a1c61e89f5237914d62f35384a774c785ddcd55e95ae0f1868d68922c97e834d

Analysis

max time kernel
95s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

251d2092bd8211af57a43197273499a0_NeikiAnalytics.exe
Size

85KB
MD5

251d2092bd8211af57a43197273499a0
SHA1

a900acf8e29acb6a017afb250b9c92650968c223
SHA256

a1c61e89f5237914d62f35384a774c785ddcd55e95ae0f1868d68922c97e834d
SHA512

b0e857bd9d146bd76b157f0ff3fc08791e11b11ae257fe538fe56b8f2f9be93224115ef0936d6e47756b9b415432e99ac54c6bc0f95a319135d7540286666996
SSDEEP

1536:OsjrDK4gkdsn8fNv9O9y1qP2LHxMQ262AjCsQ2PCZZrqOlNfVSLUK+:OsjreGs8i9eqUHxMQH2qC7ZQOlzSLUK+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkljak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomhdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhcpgmjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbnafb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icifbang.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfblfab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfembo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodgkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkmchi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gblngpbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bblckl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gododflk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghlcnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcbpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alhhhcal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkgqfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flceckoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjlcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doqpak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdialn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojmcld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajjli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffddka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjghpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbnpqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Heocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imakkfdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjghpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bemlmgnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfpcgpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qchmagie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjffddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe

Executes dropped EXE 64 IoCs

pid	Process
1008	Ojjffddl.exe
228	Ogogoi32.exe
2216	Ojmcld32.exe
3036	Ocegdjij.exe
4344	Ojopad32.exe
4912	Odednmpm.exe
1720	Onmhgb32.exe
1524	Pcjapi32.exe
2464	Pnpemb32.exe
1840	Pqnaim32.exe
5044	Pbmncp32.exe
3464	Pkfblfab.exe
4536	Pengdk32.exe
1448	Pkhoae32.exe
4888	Pkjlge32.exe
3760	Pnihcq32.exe
3544	Qnkdhpjn.exe
740	Qchmagie.exe
2328	Qalnjkgo.exe
1320	Ajdbcano.exe
1428	Ahhblemi.exe
3540	Aelcfilb.exe
4480	Andgoobc.exe
2960	Alhhhcal.exe
1356	Aealah32.exe
2580	Ajneip32.exe
3868	Bdfibe32.exe
2732	Bajjli32.exe
2360	Bdhfhe32.exe
756	Bnnjen32.exe
1484	Bdkcmdhp.exe
2084	Bblckl32.exe
3988	Bjghpn32.exe
1960	Bbnpqk32.exe
1572	Bemlmgnp.exe
916	Bkidenlg.exe
548	Cbqlfkmi.exe
2452	Cdainc32.exe
5080	Ceaehfjj.exe
3648	Chpada32.exe
4176	Cojjqlpk.exe
5072	Cdfbibnb.exe
848	Cajcbgml.exe
1012	Chdkoa32.exe
4788	Camphf32.exe
380	Doqpak32.exe
2156	Dekhneap.exe
4508	Dkgqfl32.exe
2568	Ddpeoafg.exe
3664	Dadeieea.exe
3640	Dkljak32.exe
2884	Dccbbhld.exe
1120	Dojcgi32.exe
4288	Ddgkpp32.exe
4412	Ekacmjgl.exe
2024	Echknh32.exe
2680	Elppfmoo.exe
4160	Ekcpbj32.exe
944	Eamhodmf.exe
1644	Ehgqln32.exe
2904	Ekemhj32.exe
2608	Eapedd32.exe
776	Ednaqo32.exe
1392	Eleiam32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bkidenlg.exe	Bemlmgnp.exe
File created	C:\Windows\SysWOW64\Hmjehihl.dll	Dkljak32.exe
File created	C:\Windows\SysWOW64\Nlmbpgdl.dll	Ednaqo32.exe
File opened for modification	C:\Windows\SysWOW64\Jfeopj32.exe	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Neeqea32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Pnpemb32.exe	Pcjapi32.exe
File opened for modification	C:\Windows\SysWOW64\Cdainc32.exe	Cbqlfkmi.exe
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Ojopad32.exe	Ocegdjij.exe
File opened for modification	C:\Windows\SysWOW64\Pnihcq32.exe	Pkjlge32.exe
File opened for modification	C:\Windows\SysWOW64\Ffddka32.exe	Fcfhof32.exe
File created	C:\Windows\SysWOW64\Ecnpbjmi.dll	Hcdmga32.exe
File created	C:\Windows\SysWOW64\Imfdff32.exe	Icnpmp32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Fiknll32.dll	Fdegandp.exe
File created	C:\Windows\SysWOW64\Fbnafb32.exe	Fkciihgg.exe
File created	C:\Windows\SysWOW64\Gfbploob.exe	Gohhpe32.exe
File opened for modification	C:\Windows\SysWOW64\Gokdeeec.exe	Gfbploob.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Pbmncp32.exe	Pqnaim32.exe
File opened for modification	C:\Windows\SysWOW64\Pkhoae32.exe	Pengdk32.exe
File opened for modification	C:\Windows\SysWOW64\Qalnjkgo.exe	Qchmagie.exe
File opened for modification	C:\Windows\SysWOW64\Ddgkpp32.exe	Dojcgi32.exe
File created	C:\Windows\SysWOW64\Gfpcgpae.exe	Gcagkdba.exe
File opened for modification	C:\Windows\SysWOW64\Hecmijim.exe	Hcbpab32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Cajcbgml.exe	Cdfbibnb.exe
File created	C:\Windows\SysWOW64\Ddgkpp32.exe	Dojcgi32.exe
File created	C:\Windows\SysWOW64\Nhdlom32.dll	Fdnjgmle.exe
File opened for modification	C:\Windows\SysWOW64\Kdqejn32.exe	Kikame32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Fhcpgmjf.exe	Ffddka32.exe
File created	C:\Windows\SysWOW64\Oalnaifk.dll	Flceckoj.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cbqlfkmi.exe	Bkidenlg.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ogogoi32.exe	Ojjffddl.exe
File created	C:\Windows\SysWOW64\Bnnjen32.exe	Bdhfhe32.exe
File created	C:\Windows\SysWOW64\Ipdqba32.exe	Imfdff32.exe
File created	C:\Windows\SysWOW64\Ippohl32.dll	Jefbfgig.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Fkciihgg.exe	Fdialn32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Bemlmgnp.exe	Bbnpqk32.exe
File created	C:\Windows\SysWOW64\Imdhga32.dll	Cdainc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7732	7636	WerFault.exe	330

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajjli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cojjqlpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiknll32.dll"	Fdegandp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bblckl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbnafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhkcaln.dll"	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiejmbkl.dll"	Ojopad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fomhdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmann32.dll"	Gbbkaako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocegdjij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhgpa32.dll"	Eapedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flceckoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlineehd.dll"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolpjdob.dll"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjghpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	251d2092bd8211af57a43197273499a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fllpbldb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hecmijim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogogoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjqaij32.dll"	Dccbbhld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcjapi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpqdba32.dll"	Bblckl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogmoeik.dll"	Ffddka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhcpgmjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhdlom32.dll"	Fdnjgmle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjpndjd.dll"	Qalnjkgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dadeieea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgkmfoj.dll"	Gkkojgao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjigbdo.dll"	Hcbpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cnffqf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 1008	4728	251d2092bd8211af57a43197273499a0_NeikiAnalytics.exe	82
PID 4728 wrote to memory of 1008	4728	251d2092bd8211af57a43197273499a0_NeikiAnalytics.exe	82
PID 4728 wrote to memory of 1008	4728	251d2092bd8211af57a43197273499a0_NeikiAnalytics.exe	82
PID 1008 wrote to memory of 228	1008	Ojjffddl.exe	83
PID 1008 wrote to memory of 228	1008	Ojjffddl.exe	83
PID 1008 wrote to memory of 228	1008	Ojjffddl.exe	83
PID 228 wrote to memory of 2216	228	Ogogoi32.exe	84
PID 228 wrote to memory of 2216	228	Ogogoi32.exe	84
PID 228 wrote to memory of 2216	228	Ogogoi32.exe	84
PID 2216 wrote to memory of 3036	2216	Ojmcld32.exe	85
PID 2216 wrote to memory of 3036	2216	Ojmcld32.exe	85
PID 2216 wrote to memory of 3036	2216	Ojmcld32.exe	85
PID 3036 wrote to memory of 4344	3036	Ocegdjij.exe	86
PID 3036 wrote to memory of 4344	3036	Ocegdjij.exe	86
PID 3036 wrote to memory of 4344	3036	Ocegdjij.exe	86
PID 4344 wrote to memory of 4912	4344	Ojopad32.exe	88
PID 4344 wrote to memory of 4912	4344	Ojopad32.exe	88
PID 4344 wrote to memory of 4912	4344	Ojopad32.exe	88
PID 4912 wrote to memory of 1720	4912	Odednmpm.exe	89
PID 4912 wrote to memory of 1720	4912	Odednmpm.exe	89
PID 4912 wrote to memory of 1720	4912	Odednmpm.exe	89
PID 1720 wrote to memory of 1524	1720	Onmhgb32.exe	90
PID 1720 wrote to memory of 1524	1720	Onmhgb32.exe	90
PID 1720 wrote to memory of 1524	1720	Onmhgb32.exe	90
PID 1524 wrote to memory of 2464	1524	Pcjapi32.exe	92
PID 1524 wrote to memory of 2464	1524	Pcjapi32.exe	92
PID 1524 wrote to memory of 2464	1524	Pcjapi32.exe	92
PID 2464 wrote to memory of 1840	2464	Pnpemb32.exe	93
PID 2464 wrote to memory of 1840	2464	Pnpemb32.exe	93
PID 2464 wrote to memory of 1840	2464	Pnpemb32.exe	93
PID 1840 wrote to memory of 5044	1840	Pqnaim32.exe	94
PID 1840 wrote to memory of 5044	1840	Pqnaim32.exe	94
PID 1840 wrote to memory of 5044	1840	Pqnaim32.exe	94
PID 5044 wrote to memory of 3464	5044	Pbmncp32.exe	95
PID 5044 wrote to memory of 3464	5044	Pbmncp32.exe	95
PID 5044 wrote to memory of 3464	5044	Pbmncp32.exe	95
PID 3464 wrote to memory of 4536	3464	Pkfblfab.exe	96
PID 3464 wrote to memory of 4536	3464	Pkfblfab.exe	96
PID 3464 wrote to memory of 4536	3464	Pkfblfab.exe	96
PID 4536 wrote to memory of 1448	4536	Pengdk32.exe	98
PID 4536 wrote to memory of 1448	4536	Pengdk32.exe	98
PID 4536 wrote to memory of 1448	4536	Pengdk32.exe	98
PID 1448 wrote to memory of 4888	1448	Pkhoae32.exe	99
PID 1448 wrote to memory of 4888	1448	Pkhoae32.exe	99
PID 1448 wrote to memory of 4888	1448	Pkhoae32.exe	99
PID 4888 wrote to memory of 3760	4888	Pkjlge32.exe	100
PID 4888 wrote to memory of 3760	4888	Pkjlge32.exe	100
PID 4888 wrote to memory of 3760	4888	Pkjlge32.exe	100
PID 3760 wrote to memory of 3544	3760	Pnihcq32.exe	101
PID 3760 wrote to memory of 3544	3760	Pnihcq32.exe	101
PID 3760 wrote to memory of 3544	3760	Pnihcq32.exe	101
PID 3544 wrote to memory of 740	3544	Qnkdhpjn.exe	102
PID 3544 wrote to memory of 740	3544	Qnkdhpjn.exe	102
PID 3544 wrote to memory of 740	3544	Qnkdhpjn.exe	102
PID 740 wrote to memory of 2328	740	Qchmagie.exe	103
PID 740 wrote to memory of 2328	740	Qchmagie.exe	103
PID 740 wrote to memory of 2328	740	Qchmagie.exe	103
PID 2328 wrote to memory of 1320	2328	Qalnjkgo.exe	104
PID 2328 wrote to memory of 1320	2328	Qalnjkgo.exe	104
PID 2328 wrote to memory of 1320	2328	Qalnjkgo.exe	104
PID 1320 wrote to memory of 1428	1320	Ajdbcano.exe	105
PID 1320 wrote to memory of 1428	1320	Ajdbcano.exe	105
PID 1320 wrote to memory of 1428	1320	Ajdbcano.exe	105
PID 1428 wrote to memory of 3540	1428	Ahhblemi.exe	106

C:\Users\Admin\AppData\Local\Temp\251d2092bd8211af57a43197273499a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\251d2092bd8211af57a43197273499a0_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\SysWOW64\Ojjffddl.exe
  C:\Windows\system32\Ojjffddl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\SysWOW64\Ogogoi32.exe
    C:\Windows\system32\Ogogoi32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\SysWOW64\Ojmcld32.exe
      C:\Windows\system32\Ojmcld32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\SysWOW64\Ocegdjij.exe
        
        C:\Windows\system32\Ocegdjij.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\SysWOW64\Ojopad32.exe
        
        C:\Windows\system32\Ojopad32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Odednmpm.exe
        
        C:\Windows\system32\Odednmpm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Onmhgb32.exe
        
        C:\Windows\system32\Onmhgb32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Pcjapi32.exe
        
        C:\Windows\system32\Pcjapi32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Pnpemb32.exe
        
        C:\Windows\system32\Pnpemb32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Pqnaim32.exe
        
        C:\Windows\system32\Pqnaim32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Pbmncp32.exe
        
        C:\Windows\system32\Pbmncp32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Pkfblfab.exe
        
        C:\Windows\system32\Pkfblfab.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Pengdk32.exe
        
        C:\Windows\system32\Pengdk32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Pkhoae32.exe
        
        C:\Windows\system32\Pkhoae32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Pkjlge32.exe
        
        C:\Windows\system32\Pkjlge32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Qchmagie.exe
        
        C:\Windows\system32\Qchmagie.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Qalnjkgo.exe
        
        C:\Windows\system32\Qalnjkgo.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Ajdbcano.exe
        
        C:\Windows\system32\Ajdbcano.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Ahhblemi.exe
        
        C:\Windows\system32\Ahhblemi.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Aelcfilb.exe
        
        C:\Windows\system32\Aelcfilb.exe
        23⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Andgoobc.exe
        
        C:\Windows\system32\Andgoobc.exe
        24⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Alhhhcal.exe
        
        C:\Windows\system32\Alhhhcal.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Aealah32.exe
        
        C:\Windows\system32\Aealah32.exe
        26⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Ajneip32.exe
        
        C:\Windows\system32\Ajneip32.exe
        27⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\Bdfibe32.exe
        
        C:\Windows\system32\Bdfibe32.exe
        28⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Bnnjen32.exe
        
        C:\Windows\system32\Bnnjen32.exe
        31⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        32⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Bblckl32.exe
        
        C:\Windows\system32\Bblckl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Bjghpn32.exe
        
        C:\Windows\system32\Bjghpn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1960
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Bkidenlg.exe
        
        C:\Windows\system32\Bkidenlg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\Cbqlfkmi.exe
        
        C:\Windows\system32\Cbqlfkmi.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\Ceaehfjj.exe
        
        C:\Windows\system32\Ceaehfjj.exe
        40⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Chpada32.exe
        
        C:\Windows\system32\Chpada32.exe
        41⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        44⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        45⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        46⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        48⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        50⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1120
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        56⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        57⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        58⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        59⤵
        Executes dropped EXE
        
        PID:4160
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        60⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        61⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        62⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:776
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        65⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        66⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        67⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        68⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        69⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        70⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        71⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        72⤵
        
        PID:660
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2780
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        74⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        75⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        77⤵
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        78⤵
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        82⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        84⤵
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        86⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        88⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        89⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        91⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:420
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        93⤵
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1360
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        95⤵
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        96⤵
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3356
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1724
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        99⤵
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        101⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1872
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        103⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        105⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        107⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        111⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        113⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        115⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        116⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        117⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        118⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        120⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        122⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        123⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        124⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        125⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        126⤵
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        127⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        128⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        129⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        130⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        131⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        133⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        134⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        136⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        137⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        138⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        139⤵
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        141⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        142⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        143⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        144⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        145⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        146⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        147⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        148⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        149⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        150⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:616
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        152⤵
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        153⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        154⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        157⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        158⤵
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        159⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        160⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        161⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        162⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        163⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        164⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        165⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        169⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        170⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        171⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        174⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        176⤵
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        177⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        178⤵
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        179⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        180⤵
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        181⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        182⤵
        Drops file in System32 directory
        
        PID:6652
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        183⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        184⤵
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        185⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        186⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        187⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        188⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6960
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7048
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        192⤵
        Drops file in System32 directory
        
        PID:7092
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        194⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6208
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        196⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        197⤵
        Drops file in System32 directory
        
        PID:6360
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        198⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        199⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        200⤵
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        201⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        203⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        204⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6908
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        206⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        207⤵
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7132
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        209⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        210⤵
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6408
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6500
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        213⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        214⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6836
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        216⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        217⤵
        Drops file in System32 directory
        
        PID:7044
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        218⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        219⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        220⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        221⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        222⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        223⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        224⤵
        Drops file in System32 directory
        
        PID:7148
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        225⤵
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        226⤵
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        228⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        229⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        230⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        231⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        232⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        233⤵
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        235⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        236⤵
        Drops file in System32 directory
        
        PID:7236
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        237⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        238⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7368
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7412
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        241⤵
        Drops file in System32 directory
        
        PID:7460
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        242⤵
        Drops file in System32 directory
        
        PID:7504
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        243⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        244⤵
        Modifies registry class
        
        PID:7592
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        245⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 400
        246⤵
        Program crash
        
        PID:7732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7636 -ip 7636
1⤵
PID:7708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aealah32.exe

Filesize
85KB

MD5
ebd47cb727af9d74161f31e93e82086d

SHA1
d00445bb4e50941a75f7fed776d2883fc3f68d18

SHA256
97d53a2c5a97214f342b22f9f5875a3f58d3160cf06ebb2845026c3ee0ba3c0c

SHA512
db005577d2beb91c6a79f8a13e1079d29f82682ee0ad07dbf549015009343e9bdf05514eb5b22c828d793ac2c903fa35273e32b25bd3360b7e109b1063d87f91

Download Submit
C:\Windows\SysWOW64\Aelcfilb.exe

Filesize
85KB

MD5
42ee22762ce9d90c7ca8cd20888a9553

SHA1
97fa96deb516bc1f01e3d22c78702da890c6a5ee

SHA256
1ad604a04df6e87c0105e4057c1477f17dd1bcd58bb0cad59bf9edfca457011a

SHA512
1ed12d18886268083d89208c00e42d24c966b1416dbe4cf51c35ceac18cdffa5a959fd2bfe1e6b8699d20ef996fdc4e948b0317f60551e622d487db6e8c18ee5

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
85KB

MD5
36c8bb3fde96fa87a06c252fc7ddad35

SHA1
12c4d7b569825e4b55f00dccb90117e95d2d53e6

SHA256
d5e5ebb0a8c3678d6c3cb1d57e3f509f956a574d168ca365e7a643544ac7d872

SHA512
557ec1c1e92b08ec58ab76559b65868a879bed215b08c9c08a1174e4860169f106078dc9af58c2dede5fdd30a18f242d9d2d5ecf469fa349d08d9a4978450e5b

Download Submit
C:\Windows\SysWOW64\Ahhblemi.exe

Filesize
85KB

MD5
0a56864e97681a2b04f9ca815dbba68c

SHA1
068de4995bcd979fb8ec41be11bf4a6a349ba79a

SHA256
bb25de599fd4f561dfec9e9903f27f4b18a67bbba71ebe23b80f641735f9cec8

SHA512
deb2174ad3ae6bb9cd6c52b7405b769df20b1a8f79ce82a8758b8ef636d95b7d90b5fac3049b0585fcf2557da4cb115a81ceaa0cfc882b41f2b496606342bc77

Download Submit
C:\Windows\SysWOW64\Ajdbcano.exe

Filesize
85KB

MD5
d47c267537ad9894b09d11d87008f26c

SHA1
8d5dbbea01c11ebcb293beba6f75959304e8c387

SHA256
134c6a228ec6e6b0bb3fc54553c7c25aaf6c2ec127582dd7c4de5a290c8feeb2

SHA512
e2a890987f154a8811e7f2c36b2bb536b53c5e0fa5f46522a1321b0ecff7a1898d8e44c0a4b1329f963275c7e34e2b0bddb80b588e16fb7299034167aaed94e5

Download Submit
C:\Windows\SysWOW64\Ajneip32.exe

Filesize
85KB

MD5
df3ac9208f638188abd6b74c96b33ed2

SHA1
61fb63acadc91cd47d960286c13072cbc51d7d65

SHA256
6848f6bf918bd537ec5af4e618b8cb4685c4743c2665713e4db90c4bf139dc5e

SHA512
32c190eb356293590359e6050733c66516ec18f4a84245006a3808fb2d860d164665cddfe3d1034407b75fc13429e8278367556c7818d46566dc5af6b38f14ef

Download Submit
C:\Windows\SysWOW64\Alhhhcal.exe

Filesize
85KB

MD5
242d718cfa8c56d2975cf6f153d51d0f

SHA1
8e6aa1ff20bff3dd485d63d4c1b5066ce6bfce64

SHA256
57850fe7f34cac83b8d8203a72cf5f2a96e27077df1968922abed7eac0a6cb5a

SHA512
c80dc22abf83783f0930fc9c09402180007dc3b35d05efb3cf96267faf67acd74212eaa829390340ed83eee74946e7b5eb30405eb9a70d438a778dcf51b28718

Download Submit
C:\Windows\SysWOW64\Andgoobc.exe

Filesize
85KB

MD5
2a4cc85215af00bdc9f78d65cc159c1a

SHA1
137ed337f9151544fff0b05d217b9401075b5095

SHA256
16cf0a6d3b523ba436fd1e064eff9a1a0abcb27fb746cf4cbac8edfaca314374

SHA512
12da7bcf95b0be0000ede4cca186a829d26e79619066b6045d4677bbcc5cfccec54f4485002e261c837835379ebc495136a2b92c0ab1caeaaaf4f02de9d9da47

Download Submit
C:\Windows\SysWOW64\Bajjli32.exe

Filesize
85KB

MD5
55aa4e20acd06c2d3fd9b8f40bb07252

SHA1
2997b65273c2e25824da782d5f1b5cf765b43194

SHA256
4923a389c1c9a3b0d0f12472b31e960d98a606f7521de800b47d853f10c5749f

SHA512
a14801a2b19ac1aba9d43b4a4f5b5fb4e2b7a5ba476891f6bc4c6f15c75fa3d4c66f4cd989cdac45f0fcfe93ecc78d036ba0e08d9f031f90321c084b7709fe4c

Download Submit
C:\Windows\SysWOW64\Bblckl32.exe

Filesize
85KB

MD5
ce1b175d23a5a09d650cdb4a2c3b00c8

SHA1
242104d47290ee982bee4fae904beb779b95f22f

SHA256
02f6e7233061afc52381e5b844316fb747fef194591bd75afe1745253ca378cf

SHA512
b62d1d542f0f0d3218f5ffac3e5654e4c9040bc81bd11d27bddbb264ef0ed9ddbd141081e6ce71b5205787819fe0eea2f6484cebda2b70757f9d649d99fcc786

Download Submit
C:\Windows\SysWOW64\Bdfibe32.exe

Filesize
85KB

MD5
ebff247789dcc213a6bcd55428a82f88

SHA1
5b40896a6700aa7254d4d1dac39b491c711c7cb9

SHA256
0638b940d30c0027798fec753ea283966b1b11cd9860926badf610bc6bdb4f63

SHA512
6c9ad5290c29638718fc8b6cb1bed8ddaf9b5ab709f8db8fb329afc01289832c975f5cf3aec0503a7eaede74ac5a9ea55370534192315a320afa290abeed9e6b

Download Submit
C:\Windows\SysWOW64\Bdhfhe32.exe

Filesize
85KB

MD5
85c2ad7eaf2b9cd8f7779434a863c18f

SHA1
7be195784be7571ecab7f7a28ec1beab4322df99

SHA256
4055cecfcb24b88628c1de0e40c125bd401e603b48429df6f4823b97e49c8259

SHA512
2d0e1b0f2028968d6446fffbb17b48d052b9a998e67d41d144e8100931c576c8ad0f454af1aeba9bf73034fbc936758d883f899692d2d399f3d8a20a5473c4d9

Download Submit
C:\Windows\SysWOW64\Bdkcmdhp.exe

Filesize
85KB

MD5
31be959224147f12d74ee0de08ee51f4

SHA1
a6f61d697ecfb3d3fc16408359f09b6824f8acfd

SHA256
55785980c301cd2632c8d16ca00f5da5ff2857fe72d89592a0691d4ec03272d9

SHA512
42b5082bc8718f1d2e75cd1ebeacaaf745aa73edfc129c4d0d27d77dbb2c0ae85555cc8124fe1bb1e6f0966eb0ef9be2f348e28933f5172f66f02f266dba0402

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
85KB

MD5
62f0e2f9bf9f7ce2c874f38eab9b2c9c

SHA1
2250c869d18f6df01ad8a986f4ecacd992b9538c

SHA256
6ec41af314f458e8a2e54dcccfc719143f2f6a7a2dac0389a679b976d3cfdb93

SHA512
0d92112e6a965add6626fe731333322eae410185e66d8707e4271550f98971277bc6dc36a97ad335ff8dac639a82f8523e9963d0f70b26edff8076e1d085cbff

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
85KB

MD5
8ffb8b452bf5e58b3c908ed82434e3ea

SHA1
41b6ec6dff75fedbcc3fd46669ea81b3b533016b

SHA256
20e4c1934e801a78f3f9056fc56719267947d898d0fca5c824af1ba146c7b447

SHA512
5296ab5d66ecfee6d66f06ce80388bf696d94d9cb2c1f932dbc397814a914dd7a7e3dc4be8c7ff676d6427e4baf08cc2ace3204d9d02ebe52c44de0ca831ea68

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
85KB

MD5
0763f20b84b8dc474d0988bfc8380ffa

SHA1
f0642443668df7ea7ab783bda16c56552ba5a6a7

SHA256
421e3a5c353e5ffe4dc2b22e92a56bcb5a0d9e225a9def926f83254fea16daa5

SHA512
ffa42c139ec8a0804e68ab64c19c1c02730422952e7439dd79f150deffe04fbd2b2152349b3ac9d116dd571b804be36641ee547a049191f69d03155502e964e3

Download Submit
C:\Windows\SysWOW64\Bnnjen32.exe

Filesize
85KB

MD5
9cc5fe52b116cb69eca3703a49394de9

SHA1
06722df7575be03a090653998b477a39e6d8eed6

SHA256
2614e32ebf3a329df0fa25d8167ce7af62dad09be16735095961e6d29c441a4f

SHA512
c0e6a02a0e2a1454d615b909bf99d1187cc2ec6ae00019220eb8d6cd15779853dea89926349a307caefe245d35d50b58557d5dd87633c19423c9a22ae78001d7

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
85KB

MD5
4100a978ae930274817060cb2937f3ca

SHA1
737d54e8942fde0198f421da22f6a5d83dfc2855

SHA256
29f478f00f6660d803fc14b18cb6215bca8ef5c3d17022d829ccdf45926e41c0

SHA512
80976ca4e31f582e4a53848d23f24357c0079fd9c28591ecd7cba7897fc48ad601afdb328358d4a9e9c78c94a9a29bebe7f92c3e0aae95855e1b7be3ca7cc0da

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
85KB

MD5
a94b6ed1ab70c21565853547ed4b6f22

SHA1
79bcd374bf757ac6ba88aa9c7ce003931dd68f1b

SHA256
6503f19325b8052f83198e6e5c4ce8e9d4d76afd90e2c1258faeb338a9b09c79

SHA512
4eb91235829611adf0164eaaacd38dd463e7acfc492fc15dd8ebbbf2408209a9256843bb7a6765c7b15afd68453746591047218a3453e0215a0377997185efa0

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
85KB

MD5
d8fc26ff49a61dd4f4e56269b23943a6

SHA1
8a26b56904b8cdfe390e81b893de147b1b5d6e44

SHA256
779cc900a37e8f45aeb50d09a79999b0223ab22dd19084ed2c3f4b0873830f32

SHA512
94ac5d7020f5d8228745095ddf2cad22b042952e2bb7bce2857e8be09755c288b18376f172ac571fef3916bcdd8cdc12ab47162e6242709239c6b31cbfa6071a

Download Submit
C:\Windows\SysWOW64\Eamhodmf.exe

Filesize
85KB

MD5
7244f637ede18b324b712cf59a807923

SHA1
3e0c0880ce12cfe64376b03738d5a01b26ccb1b5

SHA256
173135ccb1306e4c933f3961af9cd629a5ba40d5063bcf8a6c9fc582f1516254

SHA512
606f31bc8bf44e0ce23d9900cd0d32d26c7ce152283cb44d17c96480a2435729e7456e3482f99db356ac6aa145964049f6ff2757b6d4bcdb3d48edf109499384

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
85KB

MD5
0e7aea0e979a204aa309603c38c61ea1

SHA1
887293f196dcd8629b7aab8fc7581a0681516742

SHA256
99ad5cf4d79079b12331a4bd89d2a997fc2ebf15c02ab2d22e639dbe315c0402

SHA512
c5133b5244caf1388739b0c333a216e026a20a5534d88e8ea16e0b2f58db92972772e4078a8e1b42af690e6fdf39fb42d8d3298de82617803f91f55b8c7b338d

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
85KB

MD5
2fdb45a918cdba9e1641370be642fb09

SHA1
b89f37593ba05af88f2bb0f5043db6be11b4306f

SHA256
45a7aa1c707d62663b4a4be4dec50e36d8b4277248f849298de081cd216bea4b

SHA512
437368e2f7dd736a7e1724a827badeda443b0454f84bc2a64f63385905ea9243e89ad18e9f29760dc01d9fb835655e29bce1645da09186ab39c99e088dab94cf

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
85KB

MD5
78e2ce8555198954012e16eeed66cd9c

SHA1
a2c128acfbd37c8f5881378e6c04ca938cb50fc2

SHA256
eedb235ff4b84b5d174d20c8d52895174498d7ed0287df14d632437a61aa9bfd

SHA512
3c98e6a7e57d856d00a225476a4e167dce56da777995ddf81db7f5d2b1991952da126ec85d66a37f4258cafbac74e1fb8d32edb6e7e7958ac2e09653556241a0

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
85KB

MD5
bb26c903cdbcace849c4826f7fc82092

SHA1
97ca59f64018a924516dd88a6838227c575f2d31

SHA256
c9405aa33225a5bb087169086b53a4c3c3adf1e5291352ff169332fbfa2066d6

SHA512
98777a736792bdbe585173544a08a791522792b743f88e2b06b05f0ceb2eb727300c0eccfe2b37dd39fa8300f0456c09e554b84e01a53a141d8c15480bde5e22

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
85KB

MD5
c86dbfe1ed7ab1b5438a7663ad0652b4

SHA1
5fcf8d11deb028c23f869290fd43c5d98fed44c3

SHA256
4c993c1081148f464e9389cd9f364913b7e82ce0e2517598f2d5ac78e50a6741

SHA512
135384b6c8831e73b7fe5ed2b88036e6a2039d1ad506ad729347f067cc84c73c5d365365df291703fc13200505fb10e78201a34ffafa74bcc9662435a366f971

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
85KB

MD5
6a7ef6be0f1c4ec2cd8dc02e898d8438

SHA1
423a28ecdc6083b73a5a0f5acf4c98463a87f6cf

SHA256
23c565512b0a7cc429ab02a9824a73dd771ddbfb7cfc4a2fbde71b8848fb43b0

SHA512
a87222ce207a0052c0a63fcd0f9bcca344c6049c382d9ce2a9e9b397103a6f1b99ae770a63f4ac71f50a76062ae5d227fc24c440b0c8d9588a7a7617d447ad02

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
85KB

MD5
a7cf1990894acb120e85e57a32f0abbf

SHA1
e604ae8b9abcc4a19e62d14503e674a5b0e2b7f7

SHA256
74c9cc8c3db03cb49980e7dd7f4755a450da2396f56aea4e4f7cb54fa96629ad

SHA512
3af0d65297f1afea9a5e5b0bad57c42b53d0e0ebf54b20183b139df2e6908ead67701d92dba484a6b9a148f6a6d03e7b3a451206a97c9b677aac97d1d4e84892

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
85KB

MD5
85d0f5ef81c141f8e63141f3533064c1

SHA1
fa91b9195e70c8011f8fc08a07cde259e463e405

SHA256
0c843a1b0ef6c642298dae48066877d02c8d6262c1f527cf1e121eb725cc00ac

SHA512
863dfc8ec838b08a536dcabce52bc27006362099b2d40fbe311994e3292cecdd26e2caa4cdbc58ab513c8e0e4c4b01f2e1e69d531c1eef0b50492b077ba4d1d8

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
85KB

MD5
f3d142ef225bea01c4c08307984197fb

SHA1
8e5629e0e08f91c10155a5db6aca8d3590b61a55

SHA256
617c5beb085ad20f1ac681fa199b198b1daadbd3f34d9c9e6fee6f15961712d4

SHA512
521fe22628a390e9a64ff679d58b3ede99a54288c17b37e671be085a997db848a5f441982870b37d70aea7e0cb5d0f64c444c5d6e8829cde7786643300c43c79

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
64KB

MD5
2bc1685758d55478c043abaffbeff72d

SHA1
db8860372cb2d6063ad4aa27fd3cdb2f12bdd016

SHA256
50fb73d310ef19ef1527e09830e3b4234823c00b77f925d3d0b1838949656fa0

SHA512
1a2882b1c11c5d4c8285a03d25b3c0df93b8d91cb176e8f12908ce489cc2462c3a869a4d488174e17632322410085c81b3d12ff39d34cc7ab7533318daf3aba0

Download Submit
C:\Windows\SysWOW64\Ocegdjij.exe

Filesize
85KB

MD5
ba19b01f4f510d87805a6c17328be4a4

SHA1
944f2851d1dc86528fc881dd4578136dcbda919e

SHA256
2ad2ffd3ec2d273d7c976f6c8d206f5cc2ddc71b41470ac1d1a70a0853cd9054

SHA512
48dbfb1a1a3757f9343efea0ae44de547488a83ddc5d19e91e768143a68398a2ea3a93573f9c6793325e11dc1cfc893bf20271292cc45e12ab9296cb1a500202

Download Submit
C:\Windows\SysWOW64\Odednmpm.exe

Filesize
85KB

MD5
2145677d896a43b22113399d7e4b4a91

SHA1
6760a17ca6ad32f4a066ada7e58fa0eb85ca51b7

SHA256
a34234dcf781526d37ffe585907ac80f65db3bd0dcf4e8d5cccf41f529ba57f6

SHA512
329c843858baf7da37e78190e029b53a0bf0e320d71c7d7e5077fbee436aae536f6245d7682f58a51983400328ddbedf745b244fdf5a92557e7d5bea97f2bc96

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
85KB

MD5
b797a7bd2b1711e86436048a5eb72783

SHA1
57a1c6facfc6929f1b651a27396af9cd875608b0

SHA256
39a56e8b8aea7920aa6b4fa43853f127612f2f59397d4f7066e60c3e32c3eadf

SHA512
1cfdcb1b521ff729837cc96e24515378d8208ba40847a80001f804f3dda5af29a445898cb91b9a8b3d5790ec79d6c1f836a8e0237ec39e22646674d87e450e25

Download Submit
C:\Windows\SysWOW64\Ogogoi32.exe

Filesize
85KB

MD5
25f71535f0993a67d321ab0d4a823699

SHA1
0889eeb8bb19e10d1db829c1a94e7c469e16cca6

SHA256
a034eac9f868baf01ac18abcd71e3c44826c8588cc139bdb7287cff139e7fea6

SHA512
a760113222399e077aa8ed94517636d5221383bf4cd553061f1020d5efb97ccf378fd642937078049c480827f7d3685abdf73ad711555e958a19037fd1261a50

Download Submit
C:\Windows\SysWOW64\Ojjffddl.exe

Filesize
85KB

MD5
f69bc12fcf320042adfede24c335dd27

SHA1
da1f9d484e876b3ee2eb331eb1bd1455ae04bcd6

SHA256
c20178becc58deece547aa0ae2991ec265bb7153a3b1e44021db399c7b9e3cd5

SHA512
3221f86260e281a4d7dc8c9754e9ff9a9fce71d13debbb5587deddc935bf51fb0ec9e41ef8346034495da5789976f65908a88323f6e0cc2a020ac0d5853e9c02

Download Submit
C:\Windows\SysWOW64\Ojmcld32.exe

Filesize
85KB

MD5
25a6f98d1d7aa40de1352e13cd6b3603

SHA1
3811249bfd442a6abda28b1ed7e3233d2c18540c

SHA256
a5de765f065c9425da06ee3a123fb8a7e6290143df7ecb98d409153043b310af

SHA512
606ed515995f65bc304ffe5cf5e0e264998905e7792ba72955a6419da5996ff568cc65bcd63728af822803eb6e98e0c7e9cb2e1ac2bf6e7522ac40ad244069b3

Download Submit
C:\Windows\SysWOW64\Ojopad32.exe

Filesize
85KB

MD5
ad813c65fcefbd7f0dcbbbd926d84665

SHA1
b3312b7bf9441692fcd27d195712a9ea5005dabf

SHA256
e0a82c34caf9887741f91c2a44c5cf912a1e3c65ec343a07b1440d4fa77a8918

SHA512
8421cd1bdaddcbf02f6095fb91bfcb22475f0a5b5b115a347e250d25380ba814b86514f4bcbf94afb7e6ab3ca286b8867aebab66cd3bdf494e50bab393add03a

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
85KB

MD5
dae60de4f08c1e8108c621e679e3bb79

SHA1
360a3f367e630ee724f574207d3c201422503382

SHA256
bc75865d615133ba89ad44609a121ca5f9bc6ce4bb907db64c5f3f0aef389e0b

SHA512
25dd46333ad99b7435d1e486df875ebbe3f66cb3dc935a6b6a046ffd6d17c5f0e2287a48f6037e92bc81644b4015c1399801842695213e86fd2d4d1512e53d32

Download Submit
C:\Windows\SysWOW64\Onmhgb32.exe

Filesize
85KB

MD5
c4b86084407d19b5b7124033e07679b9

SHA1
ac5aba8bf170f73a0de23f09651a455b6564e846

SHA256
dfdfbcd0b41cbdf627c482e3737021fa2ee53278f0b47f95f4fbfcd932e4f1df

SHA512
5a92b0d8d82ff1b4a780e0a7e94fcf4c90bcfe520669b3fab783f4f154fd47bae1b432d02aea3a2854b8f657c1c9fb2561698e1a1b98dff2f94348e8d3819031

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
85KB

MD5
8c3efaa7bebb6b28fd793c7f0c0b60dc

SHA1
6aad35fe93a38dd4e9985f22b6c3652a7ac9c872

SHA256
dbb5606d207449fcc30060f11094a68566ce89b6e88ea1da7d501e8c11b240de

SHA512
e7aec2cee9bd03508c40ba09a40290b567f791a107e385da252244c203cd25e0a038127a8dbd0e9faccbc4f40a35b626c170b29b4024c2a67a7a850a6fc3df4f

Download Submit
C:\Windows\SysWOW64\Pbmncp32.exe

Filesize
85KB

MD5
7995a206c37263924238e465cb3d6758

SHA1
37a11b394e9d087691873ab830f55002fc7538b5

SHA256
5c05430a35fb45e94cbb93b8a99a231e317bf16488ebc427857737b5fc5fba04

SHA512
6b40e26c4f05910a00bf05f5c8a9850458f5d2852fa64192ac8dffd26e4ca74c65dda2d95d322d40f3477628a4be7ceae19df3eb56ac75e994188e60a95ed166

Download Submit
C:\Windows\SysWOW64\Pcjapi32.exe

Filesize
85KB

MD5
46b052481e5bd3a41a41b90a561962a8

SHA1
16b3eedca15f0b8d8fc3c7fa9bdfc0a9184b34ff

SHA256
cb65f18742bf99df3d7e5a06dedfaef768e8b89341ef7f1d756ebe5eb2e55adf

SHA512
ac70fa74e4049af2b31e33ed497a219b8ae9579e5d0878e31a6bddbce31d891fc13c20c145c18503f2151b4e78e64fad7ba09adde8a86b13b9040281e3e4dc4a

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
64KB

MD5
94695ad502b281c776dddbf18891c175

SHA1
cc6be0b013abc20487f3ddeaa6980ad5fe21634f

SHA256
212436ec22ddaaf9b00915bf6204a094284a1e5b3b8c0c6ffa836f50f56e966b

SHA512
1d8529b107fac179d3974a202b130fb94e304daffa9a408af8d4d69d2dd70512ed6ab8ce9dc1a7105743fad2f8183022d250d6119b27ce71f75fd5ee67fc80dd

Download Submit
C:\Windows\SysWOW64\Pengdk32.exe

Filesize
85KB

MD5
faf9fbde2e20be0afcb2c7f19a9ca4c2

SHA1
da7c0f65d1c5c0dc215392edbda1360ea176cb08

SHA256
f54870d89757e0fe11bcaf539bca0585d5195ce01cc6281add7cd59bb37bb79e

SHA512
4cf0ec770a677fc6983fc5e543c881cceed5acaa84410df2d0d067e0aecfc1fc5ef13a924a04db1dd2193715e28a98389892b86de541242161a3a854698de5f1

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
85KB

MD5
8ddbdacba10854773eb3be1801ef7fca

SHA1
f28b367aee20c92d70abd4251063a85bcd3e5a20

SHA256
d30ab51021954befd0a556f219ee8c8c2c6797633cb475ba43422a4f8ffa20dd

SHA512
5ee01d8a7c80079513c53754d87f0040af532c56a941fd09f01be22f6b9273cc1b5f01e1c38742aac57b9000c0d953dbf51c0c6788aa507430cdccf8a8e4885a

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
85KB

MD5
7981d31c739b5c3962ed43ad6cb2e740

SHA1
3b84a0ead53f912f8560e4d1074ad29c32f1a859

SHA256
130037b40b9faecb5e19cea42932f48bfede1e6563e7233c597c09631d59ffb9

SHA512
d18759cf7e5ebeec4400edb96c4b3b265b5516cda390f6cc1b1154e6dcec19bb7771fede900f4edbeec62d5d2de5a35b74bf47e1055fb1674b10e174f80978b6

Download Submit
C:\Windows\SysWOW64\Pkfblfab.exe

Filesize
85KB

MD5
bd49b5f5399dff1e62b17fa76a61dcbc

SHA1
c5a4e0457d8433f0f98f813392161402e46d0361

SHA256
e32db8a31a9c0f2c2f0d87f2d7f37bb36a9988e219198929ebae5d1b8d201ac3

SHA512
dbc7408c7d7df711dad4e65a5b0ecb546437b1c63fb4aee980c3cf14e10daf4e8c27de8eb9f30d579922b9ebcbbcf1b3cda668383289e1385b7922190879908c

Download Submit
C:\Windows\SysWOW64\Pkhoae32.exe

Filesize
85KB

MD5
1e2ad0de2b27f81828d0f96c48c1f4c1

SHA1
b3b58b289352e6f9f7dec32da3e71cd0d5428144

SHA256
1f1fcd656b9a0b25a5c02ba2c3413e1d90041cb4413ca2ae967dfba89cf9cb6b

SHA512
36aae025968b6b6c54a56220537a1304a7cb4353c8b300366d4c8ba2849ff360874c3b76f15ee9513c5ef86a221205e4caad2041ff6c5139be20652c1fa0b1a2

Download Submit
C:\Windows\SysWOW64\Pkjlge32.exe

Filesize
85KB

MD5
0487541df6caa90e646223ab0b9dab30

SHA1
8793e309fddae95da540275a445a593c8ac68e28

SHA256
9cc8570a85a92cff26a73e13a43841c0b735285bbc750294f782d0b3d31b4381

SHA512
41655960cdbf5738ff6df33833e9dfb7bb38570772848a832ddcb5327d71f873ae5d4c05b87dbfa229955e383e2f68cffc6a1a1e57f3e4e5f50ef9863409ceaa

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
85KB

MD5
744a0b7d62a5ac6c2c36eb135ccd03c3

SHA1
97e161c38c479d2f08cc784cc4ed4f32676ad6b7

SHA256
baa8d03c18ef3ff999d81a13f6b45fa3aae69cd5ba7d69bad471124ede4481da

SHA512
2fd51751baf629a630613fd6901ebb370a5aa2155e0311a2b9e039a1ff85be9aebc4f41d055ed482736573a80bd9b1f098240685185e33253173fab185c99b26

Download Submit
C:\Windows\SysWOW64\Pnihcq32.exe

Filesize
85KB

MD5
2d5e749ed61b645eff13002c10c58985

SHA1
d2afdbb73b22746a5f6ffac2e41f2343f38f7dfe

SHA256
c57dd37fbd496f6882192ba376833aef3310a33f0dd59a722136a30525a17087

SHA512
b30605b114cf45de6d4063e53c08b4665d18e53ea1472fd69cfa00b7c023a1279b4a3aec2018dcfecea2ec1dcb32825d764602d71b71aa198b402acddeb19704

Download Submit
C:\Windows\SysWOW64\Pnpemb32.exe

Filesize
85KB

MD5
00e4329ead3e6ad2728ce7bafde54994

SHA1
db08120b01cf05c8685c0f27121edca721682783

SHA256
4f4de0da90144ea800bd3090c26f03eae3fc5a4c7a7f2667ba8db8e8e9392cd5

SHA512
768f747cec3b2372d326d7e70f27ffa2f9b44218201275b59917ab302db631242184636f0103b3f36d04e7b6999636066f98ae1d37f07fd929701fbb4472dbab

Download Submit
C:\Windows\SysWOW64\Pqnaim32.exe

Filesize
85KB

MD5
ad07989e0fc88b3c1068920bf89a7f20

SHA1
f5be160f9b37a2ad54b5891dad3d3c1a2ba5b11f

SHA256
49558448a799a360f6a6cb394c3413e5a74950116c624c1806a2dd718a24ffdf

SHA512
ce2d78b0904e3a5b132687c666572b980f9b02992ef8ea6d01b7be221620b830c766b515704c7ea8f88413c89510cbc1a6fe40fc0a7b404890bbfff18cf1ca31

Download Submit
C:\Windows\SysWOW64\Qalnjkgo.exe

Filesize
85KB

MD5
b7ae58cc7d949fcafb5677064ef7b4e7

SHA1
5c3eadd23fa594cc5eb9dffeb8e98fde95411c0f

SHA256
19186b9d88507aed507313dc5167a60e7fa1f9e84344e5646f51de0eb578eceb

SHA512
5092d849d9f348980c98e26e6806f999e878a1bfc86e80a53d3fbc252154e714f78898f53dbb3f6c8a4ebb7e3e2350f43723d5a8d5e20dfde74b91c469898127

Download Submit
C:\Windows\SysWOW64\Qchmagie.exe

Filesize
85KB

MD5
ff5b418867d2f728df4ea33c201f0e10

SHA1
a01534931b199b8382d0bb6cf9bb1413541bb07f

SHA256
6830675af8b7655ec01f696c131c297cbf55785cd868e49042ae26c7d0a99d0e

SHA512
7f1557ea891439b019dfdb941e26a58816600d8a62b264cfa61363393ea34ba70978336c5a73af473d7346e0876fac415255399c93e1d79fcb6a0f21dca5bf9d

Download Submit
C:\Windows\SysWOW64\Qnkdhpjn.exe

Filesize
85KB

MD5
f8234258c32f47b4c3cf6d8ff24bbd6a

SHA1
19873795106a540f7709de55c84ffb079acdf0f1

SHA256
cbf68bdc8b9b552823911942c3c41c4d8a0523d6aa5b258b5cd9b2829dbef0cf

SHA512
eccf52c8efdf2b9feb4142f43a6ccdfd6db0052aa50f6fa19dc4ec8d85817c2dc3dc0704783bcc9f018135afeacbbb5bcd0330d8af7305a6baf0eff97137837b

Download Submit
memory/228-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/228-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/380-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/548-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/740-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/740-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/756-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/756-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/848-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/848-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/916-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/916-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1008-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1008-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1012-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1012-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1120-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1320-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1320-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1720-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1720-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1840-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1840-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1960-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1960-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2156-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2216-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2216-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2568-396-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3036-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3036-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3540-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3540-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3544-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3544-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3640-409-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3648-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3648-402-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3664-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3760-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3760-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3868-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3868-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4176-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4344-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4344-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4536-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4728-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4728-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4728-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4788-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-131-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4912-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4912-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5044-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5044-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5072-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5072-415-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads