8a9397247428674697a4fc16d1e37da1ef7b1d61b3d765ae0b42d4db7d353bc7

Analysis

max time kernel
105s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3964205bdc9c0ba1c097f82b5e1653f0N.exe
Size

272KB
MD5

3964205bdc9c0ba1c097f82b5e1653f0
SHA1

bb162dfce0d25ee509d328cc0da20ed522c76b67
SHA256

8a9397247428674697a4fc16d1e37da1ef7b1d61b3d765ae0b42d4db7d353bc7
SHA512

e69e71230b69b7d7dc13d91904c71a1ac0f181285c0e13cf447d20b0987da416285b26998bdd025f32f60cb74bcf229bde2412c219265352e2c5186477512d07
SSDEEP

6144:Pr99pSVYHOw2bByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R:T4DByvNv54B9f01ZmHByvNv5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edlhflmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hneommgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbmgcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akjego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iemckeba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oaehkmok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljjgfapg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgkfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfbpgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lepbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkicic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onnefnbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ancghk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcpojg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjpimmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Igffla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfcihi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqnbmdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjljeclg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hngkbmea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnonmkdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cipkmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmjlnikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgppkbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odagbipa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfgbil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abfjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbihlcdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpeohj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqancihk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbpla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdhaihdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqckihfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ledkippd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaillb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghiohe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnbiqpgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kamiblnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjqbdkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjakki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Negafmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odhmbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eobfgdgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcoecigm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jneqkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgjalgam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcflch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmoeiigg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhljljfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnmcegjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpojg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ingdijfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Melajo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gghjkcaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lncmlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkhpebd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eogobc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3964205bdc9c0ba1c097f82b5e1653f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Inqnikmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfqeok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhhjghlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phkpdelj.exe

Executes dropped EXE 64 IoCs

pid	Process
536	Edlhflmi.exe
1008	Ednell32.exe
2244	Eikndc32.exe
5016	Edpbal32.exe
3532	Eimjjb32.exe
2096	Eceobh32.exe
1384	Enkcpq32.exe
864	Echkhh32.exe
2240	Fdghbj32.exe
4364	Fehdjbhj.exe
1252	Fnbiqpgj.exe
2596	Fndffo32.exe
2964	Fcannf32.exe
4944	Fpeohj32.exe
2236	Gllpml32.exe
2752	Gfddeanm.exe
3800	Gqjhcjnc.exe
8	Gqlehi32.exe
3572	Gdhaihdi.exe
4124	Gjdiaobq.exe
4528	Gmcemjad.exe
3168	Gdjnohbf.exe
4304	Gghjkcaj.exe
3596	Gqancihk.exe
4164	Gdljdg32.exe
1360	Hgkfpc32.exe
3492	Hfnglpfb.exe
2652	Hneommgd.exe
940	Hqckihfh.exe
460	Hcagedel.exe
4884	Hfpcaodp.exe
2896	Hngkbmea.exe
4444	Hmjlnikl.exe
1764	Hdacoglo.exe
2468	Hgppkbkb.exe
1712	Hfbpgo32.exe
220	Hmlhciij.exe
5012	Hdcpefjl.exe
2704	Hcfqpc32.exe
4368	Hfdmlo32.exe
4972	Hjpimmhc.exe
408	Hmoeiigg.exe
3048	Hdfmjf32.exe
216	Hgdifa32.exe
1468	Hfgjbnng.exe
4516	Hnnacloj.exe
4312	Igffla32.exe
2832	Inqnikmg.exe
4512	Iqojeglk.exe
4240	Idjfeedd.exe
1492	Ijgonlbk.exe
644	Incknk32.exe
4916	Iemckeba.exe
4824	Igkpgqae.exe
4360	Inehdk32.exe
1980	Iqcdpf32.exe
4968	Icbpla32.exe
1480	Ingdijfo.exe
1484	Ijnenk32.exe
1400	Iedild32.exe
1568	Jjqbdkjq.exe
3944	Jfgbil32.exe
2568	Jfjonl32.exe
4072	Jaocldmh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Algfnm32.dll	Kdllin32.exe
File created	C:\Windows\SysWOW64\Mnfpba32.dll	Nghmme32.exe
File created	C:\Windows\SysWOW64\Cfoppk32.dll	Pkdbea32.exe
File created	C:\Windows\SysWOW64\Hfpcaodp.exe	Hcagedel.exe
File created	C:\Windows\SysWOW64\Donkhj32.dll	Hjpimmhc.exe
File created	C:\Windows\SysWOW64\Dknnhimh.dll	Hfgjbnng.exe
File opened for modification	C:\Windows\SysWOW64\Ingdijfo.exe	Icbpla32.exe
File created	C:\Windows\SysWOW64\Jfjonl32.exe	Jfgbil32.exe
File opened for modification	C:\Windows\SysWOW64\Qggbea32.exe	Qdifie32.exe
File created	C:\Windows\SysWOW64\Aiilec32.exe	Ancghk32.exe
File created	C:\Windows\SysWOW64\Aipbfbjb.exe	Abfjih32.exe
File created	C:\Windows\SysWOW64\Hcapgi32.dll	Ifmihg32.exe
File created	C:\Windows\SysWOW64\Nobbdb32.exe	Nhhjghlp.exe
File created	C:\Windows\SysWOW64\Flmidc32.dll	Cgqnbmdm.exe
File created	C:\Windows\SysWOW64\Dfpkbbpl.exe	Dfnnlcbo.exe
File opened for modification	C:\Windows\SysWOW64\Edpbal32.exe	Eikndc32.exe
File created	C:\Windows\SysWOW64\Gfddeanm.exe	Gllpml32.exe
File opened for modification	C:\Windows\SysWOW64\Hneommgd.exe	Hfnglpfb.exe
File created	C:\Windows\SysWOW64\Hngkbmea.exe	Hfpcaodp.exe
File opened for modification	C:\Windows\SysWOW64\Hmoeiigg.exe	Hjpimmhc.exe
File opened for modification	C:\Windows\SysWOW64\Gqancihk.exe	Gghjkcaj.exe
File created	C:\Windows\SysWOW64\Hjpdbb32.dll	Jaocldmh.exe
File opened for modification	C:\Windows\SysWOW64\Akjego32.exe	Adpmjdeo.exe
File created	C:\Windows\SysWOW64\Mfhngk32.dll	Fldbaf32.exe
File created	C:\Windows\SysWOW64\Ifmihg32.exe	Ijfhcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pkilpakn.exe	Phkpdelj.exe
File created	C:\Windows\SysWOW64\Fhdcbikg.dll	Deehcoed.exe
File opened for modification	C:\Windows\SysWOW64\Fpeohj32.exe	Fcannf32.exe
File created	C:\Windows\SysWOW64\Enobgohm.dll	Gjdiaobq.exe
File opened for modification	C:\Windows\SysWOW64\Igkpgqae.exe	Iemckeba.exe
File created	C:\Windows\SysWOW64\Blikchjk.dll	Lepbnp32.exe
File created	C:\Windows\SysWOW64\Nkbmhd32.exe	Ngfqhegp.exe
File opened for modification	C:\Windows\SysWOW64\Fldbaf32.exe	Fiffek32.exe
File opened for modification	C:\Windows\SysWOW64\Fcannf32.exe	Fndffo32.exe
File created	C:\Windows\SysWOW64\Ijogom32.dll	Hdacoglo.exe
File created	C:\Windows\SysWOW64\Hcfqpc32.exe	Hdcpefjl.exe
File created	C:\Windows\SysWOW64\Kmmjad32.exe	Kmknleog.exe
File opened for modification	C:\Windows\SysWOW64\Melajo32.exe	Mgjalgam.exe
File created	C:\Windows\SysWOW64\Iqojeglk.exe	Inqnikmg.exe
File opened for modification	C:\Windows\SysWOW64\Modfcd32.exe	Mgmnagoj.exe
File opened for modification	C:\Windows\SysWOW64\Odhmbh32.exe	Onnefnbl.exe
File created	C:\Windows\SysWOW64\Gecmkkka.exe	Gpgdcd32.exe
File created	C:\Windows\SysWOW64\Kjfdfhhi.exe	Kdllin32.exe
File created	C:\Windows\SysWOW64\Kmlfeh32.dll	Noionclg.exe
File opened for modification	C:\Windows\SysWOW64\Efinhaha.exe	Eobfgdgo.exe
File created	C:\Windows\SysWOW64\Akdqle32.dll	Kjakki32.exe
File created	C:\Windows\SysWOW64\Beiena32.dll	Lpbfcibd.exe
File opened for modification	C:\Windows\SysWOW64\Kjljeclg.exe	Kpffhj32.exe
File created	C:\Windows\SysWOW64\Idjfeedd.exe	Iqojeglk.exe
File opened for modification	C:\Windows\SysWOW64\Jfjonl32.exe	Jfgbil32.exe
File opened for modification	C:\Windows\SysWOW64\Ljjnag32.exe	Lhlael32.exe
File created	C:\Windows\SysWOW64\Agiokq32.exe	Qbmgcj32.exe
File created	C:\Windows\SysWOW64\Icggdmfh.dll	Qbmgcj32.exe
File opened for modification	C:\Windows\SysWOW64\Onnefnbl.exe	Oecqakea.exe
File opened for modification	C:\Windows\SysWOW64\Pklheq32.exe	Pdapif32.exe
File created	C:\Windows\SysWOW64\Lohblaio.dll	Cnopjghd.exe
File created	C:\Windows\SysWOW64\Ldpedmlf.exe	Lncmlf32.exe
File opened for modification	C:\Windows\SysWOW64\Lkoglgpn.exe	Lohfgfjj.exe
File opened for modification	C:\Windows\SysWOW64\Noionclg.exe	Mhogaidj.exe
File opened for modification	C:\Windows\SysWOW64\Ngfqhegp.exe	Needpm32.exe
File created	C:\Windows\SysWOW64\Negafmoo.exe	Naleen32.exe
File created	C:\Windows\SysWOW64\Mbohfpml.dll	Hpbdobbl.exe
File opened for modification	C:\Windows\SysWOW64\Jflldklp.exe	Jaocldmh.exe
File created	C:\Windows\SysWOW64\Pnjeal32.exe	Pklheq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7992	7844	WerFault.exe	324

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcngdpj.dll"	Gmcemjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cglfglph.dll"	Jjqbdkjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljjnag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjjgdmm.dll"	Ngfqhegp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkdbea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phpioe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapnla.dll"	Ehmgeilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ehmgeilm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpbdobbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Igffla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndoklibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdifie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akjego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofofn32.dll"	Abfjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fghgkj32.dll"	Edlhflmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hgkfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqdbga32.dll"	Icbpla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkdjlm32.dll"	Bfkhpebd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkicic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegblbdp.dll"	Phkpdelj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fonebbma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqjhcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gdljdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfdmlo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hojnenea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmpfbag.dll"	Idjfeedd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iqcdpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iedild32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enkcpq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fndffo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Akjego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fgemdpnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fglcdohl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifmihg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kjinpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdoiia32.dll"	Nhhjghlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gghjkcaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdpqeob.dll"	Inehdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giecbc32.dll"	Kmmjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algfnm32.dll"	Kdllin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnadii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jgfhhicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fdghbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enobgohm.dll"	Gjdiaobq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jflldklp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jglhnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oaehkmok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odhmbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfqeok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gecmkkka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3964205bdc9c0ba1c097f82b5e1653f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gqancihk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hgdifa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehphmm32.dll"	Ndoklibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laceeael.dll"	Hlnnobdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onecje32.dll"	Kmknleog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipeakn32.dll"	Kedbbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgmnagoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eogobc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjadlomg.dll"	Glpbmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jqjcfona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jcoecigm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fehdjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donkhj32.dll"	Hjpimmhc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 536	2536	3964205bdc9c0ba1c097f82b5e1653f0N.exe	86
PID 2536 wrote to memory of 536	2536	3964205bdc9c0ba1c097f82b5e1653f0N.exe	86
PID 2536 wrote to memory of 536	2536	3964205bdc9c0ba1c097f82b5e1653f0N.exe	86
PID 536 wrote to memory of 1008	536	Edlhflmi.exe	87
PID 536 wrote to memory of 1008	536	Edlhflmi.exe	87
PID 536 wrote to memory of 1008	536	Edlhflmi.exe	87
PID 1008 wrote to memory of 2244	1008	Ednell32.exe	88
PID 1008 wrote to memory of 2244	1008	Ednell32.exe	88
PID 1008 wrote to memory of 2244	1008	Ednell32.exe	88
PID 2244 wrote to memory of 5016	2244	Eikndc32.exe	90
PID 2244 wrote to memory of 5016	2244	Eikndc32.exe	90
PID 2244 wrote to memory of 5016	2244	Eikndc32.exe	90
PID 5016 wrote to memory of 3532	5016	Edpbal32.exe	91
PID 5016 wrote to memory of 3532	5016	Edpbal32.exe	91
PID 5016 wrote to memory of 3532	5016	Edpbal32.exe	91
PID 3532 wrote to memory of 2096	3532	Eimjjb32.exe	92
PID 3532 wrote to memory of 2096	3532	Eimjjb32.exe	92
PID 3532 wrote to memory of 2096	3532	Eimjjb32.exe	92
PID 2096 wrote to memory of 1384	2096	Eceobh32.exe	93
PID 2096 wrote to memory of 1384	2096	Eceobh32.exe	93
PID 2096 wrote to memory of 1384	2096	Eceobh32.exe	93
PID 1384 wrote to memory of 864	1384	Enkcpq32.exe	94
PID 1384 wrote to memory of 864	1384	Enkcpq32.exe	94
PID 1384 wrote to memory of 864	1384	Enkcpq32.exe	94
PID 864 wrote to memory of 2240	864	Echkhh32.exe	96
PID 864 wrote to memory of 2240	864	Echkhh32.exe	96
PID 864 wrote to memory of 2240	864	Echkhh32.exe	96
PID 2240 wrote to memory of 4364	2240	Fdghbj32.exe	97
PID 2240 wrote to memory of 4364	2240	Fdghbj32.exe	97
PID 2240 wrote to memory of 4364	2240	Fdghbj32.exe	97
PID 4364 wrote to memory of 1252	4364	Fehdjbhj.exe	98
PID 4364 wrote to memory of 1252	4364	Fehdjbhj.exe	98
PID 4364 wrote to memory of 1252	4364	Fehdjbhj.exe	98
PID 1252 wrote to memory of 2596	1252	Fnbiqpgj.exe	100
PID 1252 wrote to memory of 2596	1252	Fnbiqpgj.exe	100
PID 1252 wrote to memory of 2596	1252	Fnbiqpgj.exe	100
PID 2596 wrote to memory of 2964	2596	Fndffo32.exe	101
PID 2596 wrote to memory of 2964	2596	Fndffo32.exe	101
PID 2596 wrote to memory of 2964	2596	Fndffo32.exe	101
PID 2964 wrote to memory of 4944	2964	Fcannf32.exe	102
PID 2964 wrote to memory of 4944	2964	Fcannf32.exe	102
PID 2964 wrote to memory of 4944	2964	Fcannf32.exe	102
PID 4944 wrote to memory of 2236	4944	Fpeohj32.exe	103
PID 4944 wrote to memory of 2236	4944	Fpeohj32.exe	103
PID 4944 wrote to memory of 2236	4944	Fpeohj32.exe	103
PID 2236 wrote to memory of 2752	2236	Gllpml32.exe	104
PID 2236 wrote to memory of 2752	2236	Gllpml32.exe	104
PID 2236 wrote to memory of 2752	2236	Gllpml32.exe	104
PID 2752 wrote to memory of 3800	2752	Gfddeanm.exe	105
PID 2752 wrote to memory of 3800	2752	Gfddeanm.exe	105
PID 2752 wrote to memory of 3800	2752	Gfddeanm.exe	105
PID 3800 wrote to memory of 8	3800	Gqjhcjnc.exe	106
PID 3800 wrote to memory of 8	3800	Gqjhcjnc.exe	106
PID 3800 wrote to memory of 8	3800	Gqjhcjnc.exe	106
PID 8 wrote to memory of 3572	8	Gqlehi32.exe	107
PID 8 wrote to memory of 3572	8	Gqlehi32.exe	107
PID 8 wrote to memory of 3572	8	Gqlehi32.exe	107
PID 3572 wrote to memory of 4124	3572	Gdhaihdi.exe	108
PID 3572 wrote to memory of 4124	3572	Gdhaihdi.exe	108
PID 3572 wrote to memory of 4124	3572	Gdhaihdi.exe	108
PID 4124 wrote to memory of 4528	4124	Gjdiaobq.exe	109
PID 4124 wrote to memory of 4528	4124	Gjdiaobq.exe	109
PID 4124 wrote to memory of 4528	4124	Gjdiaobq.exe	109
PID 4528 wrote to memory of 3168	4528	Gmcemjad.exe	110

C:\Users\Admin\AppData\Local\Temp\3964205bdc9c0ba1c097f82b5e1653f0N.exe
"C:\Users\Admin\AppData\Local\Temp\3964205bdc9c0ba1c097f82b5e1653f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\Edlhflmi.exe
  C:\Windows\system32\Edlhflmi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\Ednell32.exe
    C:\Windows\system32\Ednell32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\SysWOW64\Eikndc32.exe
      C:\Windows\system32\Eikndc32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\SysWOW64\Edpbal32.exe
        
        C:\Windows\system32\Edpbal32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\Windows\SysWOW64\Eimjjb32.exe
        
        C:\Windows\system32\Eimjjb32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Eceobh32.exe
        
        C:\Windows\system32\Eceobh32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Enkcpq32.exe
        
        C:\Windows\system32\Enkcpq32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Echkhh32.exe
        
        C:\Windows\system32\Echkhh32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Fdghbj32.exe
        
        C:\Windows\system32\Fdghbj32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Fehdjbhj.exe
        
        C:\Windows\system32\Fehdjbhj.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Fnbiqpgj.exe
        
        C:\Windows\system32\Fnbiqpgj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Fndffo32.exe
        
        C:\Windows\system32\Fndffo32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Fcannf32.exe
        
        C:\Windows\system32\Fcannf32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Fpeohj32.exe
        
        C:\Windows\system32\Fpeohj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Gllpml32.exe
        
        C:\Windows\system32\Gllpml32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Gfddeanm.exe
        
        C:\Windows\system32\Gfddeanm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Gqjhcjnc.exe
        
        C:\Windows\system32\Gqjhcjnc.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Gqlehi32.exe
        
        C:\Windows\system32\Gqlehi32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Gdhaihdi.exe
        
        C:\Windows\system32\Gdhaihdi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Gjdiaobq.exe
        
        C:\Windows\system32\Gjdiaobq.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Gmcemjad.exe
        
        C:\Windows\system32\Gmcemjad.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Gdjnohbf.exe
        
        C:\Windows\system32\Gdjnohbf.exe
        23⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\Gghjkcaj.exe
        
        C:\Windows\system32\Gghjkcaj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Gqancihk.exe
        
        C:\Windows\system32\Gqancihk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Gdljdg32.exe
        
        C:\Windows\system32\Gdljdg32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Hgkfpc32.exe
        
        C:\Windows\system32\Hgkfpc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Hfnglpfb.exe
        
        C:\Windows\system32\Hfnglpfb.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Hneommgd.exe
        
        C:\Windows\system32\Hneommgd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\Hqckihfh.exe
        
        C:\Windows\system32\Hqckihfh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\Hcagedel.exe
        
        C:\Windows\system32\Hcagedel.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Hfpcaodp.exe
        
        C:\Windows\system32\Hfpcaodp.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Hngkbmea.exe
        
        C:\Windows\system32\Hngkbmea.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Hmjlnikl.exe
        
        C:\Windows\system32\Hmjlnikl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Hdacoglo.exe
        
        C:\Windows\system32\Hdacoglo.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\Hgppkbkb.exe
        
        C:\Windows\system32\Hgppkbkb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\Hfbpgo32.exe
        
        C:\Windows\system32\Hfbpgo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Hmlhciij.exe
        
        C:\Windows\system32\Hmlhciij.exe
        38⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Hdcpefjl.exe
        
        C:\Windows\system32\Hdcpefjl.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Hcfqpc32.exe
        
        C:\Windows\system32\Hcfqpc32.exe
        40⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\Hfdmlo32.exe
        
        C:\Windows\system32\Hfdmlo32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Hjpimmhc.exe
        
        C:\Windows\system32\Hjpimmhc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Hmoeiigg.exe
        
        C:\Windows\system32\Hmoeiigg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Hdfmjf32.exe
        
        C:\Windows\system32\Hdfmjf32.exe
        44⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Hgdifa32.exe
        
        C:\Windows\system32\Hgdifa32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Hfgjbnng.exe
        
        C:\Windows\system32\Hfgjbnng.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Hnnacloj.exe
        
        C:\Windows\system32\Hnnacloj.exe
        47⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Igffla32.exe
        
        C:\Windows\system32\Igffla32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Inqnikmg.exe
        
        C:\Windows\system32\Inqnikmg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Iqojeglk.exe
        
        C:\Windows\system32\Iqojeglk.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Idjfeedd.exe
        
        C:\Windows\system32\Idjfeedd.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Ijgonlbk.exe
        
        C:\Windows\system32\Ijgonlbk.exe
        52⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\Incknk32.exe
        
        C:\Windows\system32\Incknk32.exe
        53⤵
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\Iemckeba.exe
        
        C:\Windows\system32\Iemckeba.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Igkpgqae.exe
        
        C:\Windows\system32\Igkpgqae.exe
        55⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Inehdk32.exe
        
        C:\Windows\system32\Inehdk32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Iqcdpf32.exe
        
        C:\Windows\system32\Iqcdpf32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Icbpla32.exe
        
        C:\Windows\system32\Icbpla32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Ingdijfo.exe
        
        C:\Windows\system32\Ingdijfo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Ijnenk32.exe
        
        C:\Windows\system32\Ijnenk32.exe
        60⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Iedild32.exe
        
        C:\Windows\system32\Iedild32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Jjqbdkjq.exe
        
        C:\Windows\system32\Jjqbdkjq.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Jfgbil32.exe
        
        C:\Windows\system32\Jfgbil32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\Jfjonl32.exe
        
        C:\Windows\system32\Jfjonl32.exe
        64⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Jaocldmh.exe
        
        C:\Windows\system32\Jaocldmh.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Jflldklp.exe
        
        C:\Windows\system32\Jflldklp.exe
        66⤵
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Jjghdj32.exe
        
        C:\Windows\system32\Jjghdj32.exe
        67⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Jglhnn32.exe
        
        C:\Windows\system32\Jglhnn32.exe
        68⤵
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Jneqkh32.exe
        
        C:\Windows\system32\Jneqkh32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:488
        
        C:\Windows\SysWOW64\Kcbico32.exe
        
        C:\Windows\system32\Kcbico32.exe
        70⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Kfqeok32.exe
        
        C:\Windows\system32\Kfqeok32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Kmknleog.exe
        
        C:\Windows\system32\Kmknleog.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Kmmjad32.exe
        
        C:\Windows\system32\Kmmjad32.exe
        73⤵
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Kedbbb32.exe
        
        C:\Windows\system32\Kedbbb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Kjakki32.exe
        
        C:\Windows\system32\Kjakki32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Kdiocnbo.exe
        
        C:\Windows\system32\Kdiocnbo.exe
        76⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\Kfhkpjab.exe
        
        C:\Windows\system32\Kfhkpjab.exe
        77⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Kampmb32.exe
        
        C:\Windows\system32\Kampmb32.exe
        78⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\Kdllin32.exe
        
        C:\Windows\system32\Kdllin32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Kjfdfhhi.exe
        
        C:\Windows\system32\Kjfdfhhi.exe
        80⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Ldnion32.exe
        
        C:\Windows\system32\Ldnion32.exe
        81⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\Lncmlf32.exe
        
        C:\Windows\system32\Lncmlf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Ldpedmlf.exe
        
        C:\Windows\system32\Ldpedmlf.exe
        83⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\Lhlael32.exe
        
        C:\Windows\system32\Lhlael32.exe
        84⤵
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Ljjnag32.exe
        
        C:\Windows\system32\Ljjnag32.exe
        85⤵
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Lepbnp32.exe
        
        C:\Windows\system32\Lepbnp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Lohfgfjj.exe
        
        C:\Windows\system32\Lohfgfjj.exe
        87⤵
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Lkoglgpn.exe
        
        C:\Windows\system32\Lkoglgpn.exe
        88⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Ledkippd.exe
        
        C:\Windows\system32\Ledkippd.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3584
        
        C:\Windows\SysWOW64\Lompbe32.exe
        
        C:\Windows\system32\Lompbe32.exe
        90⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\Mghdfgcp.exe
        
        C:\Windows\system32\Mghdfgcp.exe
        91⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\Meiddo32.exe
        
        C:\Windows\system32\Meiddo32.exe
        92⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\Mgjalgam.exe
        
        C:\Windows\system32\Mgjalgam.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Melajo32.exe
        
        C:\Windows\system32\Melajo32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1880
        
        C:\Windows\SysWOW64\Mgmnagoj.exe
        
        C:\Windows\system32\Mgmnagoj.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Modfcd32.exe
        
        C:\Windows\system32\Modfcd32.exe
        96⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\Mhljljfm.exe
        
        C:\Windows\system32\Mhljljfm.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3868
        
        C:\Windows\SysWOW64\Mepkenef.exe
        
        C:\Windows\system32\Mepkenef.exe
        98⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Mhogaidj.exe
        
        C:\Windows\system32\Mhogaidj.exe
        99⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Noionclg.exe
        
        C:\Windows\system32\Noionclg.exe
        100⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Nagljokk.exe
        
        C:\Windows\system32\Nagljokk.exe
        101⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Ndehfjjo.exe
        
        C:\Windows\system32\Ndehfjjo.exe
        102⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Nkppcd32.exe
        
        C:\Windows\system32\Nkppcd32.exe
        103⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Nnnlop32.exe
        
        C:\Windows\system32\Nnnlop32.exe
        104⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Needpm32.exe
        
        C:\Windows\system32\Needpm32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Ngfqhegp.exe
        
        C:\Windows\system32\Ngfqhegp.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Nkbmhd32.exe
        
        C:\Windows\system32\Nkbmhd32.exe
        107⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Naleen32.exe
        
        C:\Windows\system32\Naleen32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Negafmoo.exe
        
        C:\Windows\system32\Negafmoo.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Nghmme32.exe
        
        C:\Windows\system32\Nghmme32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Nopeob32.exe
        
        C:\Windows\system32\Nopeob32.exe
        111⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Nejnkmml.exe
        
        C:\Windows\system32\Nejnkmml.exe
        112⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Nhhjghlp.exe
        
        C:\Windows\system32\Nhhjghlp.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Nobbdb32.exe
        
        C:\Windows\system32\Nobbdb32.exe
        114⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Nnebpojg.exe
        
        C:\Windows\system32\Nnebpojg.exe
        115⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Ndoklibd.exe
        
        C:\Windows\system32\Ndoklibd.exe
        116⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Nkicic32.exe
        
        C:\Windows\system32\Nkicic32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Odagbipa.exe
        
        C:\Windows\system32\Odagbipa.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Oaehkmok.exe
        
        C:\Windows\system32\Oaehkmok.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Ohophgfg.exe
        
        C:\Windows\system32\Ohophgfg.exe
        120⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Oecqakea.exe
        
        C:\Windows\system32\Oecqakea.exe
        121⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Onnefnbl.exe
        
        C:\Windows\system32\Onnefnbl.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Odhmbh32.exe
        
        C:\Windows\system32\Odhmbh32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Ogfjocim.exe
        
        C:\Windows\system32\Ogfjocim.exe
        124⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Onqbkm32.exe
        
        C:\Windows\system32\Onqbkm32.exe
        125⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Pkdbea32.exe
        
        C:\Windows\system32\Pkdbea32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Pncoam32.exe
        
        C:\Windows\system32\Pncoam32.exe
        127⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Pdmgngfd.exe
        
        C:\Windows\system32\Pdmgngfd.exe
        128⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Phkpdelj.exe
        
        C:\Windows\system32\Phkpdelj.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Pkilpakn.exe
        
        C:\Windows\system32\Pkilpakn.exe
        130⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Pbcdmk32.exe
        
        C:\Windows\system32\Pbcdmk32.exe
        131⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Pdapif32.exe
        
        C:\Windows\system32\Pdapif32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Pklheq32.exe
        
        C:\Windows\system32\Pklheq32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Pnjeal32.exe
        
        C:\Windows\system32\Pnjeal32.exe
        134⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Phpioe32.exe
        
        C:\Windows\system32\Phpioe32.exe
        135⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Pfcihi32.exe
        
        C:\Windows\system32\Pfcihi32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Qnonmkdj.exe
        
        C:\Windows\system32\Qnonmkdj.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Qdifie32.exe
        
        C:\Windows\system32\Qdifie32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Qggbea32.exe
        
        C:\Windows\system32\Qggbea32.exe
        139⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Qbmgcj32.exe
        
        C:\Windows\system32\Qbmgcj32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Agiokq32.exe
        
        C:\Windows\system32\Agiokq32.exe
        141⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Ancghk32.exe
        
        C:\Windows\system32\Ancghk32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Aiilec32.exe
        
        C:\Windows\system32\Aiilec32.exe
        143⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Adpmjdeo.exe
        
        C:\Windows\system32\Adpmjdeo.exe
        144⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Akjego32.exe
        
        C:\Windows\system32\Akjego32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Abcmci32.exe
        
        C:\Windows\system32\Abcmci32.exe
        146⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Aebipd32.exe
        
        C:\Windows\system32\Aebipd32.exe
        147⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\Abfjih32.exe
        
        C:\Windows\system32\Abfjih32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Aipbfbjb.exe
        
        C:\Windows\system32\Aipbfbjb.exe
        149⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Afdbog32.exe
        
        C:\Windows\system32\Afdbog32.exe
        150⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Bgeogooj.exe
        
        C:\Windows\system32\Bgeogooj.exe
        151⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Bnogci32.exe
        
        C:\Windows\system32\Bnogci32.exe
        152⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Bbkcdhnp.exe
        
        C:\Windows\system32\Bbkcdhnp.exe
        153⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Bnadii32.exe
        
        C:\Windows\system32\Bnadii32.exe
        154⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Bighfacj.exe
        
        C:\Windows\system32\Bighfacj.exe
        155⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Bpapcl32.exe
        
        C:\Windows\system32\Bpapcl32.exe
        156⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Bfkhpebd.exe
        
        C:\Windows\system32\Bfkhpebd.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Biielaag.exe
        
        C:\Windows\system32\Biielaag.exe
        158⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Cfpbke32.exe
        
        C:\Windows\system32\Cfpbke32.exe
        159⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Cgqnbmdm.exe
        
        C:\Windows\system32\Cgqnbmdm.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6616
        
        C:\Windows\SysWOW64\Cipkmp32.exe
        
        C:\Windows\system32\Cipkmp32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6660
        
        C:\Windows\SysWOW64\Cnmcegjg.exe
        
        C:\Windows\system32\Cnmcegjg.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6704
        
        C:\Windows\SysWOW64\Cfdkfdji.exe
        
        C:\Windows\system32\Cfdkfdji.exe
        163⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Cnopjghd.exe
        
        C:\Windows\system32\Cnopjghd.exe
        164⤵
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Cbmiqenk.exe
        
        C:\Windows\system32\Cbmiqenk.exe
        165⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Chjaillb.exe
        
        C:\Windows\system32\Chjaillb.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6880
        
        C:\Windows\SysWOW64\Cbpefdlh.exe
        
        C:\Windows\system32\Cbpefdlh.exe
        167⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Denabpkl.exe
        
        C:\Windows\system32\Denabpkl.exe
        168⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Dfnnlcbo.exe
        
        C:\Windows\system32\Dfnnlcbo.exe
        169⤵
        Drops file in System32 directory
        
        PID:7012
        
        C:\Windows\SysWOW64\Dfpkbbpl.exe
        
        C:\Windows\system32\Dfpkbbpl.exe
        170⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Deehcoed.exe
        
        C:\Windows\system32\Deehcoed.exe
        171⤵
        Drops file in System32 directory
        
        PID:7104
        
        C:\Windows\SysWOW64\Diqdcn32.exe
        
        C:\Windows\system32\Diqdcn32.exe
        172⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Dbihlcdm.exe
        
        C:\Windows\system32\Dbihlcdm.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6168
        
        C:\Windows\SysWOW64\Dlamei32.exe
        
        C:\Windows\system32\Dlamei32.exe
        174⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Eobfgdgo.exe
        
        C:\Windows\system32\Eobfgdgo.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Efinhaha.exe
        
        C:\Windows\system32\Efinhaha.exe
        176⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Ehjjpi32.exe
        
        C:\Windows\system32\Ehjjpi32.exe
        177⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Eeokin32.exe
        
        C:\Windows\system32\Eeokin32.exe
        178⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Ehmgeilm.exe
        
        C:\Windows\system32\Ehmgeilm.exe
        179⤵
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Eogobc32.exe
        
        C:\Windows\system32\Eogobc32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Eilcol32.exe
        
        C:\Windows\system32\Eilcol32.exe
        181⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Folhmbod.exe
        
        C:\Windows\system32\Folhmbod.exe
        182⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Fbgdna32.exe
        
        C:\Windows\system32\Fbgdna32.exe
        183⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Fonebbma.exe
        
        C:\Windows\system32\Fonebbma.exe
        184⤵
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Fgemdpnd.exe
        
        C:\Windows\system32\Fgemdpnd.exe
        185⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Fiffek32.exe
        
        C:\Windows\system32\Fiffek32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Fldbaf32.exe
        
        C:\Windows\system32\Fldbaf32.exe
        187⤵
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Fglcdohl.exe
        
        C:\Windows\system32\Fglcdohl.exe
        188⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Fijpqjgp.exe
        
        C:\Windows\system32\Fijpqjgp.exe
        189⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Flilmefc.exe
        
        C:\Windows\system32\Flilmefc.exe
        190⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Gpgdcd32.exe
        
        C:\Windows\system32\Gpgdcd32.exe
        191⤵
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Gecmkkka.exe
        
        C:\Windows\system32\Gecmkkka.exe
        192⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Ghbigfje.exe
        
        C:\Windows\system32\Ghbigfje.exe
        193⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Gefjqjho.exe
        
        C:\Windows\system32\Gefjqjho.exe
        194⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Glpbmd32.exe
        
        C:\Windows\system32\Glpbmd32.exe
        195⤵
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Gjdbgioe.exe
        
        C:\Windows\system32\Gjdbgioe.exe
        196⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Ghiohe32.exe
        
        C:\Windows\system32\Ghiohe32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Hpbdobbl.exe
        
        C:\Windows\system32\Hpbdobbl.exe
        198⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Hgllkl32.exe
        
        C:\Windows\system32\Hgllkl32.exe
        199⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Hliecc32.exe
        
        C:\Windows\system32\Hliecc32.exe
        200⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Hojnenea.exe
        
        C:\Windows\system32\Hojnenea.exe
        201⤵
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Hlnnobdk.exe
        
        C:\Windows\system32\Hlnnobdk.exe
        202⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Hffbgh32.exe
        
        C:\Windows\system32\Hffbgh32.exe
        203⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Hheoccip.exe
        
        C:\Windows\system32\Hheoccip.exe
        204⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Ifiomhhi.exe
        
        C:\Windows\system32\Ifiomhhi.exe
        205⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Ijfhcf32.exe
        
        C:\Windows\system32\Ijfhcf32.exe
        206⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Ifmihg32.exe
        
        C:\Windows\system32\Ifmihg32.exe
        207⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Iofmamkd.exe
        
        C:\Windows\system32\Iofmamkd.exe
        208⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Iohjfl32.exe
        
        C:\Windows\system32\Iohjfl32.exe
        209⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Jqjcfona.exe
        
        C:\Windows\system32\Jqjcfona.exe
        210⤵
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Jgdkcieo.exe
        
        C:\Windows\system32\Jgdkcieo.exe
        211⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\Jgfhhicl.exe
        
        C:\Windows\system32\Jgfhhicl.exe
        212⤵
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Jjgajd32.exe
        
        C:\Windows\system32\Jjgajd32.exe
        213⤵
        
        PID:928
        
        C:\Windows\SysWOW64\Jcoecigm.exe
        
        C:\Windows\system32\Jcoecigm.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6992
        
        C:\Windows\SysWOW64\Kjinpc32.exe
        
        C:\Windows\system32\Kjinpc32.exe
        215⤵
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Kpffhj32.exe
        
        C:\Windows\system32\Kpffhj32.exe
        216⤵
        Drops file in System32 directory
        
        PID:7188
        
        C:\Windows\SysWOW64\Kjljeclg.exe
        
        C:\Windows\system32\Kjljeclg.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7224
        
        C:\Windows\SysWOW64\Kaebbm32.exe
        
        C:\Windows\system32\Kaebbm32.exe
        218⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Kjngkcje.exe
        
        C:\Windows\system32\Kjngkcje.exe
        219⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Kcflch32.exe
        
        C:\Windows\system32\Kcflch32.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7356
        
        C:\Windows\SysWOW64\Kjpdpb32.exe
        
        C:\Windows\system32\Kjpdpb32.exe
        221⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Kpmlhi32.exe
        
        C:\Windows\system32\Kpmlhi32.exe
        222⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Kjbqfb32.exe
        
        C:\Windows\system32\Kjbqfb32.exe
        223⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Kamiblnl.exe
        
        C:\Windows\system32\Kamiblnl.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7532
        
        C:\Windows\SysWOW64\Ljemkbdm.exe
        
        C:\Windows\system32\Ljemkbdm.exe
        225⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Lpbfcibd.exe
        
        C:\Windows\system32\Lpbfcibd.exe
        226⤵
        Drops file in System32 directory
        
        PID:7620
        
        C:\Windows\SysWOW64\Lijjln32.exe
        
        C:\Windows\system32\Lijjln32.exe
        227⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Lcpojg32.exe
        
        C:\Windows\system32\Lcpojg32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7712
        
        C:\Windows\SysWOW64\Ljjgfapg.exe
        
        C:\Windows\system32\Ljjgfapg.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7756
        
        C:\Windows\SysWOW64\Lcbkoggh.exe
        
        C:\Windows\system32\Lcbkoggh.exe
        230⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Liocgnep.exe
        
        C:\Windows\system32\Liocgnep.exe
        231⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7844 -s 420
        232⤵
        Program crash
        
        PID:7992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 7844 -ip 7844
1⤵
PID:7908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afdbog32.exe

Filesize
272KB

MD5
b0aeaf914468bf728b326dfa63f49781

SHA1
a4e723d2b85403ac3f9f96759b5c003fa4a333e6

SHA256
981b8ee63116e91eb9a51f30231bc204dcf55fcd1160b08bf083a9d978ea60ef

SHA512
5d36bf38214d5fbdcf332676f74165911c041169e93f73ebf30a00c2356b565e858bcc5730abe0875fd1c0b1abf3a33d7866b76bf576974c58a5f4877454ad21

Download Submit
C:\Windows\SysWOW64\Bnadii32.exe

Filesize
272KB

MD5
116f119e5f8687ca3f5756f1da3fec99

SHA1
22dd456b66ec08d81d58b61c2355616ddbe72475

SHA256
3b0ce96265aa049dcf6932c33cdb0f96d5d479d9e8df905fde94bcddf7bfcfcd

SHA512
2b17a84a85f3354012a66443bb5028713bed4470df1426e64785e9f093135758213a935a52fd1ee9d529800fc4755d4f10a356d3df85d7b267f48dbfc7e771de

Download Submit
C:\Windows\SysWOW64\Cbmiqenk.exe

Filesize
272KB

MD5
dd253afc6d2b48db04e883ba8e1d40fb

SHA1
218f462e355bf9e4b94595a30ca7f4a9b1d94c20

SHA256
6ff06a9deff6efb980f518fde75de2a68206785e9316f1c3146a3f14a1e10008

SHA512
89695f91b692effe47a2e444ce2ede79961626db5ff87ccf0361967213add661dbd8f6f86dd167e2328a92bb9d096bfcf2ff4a24c7324013a4cbc0e1b785aa5c

Download Submit
C:\Windows\SysWOW64\Cfpbke32.exe

Filesize
272KB

MD5
34e0340123d023814a2efe50f6058867

SHA1
b23cedc96a12e9a0c4045826cf683a52f4401c3c

SHA256
fc18a233730bbe6b1cec393e822f08f9339f9ff9c7d53ea53a82e04e4d33eb57

SHA512
780c425c6d08818f17d82dc4e7da6d2248dcec680ffa7d46cbd6ff27cd700ea2faf6b97f4adea86424e5e1a1d9f644628703eca34bb0005b533c2361ec246e6f

Download Submit
C:\Windows\SysWOW64\Cipkmp32.exe

Filesize
272KB

MD5
63a10583d0243aca8a919e53ba8666a2

SHA1
9a1ff4c502e194eeb742218a5ec0a505c0c9f360

SHA256
290e6ab8f4467d724d969257bf4744a05c62d029a3912279ca4ddf9b4983061f

SHA512
601417c8687b52e8a279ed238b50819f150c801e1937ec295f73ddae9ec7b3934c2c9e959549817f1dfa2cbdf87bee11a9d452459a8b14f295bac84c4820a918

Download Submit
C:\Windows\SysWOW64\Dfnnlcbo.exe

Filesize
272KB

MD5
1b258a510ca4833ac88ecc520cb829db

SHA1
ffca4dfea4e76a7da1e86d81296d9d7921e3ef91

SHA256
f4e6d59aa68872f0dd528e8b6f8f0bb97004b2784b078b1860102f88b216aabe

SHA512
5f1d7faa6e12b1f8486b40fb51c4931556888e2d7a467d53c8eb42169b2298b7de28d00effbc916b394b399f26530e6ad69f678a863ade51996e49efedff6bee

Download Submit
C:\Windows\SysWOW64\Eceobh32.exe

Filesize
272KB

MD5
3f4d4e185e62abd28fb1b3fd67a03cff

SHA1
3585be38b3dbccb14722b1136b3e0a220971cdcf

SHA256
134b52595667015e8aa475934d3d695adc5fa82e412530507bd740887f3dc4df

SHA512
d688a4039b33dfad5a1ea851d3bc0279be4723ef8cce18821212b77af4279f06c28eb3fc3e5ed86f43976dc710065977c1d7524405c4745887d99ae6f39cb691

Download Submit
C:\Windows\SysWOW64\Echkhh32.exe

Filesize
272KB

MD5
dff446c8d1d5e00f54802333ad8c5b9e

SHA1
3332a74488e3ecd094e936add4e93a49bd031b9a

SHA256
392585f879eddc6b0ab1f0e0a7f4e2caaa1a0a479b696964d32c771574183a58

SHA512
15b9f5a30f1a02f444e48123d59bd2da689189e447ef206db5c50120104275044ee600c1ce778a817c20248324fae1bec7ad925386726cefbfac83d3e6ad0034

Download Submit
C:\Windows\SysWOW64\Edlhflmi.exe

Filesize
272KB

MD5
5a5bf7a9f04c02cf50bb0218ce10b3df

SHA1
602cdc3be0bb737049b23dde572a8429b06e0ecd

SHA256
0b2f980b0bc9b70220c5a12c86da80a54d811987a6ef7b5144f96707759f473f

SHA512
08576fc1c7a195e92e10427867ffdbed763fd4f129980836229b809ac7732b720435038c3a106aae6850961b067f77d89a2293ac826f2e39e636e61fdc926fc3

Download Submit
C:\Windows\SysWOW64\Ednell32.exe

Filesize
272KB

MD5
4a547092394454f80feacbf22451c917

SHA1
d000204bca3889010b1c05398d430423540bab0c

SHA256
d0d6fc135d0043386138fd5c8cb75eb0e3c6d836df33f98896024bbafef18e61

SHA512
e07eb1836fa4cdf28bd10fdfcc88688db7409fc062649215d023356229bd1561bb625db00e49061f05b14071bfed15c4d00ca2246455f11cd389d442efdb9101

Download Submit
C:\Windows\SysWOW64\Edpbal32.exe

Filesize
272KB

MD5
1228e58008c3792b8324824e92ed63af

SHA1
efb88cae60d9fbcb08a000a3b0c1b61ca8d02dba

SHA256
e36f1bffab386e30c232f003a8addda1e67a1dde766e3c4cdcf1036ab4bb3df5

SHA512
f8691a6decbfd2049c1ac787e035c9cc96208d56082a9df906c8d6bfdfbd5772a0dd1b4b98c80aac5cfa6cf39d990caeb6fbb17369104af5ab1e90745218e7d4

Download Submit
C:\Windows\SysWOW64\Eikndc32.exe

Filesize
272KB

MD5
f2216ad554195c8d853da60b322f3e07

SHA1
3d662973cc9f9abca67dfd3045f9805065b09cc9

SHA256
9ace51c4bd6984177e26599ec5da0ecf63f570a22951601c8e16b82f016ff82c

SHA512
c8dbc06bcc3591687b89ce406b9a25174447c010e18fc918f6585b338f16d5a92bb9d7eca725e5ed4fd028e6cf2237443c96305f95d80331ed9abb830f307f7b

Download Submit
C:\Windows\SysWOW64\Eimjjb32.exe

Filesize
272KB

MD5
fff3fe7cf238e6f8868ddafbbeb93dde

SHA1
c73d6adee93a8e7d0e35c3b62068c61f7495a113

SHA256
014f6004cbb2bcaee7b97918693942d46fa7f94facf27c5c260c4a31cc99f7b0

SHA512
f01db3fab715f66d18c4ae7ad54a1edbf4c6b1d0723e696c466253aee4b3ae5e1b3a1ec60b228d41560d7d58e2e21b04bb3ca453ab13ded92881aa1c83508613

Download Submit
C:\Windows\SysWOW64\Enkcpq32.exe

Filesize
272KB

MD5
79827c7bb3832f1ac88b8c64c71d9fa8

SHA1
b81b49755f2e31d43a3da15957538a122edb7c21

SHA256
04f3262e9787ec06d8f76cdd68669ebecf737a3fba88299d5123f27f01a69f10

SHA512
9a4112c0cb6e92df2956345bd6b3ac4cabd9b61a0373b303343c7675811aab775193a09a0bcbefdf22d45eb591662ba39aa4f409a8d3122006020456250f6e2e

Download Submit
C:\Windows\SysWOW64\Eogobc32.exe

Filesize
272KB

MD5
bb24692db4556eafca0fd020ec6114de

SHA1
3744e6a6fe8ffb55b789172aff9cdcc62d5aeed6

SHA256
1f9f22e629cbc40824367ce59afab7daa1bc6fedd1df83b82950399f8c4a2d52

SHA512
9612f34ddb100521314a39735eb2bca5688cc879fae960a34aa18d6232309838b1e3e8ec32a7e399a472bc1104beb853dd86514918a7920fd063858cbae3bb32

Download Submit
C:\Windows\SysWOW64\Fbgdna32.exe

Filesize
272KB

MD5
5261ab67cdd408f1059ce4ec1fe43ec3

SHA1
cd859e03eb8d7de877a4de67b7a9bd875676a745

SHA256
0bbb5cf1998adefe4f869a3b1e0c51918ff060cff58fc97a3df1b2ebef316006

SHA512
2c387de5c7f5fea884eb6280944c00ccc0baa5061b9c037786fe219cbf37687220d8a6165af3a441d962ada052270a93854957a5ce09a98745b564eee115fdc0

Download Submit
C:\Windows\SysWOW64\Fcannf32.exe

Filesize
272KB

MD5
69268777054ff0d1f13497066aefc56a

SHA1
bd4ffc58c8750f4f3bdaef7872b5003450fcf233

SHA256
9a525e05c5dd95d65e6b2002d8adfcff09722e28d44fa26cbc5be2edecf31c0a

SHA512
67287f5e66a6f37a7957584a2a2b21330d4e7b15c5d14a155db2b386e6d488806ebfcfe6082833ce54f344a581e21a2ea5ae4dc344f62375c888d1aeb4793579

Download Submit
C:\Windows\SysWOW64\Fdghbj32.exe

Filesize
272KB

MD5
77b50be762f7f03fd3661d77f7da7b8c

SHA1
8f19be35baeb20d32655db3788788d93291daba8

SHA256
888b3a9e3a76ee474fc664c494981b29a175000ba60fae5f51800448e5327952

SHA512
30f32207c591c29addfcb0b37cf7adc5af8709c7aec7cc9a60d6a6e27283fc5b5c0299d895d59f89227c9eea097a92fdd9f997685a9bf2b46635b4e80dd8a0a3

Download Submit
C:\Windows\SysWOW64\Fdghbj32.exe

Filesize
272KB

MD5
b86a9c2309264abd83b7dff85dedf0db

SHA1
36a3d6fb8eaf8a4673d48b81f3a8fdc0fef9c34e

SHA256
97122f7184a4c1fd6508aabb9646b21983c4980306f6c9a8c3070410ef958ae4

SHA512
634e643b74b4554b75f88e8012124f01dbc4c875ac2718231dfb39f2288710a441506b5367d0c26729aa3d8ffc434a2f77dfcbc375769bbe8083598b8bedfa6a

Download Submit
C:\Windows\SysWOW64\Fehdjbhj.exe

Filesize
272KB

MD5
59de5fdb38c3bbca4e177c310e337370

SHA1
1ccc8094e1e9460e1ab45aeead135b06e76f253a

SHA256
fabc1769506122546d564a6f7fe6f270407fbb0705977816a8ee3e0b05bb4d0b

SHA512
0c8115156351a7ebd1d745d99f8629dd562b0e84c16606c4ded1700a0b2d3b2829003a6a671e53d8b23180a13722b696aa52850ac258ceac0555841252e01422

Download Submit
C:\Windows\SysWOW64\Fiffek32.exe

Filesize
272KB

MD5
9d39cf63f120c0e3d40d1b9135ec462c

SHA1
738dc3234d1f3ec140876c3b1702f6b234af6369

SHA256
db9db27cc903bef80a121037dfee56115e02fd9c064561f35cf18baab442241d

SHA512
eec19cd57b01dd56db10ac80bd7fece43d4c842ef6e5019a1d8fb7d18bb81c64060f0215fce172df90f9cba982a6eeb7ba53510bed4810d488ef2cc8f9a2bba9

Download Submit
C:\Windows\SysWOW64\Fnbiqpgj.exe

Filesize
272KB

MD5
4c5bd8b959265ffdecd52b853015050f

SHA1
92fc8802ae4837933c9034dc02c496242847061a

SHA256
bcc011a26926e75b1efddde6c434bf45d0b405bac89ad1edab34b62a1a7906de

SHA512
638bce8a4c11ea0436090320b962ae025e3cb0432f29c05fefeec476c137d17933020a2c79303d62e992095d997f7f49dd20d592162f1c7d77d2c353edca1187

Download Submit
C:\Windows\SysWOW64\Fndffo32.exe

Filesize
272KB

MD5
753aff10a7bd6299fc7f337f460e3f9a

SHA1
f73c1da63da48bbf56b54b44edf641beda2e6c2b

SHA256
27be91dddd4375dac8ba919da1a1ff0cae065a9bacc6cfdba3aae5d4c1bdba64

SHA512
8cfb0fa7d8db30dcd7fdea4cbac28ad5ba5e8c18fc7bd6345128efe62df69d9a05c972268d72868a2b1e5b3d551d201bc1d0ba69ae7ba89ca13e1eaf2b4cb271

Download Submit
C:\Windows\SysWOW64\Fpeohj32.exe

Filesize
272KB

MD5
5d686086e854c3116f57a66253a72b44

SHA1
776d18c5e1d510aa507df05df0af30f672c579fb

SHA256
3e996e7ef784c3d6d773ebed958da7235d13638e59d0a52d9bf147a9a4f8d650

SHA512
e9212cb39c88ee32d13274be6724bbbad143026e762517c00b59cf1d337e5c4fa4bdac24727672c7b06525ac0e65e6137acf8ad16170c11485d46591e18a6e65

Download Submit
C:\Windows\SysWOW64\Gdhaihdi.exe

Filesize
272KB

MD5
a92b7a73d63760317eed315fce8388a4

SHA1
35a3dfec21dd4bc8af0a1a73d19ffa6094e0cbca

SHA256
788c8fac2cdc9fa19a6fab65695bd3293f6e21ad46cf8eea5aa8d859d1371036

SHA512
5048343200e8f6ea12dbdcb865d444e6fa616839f10deb05459bc290c0f605b43d6021726cb122c3becd5cc4f2a87695112817a00c260f011bbe341ecf3f1abe

Download Submit
C:\Windows\SysWOW64\Gdjnohbf.exe

Filesize
272KB

MD5
6f5aff9ba365d41e576bd9b7c7886645

SHA1
f9b650b883b64fd6c1e271c1dc57f1515e2081f3

SHA256
bd30b395fbe02452233b8266132fa449bb4b7a711a5f91cde808bd5d2be19582

SHA512
9e94de5ae24b532fe0fe6623a882afa6966bd1d90ad3abee0b5e1187f1821c6fc476ca0aee4d4f15dfdfa8cb890b1cfd6af9236cbe35445706c0a2a56b914f3d

Download Submit
C:\Windows\SysWOW64\Gdljdg32.exe

Filesize
272KB

MD5
7b06eb82517b031a68b59bba20bf2180

SHA1
e3ee67f4d903e2e76bc412498f2867937ea426f1

SHA256
414e4502006e2b3ef37e010f5681f53985dab30a615fa1b7898e2c706ea724d0

SHA512
f1acb4ca436d09efbaf5b3aaf8d07571f38fce47644354a0b25c8a924741a945ccb029d4db4124cd3ab9cfbb37cb41fd6161d51af4d9df1d687c3e6bf83032b9

Download Submit
C:\Windows\SysWOW64\Gfddeanm.exe

Filesize
272KB

MD5
71cdbd08f0a2e314f25b327508a9fe0c

SHA1
8348f7885213994a80cdcc2709e1f0c5a07332ad

SHA256
6e7e38d3c4a608d10fc530e4ad6e2f39e34c2b5cb79f9ab2960723964b03343d

SHA512
d9aaa9bbdbcb7e8d8c2cda2d623cd3121545c43afd3ae0043da49ab4e218cbae3dcbe149a04d72bb6220445a894782fe55c66e48df42f852892c3c201aa0e16f

Download Submit
C:\Windows\SysWOW64\Gghjkcaj.exe

Filesize
272KB

MD5
dd2dc6ebd61cbe22b867c4f062957beb

SHA1
603b537bc45c4f91b01938a52529cac529e1670e

SHA256
88df40ece9dd2e6b388f5412b459179d639cb15be2d8e1c1cfbb5f969e068f18

SHA512
9dc91db09b677575b03f2cb11f4a7e93d424c8cddc7be1183d69efd40c9ae4a46eb586e954a87a44a8db6e6844e963b0d6a6a1124e485c36e0e206b8534b37b3

Download Submit
C:\Windows\SysWOW64\Gjdbgioe.exe

Filesize
272KB

MD5
973081783c6b8873bb2d68a7c24e088e

SHA1
fb594baae14284a2cdf1243e665ddf5215b2744e

SHA256
c7ae9f30a5fee2c6014145d8eb8e345dd3a4b1be9019d6bd80356a9681e7e7be

SHA512
5e79d145981e0144193e33a09db7310d749d5808b69f52fd2364817f13077b285a73d4db3b2cc6f9386dc40393b99e3990d332aa2a0f1f58ce686155f907bd6c

Download Submit
C:\Windows\SysWOW64\Gjdiaobq.exe

Filesize
272KB

MD5
dbe6f14d93958e02d75b2a013f12645b

SHA1
722a0f5b3211a1bb0d11b751b1b055b9fdced360

SHA256
10aaaef3235c8a46207cfd731dd5382d11ec2dac15a4fa5374a577f071081d0f

SHA512
a3ae870048389f952d2d6d869b1d1d1cd8de658373f37ac567628b90b6646e82addfc596bd9741b870ff45ac19682b8dd1032baf72b95be39873fb6c7e16392e

Download Submit
C:\Windows\SysWOW64\Gllpml32.exe

Filesize
272KB

MD5
f0ee48e8c8b83560af05d0fbc620ca7e

SHA1
7ec0ac3572ceb917e7107bffd7e101785f430d19

SHA256
389bcdec637915650a7f9b5f6db2d7407b96968ac216d8d93bab3bd806b78412

SHA512
f117c00b9f100c1fd860bbc52dfe076d1a8ee995bcde6ac0bc05b28d251756fece3fe7d08a53cae8b27ea3d5b24f907f33c48f796684a771decbb78c1f608395

Download Submit
C:\Windows\SysWOW64\Gmcemjad.exe

Filesize
272KB

MD5
c4ee3dcefe7a8c817ccc518be75af703

SHA1
e6fbdc38e6459ccb093fee0fe30bb29b90497802

SHA256
a6587dc12c07ac8423b386909001a4ac28641bf41ffc86f5aaba3ceca3b579f7

SHA512
e64dd20f76ca4f390df2573a778284f8d34822638048f64279bc93242ab349118756b1bafbc7549bbc3b208c93c2f38359703067620ca831332ad7e356688059

Download Submit
C:\Windows\SysWOW64\Gqancihk.exe

Filesize
272KB

MD5
15e6086d0b7e371f39626f5a5a5dd540

SHA1
5bfc380b936f69127f29f5f93c52dcf305252144

SHA256
425c0520c99d874f293744ddc37831e421825d604c78dab7c54d8462ebda5699

SHA512
712695b3755cbeeac4d0a929ea10a7a241531cbe70822f5ccc84269b5a1f6d3846e74c97ddb783b4f230d75ac9a070058854cfba32db9a7aaa1e29f1f7e5577f

Download Submit
C:\Windows\SysWOW64\Gqjhcjnc.exe

Filesize
272KB

MD5
1e8cd28fd3e18bdd05a385076ae09f3f

SHA1
bf9434432608ab1c33bc636bdea037fed8c1606d

SHA256
9c50a918caf8d5aa2a9a2f3503d118c113a765cd8acb7dd2dcfbbcb6d9a242a6

SHA512
1d4459cb55f6847889472d469f3a8760df2565e278069783cf3427f13362ce9297c07b818ceea4efd6a62a64a22da442e9b11ac3a18d9690b593919465ab73fb

Download Submit
C:\Windows\SysWOW64\Gqlehi32.exe

Filesize
272KB

MD5
a6e291869df154484cd0662e21904b6c

SHA1
fbaee12225279acf93c3739a0acc58227ca43726

SHA256
ac48b9f37df321994e81ad51d0112d80a58e07645ecef98b02fd7edee42dcf70

SHA512
b0ed6e239d26d168cee580c33d94374984a040411c5f48845c07d4400069c8c3b5c8fcdee66e13fb013fd2bb3a6cf693c73b4c6450e1412c504021f74111c7fe

Download Submit
C:\Windows\SysWOW64\Hcagedel.exe

Filesize
272KB

MD5
d7702be10657907e3918b479dbeff340

SHA1
5097eb563a64969e8a77b76f27e49cf2986c4421

SHA256
b8acdb3dec02678130d6fdcc5c7c8c5cdc6255f9a249d66f3dd1e302896dc73e

SHA512
3923cc51793ecc3e4be41bdfc861aaf987766c9ca67d0552c6c53a7c735145f1d6f5abe1a7596fee040ba35416032360e19b86eed6e4f7c43b2632bb1b947641

Download Submit
C:\Windows\SysWOW64\Hfnglpfb.exe

Filesize
272KB

MD5
4186233f44b4af17c27e558257a237ec

SHA1
59dec1d9e6758da389402f7aade9508c66d25fc1

SHA256
64292067730e56ee845817805a165c55fbf4d3060568eb9ba34acbda8a35b5af

SHA512
4edf192e6da8cd7560209395335857b878b07361aa444081b08a1cc0d98c4bff0b46c3dcd7bab9f5f2de0857478e927f974c56d984f2f5be50c9ca7b77221a59

Download Submit
C:\Windows\SysWOW64\Hfpcaodp.exe

Filesize
272KB

MD5
fa949ee0b76e8ebc22215615fe87a027

SHA1
a891647b8ad526c32c239ac88083c32022567d23

SHA256
18fef3649d374b8b32e1dbab1d5afba15f66218874c2750105746350c76a7fb9

SHA512
6028921a64e1d4588cfd5e3aeea094f26847254ebad2563adf6e21454eff4bc649553931cf1c5a51d702adede13020bd25a1daf3038339da47fb8c4002cf5e15

Download Submit
C:\Windows\SysWOW64\Hgkfpc32.exe

Filesize
272KB

MD5
f6e21aeca82245bf4da11cfd154ecadd

SHA1
851e69d6c1eb0176cfbceca578bf177a636a7e3d

SHA256
c66db3b99f68d44e85bace1d09c2cba30e4920e742c4ee30f31e3d23506e446a

SHA512
aba2e948dd118a032f1841d6ae1b52fbb4c445dfe834a240b8632d978be83d52368460898d39a4b4e953c31ef3c2c489a027807beeb386483e2c6f64bae227a6

Download Submit
C:\Windows\SysWOW64\Hneommgd.exe

Filesize
272KB

MD5
66215427aca986e67ca58132ffcdfe60

SHA1
574628513a43aca8205f6fc54f60b5b81529ec65

SHA256
89749cf286c2c4a2c3976a1efdb5059c257702675e9503e1cb7389f32c56f5e2

SHA512
b6d8ba28053700d63e3716518489647e910a0c89537c7a0c9da50ff29d032727c82ce829a862d70152aa3b5a292def78007b600873cda4209e83a2ca4cd37fc2

Download Submit
C:\Windows\SysWOW64\Hngkbmea.exe

Filesize
272KB

MD5
8cf091efc05e48f153ab4eb691dab79f

SHA1
ac2518b2b4537bcbe8bd44e593decb3bf01c18bc

SHA256
39f6da487be4927c13d1df752f0efa9989cb245a87621e2c52cde9954001b393

SHA512
8bf63edab127feaadcbee01f7c96973032c25820455df10989bed6766f1d8744bed046ff2e8765a3644c1e56ea3037532bda2b066b2ea341b03900270496ed40

Download Submit
C:\Windows\SysWOW64\Hojnenea.exe

Filesize
272KB

MD5
930e24814a12edf8a81cf9d5d456136b

SHA1
677f5831c0219f8673e6259c72c4cee430926296

SHA256
75536691906e8bd6b9206abac974db5cb52e1abc8f2e2d329ea5618cd3de8752

SHA512
25a2749f7cc3bb7267f79b8491a3949ad2e5827550f43e1b89fa7a6457c1b5612509a68f566cb9533b3b3b35cd8e845f069744a2fb5486582527a990bc08d788

Download Submit
C:\Windows\SysWOW64\Hpbdobbl.exe

Filesize
272KB

MD5
5199bf387f92c18f8c9a4e31e665331d

SHA1
b09d1c954ca476d05915174d41736f56ad1fa300

SHA256
89e22660d67f389ac396699c9925c7c253997878a26ece88f7fdec25b152ecbe

SHA512
733a7912b76a7e313dbc2e694fda74330563a20bce10cd04205b74a92e3f75024bc427f81a59d3c8d3c3546e7120c5de7ddb03979962fd1eab5c22d6349798ce

Download Submit
C:\Windows\SysWOW64\Hqckihfh.exe

Filesize
272KB

MD5
e39892bce0a6dd0c6662089e193b327f

SHA1
17669ded44eda70b08cc83d26fca6e309db2c38a

SHA256
198cb03ed6f7acf76f56a1aa9eac47e5e6f2fac5c8a1ee19d326a69dc1c3255c

SHA512
cda723e3dabaec4a7711421f7519527f86e028d0294f9777af563b6e299d851e5358a66aefb4dfa9fb466402f04bc3ffe8b2771877557c50bec49340c07118fc

Download Submit
C:\Windows\SysWOW64\Ifmihg32.exe

Filesize
272KB

MD5
b2f2fa228d3b1e2ca818f3bd8c3697ba

SHA1
cbc2150667977a55b6594638a686e1c68e856cbf

SHA256
922019242654f09ffb1b17279514af57c56bba108236e1eba64ed160c76d73ec

SHA512
db2a0bac6539b6eccbb0174a4feb2ef3e6dab9155cdcfe9eb10808b0ce5884ef6a053cae3b55d2d448991c777fefe3356638be9a75c9fd680fffe397486bfe1b

Download Submit
C:\Windows\SysWOW64\Jfgbil32.exe

Filesize
272KB

MD5
014d713f19229152087c07aaa9a718b4

SHA1
16decc35eff062dea628770e06ae9340bef64391

SHA256
a10cdff9d6f397bfc1f55b7f884f406a4c54db85aa4c9417d74a7a46886cea49

SHA512
8468c42f5f53ebbba00b8d37afc638cc27ef23eaff6730043655e2b34d5ba2e67404703d05706cc1232625ea015576975aac00591ca54a2a11aa5331bc5f76a3

Download Submit
C:\Windows\SysWOW64\Jjgajd32.exe

Filesize
272KB

MD5
7698d4fec6b22e186553105d84c483d0

SHA1
661d20285b6fb51d2f26729e8c65fb014d2794b1

SHA256
9f139bae0bfb388935bb8b85c9b56617ef55f18bfe92320bb8333f1e4b3eb14a

SHA512
44a189392db396fee6ae99a1b5ba04147597e50e96358fe921962aafb004a8b664dd72f5952908fc918c62fba12e4fa47c13b8a1a14480aece8dfc424efd0524

Download Submit
C:\Windows\SysWOW64\Jqjcfona.exe

Filesize
272KB

MD5
c7154df17e7a83113831a93e7ce445ad

SHA1
4da51f41fc11eb5cc2e9878f6ad2dd1569c96c54

SHA256
9954c3c58bc2f2839466febfde621af698350339ea564bd3aecd984be8145b28

SHA512
e7bcad34a79759d1464310cc21d15437051ad7b42448578ec30bd423839ab3b9e0e6d06809ea5837b555c6afde8b7a6224c6935565ef9f61b2fdcd9b0e280825

Download Submit
C:\Windows\SysWOW64\Kamiblnl.exe

Filesize
272KB

MD5
cb9c8030486843a137a62e10c3274f00

SHA1
fad6f8d7ceb6f64835e9b03e97efd4bc6a00cd43

SHA256
9b32d89b85baa3611758063b9a0b4723980652152914da140778b57c21622831

SHA512
77a645a86f04a50729fd0c6880510afe2ba3ba1fe6b64df0c561f3a6e012c70215da69604961b3075ab7ce3fec2174ceae96bdd551ba631c7269818c59275882

Download Submit
C:\Windows\SysWOW64\Kjakki32.exe

Filesize
272KB

MD5
0e2ecf393992f9e2acc762859478eaca

SHA1
ed89344f4fd58e70ea55c715135524b49eddf0d7

SHA256
73282df12c3c1fa63332df68df85548289a767826df53b732bc410c7404e1ab7

SHA512
fb24d6f445a48a1cd1c79513ca4ad8f5ed0efc2e16346005e0d1c514900d8cd01cb514e3fe8957a974437ea727957675182d39e4294e5772113de22ffa9f4b0f

Download Submit
C:\Windows\SysWOW64\Kjngkcje.exe

Filesize
272KB

MD5
71aa345a3c4ffca6dffe7f358c3d47ba

SHA1
dfb69aae0445f289e3467c6d5e206e929f238a6d

SHA256
7897267dc346ddaa9ecdd12f22f265b2128375098ee7d31c245aa831d1c2fef9

SHA512
a040dec080eab9a01b6fc2e19a40a6c9a741b294b6753a7d80b4dbd78fb0cd193ffd238795816b1dadb7639937213767d92b108b03e80883022b1b7d5bf84525

Download Submit
C:\Windows\SysWOW64\Kpffhj32.exe

Filesize
272KB

MD5
a3375da47bb1b5e3f2f09bc5008f6936

SHA1
ead9fc6d6b6ec4155336beaa203a550ab771a531

SHA256
ca5d7e8e41ea6658ef6027be596602319c760e75a850b18c3bb65f585bdb0861

SHA512
2eb4624538111227e6dec357c2ca43b4c141f910dead550b19f7e2a35a9e77b5f6580edf2b11668e2750656d7050b460c1506bd0c32f52b5b9351f2e09f58de4

Download Submit
C:\Windows\SysWOW64\Kpmlhi32.exe

Filesize
272KB

MD5
e1925b9732a70044b4383301e54b1180

SHA1
0afff7b238cec88ca6a9ea8c498f2eb834259764

SHA256
7b9b382369725e8350a6a21bb17d9a9102ddcff8ddb9df27a714d603c870129d

SHA512
f2daa806e12b1c8dbf8a143ab022437456f5864fcda30b5ac3bf072cb2d688bbcf1c352ca8ed56fdc94867c0c30fcefb7b7e4b9e52c115948e845a45ed24808c

Download Submit
C:\Windows\SysWOW64\Lcbkoggh.exe

Filesize
272KB

MD5
2ba4b01837cc467a4686f47a974a2806

SHA1
44606a67d0784db96f7962e20de6b01395787815

SHA256
96b45545b52d02a9fb96b25b97df368fb7c5eb31bf532a285326a5d9ef885d94

SHA512
10c8d391369aa692719384af5f3b461565327e9b69e25ec32e2509b5073937c3b454681ecd7011f5979e22ded8baddb49179bb1635b10654c3d332a35283a0c2

Download Submit
C:\Windows\SysWOW64\Ledkippd.exe

Filesize
272KB

MD5
7d8d30253ec45b2730b9cf252cabbc3f

SHA1
c4e3e33e6687841dfb517856ef69a11a2759ad88

SHA256
7333312f4fd33c0c535d80fb4a96211939f01c667890d32c2ca0ae0d4205a6cb

SHA512
a155a2e3b3928e23573a17289bd03177677929cdb28147b90c3e489df2c5f2e5e1dfefc59e20ad9655daacbee561526eb56aefac7dbab185931bfc9375ad4778

Download Submit
C:\Windows\SysWOW64\Lgmoaaho.dll

Filesize
7KB

MD5
ad8926b74a3f0fb442181f31e48c3806

SHA1
d533c712ad748e1afe6da8bdb88b71b870ed93f0

SHA256
ebce8167191d912f001afe8005f84c2d15ef32d73f409a283a0f34e0f7bb42d4

SHA512
1aad0482a34b687f190c8b08cc2b1bd5f5f8f75a1e1a31586ebf516711241211b7b3941fc96a755476c1958556d09004a69f87ca8a236431cbe442685554c078

Download Submit
C:\Windows\SysWOW64\Lhlael32.exe

Filesize
272KB

MD5
18d3968ccbda9641c8bbaec660188198

SHA1
8645aa95bbe411a90ee729f3680a6334fd7aad60

SHA256
b5dbc5b1eafd8c7fe315b183035af7f04142f4a2f1f7cbfcf6cea84e2eb755df

SHA512
748ce32b4e4282009770d3b86dfa92bd2cb4212802ee647634b9a6e012f319b6acbbb5e6fc5c8e4fda1d8add3f3a1637eb3bbaa140c43f96abc56511801073d4

Download Submit
C:\Windows\SysWOW64\Lohfgfjj.exe

Filesize
272KB

MD5
4373a048cac755cfc8ac47578e9c175d

SHA1
cb8ec0d86dc070ab511b4389b77c1bfd18c183e6

SHA256
deb23ff1dfad97e87eeb596e057cc991d2a5bdcaf53962f23c0d87b914ece409

SHA512
c9cbac9b3cef67bd6fa9ff3cf9ef3419357981d75d1c27ab7ea47942774b438de41243a383bf8eb7cad467384acec355a1e5f89b2dc04b5b674216c5bae2b4a1

Download Submit
C:\Windows\SysWOW64\Lpbfcibd.exe

Filesize
128KB

MD5
43fac6494d88ef23a626674858a36446

SHA1
89e2b5dc82b5223e295f96ccfd1de92ce3e410c6

SHA256
b9330b89f1f5c533385eef4c7ecba75d38fc5f50a401773a6bb4fbdb0e1559e6

SHA512
2865938ba1f88b4e41ad57cdd42941ff5f7b1475733d87ba277bc3d2b3b060d0efb1fb3aa5722856ebdf167fe409872835334a3d0034673f0c40fc9306019c8d

Download Submit
C:\Windows\SysWOW64\Modfcd32.exe

Filesize
272KB

MD5
046aeeead7b7e4183a1a3b2ac582f4c1

SHA1
86948aef7e7c7b816233c56bd96964b7e432cc49

SHA256
ee6f9f96de8758135d95ec41ba04aa4e2ecf70e8ccce5742ff7bccc25ab5ad15

SHA512
8ac824163ded4112a7a431f8064f5df31d74f05af97caa2cbc9c32d617e538f599f63401213a6a8c8bfcb29fffb51c3792c24b21acd6a2f76d0d9e74d4ecf8ac

Download Submit
C:\Windows\SysWOW64\Nopeob32.exe

Filesize
272KB

MD5
51d43296f40729b06ff4875272df7170

SHA1
6561640147b891b5dd5b616d48c93ac1535337fb

SHA256
fe44e84b9ce48279012dbce5d6cdc1f03fc24c941996961bfe18c3888c73bf6c

SHA512
1f81627a7f16f7d3c929e65dc7f5726376f0aa9ce29536996dfde4aa56a5a86dfb5771d8ecc49135df6de5a4f912e5be3da5e078bec1c995a304049716368479

Download Submit
C:\Windows\SysWOW64\Odagbipa.exe

Filesize
272KB

MD5
d4f3cdf022ed3892c10bf9eded9c5635

SHA1
916abf01befd90461cc2a38d563b5135556f5dcf

SHA256
f80520db80b03154811c3c2866fd04dbdc9a39f2405808616d816c66f80eb167

SHA512
acd4c4c336e9b36767b876a40c607c0797e5a0c889071b7224a41bd5f214dc578ad9b4ae6871d70fc07cb522eb0809539174afcef5e6cb27cf9b16a3c2228963

Download Submit
C:\Windows\SysWOW64\Pdmgngfd.exe

Filesize
272KB

MD5
a4e9a5f5df83cdf3632e4c9a80eb06f2

SHA1
3506d685a271b2c133117aee6e4e62299e101b09

SHA256
2e44b997bb2951855da0ed77d1c19c4d5d5878032a7e6bdf709251c9403eddac

SHA512
c005032394088a24a7a93d1c4522278602b170dddfa03b91ae5441c723a1d60063966c9bfb4ceadf8b5622da00aac2a9e2dd073c76a9acc623dc7218df13d1d5

Download Submit
memory/8-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-628-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/488-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-622-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-634-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-616-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-610-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-604-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6808-1618-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7312-1594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7620-1581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7664-1580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7756-1577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads