940685fb417e792392a9880ea8

SHA256
929bc31e5e1ceef6e48ff76fcdcb601cac50783d8be335efbce2478a949eae25

SHA512
19ce4e91dd086141d2d5eee5435abce6b996eb1853a20b465d12808d4652f60e4390fcc7bb8c9fb561afcaa3223285a3ee2dbb65b037ca76d12f8af1abe56bec

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
71KB

MD5
9f55f4dd0621ea7bf85fe09c15b88512

SHA1
66ca87ab5cf0a217b103f660d48e84cf6d1ed1e6

SHA256
8baec4a79d2f62f04602ad63d136e8483faa5ca25dbfc0b21044b716711a4078

SHA512
9b98e6fd9961c8aeb0a91eb692d33195ea1697ad2e797695fcd0fa0b361d955deced91f00414444ce4b562e656e5fd273a6b928e055bcd26e44581c0875a01f6

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
71KB

MD5
f36ec8b38eaaff34d7ae6f6049d0560e

SHA1
0aef8fe09ee8c1a78125e24684e7aa9515c59b90

SHA256
1391983e1145a1df37b46572bf8c4eb5b0764d69246908c9e63e7792154eb76a

SHA512
76a34f705ac34d339fc137a9285c4a5d4cff335e196caff79a1004d820d7a2166d7309a73cf3353e2b470be6f6ae47dc70ed3cf9e5db9984266117cd750c5142

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
9KB

MD5
01b2d3636517cbdbffd438c29a081738

SHA1
b80edf2a85dfd7fb631fffb8ededd37589369d24

SHA256
7d465a80d72906bc74831c130a92487cb25e3a135bbf3336c53fde67de337ce7

SHA512
f1174f57f835b0cb2a5292a1f0dd1c64e7707d4cb6d0e6c3f8b111b185221934d7d988e83c72b3f138c9b614d8c388e06c36490b6b0e6b223b13d949f009d21e

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
8KB

MD5
11f9b8a2dd8449fb45c26cece4cca55a

SHA1
38dc5583e130630670f7c7bec1aa61683416747e

SHA256
8140ac35c2fab8b9ed40f96250401ceaeb8d23c61ab3ff01101e4c4277440e68

SHA512
5848bf626af758447c101da174ab444a70bd87a2f266991de5742a69bbb558f464ea28fca83696da67cc334f458394928688af99e9a6d20bbada386cfaa5e548

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
71KB

MD5
4122c932541cd7cd2139f8c1fce9bab4

SHA1
9940f961f0017c80e68e79970fb5b344472d6d50

SHA256
f79ddb0fb3a3cda31219cb2e7e0bc2bba175e94405838b84f3fefc24452f0524

SHA512
d0a73bc63a38dcccf5be52ab0e4bb131938e90f1468b6ffea477a89120317457c59dc9cf228fbf7564ee893f7fa6595b243c6b744fd1bd821469fdedab4303e9

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
11KB

MD5
fee1c103875692226e4ae99989eb5593

SHA1
4c512a99711f388d0d992e862e5ac0dc3e1fcb24

SHA256
e9957eac409910a45b0bda314dee1b2e06978c557709c198a2970fe901fddd40

SHA512
9a394b615e949f9e5099cc1cd9a9959f35e0ebd0fe5af0f7d7a20439b0e29b09f1037e45e776118d547acfc8f6f22b4b545356abdfb9af02300c4f1420ffa29f

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
20KB

MD5
d854d562f48cbf09b2280f8d36f935dd

SHA1
1e085bed10801c094fb5d0afc2fdd539c2fcc20f

SHA256
66c8841d43274b67cb7d995afd7cc5c5225055835e194b78ad0c7e936d3aba5f

SHA512
25d94339688a582f0e76e3c88ae73e9c2cda605f417b3d4178edf743387c1963980007748eda65268a33853176c5662b8a9a42011d11379c0a0c36a47b0f7ac8

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
71KB

MD5
32f0135c9c601be98d3a7fb2d869d506

SHA1
9a95784aef7d6b1161e650474442192c1df665df

SHA256
e3aa91acea0b4f11978703eb0cb5d51104ab6917e97ee18e68c7d03d3a5af002

SHA512
0862961b7be720e701b83b0b6f11e027700f1ecbc086f5e12344e16fd36abb6d2dce2d5638c2fea0149952fcd8d25d60afd61043dfa9f40d9c9b317190982a86

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
71KB

MD5
3c255733aca10da5e21da05707c25ef2

SHA1
13f3eb47766cdf39b94a1173761f88790d1b3671

SHA256
71f1f365f903d27b1deab3884dbab6b869310c83623487ed63baa3b164bda5e0

SHA512
1415e3db35c81a10180325f1b0f8ecdf196115fb225518e541c73ac61726248203505fe9619080c07fef3fbb95d3a4d94cec616523f827a041bbaf9780f64af2

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
71KB

MD5
5161fa646d70aed5d8bcd13128cf20d7

SHA1
f836e286659dc79ca1c620f63a661ec9ea05e155

SHA256
e32e52011eefb524456a584113742b799262ad2c133005333fbc7eb08b6919b6

SHA512
8f74c34f983796a2da9ef6ab2dd5f6353bc34e2f9811d40147848d3db15cd15b037fe8d84e9263b2ae1fb177c7929776ef841fe80873c3e24bd6762c3931dea5

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
41KB

MD5
6075f1eab223336a87aa1874cba595aa

SHA1
d94f8910b6674fcbf2dc2e2a3ceff327c20e1f57

SHA256
6b8150828adcae24d4817606ddaf2e7a240856e429aa5f4bb61ac846be86010b

SHA512
cdd649a4aea5aa3337402a73d4607a31b0d5aee6060c422230703a44ecc1cf2849568605b7e628315e4c23c83b33813f2f59f63fcc0ce9e467cf7e4a0e76b654

Download Submit
C:\Windows\SysWOW64\Anccjp32.exe

Filesize
71KB

MD5
c1d47d16d7bdee27d748f3266733f089

SHA1
12891ec855f24571f97b7915d6679dcce35b4ec2

SHA256
95b602e09976643361f7b078e93c95fe7d525a69db36c5f164362eeb68597579

SHA512
a4607a7d46d100fbd8d5f7c1dbdc1aa9bd159066da2de87a5057e24b88668958799d0b5648296c2c986c1771546ec8c1b1dfd6cc5ac111621007adab440c2032

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
71KB

MD5
6ab254101f4e2823e6ca558cf00b2715

SHA1
fd2ce8dfe764b431663980dbaf9518622b406932

SHA256
48f1184a691160753b8ef42e32526e4efaa0370cdd089b525e89aea2cb5b696f

SHA512
d1f360cc86dfb39d42b415781de88e62d4fe65256677230f6c0609b2e67a212b47f69d61820bc4d250e3e111fb3cea4a5c8ce600b4c513b2fe6473de027e1cde

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
57KB

MD5
62bbc2376189f044e662492657206a68

SHA1
a64d4af162078cc0fa1255493c2115700f1ef056

SHA256
a790b0e03b0601e28bce72b2f8af9e722164871472323d2e3993cdf27fa9a297

SHA512
5e0aba9790e8d2ee87fb8705a9109db53b3789ab5b9a6d863750ef7b735d49c61759038af59d6d7adc0d7f5df7360af493b6b3e5ab5461342e936e8893bfcc1e

Download Submit
C:\Windows\SysWOW64\Anqfepaj.exe

Filesize
71KB

MD5
cb403668b0d4420beaa7e0a0d0e013fb

SHA1
3616e6dd02867d5edcf0710fd95ed155a6eeb325

SHA256
ade086180b1aea6833295392f5367120a97a72783fd53d39ce019fac2ced2df3

SHA512
7b4b2f87bd19a6bb650382c991a490955eefbd761141431cda1dd4b1635bd76a0ee884237f41eb44bd655522af330d06e5a89477c556c36dbeba2fae1bf76979

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
71KB

MD5
0be2c8afd528e5910fc859a2874e3298

SHA1
b9310c8164e633f669e538a8b76d49ec00a5f661

SHA256
86c5018c09b0050a6c8cd2731aaf200f0ec17af6f9e6ca1f4edc791f7f5c77d4

SHA512
9666503c7405f1b23673931d06da1a0f19604a68c527b70a3068ff28a1bd82b2c042bf33bbfe179faffa745bf21aaf8ab797be1fbf9be51e9c7ff9d43c9c125f

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
33KB

MD5
914a3902943c31f25ae1fed79dcfafe4

SHA1
d2a2f34b4a58c87ddb57fb1ec3bc1ee99dd036f3

SHA256
8a4938882c81ba6c0d00d82da7428a7c20a4721baf6469597edda91c88e9c820

SHA512
c7f41cb54180c0d225b702a84841d9b34b7a1873f7efb17cc4a0943950dafdbf7bac8036bcf112bc5cee295d0de28a59f3ae04844f41765f10af6b468f75fbf1

Download Submit
C:\Windows\SysWOW64\Biadoeib.exe

Filesize
71KB

MD5
f3a22b308b2d4060858a1fb0fea288db

SHA1
22d080a11792381cc5817951c37551e080bf2c3b

SHA256
19d2919451850a0559b1b6e0ce23583093326e8918f3f8752da3dd9ca7a13c32

SHA512
c87e6b6c52972aa4ebdb3cf2cc05826652ddce5e4491de10f4a35672a2129ec3494e8e7cd7093534947490fed45c32cd5bb9305ba3b5161ef8c46aee8ff83a27

Download Submit
C:\Windows\SysWOW64\Blabakle.exe

Filesize
71KB

MD5
7002d9136598fd972c565be8dd266ba4

SHA1
9dd7f7ba282b24c08f23edef998ea82dbdb51441

SHA256
6fddd9b849cb21d2ddbd0552917e097e3fe782da090a30e59371caf434c874a3

SHA512
26663b1f24e139c9622aea832c6c7286b7b0892d1ca1a58d234939495943a9373dcf75450e9c6f147850f1fe0dc2847a301d45ea0cc1ddc029ddc79f221b0855

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
42KB

MD5
935a4587cc51d3247b5dfc7cdd72a0f0

SHA1
98d7729701089fa996febcbef4e451586505c817

SHA256
cf75383eacff1f4b0c6545dafa36cbb7cd811831cf103f4f32483b9f5c61b2c5

SHA512
dfda443d9ef8a7b31fa9bd965ac591e22ad38175f841804ff44f8617ca2ce111354e4f3e0b6ecdad8766402a0eb7c326aea40e4a9624148ee41a480b472fe8f2

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
31KB

MD5
8642d066eb18a5bfb6bd74e564ea7c1e

SHA1
090c5cf185dfacc6d722014fc347ee2cda18a0e6

SHA256
7cbaf4a77e9d45e8b605d4d9400be68e77d7581b02f2e39ef1f6c7185d681001

SHA512
eb1d4cdbee8f6fc0ee908a10e972a821fdb8918378ff0358d3b6bd95085e783cd0c1252ede3adfcb61a4fd5a834b07c4c401a2a0d7d4fe7f2706f057f8ed43ab

Download Submit
C:\Windows\SysWOW64\Chnlgjlb.exe

Filesize
11KB

MD5
10b43f3a863d56a7a6a698cdc0c51d60

SHA1
6822a26eeb32403806d2ce72c52964ec4db9e31f

SHA256
b725b64ba7c632b586dc86ecb7747873d69b7ffa31cfafd183d0899d47dfb744

SHA512
5d507e00a4468720c107c0577a7c88b8a36d518f349d629c22dc962c6c5fd19c2126e21208ea60ec2d907324e469e8a7dce336a15998d71e5204f300bf096441

Download Submit
C:\Windows\SysWOW64\Cikgecag.exe

Filesize
71KB

MD5
6f57201add122f03945358686bd25444

SHA1
cb27541f938a841cff1fc5cd4edf9f8901bc1685

SHA256
143c1bedd8443c600ad7e02ee38ac8a8269db4157c69b864a968201909f38639

SHA512
61dce48024779699ba9b6b246db62cee7e213184778cf2c460f74d0d3221c6b37a0195acaf59fa244de2bd91c3ae59cb1ea4e17276f4bb321a37dee05be27f9b

Download Submit
C:\Windows\SysWOW64\Cmipkb32.exe

Filesize
71KB

MD5
0b9000ec10c7a6c31c491e4fa299e87a

SHA1
4de545c43a9282896e64b62eec531fe35a8a1294

SHA256
0e649d57c4ae8eb90e0b8d03c958cf3720bbe545f9e9f81d75e2ddb2f897147c

SHA512
0c53d8ea912a6a2005c459bb94ed6ad6e1cbf14696008682b8ad7e51f8a88f014e25070d42a8c54951b63e1be46471128db8bfd93ede7b85af1787e49ce0e8a2

Download Submit
C:\Windows\SysWOW64\Dgcmdj32.exe

Filesize
71KB

MD5
f338a1e2fffcbe1b774bbe616028e68b

SHA1
dd1fd8b2d614bf94cc31332771dcf049f654d231

SHA256
d0b341aa39701dbda63550a69c677a0d15da4bf1d99c269acb72344b1914d798

SHA512
d26f317a09ad1adde734af623ed99182d724455775fb6927b7debb47fe70a0a287c773150813be97018a3ca28449faac90ec647e7129d9c1c1638a75cebd4879

Download Submit
C:\Windows\SysWOW64\Djomjfde.exe

Filesize
71KB

MD5
51c676d50b57564793275da6c1bace33

SHA1
5540836dda77d3a75938250ba0281c4a427b2e1b

SHA256
9de0147c490fdec7b4a1bdf7fca28bf050680c05164773eef0b327b55b721a87

SHA512
45237381bb77011daeaa3c41616fded86094e8f6ccb0f651c7c1791449361f06534a635560e7e8155ec583ffe899adc71c71cbdb04b36a8a46248c924ef32eee

Download Submit
C:\Windows\SysWOW64\Ehndnh32.exe

Filesize
5KB

MD5
7df5f1aed6f45d13250a7bbac0024983

SHA1
3c344a481be1ccdc149b9dfde20c55ba22106f13

SHA256
3c89e472e0936d9d86d79f73f760070e11974538029f851d4613fc56cb4565c2

SHA512
092885acb4dd0b6912402f86c9373559e777e82c9ff446c6490677170812c720f40e711e9373fb87e8c1558f42fc23fad9ca1888a03fe935d7b12b3668be94ec

Download Submit
C:\Windows\SysWOW64\Ekonpckp.exe

Filesize
71KB

MD5
10f7f61a898aa5c47c9ac6dee0cff6a6

SHA1
6af94861849107ea3e153c6cf644ba13969f2c32

SHA256
3ebd7a241a70d983c6921a8eb9da54444104d6dcc2bc85f833e8640cbd05ba37

SHA512
bd0f2df09bc63e15002bb7c4d5920c921e8698074e4612e9824799f68556359d1292e4cad58bf12397d4fed75b56e6e34920302145004bd79d3d2cd6954a685c

Download Submit
C:\Windows\SysWOW64\Enbhdojn.exe

Filesize
71KB

MD5
e5abd322c36ace13967b78d9b6e929c3

SHA1
1a13b3976233cf17fa7a2531b9636b7c9b3244ea

SHA256
b59e951677fa78888664cf07e54767ba43ebe31c7ade528fc07c2dfe23e1e29d

SHA512
763cddabd92fc3ccf2346db2f5030ae4313a54053d85422e734638556007a3cad54465754579373302f2d794340e9edd2f672266b122ddaec5f5fae73c5516dd

Download Submit
C:\Windows\SysWOW64\Fbplml32.exe

Filesize
71KB

MD5
370b283909853a465a00ff2ecc76beff

SHA1
227fb13682f0da06d5c63e213bde9420022b438d

SHA256
103c3d1fe239bdf55b61923aba36caa7f9a1e7c5d9688a59d3d59d6c503ad948

SHA512
2e7ce59cdb6f7ab7e0109833518c6db8d70fc236c3d81e718060b1cb2671e8882d938fa1691e9dd8182cdcd6b4f7b96a729f9595059ac43366880fa47cf4cadb

Download Submit
C:\Windows\SysWOW64\Feqeog32.exe

Filesize
71KB

MD5
18258e3b546ff9b05bfb3ae2a7b92b5c

SHA1
257c43671d157f49eb9c3b7951767f1dfe82b88f

SHA256
f573297f3fe35d9beade4f2e3a8707a763cc5972a64d3cd865595c86104939ba

SHA512
134604b92b31d528cec381340e25832f3c527b6c230305f4cf2ab72bd5c35496fe9db8a168c5528fbd9bcdb33c07a1904744863b14a2a5adce51694c416c8e18

Download Submit
C:\Windows\SysWOW64\Hajpbckl.exe

Filesize
71KB

MD5
cd20b6fb30c99c7184d6a08fbb987edf

SHA1
7632bf2651ceba75315061cfdb9abb586a81b478

SHA256
6cd363582c2c92e71e3d4a22063dff4aa6f6fb1e3c1611758d5dcc81f26aa0c3

SHA512
75ed3a851e699da7410c85fa575f196299d8e810e426d9f8e368f3f15a35d6a07714349b20432f7182f9fed4d258fbc769334e281f6d54c6960cd1ffdfc9df16

Download Submit
C:\Windows\SysWOW64\Ijcahd32.exe

Filesize
71KB

MD5
4b682131a8c9a9ff7552b689d7b326bb

SHA1
b0fafa66b166f41fcbfc10e84524164a2bd36b09

SHA256
8fc5e20c88f926db9d401a166a6db9e100baea0a6eccf62126d8ae1c81ea49d8

SHA512
b3518c40da7a0bf5cd574d0f9cdfbdda606e9ae77213d46adf4bf8bd2ebe7305a0bac0fd76a2e29ee2ef8ca1885cb838bbc08670dec5b5898bac46631d2f171b

Download Submit
C:\Windows\SysWOW64\Kdpmbc32.exe

Filesize
71KB

MD5
a1782671adfe164ba6165e722afbdb28

SHA1
3263af9a2023d1b5d03f4f81b384107c48b12b23

SHA256
be6808d92f15c936d18dbaf32b1c58676e328066423b637edf8b60d5a8d8181c

SHA512
b7d796f22359495a2f6523e6341ff63fbd6183a3d8c39d9a743a53d9a9cf6c3aa55accefde301e6cb67b1b7ee6135b030e60c7811d8c0316eb57f22311cd7a8a

Download Submit
C:\Windows\SysWOW64\Kgpodk32.exe

Filesize
35KB

MD5
0757813b19e43a39b93b0f8b5e381807

SHA1
c37fee007c60966bcd5f9d08c0253a3f91aa86d4

SHA256
b320e67163a58540abca93a689e4cd6bbf59715d224258a17237a84eefd11025

SHA512
381486df6a13169ef634accc16288f9ba680358e139e59e036c0d0b5020d7ff22a89f61ea7c409ea46e7cb1741425fd07a38fd8d1971f26cb546fde2738797fa

Download Submit
C:\Windows\SysWOW64\Lhiodm32.exe

Filesize
41KB

MD5
38131e37dd9e5b034dae3d9b99d69b7d

SHA1
865608dc004e80c48f803c1df29c26988f7f8bf9

SHA256
d0784e2abd0e70c1d8b06129bdac40ec711beb7a161e9ccd1eb2aef1955d0212

SHA512
a1438b3739d11a76a989fcdd8b0a898c47d7c44f141303ffe52f7bd19bddff269a5e7478e304e087e7c61c0e067080b7a1ca3dc2c2bdad14e9d9c250abd42fb7

Download Submit
C:\Windows\SysWOW64\Linmlm32.exe

Filesize
71KB

MD5
2134c8068e73a8894dc746d7b3791acd

SHA1
6242ae723b978431a21faf98be56ffae0db28253

SHA256
78a13736732413e2201141cd043905bcc4c6b03115538e97479bd2c3ee8b82f0

SHA512
5217d2fe81e3482a372300a54ef64ceea1cb81c7cf798c34dc578040c144aebb5e5ff9b8a154144193869ce0e992825c8c9e09d639c9ac7b2100cb25bbae08c6

Download Submit
C:\Windows\SysWOW64\Ljbfiegb.exe

Filesize
71KB

MD5
90e96f2f1ff2701180af084b3d2c8ca5

SHA1
d2b771ea00081c21fa7e4e5df21c3cc878835944

SHA256
bcb1a4812cfae92240b8f830e5d3d38947c031d97b01429e95e0808af9b4ba01

SHA512
7253175f741aca83b3499e5e6c70e9f058f7d9658bf1b5b99803e67df79f16eab11c28348089f7547f59fa1a85afdcb356b40f18357cccaddac7acef2455a64e

Download Submit
C:\Windows\SysWOW64\Lkjhfh32.exe

Filesize
31KB

MD5
aefcc52302e093156b11ea40759c60c5

SHA1
13f1d7f4eaa80b5fd6d0f8ec208b180a4939c9f3

SHA256
a850f81e19bc5e9ea4e82efb82289160dfe24d434bd2228bef166a80f5344032

SHA512
c17ceab0a63af76e6528541782869c426857ff2df96841d35b33d8e058ef25dd3d268d3d633c19f00e3fb9b84499f7e8e8e1eacbaec829bfaad13dffe6cc36e3

Download Submit
C:\Windows\SysWOW64\Locgagli.exe

Filesize
33KB

MD5
5af4417df1b2046403a4282d0e12bbcb

SHA1
a9695711a1d77ae6e71d7fb353ea5fb815ba6dff

SHA256
6aa413301cb5a74af184b6f734bfa02efcd3ae4a45ceae4623233430f342879e

SHA512
ca55893a38ff64cecda12d5bdc27b6500980c2c4b896c6a1d4bc4eebe225132ac11d2a58adc5df3930ac244fb368181f10abc779b930d2eb1a567924277f927c

Download Submit
C:\Windows\SysWOW64\Nbhcdl32.exe

Filesize
71KB

MD5
f9036fd719cfd9c4e77697900b721fec

SHA1
8f510d2c649c68737a495474f029ed54f0938b39

SHA256
bd5b51b05de5da53aff5e6ba4beac912cbf3d7c0f7d8b29d450b45f3484b90e5

SHA512
fa087be1d3c1d0a06c669b78e2fefeb622b027ce4efa875f558cde899210d5b8002bb92a7168801e76ea94e89f0ff14cbd9941fdaa51cfb3d59d48773a68dc76

Download Submit
C:\Windows\SysWOW64\Nmajbnha.exe

Filesize
1KB

MD5
b41cc2c4bf1b7a3345d182fdc5a7307e

SHA1
e488b6d7e1f2e052717ceeed2b19729cc0dd17e6

SHA256
3fdd426daec4c799219216259e7c453dc1f2cb0c45afbd12fea4cea1e0e5d5f4

SHA512
9dbc8a624b83c9d79f65759a54f9a1f8e806d09dc914749e47f977e4f7050e33e72a82594f531ffd73189cc266671378ff2e270a5117cf14b3ae06929a0e0f95

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
71KB

MD5
6d3e230c7e870ef1efd758cbb5264ed7

SHA1
4fbb7e9e6c1b706a2a674498142f6c14e281517a

SHA256
880425a4fbe7959be74d0efcc9ed0ed98dfa73b8c482ea41274475701c16e134

SHA512
dbe2c56baacad2eebe28382f2335d024ebd7c3199a00f0768b990b20027dda599bc445dc03a3dd4d77d9c89b551b11c135c49f18dcc95b7c7718510b535c5034

Download Submit
C:\Windows\SysWOW64\Oemofpel.exe

Filesize
36KB

MD5
5c24a4832be09bcfd7176911d8acf8b6

SHA1
3810024421f52f314ecac6faf9dc0a25abbc2a90

SHA256
8412ebfc328bb94a62f89375845f4b6a24febfb7851a5377fd65741327b502b0

SHA512
c623e8457bca4ab77aacff30d083f9669f7a48bd58b871a155556c4a5dd92ca94d1bc7d427cfc9d24cacc409733823e8ff3199b99f19512783c07bdb99ccd41c

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
71KB

MD5
05a453a130b84f5c438d0901216f9b3c

SHA1
b2e27a4da7eb083d85cd1d31aa187ab86b5422b3

SHA256
71463f544a0370224e57002c4770bfc75e38a30ccbab1982317ac0d30d241248

SHA512
e3efa8af7a140526e41d633aa3c7f54f5e983b092c72936e9faa8aac966999c4de8a8c9af5a47670f2c9e42fe6434e1599707a62765cdef4bf5df5204ef4c49e

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
71KB

MD5
a0562a77a05140cd75d5c885f02803a5

SHA1
1d364a27486b54f5539c4690eac1eb7ddddb004e

SHA256
75178b0f2f0bec9a4f6300370e2e9c8a7e7df8da91330de8b0deb00ad8a1dbb9

SHA512
f19e9cf826e1aaa266225999202a91895ad13744f698188f8b70f8cf0a259412e63d8f993527a3ab0696e4f719705bce32963a6fa75fd85ef34741f25a9f0b92

Download Submit
C:\Windows\SysWOW64\Okodlgbl.exe

Filesize
71KB

MD5
867694d7654f71493b7b7a9cece9a6d2

SHA1
3b641687e8cd20e6ed537e7affe6293a4f14ff96

SHA256
3a91dad3d38916ceea668f29667e7555a8f5b214026ea91b704e08eee4d355ba

SHA512
986eee2ce0c15ef2355914e98bd79abfb234c97db51b38b5c7c44ef99362d0ea3d3e4e3c66ba5045f5c9bb91dff1679ee6328ad4b3f3583a3963dc8def1b9b9f

Download Submit
C:\Windows\SysWOW64\Olidijjf.exe

Filesize
57KB

MD5
44c5c2c5ca92d2ddc3611839d0ac8331

SHA1
440e8f18d95863bec2d84878bf2e56d88d3d0e33

SHA256
293ff8abf7944b62f8126fe6e5bc7abb6ce8dce0e45360abcff59becebd41e5f

SHA512
788835db61ac4f1d9ef575c2a7e19b464b0e1ff3437d6e72dbabf4914f40e98212d7f251e560b6e312382fefa8296a36fb79a952a5e015fa218d0beaefdad5ac

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
71KB

MD5
e1a63390fb26d25d5c040678ac8e3576

SHA1
f9a1bcd81e998c9e4258ee0979cde676ad57f841

SHA256
1acf905406a576ec60ef16e176a69b6523697c3fc21c3347bac9b7aff4ef237a

SHA512
61dc88f6cdabe047e60e913aee6e9f44418e730fe1836899e02b26eca214590289fff2da7bb3693c29d311315cf0f2c43d76c234b34bd48f20d1a20c754199ba

Download Submit
C:\Windows\SysWOW64\Pboblika.exe

Filesize
71KB

MD5
97711d0b34d05b57570fac07fda3d7a7

SHA1
a22dea55db4afd36b03e39653286ca1b9e4d69d0

SHA256
ce62003493098fcae9f8765583e0258e549ef9b1ce286ae241771c99696967da

SHA512
1dba75bf56096ce01e9134a2ca5e14ffacd319e5e5d8c03f99bc3c369f05c34f426b9ecd71ae463031d3ab9a4bc728394ad944a34fb8cf181a2685b4f81d18f9

Download Submit
C:\Windows\SysWOW64\Pcfhlh32.exe

Filesize
71KB

MD5
b989dddd58e18b9c5ff71dcb0395a7e7

SHA1
ed170a2dfcc1038aa89588e47fc5ba0eff633b18

SHA256
4a948ad6b0fb03aed09931ec4ffd2e797303eed470d2501eac38e04ef7511141

SHA512
e4d914f5e88a7396f9bfc4427210991e3f7ed6a3b06ec598a3e2fa93544915ca57057a3ac82aec04f8ee3bb56e06a980261f8d97812e8fdc30f56e731db737b2

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
44KB

MD5
9cbe3ea1013bc48116e55b2ae824d833

SHA1
fc6ee5bacd45691a09e9243d5b2fe7028cde8860

SHA256
5dda25d573f184584c355a1eb438dfba95866ce7e029a24d87d75cf62815bcc1

SHA512
3290880e28bb13a819a363429548b6168bbbf865892fbb8ed0274cd0935d2b1c900b878c4ef8096e057ff1f542a4ba03cf8006306ef7aa730d0b3c2633f454fe

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
64KB

MD5
5e64150974539648fc370c374c981730

SHA1
052a8d9b3b55d9a9c32d77abc7c28185e502d2a7

SHA256
6d0e95f182eba88ea98ac7febd808ae8d93471c03400242d3ebb35d02bd36d38

SHA512
b3a356140fa3fb40cb4c8d00d5c77d1db10cd9a008ebcc0b36b93945ee8edce91ea0d5585dd40f97082c596022724b53c67196c4db8ad2237a3a0d1c0c823f93

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
45KB

MD5
fc7050391461e4082bf2410a09528b72

SHA1
d8d01e10d59c436275f4e6a942ddbe9c37219786

SHA256
94a05085b1ad2672abdbf4c98f0d6d13c08938be3efec4b6c9ba60d0a26d95b6

SHA512
2886b9c41c7d0e4c267e84a401cb0bd38e7040e29b6f03da73dfefad2b4df7c03c7d2243c970e30aed3d9de105b31075c179434b3686e0f9ddc218b51b6a6eba

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
71KB

MD5
02417df0e26ae3e45e91b80e43ff42ba

SHA1
583d6420a44904d987d8ec19cd5e4f48a4f28c9d

SHA256
6bb1e768093000a01d171d8acffe6fb0b96f17c6c587a99263b3d521fade498e

SHA512
9a0f1614d90ca2425d7376eaeac82d39a37ac40d7db0d7fb20db153326cf79ec58d9a4744322760be5917a1663d5beb39dedd055a5918af525f995a1c28278c9

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
71KB

MD5
906cbbda5193d3452708f4f95a4e9b57

SHA1
3652f06c619239f8195f97a72d0b3d27f0d14de9

SHA256
aa508a33353e1ae05078e67a19a300a08a63008c579b1ee103ca9e81a34f6a61

SHA512
61d7ce782451ff9d67b064ceec9fa79b9728f0484c27d60707e41c17e39d0e4a795961f8a0688e1bbe1fb910e52dd5a293390ff610e4852dd443a792cbdc03be

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
71KB

MD5
2031974980bd2f3622bb00d3a038532f

SHA1
229e899a4114f8c5b8ea44ce5064b32f8cf1b0b7

SHA256
b54d4b30534e61b26c5f6dcd4f32060c1d19e6681d32fa760fb7eb8d27fcca7f

SHA512
ad887a49c1c1f73a493200bb3dd105952f01e24f6ef42b2bbf7c2235adc646bc1b931ba8179593f4753d1704533ecef649efe832e7743c30ede8fd621bbbb4cb

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
71KB

MD5
a8e70ce25e62a26fb1471f8b31df22d5

SHA1
2b4b93c03efaacea3e34b2048e17ad14b620de8a

SHA256
9ca02a41ab546132cd12adeebb9b73b4462e6f24a7f49288eb7fef62d520ee6f

SHA512
67896b0d0a5cf9a60374f4276b1ed559f6915ec0c480f143b84681fb64639c2960f09492ce90c11c392b858be3438aca8ce00e6d01d6d4587d8f4c499735d3d7

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
71KB

MD5
c94ac3fb715c99ee5be4f474b8b82883

SHA1
274b41e97d8e1557563d4ed6415b08d289177fd4

SHA256
c96a6124500385335433390e55397412fd2dd35f6633f4717abd5ab6f4d6c55b

SHA512
5254bdd3a3bde66cd803452665bebfd7b2944f0b2ceae32613b8177771b62da91e4b2d632350503c935e05ac3e8ede2df4241b1c2e87df08ba47e78151ddd1fd

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
55KB

MD5
4a2a0ae7a89e8f27d8fab260969b8909

SHA1
0a187249cccdc70deefcd9e9004c032bd678ad04

SHA256
c6b21831a0efb75102981dc0d97c10a333d4c2c92258fcf4355d3459487884db

SHA512
1f7685785c7641121e387b1e1ade79ffeec44689d441b9b219676a70328e8089de71c2603753b6d061bc2e05a487d552e1d7c8cb51d3eaa639454e4907ba742c

Download Submit
C:\Windows\SysWOW64\Pindcboi.exe

Filesize
71KB

MD5
396009cca0e0fdebf0dccc5c3b25ed28

SHA1
8f42755d6a264b7ecf0a72f9e15cd356a2239e72

SHA256
72daaab9437245c48ebfd0feb3c1b34a207797931cbf03b1077cac4a0dfe17b2

SHA512
361c101772b94d2f364a554928351907a9358e5b7ffdf7cebf9b2ff0cd980e47fb85765164ecf9c16e551dc5127ee8163555487d6cb89042b295030970195492

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
71KB

MD5
2ed3e0fb52d1444e43db87fcc205e415

SHA1
ab7986bfad349cb52cf62b7f6e364a894ddc6598

SHA256
a55d009ddd922d69f22c9f18eee457b076dfea65eef3f1bb0be86f086dc0d0a0

SHA512
5d2facde52d55dd35b1c350c97fc3a6cd3fc5d0ec9caeecab2a735570bf673d986751d159ede5074a0c46d8d9d29014f30b4b4fa229a67590ca32b719ff77844

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
57KB

MD5
a46e84b136cb708dcddbefb5d8f0cac0

SHA1
d54bc5c6586b6729e5274af2fdb62dc6cd9daf26

SHA256
8b408919d327bd2daaebaa702d3921352c5ecea331b577e009088da6a3e42c12

SHA512
575b3eb8961959e3ad850cab0afdd32195a9172e864c45b7bd2454135551768b460473cc8cc25510bede6397367643c2a5f17fa7f1f4ca759bda052ff52b96dd

Download Submit
C:\Windows\SysWOW64\Pkdngf32.exe

Filesize
71KB

MD5
0ff8bf2d7a31120a662c3130d2f5dabc

SHA1
862851b94945705decafdb372c03e9e67f261fe3

SHA256
4884720b7548bb5ff148b4a813fa40a0122b73084f7a02f23f992d480f2f11ec

SHA512
474907ffca4036bdea1f186c9825c1da4b1b2be19d6207da50dee6d4dd5e1471725a176389921169d4e8c1511d80677b64b4f6f406229c5757f978480669249a

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
45KB

MD5
edc549217cfd0a2ae6602175f586fd37

SHA1
9c3cb5165da556981b434eaff5355def955cf3ff

SHA256
c0dca6d694912cd1b73a54700ce718162c8d7b28b7cbf5bd50a17b1121724a53

SHA512
f70277f2fd30efdeac9f84a7baf06132f847291b20fbbe57c923557aa5873f6947f87f7319eb5bd06bd83e05b1f0ef5e19d726b0de12848cf18e909216044e82

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
52KB

MD5
9e7349b687608634a7e45b7a08d694aa

SHA1
a643dbe4f8939d0e52a7a46e5192fc51e2b9e0cf

SHA256
5c4fbcfce5d43629da0892df05dfadcda84413669af78e391af9d78f8064a0af

SHA512
c3bd3e051d8df17e7ca45d283fb5dd5268c6f838b0ba5feec2110b350107a7f18c64c93b0a309dd5465e14e3676804b907ffce388881e0de6117b42e3d1d9e11

Download Submit
C:\Windows\SysWOW64\Pmefiakh.exe

Filesize
71KB

MD5
92f19e46c062df9a9cd66c1626e33e29

SHA1
ea1299872fe366c072de83e0a7a1d44b6d05e0f3

SHA256
f99f902cbef188dc1dd7cd83d984bfcdb65d3b4a80d0c9ed114f7756bee1ce24

SHA512
b34c7372e451f9bfdad1284f36eb292fec27e5a79ef82c394712dd92e8d91a286a5f0585d7f9ed363c45bc283c6b66b246c1f1363bd873e247ba921d23306228

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
22KB

MD5
beecd9a020bb379a7c6618135ba4494c

SHA1
fa0727657f4a2281be097ddace05cae10240b566

SHA256
fcfd1bf8b450e538e80af022564b3164525ee9297c31104add4e9fb6c86d6a9e

SHA512
40ecc0158d2804e5fe0c7b6d78615c5fdfcd3c16896ad0e8351ed2b3a490824899d5825fbcb619ab0f4d58f67f5ae6439475dc793fa43daba0613cbd85afcd3c

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
12KB

MD5
70d53e8f98963fb459308fdbe144d111

SHA1
0a4930491b24eb07ee5ec756959fd714e36e89d8

SHA256
5da143096fa2d17abde7847ede974d64fbe02c3fd9186bb376cccb286d86ec79

SHA512
b2d0ba01584650b4ef22fd80d537ee7b89865d714cddb2e1027a53fe7e47121d1447735f3fd542a91bdd3457556401eeca4b8055fbdff368e2dbacbc58d85bcb

Download Submit
C:\Windows\SysWOW64\Pmgcoaie.exe

Filesize
71KB

MD5
0e0dc06a3abc6d31e820e4b3767daa95

SHA1
82ad863fbd3ef2a5ce43e860b2945e5ee62ca1b1

SHA256
5cd45d5223f0f41173429557cfa23d14fe489f28ed4edfefb755f3e3564854ac

SHA512
4b308b6efd01ec862ccd7fc6adf4d204bcc440fed4987ee0c1f4d3ed3dbd276f1bb063b871dfe83962834945dbc5e8daadef1d4708bab0b39533281cf8974795

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
32KB

MD5
b5461cf242c0cabf8df458a96a613e53

SHA1
3e56d401093294deae034b15f60aaac64b057fdb

SHA256
742f115329be68d5c5ced4a7cc889e8b102d64f9baf4b56a6ff28810984b0dee

SHA512
1e9bf671adaee04280798f170ba8422f94263218a726a43d30ce7c50012892598eacab051d9ff7e937872a4496649abf127e56f68076bb3615315133e1f0b6e6

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
71KB

MD5
346cd05c4ca1666ee54d41933736c805

SHA1
4e44a78d4f209f36b42aa460450db974cfcd604e

SHA256
98633cb29b45f1cd24c4f6d0bdb7d0741a27fd32e9fe9ed094b129ebeaa4f339

SHA512
b594a405a09d4c2be1a7bea1ef134138053787507c8ebd578bb1302765afd484d8be5f68d73ee0c2f86dbdd557132d1fced56accbf0a141fd071f4319ffdc257

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
55KB

MD5
b13627ca97daaedda75b0d42a830c861

SHA1
b3d1345b8adcf96a1134e3946fea7834b152e400

SHA256
406d154e03a0919e8e3982984591f725c93b856c6ca9cb09ca3dc9a2d73541be

SHA512
c5917b2737887ff8e1570b86cd2237646cc841778fdd936cbcbf738e309d54e1315a344477fe9f833ecf63b95e2a73cc590693aed7b4ee1396be10fedcdbfc56

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
71KB

MD5
f3afec87d25b81333c6b8d2f7031dd62

SHA1
5ece92078b70819abb625a209a7a3fe1010f2c0c

SHA256
a67a3ea6d7e7c87c27b8a15788512fc36b35cbfae2d9a25683327cf04f3d4557

SHA512
79f09a163167de80ddb54e4082f9e9696b495ef3a5ec8e39d32a980baaece446f955c9810dbeec0b786d52ddc57726a147f588d841b58d68d2554e43b9b678d5

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
57KB

MD5
56df33596c4730b62ecd2ec7f656db63

SHA1
515448a72d4be0ad5b58f3aa952175fd0a931688

SHA256
10784aa2e8b80c99b816a5ebfc36c94764713485c85534dae0791b1707d82535

SHA512
403a23e3f549cb96cd436d8be5818500bc6fae570fdc7ad8a4e4376824afde45d895e78cb652a5fe243f5e347775c30b976c2141dab82b210ed845194024a782

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
71KB

MD5
e14c835e941f087f6c1d2b0882dc55c6

SHA1
fc1cd185f3755b173536c8297e0812cc0d2f11b8

SHA256
28b2c3073d547dc4301038a805512b88662e14942338deb6cff9439aec207636

SHA512
79d57505979951f4225519d14614696ff03828f3abbb11f88ca642bd77c7881d776b55ddeba3ee7983c31b218eb6587f8a4f20778773c837b469b347dd5d980d

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
71KB

MD5
93258a03802ae6dc5f551ab1ac5169b2

SHA1
7e41d8689b51cfc7e8b3568c7feb01c56d2ce60d

SHA256
668b194903884db3732c03a58d1dd144ab6eec026349b7d6d09fbe13b9c1e35d

SHA512
10291d4119d2ed464763ca74157f183d35d7575317da7751f01716093f38c13848cc4a0c153d64256fc420c76f1fe1d75a6946c7c4c4afb6bc61077e420ba7a4

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
71KB

MD5
bc97f74b659cc1aeacdb82445bfaaa38

SHA1
0ee7fe08025f9a0057bd2024f954d0d75d2b8715

SHA256
36a9e19b0ac552cb620788da361440391329fe69b5bc39321ae2bc8e425cb163

SHA512
b8d339cec083e32640de19a5fc3bae3ed726b7c3dac57cfbeab0dc093519fb49c44a268c3bbd131eaf83a43655f35e02dc9ef708dd35fb84f3c5308a7b195be2

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
71KB

MD5
2b98dce5ccfa5f81384228a84f640319

SHA1
fafca1d66b04abe8a5f6e42c2aac5ebb0a31b5b5

SHA256
5b47a1693a5113b1a829c62a872096ea2851adb0eece41c63cec9c6e2656db8c

SHA512
b70ec88d3de8aee27554e47cc11d1e5b501c0193ac38a0e8d3599f1a32aa62138be8064f655b22a890c2df93da83b065544cd958c864d87dab7970f5ac8cc626

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
71KB

MD5
c8f54da8360f5cb6c0d40ab2d0749baf

SHA1
93a5e370eb8f9492419f528e1025901ffc61a818

SHA256
48f5bbca66e1411993dea8ff53de8d6e8db66f042feb55a04be47b80b54bbbe5

SHA512
5dc501ad92d4f6b9b7899b58c1186073bee97da1eee687c0ed55173b70b352ee49b3bcf8928cc5727c76513d00bddbc5e1f24bf3293ab4a34e62ee86c76f881c

Download Submit
C:\Windows\SysWOW64\Qgppolie.dll

Filesize
7KB

MD5
32d5ac5f7644fb51b22848a26cc0eb34

SHA1
b0c604c72bc11561154ec68d560770daa08ffdd2

SHA256
a7e81c28b55c6170838e6264c7a096698c2152463fd1de491ed8db2af50a2b15

SHA512
8019a5f9fee4149884cd4083b67c10208911ef88d90be44e574f89eab97c9fb5e983713daa9eb55b95e4d1cc9506016b5ec793cea52eb918d3a8aa15ca13faa2

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
43KB

MD5
9aa5aaa190b2ed9da4c64e01aca35e40

SHA1
36c8fd4370b7db6ce3d8cf98dc70f40da1eed85c

SHA256
747059dcc71905a77c5e71202a985773f435037136200fff0e8a9b3dc3e400e4

SHA512
eb7721ad30c072630f92bb1325e7b1a0c6166a53310952ff1f7374f3cd5bd48ff7adcfa1b33c378fbc610f2ed51fd0aaec587a618f69b45df5812f999bcb70f7

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
71KB

MD5
bac63d7d6c5585872c9fc8ec01c07d9a

SHA1
b1323e46e5e35737c8dd1bf7edbdf3b32e8d52d3

SHA256
c2e3dbd28588c4efdfda48394d9b1e51e345e2731124ed07c7530b4902c06988

SHA512
320f0383417545a853bec222aeb456f0be788d60ae57d5bfb9495667d6d60dedf729495fa0c874b7e2754bdfc7e894138df8dfb3031dd80bb96c51d1fff8570a

Download Submit
C:\Windows\SysWOW64\Qkpmcddi.exe

Filesize
71KB

MD5
75dc2c19ecc88c661a0b22d656907143

SHA1
1ede8d1044fd78598db205a0b1c8f858e29e21b9

SHA256
a63faa8f53d031552566663936970abc0740c400adf881f41c7504780e8ef187

SHA512
6aa58cb5d71a8015ea2aff430fc2dc1239809b4412fff068b063cd1b9a189123ecf45a77994f95113506f1323bf728820c6f9bfacb533217f143c141b870d416

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
71KB

MD5
a2c4301d6463c30b957f58eefd7bff0a

SHA1
d8fc55b9fe7e9f3fe82e7571d01f56d144d043a5

SHA256
56d40c61fc0cd5a33946f467f13dbf9e566d15d28e6394e334fb7b9c3a1702e0

SHA512
5fc7fc4241ddded4a5545379136bdac463117a429d13216db90ffeb206d342ad717d63747c4aeb0f92a07372b28afdab59ea59f97aa2d0645f73bf2ef9108aa5

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
71KB

MD5
dd1b57c4be2ce4feeed5633c3d8415aa

SHA1
a52dd6c5cf0a2ebffc5c2a79b762784d0a1b976a

SHA256
ffb25082c87eb0289313a5d48754d60d6c9f2b1fcb11093c362aab01dc58f568

SHA512
72e34eebdf79f440c7caf1ed57fa158ce89b5fb8fb6d58e02ac4f6ef127b92dbef8c208bc48b7649e0a1100fb6784596e44e7418f8301a312391ca9dc3053928

Download Submit
memory/568-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads