ed6bf88e4ae990bb275d09bbb9ac49e5076d052cce03bc399f9ee575380f82ab

Analysis

max time kernel
94s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe
Size

240KB
MD5

bc1ba1d0dafe06d87d01da11301d7910
SHA1

2d8646477b69bf6cfc2a32775f0b80c95f5f1d5a
SHA256

ed6bf88e4ae990bb275d09bbb9ac49e5076d052cce03bc399f9ee575380f82ab
SHA512

0126213e40a102aec1757271ff78feef706527b16206d2a7d95f175e0e6e5102f166036f07456fbd7c8c81ad1146567f62a8b21d3fc75c6ddf4c1178719edc51
SSDEEP

6144:aN/Woqn5dXBxfsOqpooEcAJN+SYSUZCb6M3W8DStQUkA1FiHwSD:KWtn5NXJotycSly8DSUA1YHVD

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qalnjkgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceoibflm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clkndpag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himldi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbaemi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfpcgpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blpnib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecoangbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbiaapdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbpem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkidenlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfpcgpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdhfhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qalnjkgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmpcdfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deanodkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balfaiil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iblfnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imfdff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipdqba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkapp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhgjblfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqdqof32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000900000002328e-6.dat	family_berbew
behavioral2/files/0x0008000000023405-14.dat	family_berbew
behavioral2/files/0x0007000000023407-22.dat	family_berbew
behavioral2/files/0x0007000000023409-31.dat	family_berbew
behavioral2/files/0x000700000002340b-38.dat	family_berbew
behavioral2/files/0x000700000002340d-46.dat	family_berbew
behavioral2/files/0x000700000002340f-54.dat	family_berbew
behavioral2/files/0x0007000000023411-62.dat	family_berbew
behavioral2/files/0x0007000000023413-70.dat	family_berbew
behavioral2/files/0x0007000000023415-78.dat	family_berbew
behavioral2/files/0x0007000000023417-86.dat	family_berbew
behavioral2/files/0x0007000000023419-94.dat	family_berbew
behavioral2/files/0x000700000002341b-102.dat	family_berbew
behavioral2/files/0x000700000002341d-110.dat	family_berbew
behavioral2/files/0x000700000002341f-118.dat	family_berbew
behavioral2/files/0x0007000000023421-126.dat	family_berbew
behavioral2/files/0x0007000000023423-135.dat	family_berbew
behavioral2/files/0x00090000000233ff-142.dat	family_berbew
behavioral2/files/0x0007000000023426-150.dat	family_berbew
behavioral2/files/0x000700000002342a-158.dat	family_berbew
behavioral2/files/0x0008000000023428-166.dat	family_berbew
behavioral2/files/0x000700000002342d-174.dat	family_berbew
behavioral2/files/0x000700000002342f-182.dat	family_berbew
behavioral2/files/0x000300000001e323-190.dat	family_berbew
behavioral2/files/0x0007000000023432-198.dat	family_berbew
behavioral2/files/0x0007000000023434-206.dat	family_berbew
behavioral2/files/0x0007000000023436-214.dat	family_berbew
behavioral2/files/0x0007000000023438-222.dat	family_berbew
behavioral2/files/0x000700000002343a-229.dat	family_berbew
behavioral2/files/0x000700000002343c-238.dat	family_berbew
behavioral2/files/0x000700000002343e-248.dat	family_berbew
behavioral2/files/0x0007000000023440-254.dat	family_berbew
behavioral2/files/0x0007000000023448-275.dat	family_berbew
behavioral2/files/0x0007000000023454-311.dat	family_berbew
behavioral2/files/0x000700000002345a-329.dat	family_berbew
behavioral2/files/0x0007000000023460-347.dat	family_berbew
behavioral2/files/0x0007000000023464-359.dat	family_berbew
behavioral2/files/0x0007000000023472-401.dat	family_berbew
behavioral2/files/0x0007000000023482-450.dat	family_berbew
behavioral2/files/0x0007000000023486-462.dat	family_berbew
behavioral2/files/0x000700000002348a-473.dat	family_berbew
behavioral2/files/0x0007000000023496-509.dat	family_berbew
behavioral2/files/0x00070000000234a0-539.dat	family_berbew
behavioral2/files/0x00070000000234a8-567.dat	family_berbew
behavioral2/files/0x00070000000234b0-595.dat	family_berbew
behavioral2/files/0x00070000000234ba-630.dat	family_berbew
behavioral2/files/0x00070000000234be-645.dat	family_berbew
behavioral2/files/0x00070000000234c4-665.dat	family_berbew
behavioral2/files/0x00070000000234c8-679.dat	family_berbew
behavioral2/files/0x00070000000234ca-687.dat	family_berbew
behavioral2/files/0x00070000000234ce-700.dat	family_berbew
behavioral2/files/0x00070000000234d6-726.dat	family_berbew
behavioral2/files/0x00070000000234dc-747.dat	family_berbew
behavioral2/files/0x00070000000234ec-803.dat	family_berbew
behavioral2/files/0x00070000000234f8-845.dat	family_berbew
behavioral2/files/0x00070000000234fc-858.dat	family_berbew
behavioral2/files/0x0007000000023500-873.dat	family_berbew
behavioral2/files/0x0007000000023506-894.dat	family_berbew
behavioral2/files/0x0007000000023516-950.dat	family_berbew
behavioral2/files/0x0007000000023520-985.dat	family_berbew
behavioral2/files/0x0007000000023526-1006.dat	family_berbew
behavioral2/files/0x0007000000023534-1055.dat	family_berbew
behavioral2/files/0x0007000000023536-1063.dat	family_berbew
behavioral2/files/0x000700000002353c-1083.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
1740	Pbbgnpgl.exe
2100	Pcccfh32.exe
3912	Pbddcoei.exe
2188	Qcepkg32.exe
3340	Qnkdhpjn.exe
4456	Qgciaf32.exe
1924	Qalnjkgo.exe
3656	Alabgd32.exe
1224	Aejfpjne.exe
2212	Ajfoiqll.exe
4716	Aelcfilb.exe
3224	Alfkbc32.exe
4928	Aacckjaf.exe
3256	Alhhhcal.exe
1932	Abbpem32.exe
1592	Adcmmeog.exe
848	Ajneip32.exe
4524	Bahmfj32.exe
1532	Bhaebcen.exe
5048	Bdhfhe32.exe
3708	Blpnib32.exe
4544	Balfaiil.exe
3748	Bdkcmdhp.exe
2240	Bopgjmhe.exe
5000	Baocghgi.exe
3308	Bdmpcdfm.exe
3408	Bemlmgnp.exe
4004	Bkidenlg.exe
2352	Ceoibflm.exe
4784	Chmeobkq.exe
4304	Clkndpag.exe
2504	Cojjqlpk.exe
868	Cdfbibnb.exe
4584	Cajcbgml.exe
220	Chdkoa32.exe
1636	Conclk32.exe
456	Chghdqbf.exe
604	Ddmhja32.exe
1020	Dboigi32.exe
4220	Dhkapp32.exe
4236	Dbaemi32.exe
3056	Dhnnep32.exe
4412	Dccbbhld.exe
1296	Deanodkh.exe
2812	Dkoggkjo.exe
2252	Echknh32.exe
4492	Elppfmoo.exe
2272	Edkdkplj.exe
4776	Ekemhj32.exe
4712	Eapedd32.exe
3140	Eleiam32.exe
4472	Ecoangbg.exe
3616	Edpnfo32.exe
3632	Ekjfcipa.exe
3672	Eepjpb32.exe
4208	Edbklofb.exe
3960	Fcckif32.exe
3980	Febgea32.exe
4328	Fkopnh32.exe
2512	Ffddka32.exe
5040	Fchddejl.exe
3772	Fakdpb32.exe
4392	Fkciihgg.exe
4404	Fckajehi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Hmjehihl.dll	Dhnnep32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Fckajehi.exe	Fkciihgg.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Mgqddl32.dll	Chmeobkq.exe
File created	C:\Windows\SysWOW64\Kimnbd32.exe	Kfoafi32.exe
File opened for modification	C:\Windows\SysWOW64\Lbmhlihl.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Glebhjlg.exe	Ffkjlp32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Hmabdibj.exe	Gomakdcp.exe
File created	C:\Windows\SysWOW64\Oendmdab.dll	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Echknh32.exe	Dkoggkjo.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Lepncd32.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Nnenbk32.dll	Conclk32.exe
File created	C:\Windows\SysWOW64\Jcgbco32.exe	Jmmjgejj.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Fjpqmmkb.dll	Dbaemi32.exe
File created	C:\Windows\SysWOW64\Dkoggkjo.exe	Deanodkh.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Conclk32.exe	Chdkoa32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjcdn32.exe	Kmkfhc32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Oiqbfn32.dll	Alabgd32.exe
File created	C:\Windows\SysWOW64\Ddmhja32.exe	Chghdqbf.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Lgmlbfod.dll	Fchddejl.exe
File opened for modification	C:\Windows\SysWOW64\Gohhpe32.exe	Gdcdbl32.exe
File created	C:\Windows\SysWOW64\Hfnhlp32.dll	Jmmjgejj.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Alabgd32.exe	Qalnjkgo.exe
File created	C:\Windows\SysWOW64\Bopgjmhe.exe	Bdkcmdhp.exe
File created	C:\Windows\SysWOW64\Ncnkogdb.dll	Blpnib32.exe
File created	C:\Windows\SysWOW64\Deanodkh.exe	Dccbbhld.exe
File opened for modification	C:\Windows\SysWOW64\Hfcicmqp.exe	Hkmefd32.exe
File created	C:\Windows\SysWOW64\Cajolcjk.dll	Ekjfcipa.exe
File created	C:\Windows\SysWOW64\Jmmjgejj.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Hkfoeega.exe	Helfik32.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kibgmdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ekjfcipa.exe	Edpnfo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7720	7560	WerFault.exe	346

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dboigi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iblfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqgbjkm.dll"	Jeklag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Manffk32.dll"	Chdkoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fkciihgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkfcl32.dll"	Gdcdbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhaebcen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Edpnfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fchddejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffbangm.dll"	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aacckjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajcbgml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genaegmo.dll"	Deanodkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcbgk32.dll"	Elppfmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngndc32.dll"	Gbiaapdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abbpem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecoangbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Edbklofb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokfjo32.dll"	Qcepkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbeqmoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bemlmgnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgempgqo.dll"	Bdmpcdfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekclg32.dll"	Gohhpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dccbbhld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ainpbi32.dll"	Gmoeoidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gohhpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmamoe32.dll"	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kikame32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1740	560	bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe	80
PID 560 wrote to memory of 1740	560	bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe	80
PID 560 wrote to memory of 1740	560	bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe	80
PID 1740 wrote to memory of 2100	1740	Pbbgnpgl.exe	81
PID 1740 wrote to memory of 2100	1740	Pbbgnpgl.exe	81
PID 1740 wrote to memory of 2100	1740	Pbbgnpgl.exe	81
PID 2100 wrote to memory of 3912	2100	Pcccfh32.exe	83
PID 2100 wrote to memory of 3912	2100	Pcccfh32.exe	83
PID 2100 wrote to memory of 3912	2100	Pcccfh32.exe	83
PID 3912 wrote to memory of 2188	3912	Pbddcoei.exe	85
PID 3912 wrote to memory of 2188	3912	Pbddcoei.exe	85
PID 3912 wrote to memory of 2188	3912	Pbddcoei.exe	85
PID 2188 wrote to memory of 3340	2188	Qcepkg32.exe	86
PID 2188 wrote to memory of 3340	2188	Qcepkg32.exe	86
PID 2188 wrote to memory of 3340	2188	Qcepkg32.exe	86
PID 3340 wrote to memory of 4456	3340	Qnkdhpjn.exe	88
PID 3340 wrote to memory of 4456	3340	Qnkdhpjn.exe	88
PID 3340 wrote to memory of 4456	3340	Qnkdhpjn.exe	88
PID 4456 wrote to memory of 1924	4456	Qgciaf32.exe	89
PID 4456 wrote to memory of 1924	4456	Qgciaf32.exe	89
PID 4456 wrote to memory of 1924	4456	Qgciaf32.exe	89
PID 1924 wrote to memory of 3656	1924	Qalnjkgo.exe	90
PID 1924 wrote to memory of 3656	1924	Qalnjkgo.exe	90
PID 1924 wrote to memory of 3656	1924	Qalnjkgo.exe	90
PID 3656 wrote to memory of 1224	3656	Alabgd32.exe	91
PID 3656 wrote to memory of 1224	3656	Alabgd32.exe	91
PID 3656 wrote to memory of 1224	3656	Alabgd32.exe	91
PID 1224 wrote to memory of 2212	1224	Aejfpjne.exe	92
PID 1224 wrote to memory of 2212	1224	Aejfpjne.exe	92
PID 1224 wrote to memory of 2212	1224	Aejfpjne.exe	92
PID 2212 wrote to memory of 4716	2212	Ajfoiqll.exe	93
PID 2212 wrote to memory of 4716	2212	Ajfoiqll.exe	93
PID 2212 wrote to memory of 4716	2212	Ajfoiqll.exe	93
PID 4716 wrote to memory of 3224	4716	Aelcfilb.exe	94
PID 4716 wrote to memory of 3224	4716	Aelcfilb.exe	94
PID 4716 wrote to memory of 3224	4716	Aelcfilb.exe	94
PID 3224 wrote to memory of 4928	3224	Alfkbc32.exe	95
PID 3224 wrote to memory of 4928	3224	Alfkbc32.exe	95
PID 3224 wrote to memory of 4928	3224	Alfkbc32.exe	95
PID 4928 wrote to memory of 3256	4928	Aacckjaf.exe	96
PID 4928 wrote to memory of 3256	4928	Aacckjaf.exe	96
PID 4928 wrote to memory of 3256	4928	Aacckjaf.exe	96
PID 3256 wrote to memory of 1932	3256	Alhhhcal.exe	97
PID 3256 wrote to memory of 1932	3256	Alhhhcal.exe	97
PID 3256 wrote to memory of 1932	3256	Alhhhcal.exe	97
PID 1932 wrote to memory of 1592	1932	Abbpem32.exe	98
PID 1932 wrote to memory of 1592	1932	Abbpem32.exe	98
PID 1932 wrote to memory of 1592	1932	Abbpem32.exe	98
PID 1592 wrote to memory of 848	1592	Adcmmeog.exe	99
PID 1592 wrote to memory of 848	1592	Adcmmeog.exe	99
PID 1592 wrote to memory of 848	1592	Adcmmeog.exe	99
PID 848 wrote to memory of 4524	848	Ajneip32.exe	100
PID 848 wrote to memory of 4524	848	Ajneip32.exe	100
PID 848 wrote to memory of 4524	848	Ajneip32.exe	100
PID 4524 wrote to memory of 1532	4524	Bahmfj32.exe	101
PID 4524 wrote to memory of 1532	4524	Bahmfj32.exe	101
PID 4524 wrote to memory of 1532	4524	Bahmfj32.exe	101
PID 1532 wrote to memory of 5048	1532	Bhaebcen.exe	102
PID 1532 wrote to memory of 5048	1532	Bhaebcen.exe	102
PID 1532 wrote to memory of 5048	1532	Bhaebcen.exe	102
PID 5048 wrote to memory of 3708	5048	Bdhfhe32.exe	103
PID 5048 wrote to memory of 3708	5048	Bdhfhe32.exe	103
PID 5048 wrote to memory of 3708	5048	Bdhfhe32.exe	103
PID 3708 wrote to memory of 4544	3708	Blpnib32.exe	104

C:\Users\Admin\AppData\Local\Temp\bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\bc1ba1d0dafe06d87d01da11301d7910_NEIKI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\Pbbgnpgl.exe
  C:\Windows\system32\Pbbgnpgl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\Pcccfh32.exe
    C:\Windows\system32\Pcccfh32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\Pbddcoei.exe
      C:\Windows\system32\Pbddcoei.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Windows\SysWOW64\Qcepkg32.exe
        
        C:\Windows\system32\Qcepkg32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Qgciaf32.exe
        
        C:\Windows\system32\Qgciaf32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Qalnjkgo.exe
        
        C:\Windows\system32\Qalnjkgo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Alabgd32.exe
        
        C:\Windows\system32\Alabgd32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Aejfpjne.exe
        
        C:\Windows\system32\Aejfpjne.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Ajfoiqll.exe
        
        C:\Windows\system32\Ajfoiqll.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Aelcfilb.exe
        
        C:\Windows\system32\Aelcfilb.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Aacckjaf.exe
        
        C:\Windows\system32\Aacckjaf.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Alhhhcal.exe
        
        C:\Windows\system32\Alhhhcal.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Abbpem32.exe
        
        C:\Windows\system32\Abbpem32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Ajneip32.exe
        
        C:\Windows\system32\Ajneip32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Bahmfj32.exe
        
        C:\Windows\system32\Bahmfj32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Bhaebcen.exe
        
        C:\Windows\system32\Bhaebcen.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Blpnib32.exe
        
        C:\Windows\system32\Blpnib32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\Bopgjmhe.exe
        
        C:\Windows\system32\Bopgjmhe.exe
        25⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        26⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Bkidenlg.exe
        
        C:\Windows\system32\Bkidenlg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        33⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        34⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        39⤵
        Executes dropped EXE
        
        PID:604
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4236
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        47⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        49⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        50⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        51⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        52⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        56⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        58⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        59⤵
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        60⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        61⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        65⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3344
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        67⤵
        
        PID:408
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        69⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        70⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        71⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        72⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2524
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        75⤵
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        76⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        77⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        79⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        80⤵
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        81⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1992
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        83⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        85⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        86⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        87⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        88⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1828
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        90⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        91⤵
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:916
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        93⤵
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        94⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2604
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3248
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        99⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        100⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        101⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        102⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        103⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3756
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3232
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        106⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        107⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        108⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        109⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        110⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        112⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        113⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        114⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        115⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        116⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        117⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        118⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        120⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        121⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        122⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        123⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        124⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        128⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        130⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        131⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        132⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        135⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        136⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        139⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        142⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        144⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        148⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        150⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        151⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        152⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        155⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        157⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        159⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        160⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        164⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        166⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        167⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        168⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        169⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        170⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        171⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        172⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        173⤵
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        174⤵
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        178⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        179⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6484
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        181⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        182⤵
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        183⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        184⤵
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        185⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        187⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        188⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        189⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        190⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6960
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        192⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7052
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        194⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        195⤵
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        198⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        199⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        200⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6512
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        202⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        203⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        204⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        205⤵
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6820
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        207⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        208⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        209⤵
        Drops file in System32 directory
        
        PID:7044
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        210⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        211⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        213⤵
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        214⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        215⤵
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        216⤵
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        217⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        218⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        219⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        220⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6420
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        223⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        225⤵
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        226⤵
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        227⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        228⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        229⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        230⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        231⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        232⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        233⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        234⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        235⤵
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        236⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        237⤵
        Drops file in System32 directory
        
        PID:7260
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        238⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7344
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        240⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        241⤵
        Drops file in System32 directory
        
        PID:7432
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        242⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        243⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        244⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        245⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        246⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        247⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        248⤵
        Drops file in System32 directory
        
        PID:7736
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7784
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        250⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        251⤵
        Drops file in System32 directory
        
        PID:7868
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        252⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        253⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        254⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        255⤵
        Drops file in System32 directory
        
        PID:8040
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        256⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        257⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8164
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        259⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        260⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        261⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7376
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7428
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        264⤵
        Drops file in System32 directory
        
        PID:7496
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        265⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7560 -s 412
        266⤵
        Program crash
        
        PID:7720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7560 -ip 7560
1⤵
PID:7676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aacckjaf.exe

Filesize
240KB

MD5
771915e5b4ddb4953c869057cd2f6a1c

SHA1
63f876fc1e37d98f6d7e274fad3d9380329c50d3

SHA256
1c9655d77d7440f6e4d753ca82e4129be461a880ba9d27cee6f21f4d4671a541

SHA512
020b1138d6289a03b6ccca1b6e185412662bb689a07f0cbf735a13b3e9a00c4c5a2277c796047f444b508426ef7f65eead97e2f2e92aa19413b806de4f6f0038

Download Submit
C:\Windows\SysWOW64\Abbpem32.exe

Filesize
240KB

MD5
8c8b07dba34b75789d40522fd265c795

SHA1
674d9e841afd3b01076228f9933c8453cdfa609b

SHA256
5d1a732f7695da162b77ca0830e1bb8d7398b224467073f7046e1bb69b11d0f4

SHA512
f39b85a152b887fe76fb54b38887b74be8dbf22f8f75a0034fa03346b2b8b061ebfdfffcfa467e7b479ccce89f780f2d043450aed6df8b07856973dd63f27130

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
240KB

MD5
3990f68b178c88586a0e5333f72350cf

SHA1
58e205ee01b864205139dec22b1953618e688a7d

SHA256
31d2ae10f96d8e60dc257034cc3b24cc6db626142461662cd52af2d55b52073a

SHA512
c6ad0fabc30a68c2d4814a7658cc09c22ec65595a5b7edf24d601628d8b1290fa89e2102d1b14658abd580cd05784adabb42b8110478e79343ee735d5c390a08

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
240KB

MD5
182d06398ee5d6d5da2723e47cff1985

SHA1
5171f31a6a9497201de85a766cf812e09f766aa7

SHA256
149c9cd4b89cc002cff3c2c7ec770f1bf0dc0e14ba5e0d58febf92ddee2f9ddf

SHA512
9ed4cc6e7d886c540d1e9e4e7b6378e7cf2a009c42616b3c53e8bef63f5f9b52f7d09ffab09b4bd3d59b120cbc4647b1fbe11fb7f8f2d9a65fba8b34584a6fd3

Download Submit
C:\Windows\SysWOW64\Adcmmeog.exe

Filesize
240KB

MD5
f961ca59083bec1f17d0a0317d973477

SHA1
2e44e35a70201d8989d8852fdad75b1f24037432

SHA256
3b152174835483a2dd1a98bdf2b7aa5d01a68cfd93fb1703b010eff838ebdb2a

SHA512
d8faf439b68f4a4d31bd0012bcf838c003fe0cafe52e13b85749d64145eda105ebdfa90734f7b54b4aaf0eaa239ed5e3f075fa5e212208bfea3d6d16d0c7ec0a

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
240KB

MD5
f0439d8731aee435f78a7246b549ddb6

SHA1
7cfdc825da18ac43d9c35a2ee32bbadad5068b06

SHA256
6112350323b5daec3d988c6b184eea2a3fb12b8ee00bcee6186b98482a8e95e7

SHA512
f8821a5bc2ddae1cff82f16426739e4df1454ba684a6f0fe2bca1f915b259490b2d1496cc76649bb5471ef287f376f44b9e0d6e809f1d66b4b111bca9e58135b

Download Submit
C:\Windows\SysWOW64\Aejfpjne.exe

Filesize
240KB

MD5
cbfd408e7c45a5fc0948123780b2834e

SHA1
1d9a997e4acb1d8c244cab03a83f85be674433bf

SHA256
a77fba7ea60c50859bc325a00334b97c36f2090f98cce4a2295692d2ec94a14b

SHA512
67deb891bd2fa4bff037102b80e1f5db88b50b9032b8ac3d9ab8f77809124ef4195c2f5e32cca696646a290c617797169318de94f4c8ae053145cb70732388b4

Download Submit
C:\Windows\SysWOW64\Aelcfilb.exe

Filesize
240KB

MD5
2a9b274bfc53b4516c8ce0bdfc381437

SHA1
79c45821724785456e18082543fbc6c37bb83069

SHA256
61c46ac9ff487779ecd3939b530fbbb8bf58e78003bf0fa08c8864dd25592175

SHA512
514fd2fd1a0e5ab020f56248e848679cc8039a07eee7112fc3ba3776a5801a2ee9cf5e8154743b2925df255e66c2a1457cebcb0780a4610edfc4c9ccf91abef1

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
240KB

MD5
c401f0f38a1bd3ac07e37cdc8376bb57

SHA1
b1b8e1774a42625e3e898cf7c9099238b05cf3e6

SHA256
c17ff14a6015df2534c4a5357c239f9215bac3c8cc1f58de2d751687964cfd1c

SHA512
37f2dfc0dc569835357d57066181029100e93fe66a95b18846579e3049a8e4d61e7c40344936174f3cae0b49f85f28597fcc17808131661c3506315d458a4088

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
240KB

MD5
d126116b6c13c8bad9f3dc8b8db7ed6c

SHA1
9b88f0bf9b2269712526b94c01eb9608ab3dc867

SHA256
c216671fd68948ec339578e276e3027425947aeb9c23b5231b7621f844718847

SHA512
a42001c9288549d94983bdb28657492d5e978159931fc7904334735639c2378f358157621f90049110cdb46e973603a95ea7fb2cb81cbf17d0589551e2bb6be0

Download Submit
C:\Windows\SysWOW64\Ajfoiqll.exe

Filesize
240KB

MD5
add780b48eaff42c87d1bc389566c774

SHA1
c5ec268e7c287cb8bec6a84f071a7b4a5f51bec6

SHA256
a811e21f96daac867480d88ad1aa578cea46c5af9d680539e16a70888ffb3145

SHA512
d017ab15a240bcff0d9f61dfa59b4d4a8ed99358650aeaecca2a0e8a15412124d0ac0026d52a3ab5ce16f76f6e3b9c41119f0eb01b5376f6f7e3301a835fbd78

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
192KB

MD5
13cf8c2122b7848fc695dd8bb2b747a0

SHA1
c47a176886a9be053990187ca4c306776c6f056d

SHA256
96101fd1be915f8a2c7eb4132c7e3db202025d83e89b58e714c2517e31dc64c3

SHA512
8885eab7226cf2a49d00295c4202544e0862c8d790b0d20e8bc46914ec6d9e47f2839460b693a9dcbd58dddb396ee50e939fa475ebc1db72ba73df746af29a3b

Download Submit
C:\Windows\SysWOW64\Ajneip32.exe

Filesize
240KB

MD5
f57786471c367743569a2926f1243f41

SHA1
c99fd03c826b494245d308fba7072b94678b7f1c

SHA256
e974f45cec31ba61ee1bea2a5cc2dfb63eacfbbc84c54ca48c31898bb0f9fb90

SHA512
bf6fbf48e9a7af436e39cc94cfe359fba8539dc5d2508ed05e6abd105cd186b5181e48f2ab034fefff3339421a755c6cab3cc41699a80137592da2a535c17967

Download Submit
C:\Windows\SysWOW64\Alabgd32.exe

Filesize
240KB

MD5
f0b839fcf3cab1e8a2b2a14021c1237d

SHA1
15e17e1a98e24df9a846b6e346634cafb4c7a329

SHA256
093724c5acd66af68f0b2fb8993af17e7dac427aca3b884c1e499cda35a53e5d

SHA512
82d648b0811013edb4339bf625a82528e1fffe983d3dd8ffb95f8c15e539ff77a035fe0c7806737c05c5cf76c3caa9117191e48f4040db779eb2e91d6080dba1

Download Submit
C:\Windows\SysWOW64\Alfkbc32.exe

Filesize
240KB

MD5
f07b71290c385ff6a23e227bfb98c499

SHA1
7fc6612545d30a906f4e11d9201c3da39b60224e

SHA256
5d80a475f8e77ec8bd93144e3f930580ad177950aa2b28c1f535496f7422d9d6

SHA512
d44c6692f5d98835dfc1f0444198fc1e57e2af1a436c103345f8cdde23a0c15f9cf94b06bf67b91dbe6023370b5fd7d1c71a6331bd6e7a168f8af4d6854ef468

Download Submit
C:\Windows\SysWOW64\Alhhhcal.exe

Filesize
240KB

MD5
5d6b1f691ed0496b09320a098fcc028c

SHA1
ec40d96adfb4a43962247bed192658493e92a9df

SHA256
366592570628556649edd695dd19307c77d7abbcad2a6a4d1cd65d5b6337d860

SHA512
ced2ed3580adcbdc1fdb27e4dd129351def4372b90db6371e227489e92080b1479c54fa4f0cc1b5c63cb83938a39c0c07d7750b9b8bcab365b8b031fe7366d2a

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
240KB

MD5
c5545d4f6dea8c2ed467d2a470958cb2

SHA1
92f6f474343f9f1727e7ccfdb70e9fdcb8f13f2d

SHA256
cb565324bfd5b1695f3247236506d6a842b2749f4e6373eafa3c385ff61646cd

SHA512
8e55cae8c8f1917b824d4603296c1355f7dbea69efbd30be6a381cd46651d432c22beb822e76c299732351847156ba4fe966ec524a9dce9a996e49c2784529d2

Download Submit
C:\Windows\SysWOW64\Bahmfj32.exe

Filesize
192KB

MD5
a889e1ecb0aaa39c6146656729e5757a

SHA1
bd4ab391d83f761cbc954d1176066619ceb8cb89

SHA256
1f25d5611c3324b9e22d08c3712f24330703f17be51286a6f7dbb0ad534fbcce

SHA512
3259308b709eed7c9465ab4548efa0f3f090b1f358ffba99cc97f722e76a45013b6837227d03d44f1ba11cbaa3bca2ea1cf0018278c2890aa17d59bbacb84d15

Download Submit
C:\Windows\SysWOW64\Bahmfj32.exe

Filesize
240KB

MD5
e0dbd2c177f2ceaa211c45a287ded10f

SHA1
6f1374aa2e751487a7cf2628f71628b7c6bd6ab0

SHA256
e0ee0f133b96c9a5d4ede8c34fcd548ce9688bc7d26e99c382f4aadaf9bc7e34

SHA512
25c83935c38422d28dc1172455202ac00eb09e704dca5d35535afd34823cf1921ff190db8f7436f3f0d08569c2b4eab2467cfbacee48454239b9505b5825d710

Download Submit
C:\Windows\SysWOW64\Balfaiil.exe

Filesize
240KB

MD5
b77ef204fdc6b9afb22b5a9b551d91b8

SHA1
36f0a6e72f235bb32548ab4cdeafb0e8bca477a6

SHA256
d1f18fc7a6b27a342196e4815072daab3a121a380e436cdc6b2356a669fe6756

SHA512
af233eb96549717d707713e4ba7dea5332d1295ff7b3f66d79faf6bd42f9ac96cccbf063f80686ad550015eabca3e8b48c4912b89a2ca073de65b168ac633424

Download Submit
C:\Windows\SysWOW64\Baocghgi.exe

Filesize
240KB

MD5
8e0daa8ebf09e1b4b3eb23c4e9c03038

SHA1
29b3e278ae68e9884c6e6181810cb6ad9f079136

SHA256
a7080ebf881c47ce1628ac933e3a4c273e362e94fe0917cef9227df445a6fa7e

SHA512
9447a299d9227de96587b5fa790e074578b8702157ec931e8506e0f639710973a0a603d542b91a57b3aa15bd7f66bbbd741e60cb9fada84bfe4fcfaa398b3117

Download Submit
C:\Windows\SysWOW64\Bdhfhe32.exe

Filesize
240KB

MD5
18810d978a50db082928aff24cdcd3e2

SHA1
36719801e57d4c00f423690e75babe6368e1ec6e

SHA256
fa977915e2a3aafb6d99e5cd0ca252b83300316311675f7d3dca356f17bda494

SHA512
e58755c823ff344a9115ee62f14533f9649de98ec9aae4a27d70ddc928a1f10d4aab73af05343052702185bbb9b9d5bf44aa30b07cfafbbbe832a042ee061ff6

Download Submit
C:\Windows\SysWOW64\Bdkcmdhp.exe

Filesize
240KB

MD5
8fbfeb2638ee4fd75152294f3f7e6fc6

SHA1
d08b8e78bc92a95f5c91922db27448c7bd0f4be5

SHA256
9c56497912af5bfd7effce3d37f1af6eab8c8405fa67cf4dc11823ae090175a5

SHA512
dcec259e51a98a18bebdbb97a85ec6adcaea38d8cbb17fc8e727beda557cb60932b09592591218aeaccdfda34966be1977a5800a95f0d1a1942770fe2a36b3fd

Download Submit
C:\Windows\SysWOW64\Bdmpcdfm.exe

Filesize
240KB

MD5
00351bb68d2d90b05b62bc66df606f6c

SHA1
1e8cb73eb2efa00d383843d62cacf8b6cb445f23

SHA256
9e8aadb8f0dfb31cc6f346ce481c99eaf4a5509610b50c4b1c30b60c837efadb

SHA512
bc3c7a00d092fd140eae60d6645d423f1f26a9eb1eb619fb061ab0703e0241ad89867177e3818d07cac15ff5a74b14612998598a288208414fb41f9b8c31cac7

Download Submit
C:\Windows\SysWOW64\Bemlmgnp.exe

Filesize
240KB

MD5
afa6d57ddec420da6e1722a14568274a

SHA1
1edbf88f811ee852ec8085a27a42767c4b8a0595

SHA256
0670132040018d8dc2e6dd03d051bb2814c6d0d850a9f2a42aa900178a25c5e4

SHA512
3dd4643e15cf49c3a4c98936d9438569236486a916d7fca150526a30d8b9ce2d047918ff9dc5df11be530c182c0ddedc1a7ac52b59605cbfe55dd8f02a49517a

Download Submit
C:\Windows\SysWOW64\Bhaebcen.exe

Filesize
240KB

MD5
95a488f43a38690f00a9cb9aef00351d

SHA1
f2e529f531a5b3e019e4e03326a9fcaa4763f87b

SHA256
ba796d50b0e6c388a2efc70ea285e5b1e68913de1ffbfe039710872dcdbb0a7e

SHA512
be8e5f3a931e6d45e042a1b239f14bf13656d9ef88bffcd7c8b058773d475e74e2d8a0173ce0ac67571ee46585501cfaf5ae903524ac47eb4ed79e209b8c960b

Download Submit
C:\Windows\SysWOW64\Bkidenlg.exe

Filesize
240KB

MD5
659e33153f6f2b15e0b613970bbecb19

SHA1
f60bfb1bae8d5feb23ace4a9b09bfdf564f3b2c2

SHA256
75e0f61d7e2e6f5410eef8d353d48e6e80c69233a8ca5efb5b4ab9dd5c4444aa

SHA512
269e98a4f15a9d5ff36a426036bc02d71c4d6bee40c10865f2df2820aaddc2ce05ccb591edd59a2ade7bd99259c40478a9c1908cfc7594ef6aef1e635ae8a014

Download Submit
C:\Windows\SysWOW64\Blpnib32.exe

Filesize
240KB

MD5
77ff98b1ac79e1bb9c463f8c3ca7b608

SHA1
c5006542e74800ed1088423ea89be8747574e399

SHA256
e648aaa493b4935be94b65ca0da52ba2e1d42e7892c7d57946a93fe4d1ca0a13

SHA512
0af05cfed4a85a64cd567a27aed0b8699715e92f99b27c12b5f382a2545f9efbfd3922bc88b2567bbdda2064361d8549877a924a1e0fcd78f222b55b5c00ad99

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
240KB

MD5
611b7e44b028dd505d484eeb604c52d8

SHA1
fb2225d14e7e475e004c03953a63f2e10f406205

SHA256
62c522f4dcf89d1fe59447ed850a5c2b8aafa05752f44850ea52577541f25cb8

SHA512
28473b1f3cb8a68b4654c4ce57550916c4d4c66ec031d1c1a9b1e6ce0cddf1017c9576cf2a303b1f52311ef919e00e5ea8a78422d3415a6ecb946f84385c93b5

Download Submit
C:\Windows\SysWOW64\Bopgjmhe.exe

Filesize
240KB

MD5
b41d58be1081ceb1168e7a653d237ae7

SHA1
c7ddae9bd986e5e1660e2776c1128e06de278d01

SHA256
b513a8ee0ac0f3487eae3c41496fa92595a6401a795bf10549e51123d4df7608

SHA512
f2d02a947ec817a584b31fae16dc814ddc1ba3ede93547643c02d1be72e74f892b0e08f266c15f6d782d4d82c531829f675675451e9459217078695365bc35cf

Download Submit
C:\Windows\SysWOW64\Ceoibflm.exe

Filesize
240KB

MD5
cfbd940f665e83be4a41bb914585be93

SHA1
5b267d0e1b2c33f43a30bb90fca07607669e3596

SHA256
db67aab48e860769d49aa6d7b90dc052ecf1d8589546c456a914fcf099c66fd8

SHA512
52c2f095e7ddebe1c9229ea3fccee3f45f33ab9c001a0902e331745811263100bc239028ee8e2cd2b3f1850e40d04ba0b8e4ac567bffd70f7975d9ece8b4eb38

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
240KB

MD5
69158d3f397ef47a9b11e2158d6646e3

SHA1
b58b8a30aee7a223312810de609048aae971c2eb

SHA256
ef26ac7310d3529fdd80431c77e967449df25a03472ff1accb9a9febf32af466

SHA512
f3ba65eb416994d822fbcc9bf9255095b37435d0138507c3f301e5313c3ab3b278bfae5d1ea63acd0b7c800ae5bcf2d6ab9b95f76f4a5a6b0b52659b03d0a33f

Download Submit
C:\Windows\SysWOW64\Chmeobkq.exe

Filesize
240KB

MD5
bcfbc3cd83057d4b043279606f34cf26

SHA1
f6d36544aa87b87394f07536ff571426730ee0b2

SHA256
2478dcfc0a9baebec2c6e9337dba9d33b4b70612f2e4c62c46bd5a84cf05dd85

SHA512
c88f0445c426a1fe9437fdf0013e75249d8ef7a5ede981050d554c17c4f3ca15da49edb41a1c648eff7d56222acf71111ff1278590753fd278c68c0f11ab6ab0

Download Submit
C:\Windows\SysWOW64\Clkndpag.exe

Filesize
240KB

MD5
aac8669cb8b0eb3e5324c5b58d2b9b39

SHA1
a63f7d779c19035d21f56c0443c7ab72da956517

SHA256
0a9ebe986515fa252a981baf4c210a95366349ce196b453a2398747dad2cbc0b

SHA512
c57e5718f370b1616fc3cf27382a42cbf2e4f28fffc5e5cedb5e0496077051645ce7a9b467be5dc5aee070008289e61684db6cb56265ea1ef81a559796c53e00

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
240KB

MD5
ef9c184e2d6d7af0666c672cf779491c

SHA1
2d65079a4e6ec3b6e1f2dea6dca541b9a3836b32

SHA256
d934d8669f0e5db1f148d0357f7775a6644f2a436695c13bc42176a8a0dfa98f

SHA512
3df1900b70cf890db1721c779aeb7bdacf7169adc97fbceda4f764a9af76503d25cc7dc2b93a8d9b35639206a720844456291af11cf67e9aa2f81f584c6c6346

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
240KB

MD5
d4af70307e4cfc2d3aa34c946e5cc292

SHA1
b4c4dab148abfad0bd5fcbc3de2c0cbfdd92af4e

SHA256
87911a96abd93b3278aa4e4ca9a861d0d1b6a5b353c7f3b57a51b6d834c72430

SHA512
833b74118bbc07a383d4726e200a337c4a22ff01a981425152d10425f4c6963495e2aa5064b4a9d65e5775a49a05645a060ab66beadc221bcee64baa6ed408b7

Download Submit
C:\Windows\SysWOW64\Cojjqlpk.exe

Filesize
240KB

MD5
cde7b26cbc3efd4869fd1ced28c9e587

SHA1
35ce30263947a3a621a02bbf8a8b3f138c2d4a68

SHA256
ebb0efafdd1e1183f17d357a740ec870a0409555e2e8524b1caf108be8fd2e27

SHA512
9b7ee64e8c705f36c18cd67a08d8c6702cdcaf457de45f6ffc4dd56f97da42e6a60f301a18c69531d5438200e9ec6a5900f17df1420004956f921ad42dd1a6f7

Download Submit
C:\Windows\SysWOW64\Conclk32.exe

Filesize
240KB

MD5
6a1b4af09af19f4c5c260626fd59bcea

SHA1
9db653272b9d582f0cf7c38370b06bf4ee56406d

SHA256
280209dbe85c212f8e9319a70e36394d6a5c2393b60ccb620dad33817d76a90f

SHA512
50ff23eff9aaf63dd434804ed54a500c87912d266033db111ecf9f121f5a273822249ebaa4ef6ef47ba434b22e4b2cfb49b8c65dab82ec7cfb6ac313d91ba8bd

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
240KB

MD5
afd54cd67cfdaaa2d304e9d32f62facc

SHA1
51651725bf9e02d0c6ceac073452b7d06add909f

SHA256
1d3f69c3be3c314ebea9f074eea3b3d661e33dd0500f31e3d5cae802fe2d20eb

SHA512
cc6903106c9b219c735e7a33f3725f170e9df66d1e01e2250e852ac89ee57a6dbad822c402cf7a190cfa63008024326b5bca43dec0c3159e466e25c78207d41b

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
240KB

MD5
6d00fea55dd907d41a145898236a0660

SHA1
caa5b9ca7ece2dd1c0be5a8f561ca001297311fd

SHA256
0643c8d769c0d12b6e5c9b65132fc80ed3340eefe337bd1bed8ac9b39125a32b

SHA512
43d2d25cefc660d249e1b62c54db92c2644c4421a652d3970e4eb66abbeda40861cc9fe161bdbc8a39c18615715f6ddb18b58985efe53970808f2cfa4d54985b

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
240KB

MD5
769ad91c0418ce060773c85ab5198c88

SHA1
bbd1a8516d3a634229502b9fe9abb71a1016101d

SHA256
5c0823523177fc293440f8422a7db4cc4870a9561ba1388e09f04b0513a2de0c

SHA512
49c6376600f96347d17cf0fcce7783fefdffeef770f4ae49a5e8a95d250cd573448105c672061b6059f71b1dfe107d456fbc4e808200dfc5b8d7db9d10d20455

Download Submit
C:\Windows\SysWOW64\Dhnnep32.exe

Filesize
240KB

MD5
66291897db51938beb5f00758a3a5f9e

SHA1
1ca6316f6d45542ea2764857f063efcf46747a98

SHA256
64f2de75bdae57b8ec0d4697aa00bb301fc5ce809e30264f9910a2a231c8b58b

SHA512
d7c592638bcb4f0a70707c977eec70457e6b7abfccf679eedd8cdef538173caf5c61615d10fada7cdf996530720cfc499ebf65a0ad970d1e33489ba5070be45b

Download Submit
C:\Windows\SysWOW64\Dkoggkjo.exe

Filesize
240KB

MD5
6d73ddd25270eba9dda3e7075b25c797

SHA1
3d56d6a639b336127aa191e12da762fd00c030c6

SHA256
f18d2c084c8fc821e391ae326dad267164f63783824633a4bd84da07113279b8

SHA512
4490abbfe67c14e1e74f982616396ebc912be979324554a6678e70b1ca4e271cdf978b9e1c61ad6ba121d173d6c85b51a25cefb37928844328a89652089edfb6

Download Submit
C:\Windows\SysWOW64\Dokfjo32.dll

Filesize
7KB

MD5
013044cbbfcf930fd4fa60323d487130

SHA1
c3e167011686e97db53f144cd69e1625b778b1f7

SHA256
96402716dd068b94a2e8fc7ed8a3633f64499b5074cf46eb2377bb0b56d2af9f

SHA512
0d01e20a61ef7d0fea3315aed258d57747f3b479c10a9ede4727e13eb5e6809b1927f6a1a5d756b31d8af4d30a311ec43469c72d5a177392fdf6093f31181a65

Download Submit
C:\Windows\SysWOW64\Eapedd32.exe

Filesize
240KB

MD5
12cc486b90718e00ab391370177f1678

SHA1
7d0618e22cf7fd4d9a5b7d4c6d6d71f6c964a0e1

SHA256
5d6a73c2a0eec10ba85504cc87e7f8d9636c160d22463909e7d11d8afc97267d

SHA512
bb341defe6ca9c027010f0fa7a409451ab3d32707ae9e09a7028d1986ddf81f98ea100014db8053c6bcd589dbadcd40be4eee318a1948b5a4bb908b443a2a72f

Download Submit
C:\Windows\SysWOW64\Edkdkplj.exe

Filesize
240KB

MD5
ba8ed94138ef2a27e2df04ac58802803

SHA1
59c131a858d37b152c22fead5a81dd32006ae02c

SHA256
d8f3c33a20c9de44c602f997ae6c773b1cd4aeedeed849e3817bf141a466d1ff

SHA512
39b6176741e0d0f06ce29c9945d433a117822a2fc5be0755f908c224d49d3197548592a361b833d5b7eaf58790b9b5e5d6bf9326277702ead2f337b69919cc95

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
240KB

MD5
91c86241a7b636243682cddeb56dd049

SHA1
259f55d2b204d0c3db1262235e4a27432982f725

SHA256
147489099947bd9487daa7ed4eda5021b71d3c05502ff50e93e09075380af27b

SHA512
a82796dc91326deca214304f674bb6a2b89f89f6aced7f98d38ca2900e31bd1596280779bfa9bc7718f930c5865587c17e6864289d7da93fac3a1a75fa0a9e72

Download Submit
C:\Windows\SysWOW64\Ffkjlp32.exe

Filesize
240KB

MD5
c18c8dff09ca4901a66ca72f100007b6

SHA1
e3c574f6029dc9c2c83136c9cd962ff63a7a891a

SHA256
838d2da89ca5a8bfb630213e8e640297b565a00b2d581ba44e208e8ca63930c7

SHA512
bbf274784a7335c1c130aee0f5d6425ea0de95d5caf8edbb169c66018b81539154e910c0e2c271141ff6b57a4dc6a4332e7a1da15e0aeb6af5d6031e91ff827e

Download Submit
C:\Windows\SysWOW64\Fhgjblfq.exe

Filesize
240KB

MD5
16d8072df1cb8154c2601bb6238fa4ea

SHA1
a06c9576abd2f5fac3e4a0d27e81fbef64473413

SHA256
52e2798383b7d8924e8f29fa7f2029a807f4e604a066c90ea6f0fe37dfcdbbfc

SHA512
eb911989827068c150bd318a9fca11fce422ccd6a8fcf1fce550d516e321e245cbceaed432e16f25f9ece06879039bb1cfa0338a961861d3b88ecc91d2b40cf6

Download Submit
C:\Windows\SysWOW64\Gcojed32.exe

Filesize
240KB

MD5
711dfae6625a1439aeade5603a6026b0

SHA1
6f01958702f7809ad13431235decc7cfe61de2c1

SHA256
3990865425f59a8f7cacafe6ef168046b2448b2b680cde2b1db5ee786bec05ea

SHA512
57031ec14ebdd455ba18c7501549176dce75f5efb5ae52535e6f2875c31a6f0cf3682a2bc0ff796c3d17caf201afbe2df195787bb045c1b91ace38d0209ac7f1

Download Submit
C:\Windows\SysWOW64\Gdeqhl32.exe

Filesize
240KB

MD5
c738fc2b84f690436e1818182eafb114

SHA1
2b7fc3680e72e2155f64ba1f5640345a4d70b7c7

SHA256
f21d3ae15f8b805315e539b2646a5cfb2704cf27a0f30bce5ea6849944d375fb

SHA512
4637c4d4026db395c4fc474a12b04d082f84ed334bb15b1067cea88659c7a95519b141ad7b41fe91fa1bbb943e77d0cb7d621ed32598cac7251ea9efcc7e0fa7

Download Submit
C:\Windows\SysWOW64\Gomakdcp.exe

Filesize
240KB

MD5
7204a129c22ae492ffa88bcc7e16204c

SHA1
a560b29fa0f4a9ba457a0e4af113e13e35d98e4a

SHA256
a994ccbc227e46a52dcd61ddcc007fe6f8c04f8229150d116f6c1a8643098fc7

SHA512
1ab070fecf06afc2086c71a0956a01c64431f955bfe8d27a9fe9db2d4b94b3c1250c734b1614aea272331697bcedb38490feb0656b05e21e552e6afde1922442

Download Submit
C:\Windows\SysWOW64\Hfcicmqp.exe

Filesize
240KB

MD5
5f88df443f815ce2dbf084dff673626d

SHA1
c6beedf6096cf80f5db40ca01c13c971e74a0a86

SHA256
7a42dd4b959bce2cab13e9d1237af5ae4587b1c8679d3b4d995a99c9b00768bf

SHA512
d4bd0ee28b14ac45cef4191d15326278adfe81437df1217cdd646a8e2768a0e0800ac8c057944987296a46deaba43fe04ddd38a7782ad59a4d0fb3da121f3db0

Download Submit
C:\Windows\SysWOW64\Himldi32.exe

Filesize
240KB

MD5
cf52367badd80acb1d81658062fa20e9

SHA1
69c1e5d0a7a114d85da4917fdbdb62b1818aae75

SHA256
c08fc17c7492181462860daa8b661707a3b5c2ac8abd37ab3511741f73f44ad3

SHA512
d7393dcdccd5e527c88055d2c3cdbe8266bfc0087756e9ad405ebb19e7bf77719b6b4f7fcb1972711e21d27658a1010f60856e17e0c640e23df3de557210759c

Download Submit
C:\Windows\SysWOW64\Hkfoeega.exe

Filesize
240KB

MD5
014a5b142abc9d58f2cfb68b2039ca7c

SHA1
28061654fc1b125812cbae7303c81e15a3347851

SHA256
af813b7233b1adb3a8771a55b2207b2d16c535463b74f7478a400d0e9b0fe83a

SHA512
79263eb3ad64fedc944d172e9e813abd38f16faa447d1b1f63ea2b2f4398f64a2d561f14ec5993cdb2e4dc86513f08504b427342ca894c6d19b0dc761e421d78

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
240KB

MD5
58975b89ec890deb04eb14178dcee3c0

SHA1
90bd8ce26c51cfd89d0b6e08afcaec3eb52834bc

SHA256
5c24a6f38362bc3ac02945cdd77410a2291d6c618d74fde9391492c783e3a5de

SHA512
f2b9ebd8e1179567faf55926d78527198f8857eb190c04c964fbd45e335a0890eeb9138f1eff0d59f9d90be08435782b581ee92723622e8e66a8692d3ca26608

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
240KB

MD5
03275dd33199bf757abd73121bc44858

SHA1
935ea640e13dfce0b2a6654c7a5f058f110dd888

SHA256
d0ab8dab2b3ea437a06b57cec565a90e2377968ce4f8d9908df55543cdc3b841

SHA512
53ea4c1ff5e635788b3ab16d1cd9ce67c0695a0929c8a57274b7dc37d3ede29bafda531d0832f4697877052faf438aa80aca4f6508aede261c1587ce1685c04d

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
240KB

MD5
8152e44149e4fdb736cce6754504856b

SHA1
7c7f44ef5b1b20f09114253134bf05d9f35367c1

SHA256
7149601420c21b34ac1dcd94f28cafd9da05e573664e6773fe40999ccd45bda0

SHA512
88917a9c39ae490664e226db8cfc6ffd4e01e7c3d9ffc8a1d62528875b46088c1023f03e370062f460b8785df946a2f21d9f87ba25f3ea7133be60c4008aafdf

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
240KB

MD5
cdebd34de48b7383931802581122ae13

SHA1
e8782a13ee6cc907bdb3051d28f4a2243fa5dd84

SHA256
ccf7d9b1635ae009f73787fec542337c2bf8a13fecbf58bbb5a27d8a6aa72363

SHA512
22ad6d8f55775c03b1e2aaf9a5dcec0ec0b606d82a2dbc9a07319618006bd2a1c0bba74db1ff4b587997381f0b97a810695fce018d4e1e5c70c2c7f9d7562ee0

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
240KB

MD5
7340da86ab674f94c6326bca7dad0365

SHA1
db92d5ef559737a21d94ee97b6091bc17a8cb217

SHA256
b2dddbf41f1b02e077ca317a7c644334790114496df176a29e315ad2222920e0

SHA512
b360a4fdcfb15700918e604964a78856768c4768c40d129ba236353ca8cf7c30907f81c43911b46a9985f8aa6380038bf7bdaf101d926274d0efd9617124f6d7

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
240KB

MD5
f45d07551ec90c4515a429d88d70b62b

SHA1
0754a62e8051b1903095ca7e77babf62dba40380

SHA256
ba8de85f47d4dd09e7f7e450f045861d55acda1c0a24f1c865f6b7383bab78cf

SHA512
53e88110684e4db6004b5e1d1b23353976e70d35b4e970347a1b1a0d86b5d48f0031b602e4ec4b6c64b0da685c8309632371ac89c99c26489febeba62cc170e5

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
240KB

MD5
abc5c27ecc82418052beb361b78c0a71

SHA1
88f8f42d1f43754273ef1caa314a536a34ea0358

SHA256
e76637f6812fd5c22c07056d9ef3c8195b16ad4b18100a2f27e92ce7b93f3f07

SHA512
2f60f196cdb99afdf65b38ba8761cbb6c11465c14f717ffcfafa6f47e91a779c2a5d9b5eff53ad2d935aa48ea03cb2dd685fe0cb3563f162ebcc547f05ce5c75

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
240KB

MD5
7fe1622b57c3aa52e977aa9fa2d66478

SHA1
bab2107c986ad55eb6544ebcae60ed62333c8bcb

SHA256
ef900957f3bd08ee30a362f40c44d78bc0ca18330244b8aabc25f3ecae25943c

SHA512
fd37673a2bd901b1d247dd22edb4b1b9214f7dffe801248d75c1f3900fb222e15b4536bce0c25b21e7ead2e7f5c31de1c87a1b5c21ff5938b2bc939c32ef9624

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
240KB

MD5
d4a9b89c54b50b826686368eb03edf5c

SHA1
3bae99d62ddc805dc4b9d1653945830199d16a35

SHA256
591ccdfb6ccb91a4901d78f615438d146b7edfe438c586bb9a571b4888cbf3bd

SHA512
2a46c17cdce34a6a947e143908d4e705ba6731ec5ed17349e4ce6156a34600caf1623d5e82ab3411f51b664214a98da6a288332e1faf3e7cf824aa5b34178790

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
240KB

MD5
338299663e1b8a5fe026f67c198f8f04

SHA1
26a133c2a2e7bfd96e5118648e3a4a646829f758

SHA256
af74cf6b0333df1f1f33991f2ad25bb797a651fce8ddb31db39e2dbce0140c39

SHA512
fdf98e819978a849a45e883e98ac7663d0f35b24e876d8357ac7f3757558207097897dc71c22223daeb70c1dd1b9e4c69876908079afb20a013b766ecf673cd7

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
240KB

MD5
76a7ba92b84d25b61257d578aaca61fd

SHA1
3dd979b0e1e19ffc834286c662d58da9c05960ec

SHA256
72065f65796a63f512d0b31284a1c811ad607f311899441b3d4f83bb415ac111

SHA512
efeb198b1bfe1736fe890a367582a754fbb2f49b724be8d82cf8256646bd11c4e752808ccdcce1b2c2e8a242a2b1320eff90f0d409e9d04449fe582059962204

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
240KB

MD5
f47891a8c42c9429c763ac63a7cbda1a

SHA1
6528153818a9e7064da7fb4c7f08ce5fb8c1da8f

SHA256
1a026ac12eb943ffbccc56ee671b88998858b817750a8b76e88f162231765a27

SHA512
33070173d4b1281d6fd316732a7c26673c3e848f9a69c8923891770c8e38ca8c91a14360b0f73262013bc7b45863d1477e030cd362806af3c32544691be1429f

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
240KB

MD5
96ae2a956e946f4e32319eb7aae514a5

SHA1
10df5bac174e20f1ffe0346ac5ce40c5ed56a385

SHA256
5eadd6c4aa7c9770400d13f41e501c8ed89de758511b5ce481249800d08608fd

SHA512
42cad47b8986883870b67f3662d7dd77e413d5a2c6892ecbd279729e8d5574cab91bd30bcc15573aadd941108a38f9468f2dfab80a5170eb05e87b23b659c316

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
240KB

MD5
281a75a4ed20cc0b8a8eff44c835ad61

SHA1
c571952a0bb0b2d4af8e8cd5bb528b472b77ef6f

SHA256
609e5fbf3eebec1842e7ed8c0b22d4c2e2a614166b713faeec39aeb051c1c46c

SHA512
5f457d71e6dcae873da1de787288d13b8066df8d4b7cd3287ff8ff125d73fb878b5bcddae7b3f0466e2dd1a51e85bd9f2f5634eb46f64f235f7f6e2a38c773a1

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
240KB

MD5
16aac2cb270d3ad7609554e975c1e61e

SHA1
76b9c3a1a8fa2eb18d55543103c7f1cff2e09cc2

SHA256
af94fa9726c9ea1f57ed45d170f52afa7c5252f5e9d3ba0590d59fa8566d3054

SHA512
fa76b7553a64449edaf85496c7cacf0b2bc99493f8918866596d973d0204a82abacf67c018316367e4f198d0f705daba348a2b357e9d9c5e7c688929326ae49b

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
240KB

MD5
3a05c56d031c38e958bda5720cb4b10e

SHA1
8aadc119c1c63c68b86e7821856f992bb98359fb

SHA256
f18066dbfdb6ff1ff50743856eb781b08af59cbe9669d498d97848a35145ed88

SHA512
a9ca9126d0680b9826d46e7e2f81df83bbb7624edc82b88078126f2866a8d6b9ac46ec725b61973625ce89f5ad2f6f19615abf311e0ff12edac87e6cfad97bde

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
240KB

MD5
9afd0c7761a61fe691943b5171a23df1

SHA1
3842f2abfb1b16046a6889efdced12564e01fd27

SHA256
ddfee57e6b151ee9688397a52428fbcf6195a6283cac275f1897602e182b695c

SHA512
e41973e30efc4d0c690c350884d967fcb9ccd5f1deb168ca0a37a622502ad17baea3fc894c1cedc8ca43c49a7b3893af6bd576a33fc027102e6eda7172b8ce61

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
240KB

MD5
8ef4ab7d6d945e999a2c6b21c96ed243

SHA1
ef80f309fa003b09ab1d8f98cefb3092e7944599

SHA256
7da9f6026090310946574883493682b8c0257515f406863437836229f0ae6f15

SHA512
e6e5e7f6e862f824aa9346f5e5608184182fa4fb27a5f88deb667d9bed197083c12d73bf82f0ae517688a0358c944ab0507ac3c37fb66aa649df645c7cc70f94

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
240KB

MD5
20f38bde9440085276c2f78095a200a1

SHA1
c6a55ef79d9656253406723d9b8cd788e2bca9a2

SHA256
3967498673cae50c5cae122aff14fbcd1853445e4d09ca0c3342c6b965bca8bf

SHA512
d5a5a5fed02baa2ebe74bf6cfa9d29a76c13ac5346a9effab3fa2f7b34eda2f0a2860bc17a54e9f9d774a2d58058a1f5de39f7a58fb21772e29d73fb19c70f93

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
240KB

MD5
c4f9961f299ab24b23e39dd5b61116ed

SHA1
e87132ca5cffa414b0971939bdd89f7b271e79de

SHA256
e382da93f4a97f8c8e37a2c2d1f4650d4c953eacabc98c8bc1b0a134aad835f8

SHA512
4b7922f63a69af8671c6be6fe7cb00aaa48fe0244e478014f9c91c130b2b002a2df63ae2f3d01105f343bf31e3b44b0b1ba7c5c3a98df253dd2c4e5872050bb6

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
240KB

MD5
eefc76c7667d28b8b3cc558a417179ed

SHA1
f67a077ef3a0f7ba95105b86830a206038bb983f

SHA256
1cf8211d11e1404084fa39c6a6426e90e4c4b514ee3e0faa558ca928c63abc95

SHA512
6f3fe701010e1141afe6e75693ebaba33a58c21a45b19324dc09bf87fa9973a203cfb5ef73fff582e4fbe00ec97861fb42772a4f93dee60c045ae309ba6d4c25

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
240KB

MD5
be6d79042a17ed5b88b3aeb03f891f32

SHA1
7e3c83aee049918de52f9de4dd4482c4ec9387d2

SHA256
2d2f6dff4056c0f29115145da475f39afbbaba7181fb7d4716b0a3c5f260bf31

SHA512
0066a4d4c6bd666eb57d5dbca1e28e73fbeceb03c80a8ebabe01c64b552c5c72fcbea93fae842032c33a10f8499905f31bfbd229350100c92f914e9f8011d596

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
240KB

MD5
2785252868ee6708519f8fbb2ebbb7ed

SHA1
f4b0806a9ffa574eec458f419d78ebfaf044d6e1

SHA256
92ef545eaf7f74edccd3e993d541e3bc8e598e33dc0123888276a8903b3c146c

SHA512
652ae1c6bd682af125b12b953d3a4a75576f9ce72e6c2b30aa4b01ad06c4da13c9b73ba330c0e2a0eb08f5a7f7f968907920bd1210ea80b4df3c025ad467d9a6

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
240KB

MD5
1679dec34329f63a6503ada5df7c4eb1

SHA1
cc98a4c1f2777f8a6777ce8997d3c1ece1a8b9c5

SHA256
78e0160c20090eb54e7aa9af32f0f93ba00f50a119597025293858c8dd580ee2

SHA512
6176e18716a3f91fb1ff2c21938302cdf8b93a069a8e5482ad94dcf6563341b0430d6ea220e8b39cb250556d8c56fddd5dc0862acbd14a5106c8026e007b68a8

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
240KB

MD5
e2c74ed7c37e89a19b617580e96eec6b

SHA1
a251c55369cb78e995402bf5b8398c104678ad4e

SHA256
4462b57f0b590683dfba5556b13a12c7b1ed43658dc8f8697661a289736a365a

SHA512
16ef0443e491252015894ecb704984ffd9d8109d1c33a968d88d4b162a9c7d90ead87d3af8e5a62c6d553a6a6af0ad236cfa1d9c0d1b7cb5d7aabc736562b59b

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
240KB

MD5
3b0af9e2bd44e216c7c9b0699ef26876

SHA1
2406d010db6e45b4906ec0bd29b7568b70716ee3

SHA256
ce32fa0f164fc2cb5150245669c0db5e1e5101c6991d1691f7b852288200c8e4

SHA512
f0e92c658b3219bd3c71961cf03324e0bdf461eb6ced007a57571cd98d32cb7f836091cd978e552b79a18f48e34c0bb47370fbcb1e9e5c68dbd5e3f6342ae2a6

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
240KB

MD5
39809dae3b4863f8360eb2ff9211f40b

SHA1
8ec22673d791729bec3f808bbed619c083003587

SHA256
9221849b32edd985bfafc4b67a85babc6d1640192d61a53e5569319471c8da99

SHA512
432efb019a0fa33f02c7f0d16547b00e1991f8c5d9ba40714d371da29d7cefebb3c8efca6f61843ec0c6f2facde52cd57c4090c232a252545c96b719677b4864

Download Submit
C:\Windows\SysWOW64\Pbbgnpgl.exe

Filesize
240KB

MD5
afc5802fb702027b0678ffe4aa01228c

SHA1
1efb9144eee638a7d71fb1a5b6e90b2f90433d23

SHA256
1ef354b966212a70989e63050b78332b4d8c8eb75fbf0ade3a0081ffa6328d89

SHA512
8256caa9ca814b1c6cee6f15a6d9d8af28c9e37400cfe5c6ded2c202bf52641d0f6951d6c0ec0433783fb0147a3d040680f04fd20d16121a61c53624fdc00408

Download Submit
C:\Windows\SysWOW64\Pbddcoei.exe

Filesize
240KB

MD5
8e4745ea8b663248af7d2f0bc4b503d8

SHA1
7704df12e0728548bad3a8b4e970d57d88a25a60

SHA256
f5e0374241bd1c378d8b026c0f42c2eb70953caffd3668f6d7813fc0745bfaf9

SHA512
17bc698e8315789c2e8e6636ec7ac29c7736187cc998e0d6bd4a54596684a003af17f802ecb9601efee824b147487085b6a734e411f15fcd2cb064a08aeb4007

Download Submit
C:\Windows\SysWOW64\Pcccfh32.exe

Filesize
240KB

MD5
7d32798c0f6696aa99840366febad4ec

SHA1
15f2a0169d94b6f1b6a6d4455316ce692cace5f0

SHA256
a81aa7559829ad12e159c5180f219c3a6fc23c66f6a52894dbbe206594f9f661

SHA512
88e8a7e72f851a44e98273fd33cd9583deb6e6be78a7ff380dfe416ef721f35b7d5266b3b64dd6969944c4cdc7e631b7af128f035f1d01fd929440ad302eceff

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
240KB

MD5
78a0385ce495275b5808b989409212fd

SHA1
90427f3ebdd00e52692dccd26443589551a93fd0

SHA256
389a9c6d75126f78c63dcd9c3d5503cf7075c1515e3174a5ed547795c7de81fb

SHA512
163f0f1298f1392ccf4a5f2345525f211982aa4323a5a6785f1d59f8ed285aaecfc0567c386274d41215b042d571fa2704f67aef2dd0d3d1f4b8ff357abab326

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
240KB

MD5
d4b8f10093e0fa4ba696650162acae48

SHA1
5db1b420bf3a6f66bd2bc81ddd3931d742bd1402

SHA256
d37ea374fd4fdaa2a74b1cd230322ef4f9e8d7b46b12302bc6ec64d282073de7

SHA512
e1e71037ffff5a101b3f937baf2582afde3c36b0ed5aef0decc15667d0a4c1ab547bdccf558fdd84634500650bae70eb9f4cf436c620fbf178290d1febcb0ccd

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
240KB

MD5
58ea608e24bb4fb6efeb5773da7a27f7

SHA1
d6b344834edb37330bcf39c34dc4913ccf129a7d

SHA256
4c45c67585d9a491ed44640045773b0ce9ca3a8a29917182c151c5a6f9619b98

SHA512
9bd590710135d18084b31434d453c53ab182aefa47163bcb9cc7eb5ee94e5961235b67563a75445c27ba71e561859c60e42b3b2b0ba7d7bd31e30f54a462f7d1

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
240KB

MD5
d4e891f52789a2f805bc19b76dd97d10

SHA1
f54eb907b2413449871420f5c601c42c2437c349

SHA256
ae197b560db0ab2687c549388e51c0c01a3e316c702cad34374b0910a1fbe4b7

SHA512
6c4446f82da509074238cf2657716b3972c9ed714f798e0213dda28fc7f8247c1a75ce851b2d07225ad9a178835f6994721b54df73184ebbb31301872ac2a0cb

Download Submit
C:\Windows\SysWOW64\Qalnjkgo.exe

Filesize
240KB

MD5
5d0cde5b7c33a57ccfd7c413c4788991

SHA1
074369a3eb8bf07a585164c6b5d7bd917274bbe1

SHA256
1c8fa52bc7fab540af3688efb102677d4cb8a1700c1c5924ee0099cade94a8e6

SHA512
71e35e936fd422fb97b4d8649ba364c13e0cfeae2197f06dc95c7ef1804ebbd64ba7a179dd62b869074243841a9dcfc7b788857ac66c2c2824aa7df9729ed15e

Download Submit
C:\Windows\SysWOW64\Qcepkg32.exe

Filesize
240KB

MD5
d7562deb21da4d17a87615fa3808958e

SHA1
042a4b2f570d8bed8a1ecbc23b436855001f2a37

SHA256
034bb19e5fd094fb296ae1143ffb3e7cebdd5553df3e24b7db8d3bae96da4659

SHA512
2b0d94296dcb8fb211e0c6f6c566c82f0cb950a8c4519d81b2f9e44cc2c2a4b2aa0d112a0679db940abc980b81cf2a7e880b5eb671fc66e01c935e8f1d7588f2

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
240KB

MD5
89717ee8c258b355326b38f14f30ce37

SHA1
9e5c0ad3c1ff42bc605d69d99846f9a57ff57087

SHA256
cd2b1a5fe411f16f3aa98d223b94a5d12eade3661abcd17dd8c505dace2a8935

SHA512
fc50e95ecb2a28c4e95b254741ff0432c929eda1bb384ceed5220339a3f2066da2d391845e90c8394ece324f1b8717590d01ce5486de03f397701419d03f8d02

Download Submit
C:\Windows\SysWOW64\Qgciaf32.exe

Filesize
240KB

MD5
2ded6c2673563fcea95279e6babf0ffe

SHA1
b505fccb590cf7a6e6632e1e44ff9481c4ca97e0

SHA256
a730caff24c7f1f9516f3260306b40972fe948c6e2de3fa0e2b53932add9f1d1

SHA512
3b43a3f618360998aa9bee0dc6308d765b0b49d6cf0250092100c5e04d39aca8e5b91997574631dd0ffb49dea77d2ab7f1c544ed390eb9fef817292a13641bfb

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
240KB

MD5
6450c8944cabe2ee15d77ed6f77baf97

SHA1
7821e49ed51229bf044719e85666ef2357825109

SHA256
15dec81bd685b622a9bd0b9f3e1e7d44e8df57d5eb7a3beac64188ea99eb7e72

SHA512
347c8d28ae5b08ef9db7406e96f9c946706db4fa35e57e0474667a53e2f646f875efe488b5d6ba2119edfdbb2908638a475b91f22be264fbb081eb9cc17a04e4

Download Submit
C:\Windows\SysWOW64\Qnkdhpjn.exe

Filesize
240KB

MD5
7c2fdea5f23d93b3c3d28bec4c0f01b4

SHA1
6c8fccb749f3c9caf7a655cb4c31348d95c9b7f5

SHA256
30566063710af1330845ccba14cd08ce9ef96ac4ed52d0aa99d48086495dc518

SHA512
c1d8d9592888af1870da7a078b74be70cf3d4a9c3578d4f159f6d56d4ac8b105e15f69279eaae0f2e5edf9852f1baa0eeccad5020205413c3a872560fec062fa

Download Submit
memory/220-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/408-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/456-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/560-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/560-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/604-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/848-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/868-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1020-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1224-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1232-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1296-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1480-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1636-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-573-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1740-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1740-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1868-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-593-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1932-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1992-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1996-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2100-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-580-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2212-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2252-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2272-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2352-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2504-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2524-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2812-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3012-566-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-545-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3140-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3224-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3256-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3308-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3340-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3340-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3344-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3520-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3560-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3616-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3620-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3632-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3656-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3672-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3708-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3748-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3768-594-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3772-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3892-528-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3912-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3912-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3960-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3980-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4004-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4208-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4236-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4304-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4328-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4392-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4404-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4412-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4456-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4456-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4472-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4504-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4524-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4544-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4628-589-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4696-532-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4712-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4716-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4784-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4928-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4964-563-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4992-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5000-203-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5040-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5048-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads