0bdb63ff5ecc270c9d6f5d5875983a19b98a3939adf132ef041fcd13ccffb704

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

571fd0cc73f2b330fa707ba760c4d694.exe
Size

72KB
MD5

571fd0cc73f2b330fa707ba760c4d694
SHA1

813a63ee8fec3a0c8588b54061c7fd29815e3fc2
SHA256

0bdb63ff5ecc270c9d6f5d5875983a19b98a3939adf132ef041fcd13ccffb704
SHA512

ef13e44ee19fe2595968207bc2b80f564a5b60a644b38ed8a481b83dc825e11dda70985ff35761555ae9a509a44c40503323c0b3651cb6eeadca3301aeff00f7
SSDEEP

1536:NgGHUjkui3y+9DIRIjAqeMsssRGu9gg9N9ogz:NPQkD98R1RsCTDz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cecbmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkhbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckcgkldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojmcld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahhblemi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahode32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elppfmoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agffge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnnanphk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daolnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgdji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbgipldd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkikkeeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkfblfab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iicbehnq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgoobc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Immapg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgdlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doeiljfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eaklidoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmcojh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbefaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fchddejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cliaoq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fojlngce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddbbeade.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkmlofol.exe

Executes dropped EXE 64 IoCs

pid	Process
3804	Lkdggmlj.exe
4844	Lmccchkn.exe
3980	Ldmlpbbj.exe
3008	Lgkhlnbn.exe
4028	Lijdhiaa.exe
4052	Laalifad.exe
4752	Lcbiao32.exe
440	Lgneampk.exe
4812	Lkiqbl32.exe
3728	Lnhmng32.exe
3548	Laciofpa.exe
4220	Ldaeka32.exe
2696	Lcdegnep.exe
4392	Lklnhlfb.exe
60	Ljnnch32.exe
1980	Lnjjdgee.exe
1608	Lphfpbdi.exe
4272	Lddbqa32.exe
2332	Lcgblncm.exe
1296	Lgbnmm32.exe
4860	Mjqjih32.exe
2684	Mnlfigcc.exe
4868	Mpkbebbf.exe
4544	Mdfofakp.exe
3692	Mgekbljc.exe
3368	Mkpgck32.exe
3384	Mnocof32.exe
1588	Majopeii.exe
4336	Mdiklqhm.exe
3536	Mcklgm32.exe
1864	Mkbchk32.exe
348	Mjeddggd.exe
3320	Mamleegg.exe
2928	Mpolqa32.exe
1824	Mdkhapfj.exe
4696	Mgidml32.exe
1620	Mkepnjng.exe
5008	Mjhqjg32.exe
2160	Maohkd32.exe
4496	Mpaifalo.exe
1912	Mdmegp32.exe
1280	Mcpebmkb.exe
1340	Mkgmcjld.exe
4396	Mjjmog32.exe
2888	Maaepd32.exe
3296	Mdpalp32.exe
3168	Mcbahlip.exe
388	Nkjjij32.exe
5104	Njljefql.exe
4512	Nnhfee32.exe
1540	Nqfbaq32.exe
4792	Ndbnboqb.exe
1000	Nceonl32.exe
3520	Ngpjnkpf.exe
2368	Njogjfoj.exe
4160	Nafokcol.exe
1412	Nqiogp32.exe
3668	Nddkgonp.exe
3096	Ncgkcl32.exe
4020	Ngcgcjnc.exe
4856	Njacpf32.exe
4376	Nnmopdep.exe
1188	Nbhkac32.exe
2668	Ndghmo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Aacckjaf.exe	Andgoobc.exe
File opened for modification	C:\Windows\SysWOW64\Gmjlcj32.exe	Gfpcgpae.exe
File created	C:\Windows\SysWOW64\Aoohalad.dll	Kbaipkbi.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Pkfblfab.exe	Pgjfkg32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bhnipd32.dll	Dddojq32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ogljjiei.exe	Odnnnnfe.exe
File created	C:\Windows\SysWOW64\Bkblkg32.dll	Ibqpimpl.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Dccbbhld.exe	Dkljak32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Hbcbgk32.dll	Eeidoc32.exe
File opened for modification	C:\Windows\SysWOW64\Mmnldp32.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Eoolbinc.exe	Elppfmoo.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Andgoobc.exe	Alfkbc32.exe
File opened for modification	C:\Windows\SysWOW64\Elbmlmml.exe	Edkdkplj.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ekiapn32.dll	Oqkdcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bhaebcen.exe	Becifhfj.exe
File created	C:\Windows\SysWOW64\Hikhen32.dll	Glhonj32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Agffge32.exe	Acjjfggb.exe
File opened for modification	C:\Windows\SysWOW64\Jlkagbej.exe	Jmhale32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaedkdp.exe	Jbeidl32.exe
File opened for modification	C:\Windows\SysWOW64\Okolkg32.exe	Ogcpjhoq.exe
File created	C:\Windows\SysWOW64\Hbbdholl.exe	Hodgkc32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Flakmgga.dll	Icplcpgo.exe
File opened for modification	C:\Windows\SysWOW64\Jehokgge.exe	Jfeopj32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnidn32.exe	Kpbmco32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Jmmjgejj.exe	Jianff32.exe
File created	C:\Windows\SysWOW64\Pjkombfj.exe	Pgmcqggf.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dadeieea.exe	Doeiljfn.exe
File opened for modification	C:\Windows\SysWOW64\Ikbnacmd.exe	Imoneg32.exe
File created	C:\Windows\SysWOW64\Ibqpimpl.exe	Ilghlc32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Okeieh32.exe	Ogjmdigk.exe
File created	C:\Windows\SysWOW64\Fqqlehck.dll	Helfik32.exe
File created	C:\Windows\SysWOW64\Enoogcin.dll	Hbbdholl.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Aacckjaf.exe	Andgoobc.exe
File created	C:\Windows\SysWOW64\Ihoofe32.dll	Imdgqfbd.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Oggacefk.dll	Fhemmlhc.exe
File created	C:\Windows\SysWOW64\Eifbkgjd.dll	Jimekgff.exe
File opened for modification	C:\Windows\SysWOW64\Jfhlejnh.exe	Jcioiood.exe
File created	C:\Windows\SysWOW64\Kpgfooop.exe	Klljnp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
13572	13492	WerFault.exe	667

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahmlgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hckjacjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njohbh32.dll"	Ifefimom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohdbiic.dll"	Odnnnnfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ondeac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhjbhod.dll"	Ajdbcano.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imdgqfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmacdaj.dll"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aegikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bajjli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnepdqjg.dll"	Elppfmoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gicinj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmknaell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnkjc32.dll"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onklabip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Foabofnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffbangm.dll"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgmcqggf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbefaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcagkdba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojjffddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dccbbhld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifjodl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgpfak.dll"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alfkbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfpcgpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikhen32.dll"	Glhonj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cegjejoc.dll"	Daaicfgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjehihl.dll"	Dkljak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blbknaib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmogab32.dll"	Dlgmpogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofeilobp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 3804	1652	571fd0cc73f2b330fa707ba760c4d694.exe	87
PID 1652 wrote to memory of 3804	1652	571fd0cc73f2b330fa707ba760c4d694.exe	87
PID 1652 wrote to memory of 3804	1652	571fd0cc73f2b330fa707ba760c4d694.exe	87
PID 3804 wrote to memory of 4844	3804	Lkdggmlj.exe	88
PID 3804 wrote to memory of 4844	3804	Lkdggmlj.exe	88
PID 3804 wrote to memory of 4844	3804	Lkdggmlj.exe	88
PID 4844 wrote to memory of 3980	4844	Lmccchkn.exe	89
PID 4844 wrote to memory of 3980	4844	Lmccchkn.exe	89
PID 4844 wrote to memory of 3980	4844	Lmccchkn.exe	89
PID 3980 wrote to memory of 3008	3980	Ldmlpbbj.exe	90
PID 3980 wrote to memory of 3008	3980	Ldmlpbbj.exe	90
PID 3980 wrote to memory of 3008	3980	Ldmlpbbj.exe	90
PID 3008 wrote to memory of 4028	3008	Lgkhlnbn.exe	91
PID 3008 wrote to memory of 4028	3008	Lgkhlnbn.exe	91
PID 3008 wrote to memory of 4028	3008	Lgkhlnbn.exe	91
PID 4028 wrote to memory of 4052	4028	Lijdhiaa.exe	92
PID 4028 wrote to memory of 4052	4028	Lijdhiaa.exe	92
PID 4028 wrote to memory of 4052	4028	Lijdhiaa.exe	92
PID 4052 wrote to memory of 4752	4052	Laalifad.exe	93
PID 4052 wrote to memory of 4752	4052	Laalifad.exe	93
PID 4052 wrote to memory of 4752	4052	Laalifad.exe	93
PID 4752 wrote to memory of 440	4752	Lcbiao32.exe	256
PID 4752 wrote to memory of 440	4752	Lcbiao32.exe	256
PID 4752 wrote to memory of 440	4752	Lcbiao32.exe	256
PID 440 wrote to memory of 4812	440	Lgneampk.exe	255
PID 440 wrote to memory of 4812	440	Lgneampk.exe	255
PID 440 wrote to memory of 4812	440	Lgneampk.exe	255
PID 4812 wrote to memory of 3728	4812	Lkiqbl32.exe	94
PID 4812 wrote to memory of 3728	4812	Lkiqbl32.exe	94
PID 4812 wrote to memory of 3728	4812	Lkiqbl32.exe	94
PID 3728 wrote to memory of 3548	3728	Lnhmng32.exe	254
PID 3728 wrote to memory of 3548	3728	Lnhmng32.exe	254
PID 3728 wrote to memory of 3548	3728	Lnhmng32.exe	254
PID 3548 wrote to memory of 4220	3548	Laciofpa.exe	253
PID 3548 wrote to memory of 4220	3548	Laciofpa.exe	253
PID 3548 wrote to memory of 4220	3548	Laciofpa.exe	253
PID 4220 wrote to memory of 2696	4220	Ldaeka32.exe	252
PID 4220 wrote to memory of 2696	4220	Ldaeka32.exe	252
PID 4220 wrote to memory of 2696	4220	Ldaeka32.exe	252
PID 2696 wrote to memory of 4392	2696	Lcdegnep.exe	95
PID 2696 wrote to memory of 4392	2696	Lcdegnep.exe	95
PID 2696 wrote to memory of 4392	2696	Lcdegnep.exe	95
PID 4392 wrote to memory of 60	4392	Lklnhlfb.exe	251
PID 4392 wrote to memory of 60	4392	Lklnhlfb.exe	251
PID 4392 wrote to memory of 60	4392	Lklnhlfb.exe	251
PID 60 wrote to memory of 1980	60	Ljnnch32.exe	96
PID 60 wrote to memory of 1980	60	Ljnnch32.exe	96
PID 60 wrote to memory of 1980	60	Ljnnch32.exe	96
PID 1980 wrote to memory of 1608	1980	Lnjjdgee.exe	249
PID 1980 wrote to memory of 1608	1980	Lnjjdgee.exe	249
PID 1980 wrote to memory of 1608	1980	Lnjjdgee.exe	249
PID 1608 wrote to memory of 4272	1608	Lphfpbdi.exe	97
PID 1608 wrote to memory of 4272	1608	Lphfpbdi.exe	97
PID 1608 wrote to memory of 4272	1608	Lphfpbdi.exe	97
PID 4272 wrote to memory of 2332	4272	Lddbqa32.exe	247
PID 4272 wrote to memory of 2332	4272	Lddbqa32.exe	247
PID 4272 wrote to memory of 2332	4272	Lddbqa32.exe	247
PID 2332 wrote to memory of 1296	2332	Lcgblncm.exe	246
PID 2332 wrote to memory of 1296	2332	Lcgblncm.exe	246
PID 2332 wrote to memory of 1296	2332	Lcgblncm.exe	246
PID 1296 wrote to memory of 4860	1296	Lgbnmm32.exe	245
PID 1296 wrote to memory of 4860	1296	Lgbnmm32.exe	245
PID 1296 wrote to memory of 4860	1296	Lgbnmm32.exe	245
PID 4860 wrote to memory of 2684	4860	Mjqjih32.exe	244

C:\Users\Admin\AppData\Local\Temp\571fd0cc73f2b330fa707ba760c4d694.exe
"C:\Users\Admin\AppData\Local\Temp\571fd0cc73f2b330fa707ba760c4d694.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\Lkdggmlj.exe
  C:\Windows\system32\Lkdggmlj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SysWOW64\Lmccchkn.exe
    C:\Windows\system32\Lmccchkn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\Ldmlpbbj.exe
      C:\Windows\system32\Ldmlpbbj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:440

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\SysWOW64\Laciofpa.exe
  C:\Windows\system32\Laciofpa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3548

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\SysWOW64\Ljnnch32.exe
  C:\Windows\system32\Ljnnch32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:60

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\Lphfpbdi.exe
  C:\Windows\system32\Lphfpbdi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1608

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\SysWOW64\Lcgblncm.exe
  C:\Windows\system32\Lcgblncm.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2332

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
1⤵
- Executes dropped EXE
PID:1864
- C:\Windows\SysWOW64\Mjeddggd.exe
  C:\Windows\system32\Mjeddggd.exe
  2⤵
  - Executes dropped EXE
  PID:348

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
1⤵
- Executes dropped EXE
PID:4696
- C:\Windows\SysWOW64\Mkepnjng.exe
  C:\Windows\system32\Mkepnjng.exe
  2⤵
  - Executes dropped EXE
  PID:1620

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
1⤵
- Executes dropped EXE
PID:2160
- C:\Windows\SysWOW64\Mpaifalo.exe
  C:\Windows\system32\Mpaifalo.exe
  2⤵
  - Executes dropped EXE
  PID:4496

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
1⤵
- Executes dropped EXE
PID:2888
- C:\Windows\SysWOW64\Mdpalp32.exe
  C:\Windows\system32\Mdpalp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:3296
- - C:\Windows\SysWOW64\Mcbahlip.exe
    C:\Windows\system32\Mcbahlip.exe
    3⤵
    - Executes dropped EXE
    PID:3168

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
1⤵
- Executes dropped EXE
PID:5104
- C:\Windows\SysWOW64\Nnhfee32.exe
  C:\Windows\system32\Nnhfee32.exe
  2⤵
  - Executes dropped EXE
  PID:4512

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
1⤵
- Executes dropped EXE
PID:1000
- C:\Windows\SysWOW64\Ngpjnkpf.exe
  C:\Windows\system32\Ngpjnkpf.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- - C:\Windows\SysWOW64\Njogjfoj.exe
    C:\Windows\system32\Njogjfoj.exe
    3⤵
    - Executes dropped EXE
    PID:2368

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
1⤵
- Executes dropped EXE
PID:3096
- C:\Windows\SysWOW64\Ngcgcjnc.exe
  C:\Windows\system32\Ngcgcjnc.exe
  2⤵
  - Executes dropped EXE
  PID:4020

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4856
- C:\Windows\SysWOW64\Nnmopdep.exe
  C:\Windows\system32\Nnmopdep.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:4376

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
1⤵
PID:1072
- C:\Windows\SysWOW64\Njcpee32.exe
  C:\Windows\system32\Njcpee32.exe
  2⤵
  PID:1992

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
PID:2204
- C:\Windows\SysWOW64\Ndidbn32.exe
  C:\Windows\system32\Ndidbn32.exe
  2⤵
  PID:4908

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
- Drops file in System32 directory
PID:1840
- C:\Windows\SysWOW64\Nggqoj32.exe
  C:\Windows\system32\Nggqoj32.exe
  2⤵
  PID:1456

C:\Windows\SysWOW64\Njfmke32.exe
C:\Windows\system32\Njfmke32.exe
1⤵
PID:5148
- C:\Windows\SysWOW64\Nnaikd32.exe
  C:\Windows\system32\Nnaikd32.exe
  2⤵
  PID:5188

C:\Windows\SysWOW64\Nqpego32.exe
C:\Windows\system32\Nqpego32.exe
1⤵
PID:5232
- C:\Windows\SysWOW64\Ncnadk32.exe
  C:\Windows\system32\Ncnadk32.exe
  2⤵
  PID:5272

C:\Windows\SysWOW64\Ondeac32.exe
C:\Windows\system32\Ondeac32.exe
1⤵
- Modifies registry class
PID:5432
- C:\Windows\SysWOW64\Oqbamo32.exe
  C:\Windows\system32\Oqbamo32.exe
  2⤵
  PID:5488

C:\Windows\SysWOW64\Odnnnnfe.exe
C:\Windows\system32\Odnnnnfe.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:5532
- C:\Windows\SysWOW64\Ogljjiei.exe
  C:\Windows\system32\Ogljjiei.exe
  2⤵
  PID:5576

C:\Windows\SysWOW64\Ojjffddl.exe
C:\Windows\system32\Ojjffddl.exe
1⤵
- Modifies registry class
PID:5624
- C:\Windows\SysWOW64\Onfbfc32.exe
  C:\Windows\system32\Onfbfc32.exe
  2⤵
  PID:5660

C:\Windows\SysWOW64\Obangb32.exe
C:\Windows\system32\Obangb32.exe
1⤵
PID:5712
- C:\Windows\SysWOW64\Odpjcm32.exe
  C:\Windows\system32\Odpjcm32.exe
  2⤵
  PID:5748

C:\Windows\SysWOW64\Occkojkm.exe
C:\Windows\system32\Occkojkm.exe
1⤵
PID:5796
- C:\Windows\SysWOW64\Okjbpglo.exe
  C:\Windows\system32\Okjbpglo.exe
  2⤵
  PID:5836

C:\Windows\SysWOW64\Ojmcld32.exe
C:\Windows\system32\Ojmcld32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5876
- C:\Windows\SysWOW64\Obdkma32.exe
  C:\Windows\system32\Obdkma32.exe
  2⤵
  PID:5924

C:\Windows\SysWOW64\Oqgkhnjf.exe
C:\Windows\system32\Oqgkhnjf.exe
1⤵
PID:5968
- C:\Windows\SysWOW64\Odbgim32.exe
  C:\Windows\system32\Odbgim32.exe
  2⤵
  PID:6008

C:\Windows\SysWOW64\Okloegjl.exe
C:\Windows\system32\Okloegjl.exe
1⤵
PID:6096
- C:\Windows\SysWOW64\Ojopad32.exe
  C:\Windows\system32\Ojopad32.exe
  2⤵
  PID:5140
- - C:\Windows\SysWOW64\Onklabip.exe
    C:\Windows\system32\Onklabip.exe
    3⤵
    - Modifies registry class
    PID:5196

C:\Windows\SysWOW64\Ogaceh32.exe
C:\Windows\system32\Ogaceh32.exe
1⤵
PID:6056

C:\Windows\SysWOW64\Oqihnn32.exe
C:\Windows\system32\Oqihnn32.exe
1⤵
PID:5268
- C:\Windows\SysWOW64\Odednmpm.exe
  C:\Windows\system32\Odednmpm.exe
  2⤵
  PID:5340

C:\Windows\SysWOW64\Ogcpjhoq.exe
C:\Windows\system32\Ogcpjhoq.exe
1⤵
- Drops file in System32 directory
PID:5476
- C:\Windows\SysWOW64\Okolkg32.exe
  C:\Windows\system32\Okolkg32.exe
  2⤵
  PID:5168

C:\Windows\SysWOW64\Ojalgcnd.exe
C:\Windows\system32\Ojalgcnd.exe
1⤵
PID:5584
- C:\Windows\SysWOW64\Onmhgb32.exe
  C:\Windows\system32\Onmhgb32.exe
  2⤵
  PID:5668

C:\Windows\SysWOW64\Pcjapi32.exe
C:\Windows\system32\Pcjapi32.exe
1⤵
PID:5776
- C:\Windows\SysWOW64\Pgemphmn.exe
  C:\Windows\system32\Pgemphmn.exe
  2⤵
  PID:5872

C:\Windows\SysWOW64\Pkaiqf32.exe
C:\Windows\system32\Pkaiqf32.exe
1⤵
PID:5904
- C:\Windows\SysWOW64\Pjdilcla.exe
  C:\Windows\system32\Pjdilcla.exe
  2⤵
  PID:5644
- - C:\Windows\SysWOW64\Pbkamqmd.exe
    C:\Windows\system32\Pbkamqmd.exe
    3⤵
    PID:6040
  - - C:\Windows\SysWOW64\Pqnaim32.exe
      C:\Windows\system32\Pqnaim32.exe
      4⤵
      PID:6088

C:\Windows\SysWOW64\Pclneicb.exe
C:\Windows\system32\Pclneicb.exe
1⤵
PID:3912
- C:\Windows\SysWOW64\Pghieg32.exe
  C:\Windows\system32\Pghieg32.exe
  2⤵
  PID:5380

C:\Windows\SysWOW64\Pkceffcd.exe
C:\Windows\system32\Pkceffcd.exe
1⤵
PID:5512
- C:\Windows\SysWOW64\Pnbbbabh.exe
  C:\Windows\system32\Pnbbbabh.exe
  2⤵
  PID:5616

C:\Windows\SysWOW64\Pbmncp32.exe
C:\Windows\system32\Pbmncp32.exe
1⤵
PID:5708
- C:\Windows\SysWOW64\Pqpnombl.exe
  C:\Windows\system32\Pqpnombl.exe
  2⤵
  PID:5792
- - C:\Windows\SysWOW64\Peljol32.exe
    C:\Windows\system32\Peljol32.exe
    3⤵
    PID:5816
  - - C:\Windows\SysWOW64\Pgjfkg32.exe
      C:\Windows\system32\Pgjfkg32.exe
      4⤵
      Drops file in System32 directory
      PID:6000

C:\Windows\SysWOW64\Pkfblfab.exe
C:\Windows\system32\Pkfblfab.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1300
- C:\Windows\SysWOW64\Pjhbgb32.exe
  C:\Windows\system32\Pjhbgb32.exe
  2⤵
  PID:6132

C:\Windows\SysWOW64\Pbpjhp32.exe
C:\Windows\system32\Pbpjhp32.exe
1⤵
PID:5256
- C:\Windows\SysWOW64\Pengdk32.exe
  C:\Windows\system32\Pengdk32.exe
  2⤵
  PID:2976

C:\Windows\SysWOW64\Pnfkma32.exe
C:\Windows\system32\Pnfkma32.exe
1⤵
PID:6048
- C:\Windows\SysWOW64\Pbbgnpgl.exe
  C:\Windows\system32\Pbbgnpgl.exe
  2⤵
  PID:5176
- - C:\Windows\SysWOW64\Paegjl32.exe
    C:\Windows\system32\Paegjl32.exe
    3⤵
    PID:5484

C:\Windows\SysWOW64\Pjkombfj.exe
C:\Windows\system32\Pjkombfj.exe
1⤵
PID:5912

C:\Windows\SysWOW64\Pgopffec.exe
C:\Windows\system32\Pgopffec.exe
1⤵
PID:5860
- C:\Windows\SysWOW64\Pkjlge32.exe
  C:\Windows\system32\Pkjlge32.exe
  2⤵
  PID:5956

C:\Windows\SysWOW64\Pnihcq32.exe
C:\Windows\system32\Pnihcq32.exe
1⤵
PID:232
- C:\Windows\SysWOW64\Pnihcq32.exe
  C:\Windows\system32\Pnihcq32.exe
  2⤵
  PID:5572

C:\Windows\SysWOW64\Pagdol32.exe
C:\Windows\system32\Pagdol32.exe
1⤵
PID:6084
- C:\Windows\SysWOW64\Qecppkdm.exe
  C:\Windows\system32\Qecppkdm.exe
  2⤵
  PID:5744

C:\Windows\SysWOW64\Qgallfcq.exe
C:\Windows\system32\Qgallfcq.exe
1⤵
PID:5500
- C:\Windows\SysWOW64\Qkmhlekj.exe
  C:\Windows\system32\Qkmhlekj.exe
  2⤵
  PID:5000

C:\Windows\SysWOW64\Qbgqio32.exe
C:\Windows\system32\Qbgqio32.exe
1⤵
PID:6148
- C:\Windows\SysWOW64\Qajadlja.exe
  C:\Windows\system32\Qajadlja.exe
  2⤵
  PID:6192

C:\Windows\SysWOW64\Qjbena32.exe
C:\Windows\system32\Qjbena32.exe
1⤵
PID:6276
- C:\Windows\SysWOW64\Qnnanphk.exe
  C:\Windows\system32\Qnnanphk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6316
- - C:\Windows\SysWOW64\Qalnjkgo.exe
    C:\Windows\system32\Qalnjkgo.exe
    3⤵
    PID:6360

C:\Windows\SysWOW64\Qeemej32.exe
C:\Windows\system32\Qeemej32.exe
1⤵
PID:6232

C:\Windows\SysWOW64\Aegikj32.exe
C:\Windows\system32\Aegikj32.exe
1⤵
- Modifies registry class
PID:6412
- C:\Windows\SysWOW64\Acjjfggb.exe
  C:\Windows\system32\Acjjfggb.exe
  2⤵
  - Drops file in System32 directory
  PID:6464

C:\Windows\SysWOW64\Agffge32.exe
C:\Windows\system32\Agffge32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6512
- C:\Windows\SysWOW64\Ajdbcano.exe
  C:\Windows\system32\Ajdbcano.exe
  2⤵
  - Modifies registry class
  PID:6552

C:\Windows\SysWOW64\Anpncp32.exe
C:\Windows\system32\Anpncp32.exe
1⤵
PID:6600
- C:\Windows\SysWOW64\Abkjdnoa.exe
  C:\Windows\system32\Abkjdnoa.exe
  2⤵
  PID:6648

C:\Windows\SysWOW64\Aanjpk32.exe
C:\Windows\system32\Aanjpk32.exe
1⤵
PID:6684
- C:\Windows\SysWOW64\Acmflf32.exe
  C:\Windows\system32\Acmflf32.exe
  2⤵
  PID:6728

C:\Windows\SysWOW64\Aldomc32.exe
C:\Windows\system32\Aldomc32.exe
1⤵
PID:6804
- C:\Windows\SysWOW64\Ajfoiqll.exe
  C:\Windows\system32\Ajfoiqll.exe
  2⤵
  PID:6840

C:\Windows\SysWOW64\Abngjnmo.exe
C:\Windows\system32\Abngjnmo.exe
1⤵
PID:6892
- C:\Windows\SysWOW64\Aaqgek32.exe
  C:\Windows\system32\Aaqgek32.exe
  2⤵
  PID:6940

C:\Windows\SysWOW64\Aelcfilb.exe
C:\Windows\system32\Aelcfilb.exe
1⤵
PID:6976
- C:\Windows\SysWOW64\Ahkobekf.exe
  C:\Windows\system32\Ahkobekf.exe
  2⤵
  PID:7016

C:\Windows\SysWOW64\Alfkbc32.exe
C:\Windows\system32\Alfkbc32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:7060
- C:\Windows\SysWOW64\Andgoobc.exe
  C:\Windows\system32\Andgoobc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:7100
- - C:\Windows\SysWOW64\Aacckjaf.exe
    C:\Windows\system32\Aacckjaf.exe
    3⤵
    PID:7144
  - - C:\Windows\SysWOW64\Aeopki32.exe
      C:\Windows\system32\Aeopki32.exe
      4⤵
      PID:5656
    - - C:\Windows\SysWOW64\Ahmlgd32.exe
        
        C:\Windows\system32\Ahmlgd32.exe
        5⤵
        Modifies registry class
        
        PID:6200
      - C:\Windows\SysWOW64\Angddopp.exe
        
        C:\Windows\system32\Angddopp.exe
        6⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Aealah32.exe
        
        C:\Windows\system32\Aealah32.exe
        7⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        8⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Alkdnboj.exe
        
        C:\Windows\system32\Alkdnboj.exe
        9⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Abemjmgg.exe
        
        C:\Windows\system32\Abemjmgg.exe
        10⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Becifhfj.exe
        
        C:\Windows\system32\Becifhfj.exe
        11⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Bhaebcen.exe
        
        C:\Windows\system32\Bhaebcen.exe
        12⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Bjpaooda.exe
        
        C:\Windows\system32\Bjpaooda.exe
        13⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Bbgipldd.exe
        
        C:\Windows\system32\Bbgipldd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6792
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        15⤵
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        16⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        17⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        18⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        19⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Bjdkjo32.exe
        
        C:\Windows\system32\Bjdkjo32.exe
        20⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\Bblckl32.exe
        
        C:\Windows\system32\Bblckl32.exe
        21⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        22⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Bhikcb32.exe
        
        C:\Windows\system32\Bhikcb32.exe
        23⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Bobcpmfc.exe
        
        C:\Windows\system32\Bobcpmfc.exe
        24⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        25⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        26⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Cacmah32.exe
        
        C:\Windows\system32\Cacmah32.exe
        27⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        28⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7112
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        30⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        31⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        32⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6880
        
        C:\Windows\SysWOW64\Ckpjfm32.exe
        
        C:\Windows\system32\Ckpjfm32.exe
        35⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        36⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Ckcgkldl.exe
        
        C:\Windows\system32\Ckcgkldl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6536
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        38⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        39⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6492
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        41⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Dhidjpqc.exe
        
        C:\Windows\system32\Dhidjpqc.exe
        42⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        43⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        44⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        45⤵
        Modifies registry class
        
        PID:7220
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        46⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        47⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        48⤵
        Modifies registry class
        
        PID:7340
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7380
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        50⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7464
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        52⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        53⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7548
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        54⤵
        Modifies registry class
        
        PID:7584
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        55⤵
        Drops file in System32 directory
        
        PID:7632
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        56⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        57⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7760
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        59⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        60⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        61⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        62⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7968
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        64⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        65⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8100
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        67⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        68⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        69⤵
        Drops file in System32 directory
        
        PID:7204
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        70⤵
        Drops file in System32 directory
        
        PID:7252
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        71⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        72⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        73⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        74⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        75⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        76⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        77⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        78⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        79⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        80⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        81⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        82⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        83⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        84⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        85⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        86⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        87⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        88⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7700
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        90⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        91⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        92⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        93⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        94⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7432
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7616
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        97⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        98⤵
        Drops file in System32 directory
        
        PID:8024
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        99⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        100⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        101⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        102⤵
        Modifies registry class
        
        PID:7956
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        103⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        104⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        105⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8096
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        107⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        108⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        109⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8320
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        111⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        112⤵
        Modifies registry class
        
        PID:8404
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8448
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        114⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8524
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        116⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8616
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        118⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        119⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        120⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        121⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        122⤵
        Modifies registry class
        
        PID:8832
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        123⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        124⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        125⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        126⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        127⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        128⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        129⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        130⤵
        Modifies registry class
        
        PID:9168
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        131⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        132⤵
        Drops file in System32 directory
        
        PID:8224
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8312
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        134⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        135⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        136⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        137⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8628
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        139⤵
        Drops file in System32 directory
        
        PID:8696
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        140⤵
        Drops file in System32 directory
        
        PID:8764
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        141⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8892
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        143⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        144⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        145⤵
        
        PID:9092

C:\Windows\SysWOW64\Ahhblemi.exe
C:\Windows\system32\Ahhblemi.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6768

C:\Windows\SysWOW64\Qnkdhpjn.exe
C:\Windows\system32\Qnkdhpjn.exe
1⤵
PID:4276

C:\Windows\SysWOW64\Pbddcoei.exe
C:\Windows\system32\Pbddcoei.exe
1⤵
PID:5832

C:\Windows\SysWOW64\Pcccfh32.exe
C:\Windows\system32\Pcccfh32.exe
1⤵
PID:5684

C:\Windows\SysWOW64\Pgmcqggf.exe
C:\Windows\system32\Pgmcqggf.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:5760

C:\Windows\SysWOW64\Pcagphom.exe
C:\Windows\system32\Pcagphom.exe
1⤵
PID:5632

C:\Windows\SysWOW64\Peimil32.exe
C:\Windows\system32\Peimil32.exe
1⤵
PID:5136

C:\Windows\SysWOW64\Oqkdcn32.exe
C:\Windows\system32\Oqkdcn32.exe
1⤵
- Drops file in System32 directory
PID:2900

C:\Windows\SysWOW64\Ocgdji32.exe
C:\Windows\system32\Ocgdji32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5396

C:\Windows\SysWOW64\Ojhiqefo.exe
C:\Windows\system32\Ojhiqefo.exe
1⤵
PID:5388

C:\Windows\SysWOW64\Okeieh32.exe
C:\Windows\system32\Okeieh32.exe
1⤵
PID:5348

C:\Windows\SysWOW64\Ogjmdigk.exe
C:\Windows\system32\Ogjmdigk.exe
1⤵
- Drops file in System32 directory
PID:5312

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
1⤵
PID:2196

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
1⤵
PID:1760

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
- Drops file in System32 directory
PID:2600

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
1⤵
- Executes dropped EXE
PID:1412

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
1⤵
- Executes dropped EXE
PID:4160

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4792

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
1⤵
- Executes dropped EXE
PID:388

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4396

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
1⤵
- Executes dropped EXE
PID:1340

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1912

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2928

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3320

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
1⤵
- Executes dropped EXE
PID:1588

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3384

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
1⤵
- Executes dropped EXE
PID:3692

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4544

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\Hioiji32.exe
C:\Windows\system32\Hioiji32.exe
1⤵
PID:7752
- C:\Windows\SysWOW64\Hmjdjgjo.exe
  C:\Windows\system32\Hmjdjgjo.exe
  2⤵
  PID:8296

C:\Windows\SysWOW64\Hkmefd32.exe
C:\Windows\system32\Hkmefd32.exe
1⤵
PID:8400
- C:\Windows\SysWOW64\Hcdmga32.exe
  C:\Windows\system32\Hcdmga32.exe
  2⤵
  PID:8492

C:\Windows\SysWOW64\Hfcicmqp.exe
C:\Windows\system32\Hfcicmqp.exe
1⤵
PID:8732
- C:\Windows\SysWOW64\Iefioj32.exe
  C:\Windows\system32\Iefioj32.exe
  2⤵
  PID:8776

C:\Windows\SysWOW64\Immapg32.exe
C:\Windows\system32\Immapg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8936
- C:\Windows\SysWOW64\Ikpaldog.exe
  C:\Windows\system32\Ikpaldog.exe
  2⤵
  PID:9068

C:\Windows\SysWOW64\Icgjmapi.exe
C:\Windows\system32\Icgjmapi.exe
1⤵
- Modifies registry class
PID:8272
- C:\Windows\SysWOW64\Ifefimom.exe
  C:\Windows\system32\Ifefimom.exe
  2⤵
  - Modifies registry class
  PID:8480

C:\Windows\SysWOW64\Iehfdi32.exe
C:\Windows\system32\Iehfdi32.exe
1⤵
PID:8632
- C:\Windows\SysWOW64\Iicbehnq.exe
  C:\Windows\system32\Iicbehnq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:8816

C:\Windows\SysWOW64\Ikbnacmd.exe
C:\Windows\system32\Ikbnacmd.exe
1⤵
PID:9160
- C:\Windows\SysWOW64\Ipnjab32.exe
  C:\Windows\system32\Ipnjab32.exe
  2⤵
  PID:8252
- - C:\Windows\SysWOW64\Iejcji32.exe
    C:\Windows\system32\Iejcji32.exe
    3⤵
    PID:8596
  - - C:\Windows\SysWOW64\Imakkfdg.exe
      C:\Windows\system32\Imakkfdg.exe
      4⤵
      PID:8884
    - - C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        5⤵
        
        PID:9208
      - C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        6⤵
        Modifies registry class
        
        PID:8476
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        7⤵
        Modifies registry class
        
        PID:8580
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        8⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        9⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8684
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        10⤵
        Drops file in System32 directory
        
        PID:9248
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9296
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        12⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        13⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        14⤵
        
        PID:9412

C:\Windows\SysWOW64\Imoneg32.exe
C:\Windows\system32\Imoneg32.exe
1⤵
- Drops file in System32 directory
PID:8976

C:\Windows\SysWOW64\Ipknlb32.exe
C:\Windows\system32\Ipknlb32.exe
1⤵
PID:9204

C:\Windows\SysWOW64\Hbgmcnhf.exe
C:\Windows\system32\Hbgmcnhf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:8624

C:\Windows\SysWOW64\Hecmijim.exe
C:\Windows\system32\Hecmijim.exe
1⤵
PID:9156

C:\Windows\SysWOW64\Icplcpgo.exe
C:\Windows\system32\Icplcpgo.exe
1⤵
- Drops file in System32 directory
PID:9452
- C:\Windows\SysWOW64\Jfoiokfb.exe
  C:\Windows\system32\Jfoiokfb.exe
  2⤵
  PID:9500

C:\Windows\SysWOW64\Jimekgff.exe
C:\Windows\system32\Jimekgff.exe
1⤵
- Drops file in System32 directory
PID:9588
- C:\Windows\SysWOW64\Jmhale32.exe
  C:\Windows\system32\Jmhale32.exe
  2⤵
  - Drops file in System32 directory
  PID:9628

C:\Windows\SysWOW64\Jpgmha32.exe
C:\Windows\system32\Jpgmha32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:9708
- C:\Windows\SysWOW64\Jcbihpel.exe
  C:\Windows\system32\Jcbihpel.exe
  2⤵
  PID:9748

C:\Windows\SysWOW64\Jbeidl32.exe
C:\Windows\system32\Jbeidl32.exe
1⤵
- Drops file in System32 directory
PID:9796
- C:\Windows\SysWOW64\Jfaedkdp.exe
  C:\Windows\system32\Jfaedkdp.exe
  2⤵
  PID:9844

C:\Windows\SysWOW64\Jioaqfcc.exe
C:\Windows\system32\Jioaqfcc.exe
1⤵
PID:9884
- C:\Windows\SysWOW64\Jmknaell.exe
  C:\Windows\system32\Jmknaell.exe
  2⤵
  - Modifies registry class
  PID:9928

C:\Windows\SysWOW64\Jcefno32.exe
C:\Windows\system32\Jcefno32.exe
1⤵
PID:10056
- C:\Windows\SysWOW64\Jefbfgig.exe
  C:\Windows\system32\Jefbfgig.exe
  2⤵
  PID:10096

C:\Windows\SysWOW64\Jianff32.exe
C:\Windows\system32\Jianff32.exe
1⤵
- Drops file in System32 directory
PID:10140
- C:\Windows\SysWOW64\Jmmjgejj.exe
  C:\Windows\system32\Jmmjgejj.exe
  2⤵
  - Modifies registry class
  PID:10184

C:\Windows\SysWOW64\Jpijnqkp.exe
C:\Windows\system32\Jpijnqkp.exe
1⤵
- Modifies registry class
PID:10020

C:\Windows\SysWOW64\Jcgbco32.exe
C:\Windows\system32\Jcgbco32.exe
1⤵
PID:9256
- C:\Windows\SysWOW64\Jbjcolha.exe
  C:\Windows\system32\Jbjcolha.exe
  2⤵
  PID:9328

C:\Windows\SysWOW64\Jfeopj32.exe
C:\Windows\system32\Jfeopj32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:9444
- C:\Windows\SysWOW64\Jehokgge.exe
  C:\Windows\system32\Jehokgge.exe
  2⤵
  PID:9484

C:\Windows\SysWOW64\Jlbgha32.exe
C:\Windows\system32\Jlbgha32.exe
1⤵
PID:9640
- C:\Windows\SysWOW64\Jpnchp32.exe
  C:\Windows\system32\Jpnchp32.exe
  2⤵
  PID:9704
- - C:\Windows\SysWOW64\Jcioiood.exe
    C:\Windows\system32\Jcioiood.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID:9776
  - - C:\Windows\SysWOW64\Jfhlejnh.exe
      C:\Windows\system32\Jfhlejnh.exe
      4⤵
      PID:9828
    - - C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        5⤵
        
        PID:9912

C:\Windows\SysWOW64\Jmpgldhg.exe
C:\Windows\system32\Jmpgldhg.exe
1⤵
PID:9572

C:\Windows\SysWOW64\Jlpkba32.exe
C:\Windows\system32\Jlpkba32.exe
1⤵
PID:10236

C:\Windows\SysWOW64\Jlnnmb32.exe
C:\Windows\system32\Jlnnmb32.exe
1⤵
PID:9972

C:\Windows\SysWOW64\Jifhaenk.exe
C:\Windows\system32\Jifhaenk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:9984
- C:\Windows\SysWOW64\Jlednamo.exe
  C:\Windows\system32\Jlednamo.exe
  2⤵
  PID:10044

C:\Windows\SysWOW64\Jpppnp32.exe
C:\Windows\system32\Jpppnp32.exe
1⤵
- Modifies registry class
PID:10092
- C:\Windows\SysWOW64\Jcllonma.exe
  C:\Windows\system32\Jcllonma.exe
  2⤵
  PID:10180

C:\Windows\SysWOW64\Kfjhkjle.exe
C:\Windows\system32\Kfjhkjle.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:9312
- C:\Windows\SysWOW64\Kemhff32.exe
  C:\Windows\system32\Kemhff32.exe
  2⤵
  PID:9496
- - C:\Windows\SysWOW64\Kmdqgd32.exe
    C:\Windows\system32\Kmdqgd32.exe
    3⤵
    PID:9568

C:\Windows\SysWOW64\Kpbmco32.exe
C:\Windows\system32\Kpbmco32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:9824
- C:\Windows\SysWOW64\Kdnidn32.exe
  C:\Windows\system32\Kdnidn32.exe
  2⤵
  PID:9880

C:\Windows\SysWOW64\Kbaipkbi.exe
C:\Windows\system32\Kbaipkbi.exe
1⤵
- Drops file in System32 directory
PID:10016
- C:\Windows\SysWOW64\Kfmepi32.exe
  C:\Windows\system32\Kfmepi32.exe
  2⤵
  - Modifies registry class
  PID:10124

C:\Windows\SysWOW64\Kmfmmcbo.exe
C:\Windows\system32\Kmfmmcbo.exe
1⤵
PID:9488
- C:\Windows\SysWOW64\Klimip32.exe
  C:\Windows\system32\Klimip32.exe
  2⤵
  - Modifies registry class
  PID:9664
- - C:\Windows\SysWOW64\Kpeiioac.exe
    C:\Windows\system32\Kpeiioac.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:9788
  - - C:\Windows\SysWOW64\Kdqejn32.exe
      C:\Windows\system32\Kdqejn32.exe
      4⤵
      PID:10000
    - - C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        5⤵
        Modifies registry class
        
        PID:10160

C:\Windows\SysWOW64\Kikame32.exe
C:\Windows\system32\Kikame32.exe
1⤵
PID:8460

C:\Windows\SysWOW64\Klgqcqkl.exe
C:\Windows\system32\Klgqcqkl.exe
1⤵
PID:9680

C:\Windows\SysWOW64\Kboljk32.exe
C:\Windows\system32\Kboljk32.exe
1⤵
PID:9244

C:\Windows\SysWOW64\Jlkagbej.exe
C:\Windows\system32\Jlkagbej.exe
1⤵
PID:9672

C:\Windows\SysWOW64\Jeaikh32.exe
C:\Windows\system32\Jeaikh32.exe
1⤵
PID:9544

C:\Windows\SysWOW64\Kimnbd32.exe
C:\Windows\system32\Kimnbd32.exe
1⤵
PID:9784
- C:\Windows\SysWOW64\Kmijbcpl.exe
  C:\Windows\system32\Kmijbcpl.exe
  2⤵
  PID:10028

C:\Windows\SysWOW64\Klljnp32.exe
C:\Windows\system32\Klljnp32.exe
1⤵
- Drops file in System32 directory
PID:9364
- C:\Windows\SysWOW64\Kpgfooop.exe
  C:\Windows\system32\Kpgfooop.exe
  2⤵
  PID:9764

C:\Windows\SysWOW64\Kfankifm.exe
C:\Windows\system32\Kfankifm.exe
1⤵
- Modifies registry class
PID:10224
- C:\Windows\SysWOW64\Kedoge32.exe
  C:\Windows\system32\Kedoge32.exe
  2⤵
  PID:9316
- - C:\Windows\SysWOW64\Kmkfhc32.exe
    C:\Windows\system32\Kmkfhc32.exe
    3⤵
    - Modifies registry class
    PID:10280
  - - C:\Windows\SysWOW64\Kpjcdn32.exe
      C:\Windows\system32\Kpjcdn32.exe
      4⤵
      PID:10324
    - - C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        5⤵
        
        PID:10364
      - C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        6⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10460
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        8⤵
        Modifies registry class
        
        PID:10500
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        9⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        10⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        11⤵
        
        PID:10636
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        12⤵
        Modifies registry class
        
        PID:10672
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        13⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        14⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        15⤵
        
        PID:10808
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        16⤵
        
        PID:10856
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10900
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        18⤵
        
        PID:10948
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        19⤵
        
        PID:10992
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        20⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        21⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        22⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11164
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11208
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        25⤵
        Modifies registry class
        
        PID:11248
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        26⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        27⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        28⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        29⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        30⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        31⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10656
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        33⤵
        Drops file in System32 directory
        
        PID:10740
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        34⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        35⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        36⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        37⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        38⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        39⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        40⤵
        Drops file in System32 directory
        
        PID:10396
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        41⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        42⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        43⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        44⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        45⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        46⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        47⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        48⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        49⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        50⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        51⤵
        Modifies registry class
        
        PID:9968
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        52⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:11136
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        54⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        55⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        56⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11304
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        58⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        59⤵
        Modifies registry class
        
        PID:11392
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        60⤵
        Modifies registry class
        
        PID:11448
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        61⤵
        
        PID:11488
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        62⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11572
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        64⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        65⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        66⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        67⤵
        
        PID:11740
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        68⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        69⤵
        Drops file in System32 directory
        
        PID:11828
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        70⤵
        
        PID:11872
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        71⤵
        Drops file in System32 directory
        
        PID:11912
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        72⤵
        
        PID:11960
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12008
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        74⤵
        
        PID:12064
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        75⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        76⤵
        Modifies registry class
        
        PID:12144
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:12188
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        78⤵
        
        PID:12224
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        79⤵
        Drops file in System32 directory
        
        PID:12268
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        80⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        81⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        82⤵
        
        PID:11424
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        83⤵
        
        PID:11496
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:11564
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        85⤵
        
        PID:11632
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        86⤵
        
        PID:11696
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:11764
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        88⤵
        
        PID:11812
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        89⤵
        Modifies registry class
        
        PID:11900
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:11976
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        91⤵
        Modifies registry class
        
        PID:12060
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        92⤵
        
        PID:12132
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        93⤵
        Modifies registry class
        
        PID:12196
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        94⤵
        
        PID:12264
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        95⤵
        
        PID:11312
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        96⤵
        Drops file in System32 directory
        
        PID:11432
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        97⤵
        
        PID:11548
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        98⤵
        
        PID:11640
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        99⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        100⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        101⤵
        Modifies registry class
        
        PID:11996
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        102⤵
        
        PID:12108
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        103⤵
        
        PID:12220
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:11296
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        105⤵
        
        PID:11512
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        106⤵
        Modifies registry class
        
        PID:11728
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        107⤵
        Drops file in System32 directory
        
        PID:11820
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        108⤵
        
        PID:11956
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:12212
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        110⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        111⤵
        
        PID:11688
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        112⤵
        
        PID:11944
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        113⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        114⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12240
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        116⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        117⤵
        
        PID:12168
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        118⤵
        
        PID:12320
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        119⤵
        
        PID:12364
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        120⤵
        
        PID:12404
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        121⤵
        
        PID:12444
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        122⤵
        
        PID:12484
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        123⤵
        
        PID:12520
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:12556
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        125⤵
        Drops file in System32 directory
        
        PID:12600
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12648
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        127⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        128⤵
        
        PID:12736
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        129⤵
        
        PID:12772
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:12808
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        131⤵
        
        PID:12844
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        132⤵
        
        PID:12880
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        133⤵
        
        PID:12916
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        134⤵
        
        PID:12952
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        135⤵
        
        PID:12988
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        136⤵
        
        PID:13024
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        137⤵
        
        PID:13060
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        138⤵
        
        PID:13096
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        139⤵
        
        PID:13136
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        140⤵
        
        PID:13176
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        141⤵
        
        PID:13220
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        142⤵
        
        PID:13256
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        143⤵
        Drops file in System32 directory
        
        PID:13292
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        144⤵
        
        PID:12216
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        145⤵
        
        PID:12356
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        146⤵
        
        PID:12412
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:12472
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        148⤵
        
        PID:12540
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        149⤵
        
        PID:12608
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        150⤵
        
        PID:12692
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        151⤵
        
        PID:12760
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        152⤵
        
        PID:12828

C:\Windows\SysWOW64\Kdcbom32.exe
C:\Windows\system32\Kdcbom32.exe
1⤵
PID:8600

C:\Windows\SysWOW64\Kebbafoj.exe
C:\Windows\system32\Kebbafoj.exe
1⤵
PID:9448

C:\Windows\SysWOW64\Cajlhqjp.exe
C:\Windows\system32\Cajlhqjp.exe
1⤵
PID:12944
- C:\Windows\SysWOW64\Ceehho32.exe
  C:\Windows\system32\Ceehho32.exe
  2⤵
  PID:13012

C:\Windows\SysWOW64\Chcddk32.exe
C:\Windows\system32\Chcddk32.exe
1⤵
PID:13144
- C:\Windows\SysWOW64\Chcddk32.exe
  C:\Windows\system32\Chcddk32.exe
  2⤵
  PID:13208

C:\Windows\SysWOW64\Cjbpaf32.exe
C:\Windows\system32\Cjbpaf32.exe
1⤵
PID:11400
- C:\Windows\SysWOW64\Cmqmma32.exe
  C:\Windows\system32\Cmqmma32.exe
  2⤵
  PID:12388
- - C:\Windows\SysWOW64\Calhnpgn.exe
    C:\Windows\system32\Calhnpgn.exe
    3⤵
    PID:12508
  - - C:\Windows\SysWOW64\Ddjejl32.exe
      C:\Windows\system32\Ddjejl32.exe
      4⤵
      PID:12640
    - - C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        5⤵
        
        PID:12800
      - C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        6⤵
        Drops file in System32 directory
        
        PID:12976
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        7⤵
        
        PID:13116
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        8⤵
        
        PID:13300
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        9⤵
        
        PID:968
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        10⤵
        
        PID:12548
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        11⤵
        
        PID:12724
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        12⤵
        Drops file in System32 directory
        
        PID:13048
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        13⤵
        Modifies registry class
        
        PID:12428
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:12720
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        15⤵
        
        PID:13228
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        16⤵
        
        PID:12936
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        17⤵
        Drops file in System32 directory
        
        PID:12352
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        18⤵
        
        PID:13348
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        19⤵
        
        PID:13384
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:13420
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        21⤵
        
        PID:13456
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        22⤵
        
        PID:13492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13492 -s 432
        23⤵
        Program crash
        
        PID:13572

C:\Windows\SysWOW64\Cffdpghg.exe
C:\Windows\system32\Cffdpghg.exe
1⤵
PID:13252

C:\Windows\SysWOW64\Cdhhdlid.exe
C:\Windows\system32\Cdhhdlid.exe
1⤵
PID:13092

C:\Windows\SysWOW64\Cmnpgb32.exe
C:\Windows\system32\Cmnpgb32.exe
1⤵
PID:12872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 13492 -ip 13492
1⤵
PID:13548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aanjpk32.exe

Filesize
72KB

MD5
d2140e86a919c8a516c78c858ae67757

SHA1
83b3fccb723fb64f2838b148f8f83343b8d21461

SHA256
d8b271286e1f81d99c851d7a117f7e9dffc994207aea76f3489e0ba97fc835ff

SHA512
e175225c529227029c73d1960fbe0370a3d218be33237738e9e51885fa80a329d4b51ce9375cef3d7db8f7d25d362dbf3d0c46f40bbe147ba14011e840a5f744

Download Submit
C:\Windows\SysWOW64\Aelcfilb.exe

Filesize
72KB

MD5
9b1dd726b122a1cce540be3588af2204

SHA1
fc4418e86b0b974295508c25e60912d9e8b25410

SHA256
26fc91625d57941ab81c3ae58a6ad75cd562de6d3fb5f2608bdca40e750bae86

SHA512
7c5e881cc2397666de41a93c979a192e02a7a2c18b635efcd33b27ce24d43a8392386ecff0883e6f7dc8eb00e10af5684f21dd9164e46f5c22c1007e6bbfe256

Download Submit
C:\Windows\SysWOW64\Aldomc32.exe

Filesize
72KB

MD5
5af6e8b9b6ce017bde3c0476d15f6df9

SHA1
263ccf435a373c2de7c55df563e6b3c12047aa96

SHA256
7e58876ef54f95fbbb2d55f69ef1a557fbaca4cb62b95634b662eb432ce9755a

SHA512
d3dfd4ad80dd01a05e520ea13ad73981376f6e8194f16e30b4cad9d06a11815aa82810860aa983449a45b3571981ff88a93b2dc9cb0e7c782ba881b67980d698

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
72KB

MD5
7e4ed9599b03a0b7e259cccecc2b221c

SHA1
3b21108f5170d7249a476332959e0cf82d39afe8

SHA256
58457a0e2eab4d82e93f1e8233fc36ce57eb168a7ef9a62aa85bf18e7ce1d68b

SHA512
321222b921d0417f02574aa061ed1bf74cd61a2833881757117a3f8503675e5772891a67396c62d306b8896e8393d3f5198788204e66d6ae61a556340778986b

Download Submit
C:\Windows\SysWOW64\Blfdia32.exe

Filesize
72KB

MD5
fa8013a0b6da8ac0fb7ea638ea2f7f1a

SHA1
0f9dd7799426146e357ae4d9f7c70fad712f4fb6

SHA256
2a8ca222ed246c7d1752ab89c018372657081c4e867454751d5198982414e079

SHA512
8e94fe793227b1221ef8c688d471fa53587d15321bf934bf373d75978ba58e67a2d50eb640fdacc02a87a974b5f7cf33227a03dcc0a5a55cd59f51250214c1ab

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
72KB

MD5
e606a845c9fcee9fdc20f5644ddb9b1f

SHA1
ea93ab8be6065c87d23222350eb76f84fd6326ff

SHA256
827bf62a503a95ce84dc9a29cbf5a54b156878f803fac041ea49b6fab0d05e4e

SHA512
8afd97183b3a06364792319190003b0a6f462cd88656c1fb69ce9c985bfe59ddf5b88ddde1e42f1cb1db37a74e1cfe18bd7ec208408f91bc9d25fc069b68c8c2

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
72KB

MD5
2f58c76621d1aeca4ccae8587121d447

SHA1
b031d5e50c9d5421f5b37795b59d838fc1700e51

SHA256
6b7497ff33e438ca9d2bb41f740a26feb9f391dc163d16f479536f06717926e2

SHA512
0dc5458e8bd56cbc5b6aa6578e036555ed4ffb96dead11781026240fff4cedb0892b84fb98967af634049eb47fa9016105b78c1c722d678751d06fee451903b3

Download Submit
C:\Windows\SysWOW64\Cddecc32.exe

Filesize
72KB

MD5
6fafffa14bfdb05b85712e99550bbf9a

SHA1
d5cab3df7f48fa4ad258f8eb4f35c8afb82f7105

SHA256
ba881edef6707aa109b7426b2dd9efa39cefde4fde8e60c2df700f49cdb50d13

SHA512
144cb15a4f58d91102a457e251942612b21326fa8ff794a5c22e51f87ae5058b87e33f8678a565d5edbddd1c389364a3463a5db876a49222854c8e6c0ce17405

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
72KB

MD5
5141c549d6864ab44a4f646662ec47d8

SHA1
6703a764b45f24f6f622775b67dcb3a67ad242c3

SHA256
0d93b47184bb852a1b58f1f1e2b5f7dfd97f574d6ec7ae33d30ed7216930171a

SHA512
8adff2613e80cc4f86df2cf6b5c1b89281602b02465e7667f2532366c7a2a653baaa86b543c664631cb44f4efd47f747f69f1074fa3a567c47899d41cbd95586

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
72KB

MD5
0b7451e026294729be6b747b24d94468

SHA1
a751111f5bb62a7aced082a5bc32eccf8de562b8

SHA256
07184fd593a5d01773789d58b99d5afac0a063aa631c59be2bb26dbb5bd24024

SHA512
436f79065d7b5a3a8bf526e8912a0ada0e69309dd9c31e5b0d5125e6cb2533011d405184e7e03154fbdfbf7b9f21e9fe70312a4556853e31ae566df04ec7f20a

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
72KB

MD5
8d3dc137251b15ff6321eb558bc916cb

SHA1
4c76652b6aaea4de20dd6dd08cbba6db5e08551b

SHA256
7a9525b52d13a700dbc9e1ebedb4c8232c5299012442a663a2c34da789dc8314

SHA512
2e0403c3a275dd369aee47d09756aa5a8bfb5e13f2b89e0f94782dfea05dd9ba1d86bf37b272a0122661fd869e368eda49d15ba03a10587aa0ff3b5900083627

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
72KB

MD5
13d5ce706c4e4becdf659cb1d97f2e57

SHA1
f3926b934fc4ac26a94577e51da9fbbc4e795aca

SHA256
95470eb966059db732b9ccdf0178b48f996ae5b406a21f599f26155f2913577e

SHA512
2303b57a8fce9fdd4383e5a36b963b078c77376c94b6a55c622ec1f3747a574b31cfe1e54c40a437ee9d7a795052a7235945a17f77641072d099ee3ed6d32a09

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
72KB

MD5
372f3ffcfa400a700b107fbe26df8cf4

SHA1
ec493f3ea7eae0725588929dcd4bec0cd443d7b4

SHA256
b82d45a0a1fb4fb2a767ad32f0ca121329f42c55cade46351ee2eb71945e6062

SHA512
a0289ae1f27c902464524553a099a2a884d7ebe956ac0dc1366ced541ec275810ca387d9ccd0a95026392c3317eb6679d8d7fefbe86bb0f09b79e7b7de0b08dc

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
72KB

MD5
37c4155c64bd6979891e636e90e8c15b

SHA1
da1b0580dd03d93c830d00bba89703a18d950710

SHA256
b2a0bfc4e36f591049c0f619539da2a9d965d223b79197ebce6394b9f9562cbd

SHA512
9ecdeda0d54180f6eef966a8133660007a994ec87f48e02def71e6948f2c086aded68809ee60937b03c669c593811cfda24c767f69b000bad8145468b4f0d183

Download Submit
C:\Windows\SysWOW64\Fckajehi.exe

Filesize
72KB

MD5
c8243c3f355f02e7f5d88ba03b3aca6c

SHA1
652d07810b2e274b627dd9b2404039e99be681f9

SHA256
cad54d9160c1228ec6805b4153f0cea1146075135277f776563880e40d6e2abf

SHA512
5a60669a18865e6ab25bc73379c7716d9683d6a46b761757f1c1be93b43008721f0e61d3aab62fdc49d1f27ae93ce414e7ebc78aa88027c00e4cc63bc09cee53

Download Submit
C:\Windows\SysWOW64\Gokdeeec.exe

Filesize
72KB

MD5
6522d33d1a64c1adc984515d7b28a3d6

SHA1
2c88460ebff1953469f46ff910939adebd1988af

SHA256
0f20a1e2b3bff7b12dce5ecdf7ac67a1eea2f8d65a9f990c0b5da27741ba07f7

SHA512
c1ef4cd569c0377ce98c171b8db0f087f27bd915cc38063f966cce67e46b2367328d2ce2d1079bf8f058011c841374d0cbd317078ddba03b1847de9a0a18ce3c

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
72KB

MD5
dd2034c0fc1799084b8bb69c078f1167

SHA1
afdc6ffa84561a040b0e0913ad315c559917b266

SHA256
e7bc0c032fc03df00f0afa13725cbf51bd84490e5a849c4563dab17ee63b6d4e

SHA512
db5ac44c03fba6649c99a0af576b815b3ee08549ac642f4320b7c67a83d089ac0ecdf8436a3edf82901bde7378a1cf00cfaacf01f9bc0b8ff4d9e9a3c83baf3c

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
72KB

MD5
c1b353b1118e79d224b87b751127efbe

SHA1
f6355ec2b8a718468f3cc6105326f290a65d707b

SHA256
5596d6e2297bcdee8cd3fc87a4e20df10f8935f29e11c79c1436884af74d515b

SHA512
93654f5e27592c642d3d8a8b6f16143fb222c5be81f9e89bff54b3d6537b0fb50a57e57ed07c6e51e704fbaaff3d12425d07535a32bd728a227292b7f9d9955b

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
72KB

MD5
276453b9261e3595fbf8be4f5a251012

SHA1
7547581039d25270385de9412ef6f6993d69887b

SHA256
d19dbc78c2a101d6f0f4ec3e5fa848121c5a9dfa1060b54403fb9cbf8adb5766

SHA512
0c9be043f6401a02d2d457572ad628bba6663a10f014c31ce69bdf1c5f4bb0e70f880f700fb9fea5053a71d83c7a5cb751c1dd797e65a5f8ec8a6c31229e4bfe

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
72KB

MD5
e974b4fc0e8c7fd34a68d597347f83e8

SHA1
64e150d00fe3a0653cc7f1b09575c4545dedca02

SHA256
32fd4dcee31ec70a83f01b333e66b892849b76d5051cd59419e1c0d03d2c5f30

SHA512
62d29848ce5e8c6b61e04fdb5a360d1194bc86e9f638e42f6a9d1a3f3e31b740182f61bfc39dbc616bd6c07253a315852fa9255d817a1e3b302749a70ed424b0

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
72KB

MD5
02cc72a75edb83f2b57a52eb2087308c

SHA1
02e9861fb27c57c15fb3797ee77bad8303f5de07

SHA256
720fb7cbea053b5b89e7e022e914207dbaaf5285094e765d2bd0f2b4eb3ec739

SHA512
d130ece71a461d9eab1b2489704816b7eeedfc5782894bd1d888cd34735b1d60f891b5dd46669636e9f708b04bb37d44813cdb13cdbee0fcc7319131cbbe1296

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
72KB

MD5
696c67fc23d81e0880100905324b0d69

SHA1
09d351751995e2fe0435d12aaca6c93be054a6a4

SHA256
5aede6417bc66f90cd903eadfd2a6f807cd7b5f2a047c41749ce2753a0941f88

SHA512
0f2b3af2af8c0b712663348fe315c4b0354f6acacac2ef23b64690c83de6dab7b1a94d15eab72a5ccb5df6d87bee96c8957ae5abee1f3e5f9fd2159d0cece9c4

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
72KB

MD5
9b772fa0c1d6edc980eca8cf644c4f02

SHA1
9d361ba22f3a5490fe30bd433069681f0deb6abb

SHA256
55c7b8e626f186d9a72771ab3e9501e2e15326598d7396e950d8adc8d8672720

SHA512
6f412376494b0442b6c0febfb54a35e9dcf99b120e70837e8434a4011a670abb9cd26a533ad2c1995d9f148bfd9dc0f0e40c6bdd6cfa53b186d734294406d71f

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
72KB

MD5
1530af953edd8df728a25a80ee8090cf

SHA1
fef86e828ec220a001015a3ddb1bd84cdbd01ae2

SHA256
007cc0fcae26b7429206c7158833bfb2c75bbc0ec30a636684e1b07c256588f9

SHA512
a4cc3bfa8ab376755613a03acce5fbf5e4b7cd1884f18546fee32d446aed5ae027691651fa07b46c863f11965ec80f3d915e83c0cafde478385994cbc30ea456

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
72KB

MD5
0fcfd2dabb8f49ecaa929e9d8a5a501f

SHA1
4ce85fc4a81e69b05cb3205cd7e1e2bed41d891b

SHA256
73d68e3fec84a9a4fc0ea1d7d127bff1b25952ea83f2cdd6f42a8204f15bfec0

SHA512
eaca69a97b8f25540e3e8165991af7a9fe859b888025a861571c14af760530fa096a76421769788925c68e8bf29079bcd8347e19a89a31b800c6c3958ae6c31e

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
72KB

MD5
965d87ffca9fc6c5c1842376a222bc38

SHA1
9a66bd060de18fa59b5368f8eae697e6c3fb4cd2

SHA256
f69b13f429df331ae85fa89b7bd8a17895e78df1977b0bd117754828e6172efa

SHA512
336ac4a0131935cfa2750276f2d81ea63c4abd4055550a0c868cf97ae64e5c19ccf9d8733516f7180de10d8cb3372a4c5f7237cfc393994a0b18d0d8b81cbe76

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
72KB

MD5
3994404574e26a8b17063c67fd02ab25

SHA1
2179298750478d025e40a008bf01d753afe74080

SHA256
7d2dde0c0bbd8e1eba84bbb1cf1aa9a40ca9797df9f837e6367b221647355d89

SHA512
d8dec7237c5e0f49bbd06eae15266c4abb9e10c21a8602ac4ab183801e3028a91b2f7e2000e24982f560908a1730339b075ff97af8ac2ee2491547a245971839

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
72KB

MD5
41016c854bf52e86396359f82c392b20

SHA1
7d7069415fc6939479ef0eaded4e87676bc27da6

SHA256
382017546b5dca4577f7a680f5aa5e1782379df7f1b41e3bf4ef3df638a5dd8b

SHA512
71ebbad14ce5924a4a8bd2c5bb338aed2ca7261ef38bb00697482800a2ad705c12c03d1496c6ad68886983d6824988d2009d26787ff8c290c3d60c8a00538c35

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
72KB

MD5
60b81144b49de73ce1f0b01a6390c68c

SHA1
f5a12f56399a44fa84aa52594d8614257b206f8f

SHA256
794a25aa03920d2c6dcf48166f8cb6d70c52b8630466da4bc1509faff2b2626b

SHA512
b061d6ac07cb0bedce82cde627998459073d564f980423ded8a3673f30f14b6269315343685a3bb12b5f1d8cf100e70dfca7b33aa64250a27cc92d17baf941de

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
72KB

MD5
529a86e33e24e660d06fc5cb012ea7fe

SHA1
688deba9017e5a2d3cfed50ab5e54f46f967a48a

SHA256
f437a9fd199447e2a69743be21c8d3b5a9587148a51aa4ed1381a70e955c98c1

SHA512
1f58da1e5ca699236f6d99474e37d5e02c5f89d58ad14044df0e1d57f8792ac1ed0e686e5c645d83a5d0f61dc7f780c3b764bbb518f24e8af63954cdfaa99901

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
72KB

MD5
13e6f239da0bd6056d9f2c6e4065c1e5

SHA1
dba6bf231ee9705af3a750070d18653ef4d54e38

SHA256
dc3fc83fc5fa61c894dcf496c4ea9bacb296ddfbfdf7d7c1e0db0cc6d2066369

SHA512
3990bda60bd4a5404c25dbce994a7fc0fdf982c6bc921df92a3c6482436808d45f6e0f17852bfcf67906a579e85fdd9702c428ddcb00c14458498439cf9c7008

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
72KB

MD5
6abbd5596f3135b4103c6e37c420e9a4

SHA1
6478955abccee503b863364a94c9b26b75d7de93

SHA256
2229af38ce6b9e5ca1da8930e472963242354ba2f30038bfcdfb46e0f805c99f

SHA512
9933e4817dec7c4607145caeba789ee2439b3ac954aeae9ae1a00fd61caaf41f094f8fa74cb6bbb131700f78939a9830bd3f00351406345aa61342373595107d

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
72KB

MD5
668cfb07f4e87950a166f72463c654c4

SHA1
5a01ac4d12cb64a148095fee826518a397226708

SHA256
27063412c5791ab0d1e45698fb476527b780ecc8cdf6453bf80dd71152c5daad

SHA512
d5791f878900d39243e6b814832b00b030d1fbaef432d9cf311d8ded7d9d6ce4fb95fcf88785c1d2cb4a6ce1e4c53c261653e15ee8f2c23a587676c59bd69f46

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
72KB

MD5
2fdf8216d577da9a2cbbfcfe33a3c7ab

SHA1
9f516b1918df6851beea32ad9cce6a62fb66b3cf

SHA256
f9e7ad42030f4cd1f76123b6d9448a19d6f2f355db5ce1b58feae3fbf90929e3

SHA512
8c767b19536ca2f23af662ca952bbceb20068b731e316fc5f6461ff48e3bda17d61c332d1a3ec489793a21295451b3b6ae9049380e20952c725b7e8e89224292

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
72KB

MD5
d8e90dd66276208e61cd7b2bf61a5239

SHA1
1d04cb93324b1f8472e4390be568205812e11b89

SHA256
b512ccc857fd4bf482fdbc8ba694935530b12d2b3fbd4119c8009e0bd11f4a4a

SHA512
9718f16730b306084d34ba2b3bd385b3bd51c67abc29244aac399872ebe30a1898d2394300e14805737f3423198a44f29aa3cf0f7027d3cdac29605094bffb6f

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
72KB

MD5
d806c7fd17e15c8fc8cda47c3dce27e2

SHA1
2699cb6544cf26e4cfe074fd83c6e073c7b580dc

SHA256
6d9b2a69648ccc97dc49f01bf2c940898a403f170b6382ab6f2a2eb17127edbb

SHA512
7df01a09431b7c9c30bfd04cbf77929d2b8729599e6b0a4fb18c42fdfce870dd2ec180b22adde798b37241c1bbcf569fbbc473f6ac15387e6e42dbcb996d946e

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
72KB

MD5
20cad3bf17f6977eedef20555e7daded

SHA1
ff0d7016201ee9c375e87e5adfae48b60490ba31

SHA256
70be6f2694e3e7d6798e732de68f26a8ed2dff4daf564dff33fb40f29c18edc3

SHA512
c4702b4e9e9f67220d447e8f1db08101114b3dc6622386ad98cc004863c507ac0eabc63364cc75f9bdb2f5b66010abf40f4c405b58e812ff9ae02ce28906fc44

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
72KB

MD5
67ce7e974a8a737015173f91f68d86f4

SHA1
538a9da6a5c6d3e81827d131c66dd359f1b80555

SHA256
707cb8cd3f1bb711017124a16b2039b8a830191a45553618e4068a8b1774a007

SHA512
2d11f01888cec364360eb958ccdd462e6ecbd47dbfe2e94ecf5065924883bc6bbcc82513828f7f604041674a91a0cdc1169b91bb2d5ac1a1f83603a14f3002b1

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
72KB

MD5
b6551bfd1fcaddeea0fa75a72e43f711

SHA1
30bc19589eeca18adcc033ef86cbbd5f4edff8f2

SHA256
685f8df9e53f70949aeee8978b8ea055e7b77dbe67428774515d5ac09d036dc0

SHA512
a9fb181ed07b6fa6de76a0733e204eb5e31723cfb4a65698970d42ff7c3a4e4f01999a6e939900f9ab171570a45abdbf417d2d4cfe58f5d0e734227439323bf6

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
72KB

MD5
95772f2bba298b3d43bedf1cd57abf94

SHA1
369fd41fe8e85b1570c489b6cda23a4db361044c

SHA256
cdec5c04b92bf8f7def02d96bbd0cc3ed6ac3ed1666ba2e9fc934d722b54ff4c

SHA512
f001484d20159932bad751713fb7785e86e4c18ef5ed458656fc675c2704741cc8867b1fa8dd584342226fb2b0c0a5c819af5dd5ade4a1b63e4849628732e4a7

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
72KB

MD5
f2f505d1ca7f403524912140ba2d29a4

SHA1
938a7088528f3f20b213ba41b7f36e705018c7ef

SHA256
eb687bb958b9dcd91102a0b0806b3ea8a498f5d7fbbfd6cc97ef2b018da6617f

SHA512
efa415617724f6ff36499e076d16abb485a8e9ce4e0cb23c36f3e1c341129ceac2fd7058e52273beae7b8d1535066dc92f78e0771e90ea27f3a907c43e2959ab

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
72KB

MD5
c9e5515279c4ee6c2e87fd4f36ae7440

SHA1
39557d16d39c3ddc6b8136ac88de1b1d6199d1a1

SHA256
88c7569c85026b40058c8ea46501a56b5e926d6e59f8a821173461d14e0f0b3b

SHA512
b1820929c941a1b0b09240b39baca9eefad46ef6b374b47a0a49d0262a1b0a7e60104cd7e39c5f05910464fa452120d90f4a06fc62cd6721de1bd1446edaafb6

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
72KB

MD5
61eb823a246e3b8e270a8b62c95f66da

SHA1
e2578b451893a0f6136d32ae8fef076cd4a5a3df

SHA256
bbef244606263741a9724a85ca65b92ad04ba2fd4102d1b05776e5cce2aba0e8

SHA512
d727b1bf576d8c420975ff3a67f56744bf50b41feaba15aad390f89804df7c992345a9edcf0755c29ed06dad7d9bacea49e06b277b5f8bfef2f450a4691574b5

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
72KB

MD5
d1fa4e228cc72d552137eea4628732cb

SHA1
f7fbae806e84f0f016568922ae252d69bbde86f7

SHA256
08c153ab70278637a7a8e42b1ac40801967e05006f9746d35da016c6007e07f3

SHA512
8d321e39de4ecdbfb0c0c711ac4852d43a82befc38eade07dbd7fbbcffa716ca69cc6605aec7ffc93dc47842d6590915925766f3d4a07ce0370b51bfce6d6958

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
72KB

MD5
9db4bee02c8437cf30918e125a0725a6

SHA1
a12e59459ba3b91a2bf6a85de7a868dd23e660ac

SHA256
9480eee4401f908265c0b11ca77ac90f5b35ec20db8de615f1a57c7659c84dfe

SHA512
fdd1ad6f408fa5e96a78ef1552c824561550c99c9ee13c0a40eff371e1876640d0453816631f6d1764ba940c6f6f2f24e121e5ca079307d9ce4f3e012d105cd5

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
72KB

MD5
80964730ac9350d5a1c56f9956699781

SHA1
55191a2c0421083864aed0509d9e468f73ca5741

SHA256
59dc807d6e3568032beb59588050e45ea1c62958b6f29a36b01142ca3966d6af

SHA512
063f4a8d7cec2d80a03dccb2b75abab6aa00e18cc6d7fadb065c89201ed324dfc6c120aa5d95ba1bf269a4a5d27fdd9f90e7d83c2252f9630d98ec18c22aaab7

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
72KB

MD5
11e6424c7ad3ad83934da450e11702df

SHA1
0474367c413f00d1dc82b31ca29ddd23ca255d42

SHA256
1a55ec674e813d0d1700efeb9a61fc4f890595403f4f5a3be5432f2af7fdf2ae

SHA512
a4095339da1f0ac7f395d5ef2d4ed23f0b6addcb672783db3e3cacd01c949872e40768ffc5a59aa4c717a86128cf5517ba0ef05eb091da2c7f4b244004695189

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
72KB

MD5
eb843827072ade329697b5ccb3f840fa

SHA1
772caf09365a896e32d0f8c545a454332adcf242

SHA256
4877dccaf2b44dc43ff8b313c075478f5bf95853f0da00d0a512b7182f85e696

SHA512
79ede079627d4bdc1d3f140cb3303a940a57696bfbc427836598781d403eba7f4bb104e47b4043d2b466daf9b871781d0d8b9a47e9d70500461444b43980f0a3

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
72KB

MD5
6f2888cc2298b7e57d167000fb666199

SHA1
5f390c809a8317eb9814c781791fe4ba642e693f

SHA256
d207cde016769d38ca09737f78f1a1e04185fb3ba0c83d2582442e00535ef126

SHA512
89261d1a65db9d46c4857bedc2eeb33d795bd8c921455ca4a6287956377c14c072b47d706b5fd1513d18aa0cc225d288a90a128e1f60d8ad72898e457e42bd09

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
72KB

MD5
356044cdd9e1ac8410c1c94a51455cc9

SHA1
63089590be47bda5334a7eb4c1e52a108e56eedd

SHA256
f8045c8330388dfe62c20e24795fc3697c38d185cf553f72bdb0b533d64a9c6e

SHA512
8f223ca8a31482ec7e2ed020a7cb7519832b9b647a26b0cac9112ae414c3175387342bc489a5ce9a0c268d1fee210a214207dce6ecf21aee1dad703c1106b04f

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
72KB

MD5
d3d71732333f19ef8f014ee3278d956b

SHA1
8d93be5c0e1772fb6c0f63e248dd202add429155

SHA256
ebd4f98219c2f17a930f9ec40528395ccdacf865390283f6e8d1dd04fc823986

SHA512
86f7fad61b9f877d9f619ac5da8ced8c670969bc641ab2a07d4a90b47f4dd02a2db88332ccd234da67dde501b588bc7b7ec6ffd2f89fd7c454c31aada9737c38

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
72KB

MD5
9a36d01c5ac8e3b1aa8353cb1817c4e9

SHA1
2c3fbdde346e33bec11c7afaca613df5b3d0b006

SHA256
2c09fcdf78f146980817c23be429123945ba691e33e78ba7993e6f9b14beaa70

SHA512
52823294521bd0182d7165d84a2bf2bb9fac651945cac259f9728442587835d5384456fd09a2851d25362904670aa0d47f4bc3083fbed2332fd5a8f1e657b098

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
72KB

MD5
1a1b7a8809cc1f465e18c669b2282092

SHA1
1a2ce6be80503e786290db70aef0139f718ed63a

SHA256
11bb016e581b5f1f0cc74dcc1a121b7c48bb3c0800630bd98e7134910f6fe5ef

SHA512
d5c798c723ee8e7ba7c95e51f294517a1ec2e31eb93ae671e10e913b8881cd125a3e6f8994cf13fe310f54672503253dde4f0396c94d185132943ecfd2fda755

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
72KB

MD5
37835dd3adb2e4dd5695688f03dd08af

SHA1
cbb9f1e1f7fce47dcccb7bf2ec41343b08ea039a

SHA256
34ab67e76354ab84ff5d5be45e845f6326a7d3327fd292bfd56e75d0b4f7ed0e

SHA512
b32ed93bf6bb9fa918101278afc505cddedabbb79c2f2fe221fbafad5def8957ea6c9d2f1650a5019a7d0f7e04dd60346ca27c537cbfafe64cec7bfc85aadee7

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
72KB

MD5
b59f3d99563f17cef1d735b3b1af5077

SHA1
d41b4ac8c3cf3ff0ade5264506fe469afa20c011

SHA256
25f487e303f7e0ee99b35c8afe23e43db73a1da22ea36e6fd971425f87db4e63

SHA512
e1c4cae9ea65c3f32f81fd356e19ab39afc14c4b3b5484f1b682483b30066f8f5a1a5e31cd57566b369441f7424ce520c8bdec5426d164a44b5606c983bf1b86

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
72KB

MD5
167acc0b3c6bf7c1e5c99195dae6decc

SHA1
ea8f5d1e825f103e7d35da247b13a69b7e448958

SHA256
64204ada33b606269e97852a100e38433ee608fa2e245fa3577699c50adc58e4

SHA512
cff1dfa8f42a944a69329ee8af5ec34d3fbc951d49e6493f9a871831b86ca618828223b82024a1bfa4fe6cc9a36d1b1ac8664be4067706e3592722f3f1a12ba3

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
72KB

MD5
27e9183f4c2fcc5ecfc3ef71c17d79fc

SHA1
b7befab311d2e900c5121c246a4242af3f105c75

SHA256
6190b1b52e14a213fdc38ed3401a96d524c856a2f32d29daf356d30ca88df83f

SHA512
0b86c99a09ece44dd6040682f243bb37de372de7b81759f265c4ee6092e9a42093fec95430138321642018c1b397f76984ae54d5aafa3fce97ee72118f1bb240

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
72KB

MD5
3478e40cee3fef5ccb3d228403439205

SHA1
6174a4c415a5d34de6572d349842f4c8632e4170

SHA256
40b15848e9cb0b105c279a2f1e5c4c5b437317811463359404e604c61f85a2d2

SHA512
8b5414eadcb438448cbad8ac5f2e42ec5c78cc403d05ec58f66d9b2b1596b20d1bfdf28e9d8df68f529195b64688a764ccc224f8e5ce61cbcfe181e37cb4e79b

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
72KB

MD5
23f3ace87166b9f0bafe60cde698900a

SHA1
02e72855f905858d18fed18bf02e2a6c18c4b9c0

SHA256
90e29082655117d02ec552d58b35932dc0071b468e412efcaef482fae673242e

SHA512
1d43f9bbc3ab329dcf6551b9ec35dc91eae3808e85219e3954fe14aea590f624f566c07c01a55149a3eba2cb948b3004eeef8eb8fbb5497e3eec71e3f6079bee

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
72KB

MD5
78bac59d1cb706be8e9814725625d002

SHA1
b9cced64d96bc3e73286c655a3557f6919ef572c

SHA256
b0a4fa58e185d2aab1c5dc9ac1d2b961bfcc815032a04a42b7e941a7a3011ad5

SHA512
8e4cee634dc02cea2b124f1dbc5e3d8f43e9ab71c6142f6e381111d477293d987ba5b5d9568d2e9c622778fe144c747c1f62e97d90bbf227f983f2306f2c3af5

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
72KB

MD5
cb7c910e154243b099d3611612cee9cf

SHA1
40a770dde755683f058f690b82bf8fba8de3301e

SHA256
20e3074ed4400d809b961567835b285fa5791bd423c5f18360d10680c1850144

SHA512
204476ec20c634ec983f5f0e23794f84cabffbb1ad18ecad8a51d2efd32156899cddd5be5c4bb971232a61bbb8289669c20420f37d342e800e0982093324f420

Download Submit
C:\Windows\SysWOW64\Odednmpm.exe

Filesize
72KB

MD5
fd719704156d572e4ab60acdd84846cd

SHA1
84d5b3a5ffe40deac6ab3ce17791acaab3a0ecb7

SHA256
1e6b330d5a63e3fa1b7defb07e36a4ba663aa747f8580039988499c507e73786

SHA512
3ed085fe86db5203a6dd27870ec4d6d8665993926e5efd8995a8369165b021b606e52b08b3b0ed22ceff0bc1493e88375f0c64ba0b11671732f584553b497d42

Download Submit
C:\Windows\SysWOW64\Ogijli32.dll

Filesize
7KB

MD5
780777300e335caab3238cd4e8189a83

SHA1
4f000b716534799fb337bdd1c33381f470548650

SHA256
0acfbb10a9db522421a2d1014699de6fc9d427f80f2ee2be5e3443ed29ba9a49

SHA512
679ff209748243dd0c82d8de568118f7a0c2c8e6aa3acf6c54d206cc3c6e5898f1ff901cbe1323114e4c8941c608b4f0115d1366fb312cdb078d446ffc3aac61

Download Submit
C:\Windows\SysWOW64\Onklabip.exe

Filesize
72KB

MD5
1b26f7b8fc439257700eb212dfcc8a94

SHA1
a9831873a45e9a2d690a90372689a9614c6a287e

SHA256
3c71fdbe847f0e3d463ce57742cd46abcb797288ddb1c21c4e7aa315838889e7

SHA512
448c829c3f5f3cd91e7781a1d36242e1bfafaa1acc818b2ab142fa99b79f0c03373b19d14675ac2c21b66dc9f988b971f61ff9ba94bc22dba0045a91e9fad9b5

Download Submit
C:\Windows\SysWOW64\Pagdol32.exe

Filesize
72KB

MD5
45b1eb782959075ab4ba8f2e949019e4

SHA1
7b77e007056ef9f9a1fdbcb3d3b973930f330d87

SHA256
16b7ef8da456978d9be505096592f554d7fbaaddf0373ed3a5e4ee26c3609d40

SHA512
bc391e0237ac7e7da6f5b04a4f453ad9cb38d39229d6b5643ce7a72f1c94e62d8e8736ccf7fe524aea23ae0b4d177aef2194b32e578b9c70931c9d3732efb07a

Download Submit
C:\Windows\SysWOW64\Peimil32.exe

Filesize
72KB

MD5
0659753594a3ef63023619b8b66060cf

SHA1
d0de06bfebe8b77cf46896b1e6004b39ccc70d9c

SHA256
197c1d52f073da8fc1727e4020c39ef6e819f70d5e84214eec622f1dadc1d3d9

SHA512
52d4a83d634b249084c1cd3e4075855516c7174de5bcebe69aa78e5cfb3ea10b506583b2b531bb2d51460a6a83bee5ac305db46ab8f7fd15e4c1d991c5cc8e48

Download Submit
C:\Windows\SysWOW64\Peljol32.exe

Filesize
72KB

MD5
198919828b2a5eb8c303cfae08f9c83b

SHA1
4a3064209eae161016eae44343c7ae178e9d5653

SHA256
c143dde61050f10705401d147a3029121daa53669347c1318d279050f59bf0ab

SHA512
1286e4676eec26445baeb454504cbf8056fdeda29d335b12f24c0b11e12afa94203ae635f658bda68d24a45a55c052f0d44c04556719308fbb8b22cf2c41255a

Download Submit
C:\Windows\SysWOW64\Pghieg32.exe

Filesize
72KB

MD5
0e31bdb3c46c82272c5d01fb73f32117

SHA1
1fdcefce1d282484930f2b95e7d48f5cb4712641

SHA256
55e99c7a5f93c4f5763ea9f86eb25bbcacb47249a51e5d3cee26e3a1c47805d4

SHA512
b8d571e9fcd68c6827d688b885017a2a8dc57b8c8f9c68aac038c545a9b350690f67840667904a39fa2713943cadf23c341c37f766ba7b37e56e0e5491a59154

Download Submit
C:\Windows\SysWOW64\Pkaiqf32.exe

Filesize
72KB

MD5
3999ff3626a879a79dbd7bceb1ccc4b5

SHA1
ef3a9c924a19264e6d44fdfb96a14d1045592bba

SHA256
57e58774cc4b38c8feac9ad5c6734ec69489013600ae41c867e893714f07d263

SHA512
0b4412ec9beb794f82026d6d9fbe02a9f47536c7b677f7762b64429873492d389a99ef1c43f61fff2b3e72458c062a1c18b1c14a29234226c8330936d6dd0d81

Download Submit
C:\Windows\SysWOW64\Pkjlge32.exe

Filesize
72KB

MD5
642ce05e1e830874cbf6d93f41077186

SHA1
7fc919b6283b2ead26594075052803d2fdbd0d2e

SHA256
05a7d11be38b2d12a6174895287bc74e949eeca1067dafecf6cad8eaf451c2a2

SHA512
6d5e9ee1df40c1a85351c57eee6647b14c496934d176adf79cc1d3f258d0cbe27a5f181eabbfaa516468d8ade91dba60b0f456a3e198100bf8a91441a3f9d44b

Download Submit
C:\Windows\SysWOW64\Qeemej32.exe

Filesize
72KB

MD5
eb9c62a5eb41af77ce69adac5833577a

SHA1
09b9c2b664141d46ed1999425c35e0ade19a00ec

SHA256
f2a399caf2b8cad74463249d4b07cb9ef8246186da22cbf93bc5cdced027dd66

SHA512
5425d8271a990f10ee064a8b40d16c4983b0505503b19fe2b12027140d7abf94ddfc17706ff9731c5bf2dfc6ab3222fc0ef5729c43e7385157550e7bb7f1bdd9

Download Submit
memory/60-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/348-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-3667-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/11400-3675-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12352-3662-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12388-3674-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12472-3688-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12508-3673-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12540-3687-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12548-3666-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12608-3686-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12640-3672-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12692-3685-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12724-3664-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12760-3684-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12800-3671-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12828-3683-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12872-3682-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12936-3663-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12944-3681-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/12976-3670-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/13012-3680-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/13048-3665-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/13092-3679-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/13116-3669-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/13144-3678-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/13208-3677-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/13252-3676-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/13300-3668-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/13348-3661-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/13384-3660-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/13420-3659-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/13456-3658-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/13492-3657-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads