68e2c1efb08a00edb3656dbc7df4c878e03af164154c9940c7f129913ecd75fe

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 12:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3a6060e2328e20262687d7e05f34b420_NeikiAnalytics.exe
Size

109KB
MD5

3a6060e2328e20262687d7e05f34b420
SHA1

d8814dce3ba3f32510de8ddfee18fa528a55a663
SHA256

68e2c1efb08a00edb3656dbc7df4c878e03af164154c9940c7f129913ecd75fe
SHA512

456664829c4b49109ebbdbfa4dea3453bdb12f4c209474229462c068a1ae6b1d2136c778693a46a3e97d96e52c932d0a07df6514e49d3973392d5a0d15036e53
SSDEEP

3072:o7nAVGkhSswcJBv1sUJ9mLCqwzBu1DjHLMVDqqkSpR:ocVGAFBv1hJ9iwtu1DjrFqhz

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkdbpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbjcolha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abkjdnoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfoiqll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abngjnmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdkcmdhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gofkje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkgqfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gblngpbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcepkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balfaiil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ickchq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocqnij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogcpjhoq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmcojh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdgqfbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qchmagie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdnjgmle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgopffec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gododflk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icplcpgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmlbbdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alkdnboj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdhfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehedfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjodl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/4408-0-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022f51-7.dat	family_berbew
behavioral2/memory/4536-12-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002340a-15.dat	family_berbew
behavioral2/memory/2968-16-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002340c-22.dat	family_berbew
behavioral2/memory/4788-24-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002340e-30.dat	family_berbew
behavioral2/memory/752-36-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023410-38.dat	family_berbew
behavioral2/memory/2940-44-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023412-46.dat	family_berbew
behavioral2/memory/3956-48-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023414-54.dat	family_berbew
behavioral2/memory/3572-60-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023416-62.dat	family_berbew
behavioral2/files/0x0007000000023418-69.dat	family_berbew
behavioral2/memory/4664-72-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/memory/4952-71-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341a-78.dat	family_berbew
behavioral2/memory/2668-80-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341c-86.dat	family_berbew
behavioral2/memory/3168-88-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002341e-94.dat	family_berbew
behavioral2/memory/2452-96-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023420-102.dat	family_berbew
behavioral2/memory/2508-104-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023422-110.dat	family_berbew
behavioral2/memory/4992-112-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023424-117.dat	family_berbew
behavioral2/memory/1812-120-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023426-126.dat	family_berbew
behavioral2/memory/2052-128-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023428-134.dat	family_berbew
behavioral2/memory/2412-136-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342a-142.dat	family_berbew
behavioral2/memory/4644-144-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342c-150.dat	family_berbew
behavioral2/memory/4896-152-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002342e-158.dat	family_berbew
behavioral2/memory/2676-160-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023430-161.dat	family_berbew
behavioral2/files/0x0007000000023430-166.dat	family_berbew
behavioral2/memory/964-168-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023432-174.dat	family_berbew
behavioral2/memory/1832-176-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0008000000023407-177.dat	family_berbew
behavioral2/memory/2960-183-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023435-190.dat	family_berbew
behavioral2/memory/2276-191-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023437-198.dat	family_berbew
behavioral2/memory/5044-200-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023439-206.dat	family_berbew
behavioral2/memory/1964-207-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000700000002343d-214.dat	family_berbew
behavioral2/memory/2224-215-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x000800000002343e-222.dat	family_berbew
behavioral2/memory/4612-224-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023440-230.dat	family_berbew
behavioral2/memory/3600-236-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0005000000022abb-238.dat	family_berbew
behavioral2/memory/2220-240-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023443-246.dat	family_berbew
behavioral2/memory/4864-248-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
4536	Kcifkp32.exe
2968	Kkpnlm32.exe
4788	Kdhbec32.exe
752	Kkbkamnl.exe
2940	Lmqgnhmp.exe
3956	Lpocjdld.exe
3572	Lcmofolg.exe
4952	Lkdggmlj.exe
4664	Lpappc32.exe
2668	Lkgdml32.exe
3168	Laalifad.exe
2452	Ldohebqh.exe
2508	Lkiqbl32.exe
4992	Lnhmng32.exe
1812	Lcdegnep.exe
2052	Lklnhlfb.exe
2412	Lnjjdgee.exe
4644	Lcgblncm.exe
4896	Mnlfigcc.exe
2676	Mdfofakp.exe
964	Mkpgck32.exe
1832	Mpmokb32.exe
2960	Mjeddggd.exe
2276	Mamleegg.exe
5044	Mgidml32.exe
1964	Mglack32.exe
2224	Mnfipekh.exe
4612	Mgnnhk32.exe
3600	Nnhfee32.exe
2220	Nqfbaq32.exe
4864	Nklfoi32.exe
2076	Nnjbke32.exe
656	Nddkgonp.exe
4276	Nkncdifl.exe
1736	Njacpf32.exe
4608	Ndghmo32.exe
380	Ngedij32.exe
4476	Nbkhfc32.exe
764	Njfmke32.exe
1536	Ndkahnhh.exe
3440	Oboaabga.exe
4472	Oqbamo32.exe
3988	Ocqnij32.exe
2956	Obangb32.exe
4488	Okjbpglo.exe
1972	Onholckc.exe
2024	Obdkma32.exe
3040	Ocegdjij.exe
3256	Ojopad32.exe
2852	Oqihnn32.exe
2124	Ogcpjhoq.exe
1768	Onmhgb32.exe
216	Oqkdcn32.exe
4052	Pjdilcla.exe
1580	Peimil32.exe
1548	Pjffbc32.exe
1064	Pqpnombl.exe
3736	Pgjfkg32.exe
3740	Pndohaqe.exe
3316	Pengdk32.exe
4640	Pkhoae32.exe
1556	Pbbgnpgl.exe
556	Pgopffec.exe
900	Pjmlbbdg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Onholckc.exe	Okjbpglo.exe
File opened for modification	C:\Windows\SysWOW64\Pqpnombl.exe	Pjffbc32.exe
File created	C:\Windows\SysWOW64\Eocqqdjh.dll	Dboigi32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Qchmagie.exe	Qjpiha32.exe
File created	C:\Windows\SysWOW64\Nconcm32.dll	Bdkcmdhp.exe
File created	C:\Windows\SysWOW64\Egdmkp32.dll	Clkndpag.exe
File opened for modification	C:\Windows\SysWOW64\Edkdkplj.exe	Ekcpbj32.exe
File created	C:\Windows\SysWOW64\Jimekgff.exe	Jfoiokfb.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Fqqlehck.dll	Hihbijhn.exe
File opened for modification	C:\Windows\SysWOW64\Hfnphn32.exe	Hcpclbfa.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Knkffk32.dll	Fomhdg32.exe
File created	C:\Windows\SysWOW64\Immapg32.exe	Iefioj32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Migjoaaf.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Mgqddl32.dll	Cbcilkjg.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Lljfpnjg.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Fdgdgnbm.exe	Fcfhof32.exe
File created	C:\Windows\SysWOW64\Mgddhf32.exe	Mdehlk32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Meknidfo.dll	Qjbena32.exe
File created	C:\Windows\SysWOW64\Bcfmgfde.dll	Dhnnep32.exe
File created	C:\Windows\SysWOW64\Njkdbljm.dll	Ecmeig32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Njfmke32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Olihhh32.dll	Pjdilcla.exe
File created	C:\Windows\SysWOW64\Genaegmo.dll	Dhpjkojk.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ajdbcano.exe	Agffge32.exe
File created	C:\Windows\SysWOW64\Ifbbmf32.dll	Ajfoiqll.exe
File created	C:\Windows\SysWOW64\Dbfmkjoa.dll	Gblngpbd.exe
File created	C:\Windows\SysWOW64\Pldhcm32.dll	Iefioj32.exe
File created	C:\Windows\SysWOW64\Kplpjn32.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ipnjafgo.dll	Hkdbpe32.exe
File created	C:\Windows\SysWOW64\Lpnlpnih.exe	Lmppcbjd.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ndkahnhh.exe	Njfmke32.exe
File opened for modification	C:\Windows\SysWOW64\Onholckc.exe	Okjbpglo.exe
File created	C:\Windows\SysWOW64\Dadeieea.exe	Dbaemi32.exe
File created	C:\Windows\SysWOW64\Mdmann32.dll	Gbbkaako.exe
File opened for modification	C:\Windows\SysWOW64\Kmkfhc32.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Echmafdm.dll	Obangb32.exe
File opened for modification	C:\Windows\SysWOW64\Gbbkaako.exe	Gododflk.exe
File created	C:\Windows\SysWOW64\Iledokkp.dll	Ildkgc32.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Mpablkhc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9868	9780	WerFault.exe	462

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlqgg32.dll"	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jheiojpj.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eepjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phaedfje.dll"	Jimekgff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dadeieea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgnjkdco.dll"	Balfaiil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gblngpbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjffbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmnoof32.dll"	Gomakdcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghlcnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdpie32.dll"	Bjpaooda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahmlgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keblci32.dll"	Ipknlb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijloo32.dll"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpnnd32.dll"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkjck32.dll"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkopnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehedfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnaabfm.dll"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmcojh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edkdkplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilabfj32.dll"	Bhkhibmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbefaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcioiood.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjpiha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnfbohh.dll"	Pndohaqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pengdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecmeig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjpej32.dll"	Ndkahnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Becifhfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlnnp32.dll"	Jlednamo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 4536	4408	3a6060e2328e20262687d7e05f34b420_NeikiAnalytics.exe	81
PID 4408 wrote to memory of 4536	4408	3a6060e2328e20262687d7e05f34b420_NeikiAnalytics.exe	81
PID 4408 wrote to memory of 4536	4408	3a6060e2328e20262687d7e05f34b420_NeikiAnalytics.exe	81
PID 4536 wrote to memory of 2968	4536	Kcifkp32.exe	82
PID 4536 wrote to memory of 2968	4536	Kcifkp32.exe	82
PID 4536 wrote to memory of 2968	4536	Kcifkp32.exe	82
PID 2968 wrote to memory of 4788	2968	Kkpnlm32.exe	84
PID 2968 wrote to memory of 4788	2968	Kkpnlm32.exe	84
PID 2968 wrote to memory of 4788	2968	Kkpnlm32.exe	84
PID 4788 wrote to memory of 752	4788	Kdhbec32.exe	85
PID 4788 wrote to memory of 752	4788	Kdhbec32.exe	85
PID 4788 wrote to memory of 752	4788	Kdhbec32.exe	85
PID 752 wrote to memory of 2940	752	Kkbkamnl.exe	87
PID 752 wrote to memory of 2940	752	Kkbkamnl.exe	87
PID 752 wrote to memory of 2940	752	Kkbkamnl.exe	87
PID 2940 wrote to memory of 3956	2940	Lmqgnhmp.exe	88
PID 2940 wrote to memory of 3956	2940	Lmqgnhmp.exe	88
PID 2940 wrote to memory of 3956	2940	Lmqgnhmp.exe	88
PID 3956 wrote to memory of 3572	3956	Lpocjdld.exe	89
PID 3956 wrote to memory of 3572	3956	Lpocjdld.exe	89
PID 3956 wrote to memory of 3572	3956	Lpocjdld.exe	89
PID 3572 wrote to memory of 4952	3572	Lcmofolg.exe	90
PID 3572 wrote to memory of 4952	3572	Lcmofolg.exe	90
PID 3572 wrote to memory of 4952	3572	Lcmofolg.exe	90
PID 4952 wrote to memory of 4664	4952	Lkdggmlj.exe	92
PID 4952 wrote to memory of 4664	4952	Lkdggmlj.exe	92
PID 4952 wrote to memory of 4664	4952	Lkdggmlj.exe	92
PID 4664 wrote to memory of 2668	4664	Lpappc32.exe	93
PID 4664 wrote to memory of 2668	4664	Lpappc32.exe	93
PID 4664 wrote to memory of 2668	4664	Lpappc32.exe	93
PID 2668 wrote to memory of 3168	2668	Lkgdml32.exe	94
PID 2668 wrote to memory of 3168	2668	Lkgdml32.exe	94
PID 2668 wrote to memory of 3168	2668	Lkgdml32.exe	94
PID 3168 wrote to memory of 2452	3168	Laalifad.exe	95
PID 3168 wrote to memory of 2452	3168	Laalifad.exe	95
PID 3168 wrote to memory of 2452	3168	Laalifad.exe	95
PID 2452 wrote to memory of 2508	2452	Ldohebqh.exe	96
PID 2452 wrote to memory of 2508	2452	Ldohebqh.exe	96
PID 2452 wrote to memory of 2508	2452	Ldohebqh.exe	96
PID 2508 wrote to memory of 4992	2508	Lkiqbl32.exe	97
PID 2508 wrote to memory of 4992	2508	Lkiqbl32.exe	97
PID 2508 wrote to memory of 4992	2508	Lkiqbl32.exe	97
PID 4992 wrote to memory of 1812	4992	Lnhmng32.exe	98
PID 4992 wrote to memory of 1812	4992	Lnhmng32.exe	98
PID 4992 wrote to memory of 1812	4992	Lnhmng32.exe	98
PID 1812 wrote to memory of 2052	1812	Lcdegnep.exe	99
PID 1812 wrote to memory of 2052	1812	Lcdegnep.exe	99
PID 1812 wrote to memory of 2052	1812	Lcdegnep.exe	99
PID 2052 wrote to memory of 2412	2052	Lklnhlfb.exe	100
PID 2052 wrote to memory of 2412	2052	Lklnhlfb.exe	100
PID 2052 wrote to memory of 2412	2052	Lklnhlfb.exe	100
PID 2412 wrote to memory of 4644	2412	Lnjjdgee.exe	101
PID 2412 wrote to memory of 4644	2412	Lnjjdgee.exe	101
PID 2412 wrote to memory of 4644	2412	Lnjjdgee.exe	101
PID 4644 wrote to memory of 4896	4644	Lcgblncm.exe	102
PID 4644 wrote to memory of 4896	4644	Lcgblncm.exe	102
PID 4644 wrote to memory of 4896	4644	Lcgblncm.exe	102
PID 4896 wrote to memory of 2676	4896	Mnlfigcc.exe	103
PID 4896 wrote to memory of 2676	4896	Mnlfigcc.exe	103
PID 4896 wrote to memory of 2676	4896	Mnlfigcc.exe	103
PID 2676 wrote to memory of 964	2676	Mdfofakp.exe	104
PID 2676 wrote to memory of 964	2676	Mdfofakp.exe	104
PID 2676 wrote to memory of 964	2676	Mdfofakp.exe	104
PID 964 wrote to memory of 1832	964	Mkpgck32.exe	105

C:\Users\Admin\AppData\Local\Temp\3a6060e2328e20262687d7e05f34b420_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3a6060e2328e20262687d7e05f34b420_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\SysWOW64\Kcifkp32.exe
  C:\Windows\system32\Kcifkp32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\SysWOW64\Kkpnlm32.exe
    C:\Windows\system32\Kkpnlm32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\Kdhbec32.exe
      C:\Windows\system32\Kdhbec32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
      - C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        23⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        24⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        25⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        30⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        31⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        32⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        33⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        34⤵
        Executes dropped EXE
        
        PID:656
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        35⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        36⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        37⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        38⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Njfmke32.exe
        
        C:\Windows\system32\Njfmke32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Ndkahnhh.exe
        
        C:\Windows\system32\Ndkahnhh.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Oboaabga.exe
        
        C:\Windows\system32\Oboaabga.exe
        42⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Oqbamo32.exe
        
        C:\Windows\system32\Oqbamo32.exe
        43⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Ocqnij32.exe
        
        C:\Windows\system32\Ocqnij32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Obangb32.exe
        
        C:\Windows\system32\Obangb32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Okjbpglo.exe
        
        C:\Windows\system32\Okjbpglo.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Onholckc.exe
        
        C:\Windows\system32\Onholckc.exe
        47⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Obdkma32.exe
        
        C:\Windows\system32\Obdkma32.exe
        48⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Ocegdjij.exe
        
        C:\Windows\system32\Ocegdjij.exe
        49⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Ojopad32.exe
        
        C:\Windows\system32\Ojopad32.exe
        50⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Oqihnn32.exe
        
        C:\Windows\system32\Oqihnn32.exe
        51⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\Ogcpjhoq.exe
        
        C:\Windows\system32\Ogcpjhoq.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Onmhgb32.exe
        
        C:\Windows\system32\Onmhgb32.exe
        53⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Oqkdcn32.exe
        
        C:\Windows\system32\Oqkdcn32.exe
        54⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Pjdilcla.exe
        
        C:\Windows\system32\Pjdilcla.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Peimil32.exe
        
        C:\Windows\system32\Peimil32.exe
        56⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Pjffbc32.exe
        
        C:\Windows\system32\Pjffbc32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Pqpnombl.exe
        
        C:\Windows\system32\Pqpnombl.exe
        58⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Pgjfkg32.exe
        
        C:\Windows\system32\Pgjfkg32.exe
        59⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Pndohaqe.exe
        
        C:\Windows\system32\Pndohaqe.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Pengdk32.exe
        
        C:\Windows\system32\Pengdk32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Pkhoae32.exe
        
        C:\Windows\system32\Pkhoae32.exe
        62⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\Pbbgnpgl.exe
        
        C:\Windows\system32\Pbbgnpgl.exe
        63⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Pgopffec.exe
        
        C:\Windows\system32\Pgopffec.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\Pjmlbbdg.exe
        
        C:\Windows\system32\Pjmlbbdg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:900
        
        C:\Windows\SysWOW64\Pbddcoei.exe
        
        C:\Windows\system32\Pbddcoei.exe
        66⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\Qcepkg32.exe
        
        C:\Windows\system32\Qcepkg32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4156
        
        C:\Windows\SysWOW64\Qjpiha32.exe
        
        C:\Windows\system32\Qjpiha32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Qchmagie.exe
        
        C:\Windows\system32\Qchmagie.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3624
        
        C:\Windows\SysWOW64\Qjbena32.exe
        
        C:\Windows\system32\Qjbena32.exe
        70⤵
        Drops file in System32 directory
        
        PID:644
        
        C:\Windows\SysWOW64\Qalnjkgo.exe
        
        C:\Windows\system32\Qalnjkgo.exe
        71⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\Agffge32.exe
        
        C:\Windows\system32\Agffge32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Ajdbcano.exe
        
        C:\Windows\system32\Ajdbcano.exe
        73⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Abkjdnoa.exe
        
        C:\Windows\system32\Abkjdnoa.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1876
        
        C:\Windows\SysWOW64\Ahhblemi.exe
        
        C:\Windows\system32\Ahhblemi.exe
        75⤵
        
        PID:376
        
        C:\Windows\SysWOW64\Ajfoiqll.exe
        
        C:\Windows\system32\Ajfoiqll.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\Abngjnmo.exe
        
        C:\Windows\system32\Abngjnmo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1708
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        78⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Abpcon32.exe
        
        C:\Windows\system32\Abpcon32.exe
        79⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Ahmlgd32.exe
        
        C:\Windows\system32\Ahmlgd32.exe
        80⤵
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Angddopp.exe
        
        C:\Windows\system32\Angddopp.exe
        81⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        82⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\Alkdnboj.exe
        
        C:\Windows\system32\Alkdnboj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2588
        
        C:\Windows\SysWOW64\Becifhfj.exe
        
        C:\Windows\system32\Becifhfj.exe
        84⤵
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Bjpaooda.exe
        
        C:\Windows\system32\Bjpaooda.exe
        85⤵
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4444
        
        C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:184
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        89⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        90⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        91⤵
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Boepel32.exe
        
        C:\Windows\system32\Boepel32.exe
        92⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        93⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        94⤵
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        95⤵
        Drops file in System32 directory
        
        PID:3708
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        96⤵
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        97⤵
        
        PID:648
        
        C:\Windows\SysWOW64\Ckpjfm32.exe
        
        C:\Windows\system32\Ckpjfm32.exe
        98⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        99⤵
        
        PID:928
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        100⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        101⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        102⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        103⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        104⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        105⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        106⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3944
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        108⤵
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        109⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        110⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        111⤵
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        112⤵
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        113⤵
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        114⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        115⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        116⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        117⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        118⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Dlncan32.exe
        
        C:\Windows\system32\Dlncan32.exe
        119⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        120⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        123⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        124⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        126⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        127⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        128⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        129⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        130⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        131⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        132⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        133⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        134⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        135⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        136⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        137⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        138⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        140⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        141⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        142⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        143⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        144⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        145⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        146⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        148⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        150⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        151⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        153⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        154⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        155⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        156⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        157⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        158⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        159⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        160⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        161⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        162⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        164⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        166⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        167⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        169⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        170⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        171⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        172⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        173⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        174⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        175⤵
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        176⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        177⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        178⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        179⤵
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        180⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        181⤵
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        182⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        183⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        184⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        185⤵
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6572
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6660
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        190⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        191⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        192⤵
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        194⤵
        Drops file in System32 directory
        
        PID:6872
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        195⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        197⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        198⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7084
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        200⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        201⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        202⤵
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6316
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        204⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        205⤵
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        206⤵
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        207⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        208⤵
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        209⤵
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        210⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        211⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7020
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        214⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        215⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        216⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        217⤵
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        218⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6592
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        220⤵
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        221⤵
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        222⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        224⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        225⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6472
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6644
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        228⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        229⤵
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        230⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        231⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6772
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        233⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        234⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        235⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        236⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        237⤵
        Drops file in System32 directory
        
        PID:6912
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        238⤵
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        239⤵
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        240⤵
        Drops file in System32 directory
        
        PID:7188
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        241⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        242⤵
        Modifies registry class
        
        PID:7280
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        243⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        244⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7408
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        246⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        247⤵
        Drops file in System32 directory
        
        PID:7496
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        248⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        249⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        250⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7668
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        252⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        253⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        254⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        255⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7836
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        256⤵
        Modifies registry class
        
        PID:7880
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        257⤵
        Drops file in System32 directory
        
        PID:7924
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        258⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7964
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        259⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8048
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        261⤵
        Modifies registry class
        
        PID:8088
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8124
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8176
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7204
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        265⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        266⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        267⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        268⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        269⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        270⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        271⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        272⤵
        Modifies registry class
        
        PID:7776
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7820
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        274⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7992
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        276⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        277⤵
        Modifies registry class
        
        PID:8132
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        278⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        279⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        280⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        281⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        282⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        283⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        284⤵
        Drops file in System32 directory
        
        PID:7824
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        285⤵
        Drops file in System32 directory
        
        PID:7956
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        286⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        287⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7316
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        289⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        290⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        291⤵
        Drops file in System32 directory
        
        PID:7772
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        292⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        293⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        294⤵
        Drops file in System32 directory
        
        PID:7348
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7576
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        296⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        297⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        298⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        299⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        300⤵
        Modifies registry class
        
        PID:7492
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        301⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        302⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        303⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8204
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        304⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        305⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        306⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        307⤵
        Modifies registry class
        
        PID:8372
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8420
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        309⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        310⤵
        Drops file in System32 directory
        
        PID:8508
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        311⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        312⤵
        Modifies registry class
        
        PID:8596
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        313⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        314⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        315⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        316⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8764
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        317⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        318⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        319⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        320⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        321⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        322⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        323⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        324⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        325⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        326⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        327⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        328⤵
        Modifies registry class
        
        PID:8276
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        329⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        330⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        331⤵
        Drops file in System32 directory
        
        PID:8492
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        332⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        333⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        334⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        335⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8756
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        336⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        337⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        338⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        339⤵
        Drops file in System32 directory
        
        PID:9048
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        340⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        341⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        342⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        343⤵
        Drops file in System32 directory
        
        PID:8340
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        344⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        345⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        346⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        347⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        348⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8868
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        349⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        350⤵
        Modifies registry class
        
        PID:9076
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        351⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        352⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        353⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8472
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        354⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        355⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        356⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        357⤵
        Drops file in System32 directory
        
        PID:8200
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        358⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        359⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        360⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        361⤵
        Modifies registry class
        
        PID:8440
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        362⤵
        Drops file in System32 directory
        
        PID:9012
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        363⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8284
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        364⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        365⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        366⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        367⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        368⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        369⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        370⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9340
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        371⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        372⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        373⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        374⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        375⤵
        Drops file in System32 directory
        
        PID:9560
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        376⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        377⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9644
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        378⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        379⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9732
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        380⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9780 -s 408
        381⤵
        Program crash
        
        PID:9868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 9780 -ip 9780
1⤵
PID:9844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
109KB

MD5
ab4e137ed4e0875dbc13ecfbae632e72

SHA1
31a2841f25caad70a5f322970982297dd11f038b

SHA256
6a55cf6fa3471ea16da1c50222a2025a1f04dd4b2f7c865295ada8e4e5d676eb

SHA512
3c18f33dcdfe5bdc2ec6cdda0281d4b933c6c3567a22a86064599036f4d4cb08255475466f6844eef9026f04fbd726bebdea3ca3198f0f9fd1c2ed3e6a80086d

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
109KB

MD5
ef635d4aab359126f7c08341fca19923

SHA1
c78b95dcf436411c5519c3df3914bb7c5f48623c

SHA256
01287fa40f6ac38edaa73f1634c8121c0e1e75bce20cdcc1dfdd5fb4808ae3ca

SHA512
08534ef639888278c113a14cabd52718f621df92fa25bab95d4590f096255c82facf9dbd7f54385a0fe5147dfb5ed1831d51d30bb6330ea72b13f0ecab343d60

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
109KB

MD5
12d841ec330fea6b401a0b9a1e583e88

SHA1
1142e7c8d14d8d12b085d3e6db0517bb7238309a

SHA256
7a0a253cb5755dff024bb6ce78b28e53cecec0e38b22b973a8dff47c0968c44f

SHA512
a759f11a862a78a0a211b0d86bb6ef6e16c3c5db13375c9d372c2e7c45d3f3663bd455ddc83e0b129573b479270487b2df42cfe634e6835592b8ad79161e21aa

Download Submit
C:\Windows\SysWOW64\Ajfoiqll.exe

Filesize
109KB

MD5
41b4bb5266c10f12730ec969c0ec3a59

SHA1
e341632810afaafca86b7db2a93790f07bcef465

SHA256
11c3f28350f2631b9a92b24102510d3669f5a4fe2a2dbc21da3c6ca47ce8d7cc

SHA512
4b886d7eeaf2ea13d829ad2e3a660a7e259349c1701d7342c9ca91a354b8eb476736478e1103d0f493013559104259dd658c58286ccbc83725efef20c10951bd

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
109KB

MD5
12d746c1aef7bce62faa5ad1a9ba2f7a

SHA1
0b9bf03179969119fea16ed8cb6ef04dcc883866

SHA256
ca9f25fd40ad6842bd019ac75ccee5f8cc962b6a32e33ad3b0f1d252f22a5129

SHA512
27cdbb55a279242068ccb5a30061d2b119d01bed257d4996987bdf2d39cb41a157240aec0b9539daf6a9324cb607249f94627c1d2090e1c9c9b3040cc72d0224

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
109KB

MD5
bd1da471c5a1e5aefb31a06cb990d39e

SHA1
7249d8219adb2c9aab1a43da92f9373ae06a925e

SHA256
d256df493e50689d173e2eaddd14be2c7221aace000ffc9b5270b502f3474095

SHA512
73adffdd087527c6bd43b1e122dbe3f723f161243a7a1ed7ae3678abcf239621ece2f80dbafde4cc57f2ca7293f46806d54ca062f28f8cfbb389676db05a306d

Download Submit
C:\Windows\SysWOW64\Bdhfhe32.exe

Filesize
109KB

MD5
7f5674a55b8e1d1fad38f2c4c107209f

SHA1
79296fe89b9682ee99fa1ef5dabdef803d9f4a86

SHA256
38cdd461e5bf0d68764502a729ed8e81f5f9ec0359a46155d962c6f0be68cc4b

SHA512
12127b8cee55e5c45adf3cd8bc6de3be3c81419803464543a7086b33ed908a0bd2bd41bc7790fdfaafbd4c7ebbed0fa4c7c26b166e73b2d28ee6fc468193b4db

Download Submit
C:\Windows\SysWOW64\Becifhfj.exe

Filesize
109KB

MD5
17a3f2cfe1a676ce5ceb283f619d37d7

SHA1
097954d64405a21534f17cc2f824c1a153b3aa01

SHA256
dc1805a450ed16f32917f6dbca17727ff41899081203c1defd9b35ac3571ca40

SHA512
f3fb4176dc14930648ed1f44862c4d64b0fa52d2d812e680d062a6bfd52925e54a76ae13634e72270d18cacc24493f351e3475e2e045976b5820f4010972049a

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
109KB

MD5
588e12b9b71babf78ca955677e8a36e5

SHA1
08d684bec0048271fc019028dc7cdab37bdb27a9

SHA256
05d7f8ca47c286e0c81c14d7ed11507c2a3187f8dd214e6d033f712f3116780a

SHA512
0e52d517bbc919f3625f3ab93e22f5feec7dd99103c926c4de0756d7782d591e1ab6f2e39b7faa4c423102c2093a79c5b49eb154fef3bfc5ee55ff7d393572ce

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
109KB

MD5
58714634e33e184da5598bb0abe88f6d

SHA1
24cac0434716c02c0d737fbe8db5d3d61d0932f5

SHA256
9a3052a75daec4219c9560f8071995335a1f945cee3b8bea5dd6d7ea1bcc5a2e

SHA512
b1f3ac502439cede58a2d360d1ce513f868be86f249465ff85a07481b0050c1bf3faa212143be4aa7ca4beff404ac3d4559f4d3890b7b257aa6027054574e5b8

Download Submit
C:\Windows\SysWOW64\Bhkhibmc.exe

Filesize
109KB

MD5
8d19bf01f11c5e8fa91a201d2423f08b

SHA1
5e7fa764b21d2f45c1394a2a1744c82ad77e1370

SHA256
f1576d044209d247244a0fab8b9b41c3cc7a942786aa4b19641e28076ac98891

SHA512
56fee7b8a2e348e18e9f3dbb72b553d75a61ef0bb58a468754694930df5f51e39b43fed41840aedb1362aabe0519bc5d55d49a295baad5de8bd023fc1f617264

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
109KB

MD5
506d5e163055e42ab332189eb75b449a

SHA1
1e07f3bb29ce007ebf0cc1cf740099367cadee83

SHA256
c37ddf3aebfc6f41801e8186f0c3748828238799dc290a4bead22927a1b13901

SHA512
decfcba93bf6f8c0f157668f041db8037a2eda8bf63e1281c8e4daa27281f60ae22f1dc4adcc2fcb10c6af795b97ab2d9c3cef9063da6392233596db75560496

Download Submit
C:\Windows\SysWOW64\Cbcilkjg.exe

Filesize
109KB

MD5
8fdc19e21359c30d50adc9c3cff39124

SHA1
32da3607edc8fdf900a4896fe59a861c68b916cb

SHA256
62e18cd031725f9ff8cdb6fc8126f5a5740f59dbfa4a4eed7904f27c352da491

SHA512
9cceae1518e18d54bf9508c8965ff5f5f1918fe1060a358f69b206616aff7a97606de9dd41c90f86e0230089ed8f4e0f2e560bf9606160c5a37303694faded8d

Download Submit
C:\Windows\SysWOW64\Cdfbibnb.exe

Filesize
109KB

MD5
e0144cd08045b869a428cbf74d659c4e

SHA1
cb9e681e1dfb21745aead14d706832159046f21c

SHA256
7dfcc6823c4da489a2b061c1cbf751d913c52eabb8c27d0dfd17283435509a03

SHA512
091a211a928f120599500b0c640ce2f5aac8788e905468238330ad43a6f931992deb1fbb9e5254544c5908e959c43712cf520c5048773dfeb73b581d1b3c1f62

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
109KB

MD5
de0e3cebb39a2e997a95ff4a007336f7

SHA1
3f65ee79b6a79b94ad7304628af61a376d2a8af3

SHA256
5a050f93855fe82cd16bf0e93b04745dce4df2176fc7ac695562d203f74e35fa

SHA512
cb7fd125355baf7acbeb89143b9098a5f2e85e265dfc519f2bedf29085583ff9eef82b3813edddc308078500a5e0e3902a8ceeabba121f7a130968b2489b643d

Download Submit
C:\Windows\SysWOW64\Chdkoa32.exe

Filesize
109KB

MD5
6a240f824f3a594ab153c0d78a7230e1

SHA1
daceb03ec6f9d1064f03fe1e9bb960b50b3b37f2

SHA256
e2b5ecab241b5db9fa49aefd8b64166a29fe1695fdcb3eef8930a24b8e7dfa4d

SHA512
05ee814dac8688674a5649828c6ca48aef33cb5ac43c149b5133bc77c3e62d9ebabd766b5bb25952bbd27ffc42cbb1bb7a3ca94ec827564012fd34bb74cd7658

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
64KB

MD5
4642f48708961f471cf7c86ac6d781b4

SHA1
6f2af9a700bb07ee93900c19dbb2971bbd506d2d

SHA256
e32efad3a4c5c49883b169df5349336724147cdcbaa1ddfb5dec972bf5cf8b28

SHA512
2de07bba1637ad4f37212098719ef6ff9422ed0cd328806216a7a34e806afbb4c4d8ab18160a4cb4969844b3ba949eb3006bb19f467ac9b5fc2b5e0a40898196

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
109KB

MD5
ae583be428334747975b51afd0fe0379

SHA1
c503e11a7bfa60608dd9d8a4786bc5eab56172ae

SHA256
31a5a3bbe2a20bbddb9ad7dd12b9cf48d466fde71417293abd3c052fc858290f

SHA512
69bbf6efc31b99b832a88c9e723f34cd5a8c6e92f8b00e414001cfb9287142560d1741b7dfefb47843cd5c3a5025b9e9f2ecaa18ad885cb4de037595f8fcb7cd

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
109KB

MD5
546305b36281de076739e60fd337a9a6

SHA1
bb64fb883a60821a6c68cd22ce272a4209dde143

SHA256
d9b860a48367955e15776f64e9e8e74eacf1e551f9f6e368432f3e8a8ac3fd1a

SHA512
ecd96cbe4383e887a1cf11ff3c9349f3c7e375960bd50d5ccd4e29437d001f7d70a358b5363835cd584a1410f02a2cb76df2d8fc23b259ea35088908e2cf0adb

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
109KB

MD5
ac1a7d07304e8e61305e9ee7d5cfa1ab

SHA1
76be38462eb30f83fe118cb3c088f2f86e57ff54

SHA256
9582f37f49ace6602189badbac1513fbe590717a76255eeb93add260783ffd9b

SHA512
73df19f6a7723399a201e5c1920c92466f73a302d89044c0bf745dfb127ce2156dcf1d98e9e9251caa0224f7febbc9d16adffce8a6a95b994160989c4e40bc50

Download Submit
C:\Windows\SysWOW64\Deanodkh.exe

Filesize
109KB

MD5
df3269226b35bd8895dc4cc3fc955f0a

SHA1
bda942da4bbbbcd2aa2b34c0b399fd77bf15c4ea

SHA256
bed0d4b8b117452cc4827d4da973886af3154dd0af4f8841389efb698d826859

SHA512
0ddc40b5c9ecf05f73702eb5d5665dfb882e83bfb059b7f77f60d1645194710d00aaf379da6215ec34e9d45744125e380d24822645f3210f3de6030c88aa623c

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
109KB

MD5
4638c4287267feeb6e53c97b2c5ad687

SHA1
123a9b98904716e15f5eb071df37d310ee3e1017

SHA256
ef5e3ce650c85419592fd5b9bebf791a7a64c2db1230e561cbe99784a89a8c37

SHA512
8bd6ade2a707859c1d2615e0bbd47c08fa954e4e71a49fc2ba096f10adeaa33cb4cf492cbbf20eeff7f54737cec6d00d288a18116e1979e2fe418c714c9e9b4c

Download Submit
C:\Windows\SysWOW64\Dkgqfl32.exe

Filesize
109KB

MD5
bad6854abab9727e0945df2164b86bf9

SHA1
be2fa9b8cb0a448834bfc6a3adefd543dbb8db00

SHA256
29026f6b9c00f7e948cb42ea91e3f4db7a60953edbbcfdb4e9f7330d55ebf772

SHA512
2a2ddf4e1b621d8430c09b56ac93a3e14c1eced0c0f1a6c8da6f58acc3b11b658d2a1ee37197a205472364e046fe1189484a606f7bcebeb3a9f484582b9e8df0

Download Submit
C:\Windows\SysWOW64\Dkoggkjo.exe

Filesize
109KB

MD5
5426a313bfe25efbf9c4a083fb6d8839

SHA1
e9c2561744b25bce477e41aae82b733f20e54472

SHA256
208f57c0e6482dd47b50cc60f9d41b2fe42f60a449e622a54bf385c9afb8217c

SHA512
a861e3ca8591ef572e7e5792295e8323332cfaca1ffb927d5f3075964c0b4d5fb85ae5fa59346674ff0534a096a510cc2bf937f0ae7d041aba095fa34beafdb8

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
109KB

MD5
1ce94df8ef3893e355a1374ff91826e5

SHA1
bfd7e9a50f570714988c704c4bde1f0e2c0a8260

SHA256
59e278f75545ea6387333a43a6e5d6f4045e96bc0a3f7fdcb6c815c5db7acd8d

SHA512
63d26f8df9985317ffa2a07c2c3b8929dad580d86a2f5f19bf3e50086321542857370cd99a75511a70b9c10d2960670910c7980b09917fa8d09685e2118b24f8

Download Submit
C:\Windows\SysWOW64\Edkdkplj.exe

Filesize
109KB

MD5
6eb27ba2dfd5fa0ce37a8e6c4b7b69ab

SHA1
683d2f5edb9150295640d5ca79aacf0e62f7306e

SHA256
f95cdd13ed40b3973a20679835707efce648865868cdcefcaae5d95978a2ff0e

SHA512
d7efd21c0da6df3c8baa22c9e272b22bdd54aec4575e2dfe55ac1e077979affff08bcb96c5eeb729dcbcee12dd56c804c57e6d968273ce6529defaf8feb7261c

Download Submit
C:\Windows\SysWOW64\Ehnglm32.exe

Filesize
109KB

MD5
0b049a404e6995f78300b5208176b7c7

SHA1
7385574d6444af57499766fc2822da83ce8c6b8c

SHA256
86949620ad063619d5c7cad5ff5c3e903c2fe889f634e3858c56bc8dbf18b787

SHA512
a9392b292b666963fd95b09d8aa0db4c2c7f0623703481f6e3a87fb3aa68a5b16691b8c92e834e3e79db648c26b1975f6540936634955f3898c6a4435bf13e89

Download Submit
C:\Windows\SysWOW64\Ekjfcipa.exe

Filesize
109KB

MD5
3a8636d12c4e6541b19394f96d8a3221

SHA1
3cc8a955c9d3246361bb116c6f8116af068c012c

SHA256
dcc9172600407ef8f3ff69a15247f087305c71aa0566be42114997d4eff17364

SHA512
dedecb55ba7c9fc8124e6ee85d554a3abd01be8366bff6bf37097a79cba39cc072a463411e32643afbb0cc0cce05546a69b41930f1496f734bb9651d6b95bd21

Download Submit
C:\Windows\SysWOW64\Eolpmi32.exe

Filesize
109KB

MD5
5f07e01b9a84d5d6c09719c71add6129

SHA1
27c1a640c14d3c5ce3f65986a126cc4c6434653a

SHA256
f14e05d38c4e79078d35d7e3708b18795aaadc21db82b6cac41ddba6d260743a

SHA512
d1f1f3f3779f828f158434afad7bbb2b20239d7b4fda95139675db9ea2840b7c1be61ae150aca1b3c228a68ac2f62c2c98d0c65bb0ce680ccd0d4a9b364f844c

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
109KB

MD5
ce58a01e81533e4ce7fa7133de8308d2

SHA1
953f6b4217614a9fdfc2995865e5960f6b943e5e

SHA256
b0a7c6a977443926b89ea7ff8aa1859b2adac0c695534d006ccb1d3c330973d9

SHA512
2215b8df87bf7a6ee001f0f11abd5b9de5e62bbfb3d458cfd2a2470b03bd94d4b76f3146acfc2243f3e63ff785d36d853e1539483ad4863c650766170dce5b52

Download Submit
C:\Windows\SysWOW64\Fcfhof32.exe

Filesize
109KB

MD5
cb7d4e2d5cf6535cb62722eb94c42006

SHA1
c6b582401c5f4ac4c0cc7135aec5252e92a8597f

SHA256
4bd4fe1558c106f5a706ecd46aed244a35de5bf39a3b63e12f8db0170eb4ce32

SHA512
124e7be0710054a3b7295cab80959ac538d555ce4cd5805247ac852be31e727e6a6bbfcd1fc4442f076f7061cda1bf717e9dac206ffba689b0a8bc195bd0404e

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
109KB

MD5
d125288b922a96b78a62939d4c70d16e

SHA1
38ecd5826eb01d8c5cb133c05971768f3f6d62da

SHA256
782ebb3d2efe450753f6d49412e74251bf20081d25443f3919a6af6197dd5893

SHA512
1f0a9552e711de4d14cfbc4db63ebf5617c61e4054552389dc7077d8d792fc9119fe25d5c12d2ea13fb74e60e7789d794c88a812c1d096e46c6686cbf8224e3d

Download Submit
C:\Windows\SysWOW64\Febgea32.exe

Filesize
109KB

MD5
5e37400162aa83f51e8ca193feba42c1

SHA1
21428c4e84c1bc94137c08c363b46af907b183dd

SHA256
4bba77d974d71b4e8af25848f10d005351b391af9484cc00734c2c693c220a20

SHA512
b039f43f1296b2808a6a6215680a278eb3ac8f6f998efc7c9b6dc802d243c074c5e382fdf899632551f8e95ba6b5b8038bea01c62cd6564939c5f05805f83712

Download Submit
C:\Windows\SysWOW64\Ghlcnk32.exe

Filesize
109KB

MD5
5847aa6baec952b2fc06b2106a3115b8

SHA1
bf26e435d747c45052a4f7dd198f954f50fbe477

SHA256
27cb8a295f3626db9765327443d33d2df12e4b5920bceccb0c292eeb970771ba

SHA512
d20a8e2d42484dbeb0c9da48dee58fc3e7ec8cce2ca0d0493a2e148279205506cd1d7b4bb30ea0320f5552d4efd61f5da3cc5c4b181fa332e0d763f91a4b2927

Download Submit
C:\Windows\SysWOW64\Ghopckpi.exe

Filesize
64KB

MD5
4bf30db25ae0c703ca7062806f869807

SHA1
680c172b4344f415f1a843e6aca8a1a9ab0cd338

SHA256
e67bd03381f9a23a021baf760b4f8c563d4509fb07fa177bbcbad3d0ccefd5c1

SHA512
3fc7f73b95b35417fe962c3b702bfa43bf866cf6155063c4d0ea8f2b685fa481009c7a654b48cfada299cd9c4eb79c9eb686ecdbfe46445a03332d51409c665c

Download Submit
C:\Windows\SysWOW64\Gicinj32.exe

Filesize
109KB

MD5
af7495a07f2016aa15d3f00a2f1b7412

SHA1
a228c09cf2092dfcf5f86ad15df7b250f8d8533a

SHA256
b276d067e8609bd97d255defa4100a61e82d7286a3debb8c989ef6c50d9f99b2

SHA512
1a1f84e701c3f00c1a7983b4d955a40c5f41604d18dbf58cfd80cebef5be1649b2c8b747f26af7972927eb944756aea7ba56e4ae36a7c66e3e202fdcde91f7b0

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
109KB

MD5
2b43bffdc03ef922af93ed4c24ef48d6

SHA1
5a3e41b617c484ca918f87ecac784e106f930a6f

SHA256
ecfb4f52111cd5c97919a9ebc53a53d8204240988477150bacc7b7fa3c07f5ac

SHA512
e977402c304ba0da9079df000c451988ceefee5b4ec286274aa2f2db57527221d5a6456412e03fa1c7cb229cc70f14a070dbed47d145f2699629fbce78dd3413

Download Submit
C:\Windows\SysWOW64\Hkikkeeo.exe

Filesize
109KB

MD5
d9e7ee79864ba5a3af68cbc18beb79c2

SHA1
fd42c240d740ade34116e132b0d35ecf951b175f

SHA256
e54a6c08a864b0b83ccf54019ddbbcafc2510c00035f669115975143f18b712d

SHA512
65c59518fab4640eedc57af7c533b0fbd21031d9ebcbc39ffaba8e28718d3948f6a5b185aefe728f8948e951acb36ec46cf004a4d9b9dfd5867546dcbfdb4ed1

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
109KB

MD5
c0411cd42cf311b82c0271c489d5da04

SHA1
cde1a7a9fc583f82132dedc4a2ade27a845995d2

SHA256
ff064469b59fde84c9f37080212468a40345ed2c64ff1a31f51d3268f59f19b7

SHA512
a7f9a59b1d137a79932961260ba0fb8a3b759ef5392b64b3c7332e2579930b9dd31a1b3d3e369ed9b112d58a4b69106ee3c2f361d0afcfd34b3595e570cb97f4

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
64KB

MD5
f8c61af9665a70762fab2f23d362c5eb

SHA1
65b757241dda3310e6618afe82866abfa7a43c2a

SHA256
5c5fc11a1a38d917f9d4fb0a76f1a687cdd3da01ed93c98c6ec3cf438d930b44

SHA512
8b9d5c7c18499b72a3ee79060316e42ee87b7ad3576ecb4f06389cfa7563c956c4aaded0c8bdd45919e47ad1663464ac8a9110ca3efff043ec476d088df84cb0

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
109KB

MD5
a2fe50d42631a6237484d69131fd4c3e

SHA1
af327ff873cb832b7a772b22545ed62bc704f787

SHA256
117688ef875119399afe520142f52f53a33dd4d18af38446bf55d15b789cc237

SHA512
1dc1bc9ec23085d178d30cdfe280eb417b83394d9f1715bec85486ec40f866d7ec6f0e1d8dcdbc785524e0c63da3370f420658cd50f8d959b63e2d17da552a6f

Download Submit
C:\Windows\SysWOW64\Iicbehnq.exe

Filesize
109KB

MD5
82d03f7272fa8e281cfe5b33c822b027

SHA1
ec4f4177860645774200033683536b01a128e83a

SHA256
25b5ef84fc2a8c346337741424dda6c6b6d1db05d5622778d8f7675874caf59e

SHA512
594e59972c733d2f127cb2e5f2123e3ed6b87563cbe8facd9f5475da30c9f2030a7b62483f7cd1be04bdb67dc40b84209d948cc4e6af93af816f8f186712ece3

Download Submit
C:\Windows\SysWOW64\Ildkgc32.exe

Filesize
109KB

MD5
062a3e582f991cc74703e9e49dc83043

SHA1
b8139ad8380ab687a410fe8239c518db8657d7b9

SHA256
b84b9af7d269976b94778a50fc7de0e4e1fd588267b26de4f1dd27f4589237dd

SHA512
e0aba4a9ddc20eac036d76845325084eb50233c5522c885ea8c38be9956de4723091292a2cbcdba3945c4cf6b55e099c160b6e743ac3ccfc63625a1c6a7d64da

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
109KB

MD5
5625e3020fe778791729e19ad3c6dbbd

SHA1
2a970e007b4e030946b0292a377b9ae56506d4ec

SHA256
d04c70ebb6241c9986a26d2638bdc131e031b47bc33e4728956b2a3fdb9c4f2f

SHA512
5e82f2196e9d9c02c35abea29ad0c03d8abfe7afc021ebd4cc015df853f8b1aedb34ffb2ab8340f2158267513d6c22a1e4b84a661b882947aeb26920ff1bbd9f

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
109KB

MD5
35608b3f1b0abb324c439294aeab60f9

SHA1
3f214d84e952131118bce0d25cf19c0c106ef3bf

SHA256
41f5d2540248738fb74eb1dd462178a2849f030243dad53a5de05d48ae2a2b75

SHA512
d863d014cfbcd58dbf4a2bfcbc4b7d0b4a5cc786cd89de0fb24640efc4e38437a4438082b9165f930315633a379415f184e5ff01b32a68cfd3ddfd311a7042d0

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
109KB

MD5
a5af1fe36b2f356b3e020f992f65bf05

SHA1
06b3dbc34f3167368abf49d035e7e96be3c558c0

SHA256
bbb8392ad06d859969486971dd7235200b193b2d5f288757b8e89abb79945717

SHA512
0fcb2fe901d5aade2aadf74dafa90287df12a8c963cdb9a8567dcd4c00082d5f9c878e5874b4a8b7b59774115b36d37692016be2f7462515585335b8e7864776

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
109KB

MD5
2a85b3bd368c38eb75c53919f7e7dac6

SHA1
1c3f00323e0bd250614a5a55bcfad8a54fd698c7

SHA256
9e94455e9ea68d832613ef8e2996aaad11ebbec05f9f2cccfa29137bd0f91dd9

SHA512
1301706f33e4c325a56d6bc87b257bcf84d298f3037267cd9ee45d018ec63dd896410a82e745ef08a542fe68225a45a15ac82f17d811bc5fc63b65481681d6e2

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
109KB

MD5
d7114b636af2eccc1b988fb4b7895f5b

SHA1
03e88a7944f30c9172a648c216527138157e3f3e

SHA256
bb5447233919511f61c26ab2bf4c3c397ec645fd52ad6f2d325ac8d6c8d9289e

SHA512
0b8c38ced74b91ce89ef620e4aab1f26a1c5fccf03f3f5e9be5b24825a7a6e41f2bc17d3dcd95d1aaaabdfba4d0dd6806fcef0727aa16a59b7a8a501142fc476

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
109KB

MD5
e2352fac8fe396a44352059d4943db15

SHA1
60cad880815e4765a22986b946ee7baeadd00151

SHA256
44da335d592eb14f58ebd1879739dc1a786bb56708a55d6986ceaa6ab83e9a94

SHA512
e46f0feba8c146fe46bca3ded4c84f0fe14a796aa67f666eb98c743f0abb2110e4be12b7a23880bbf0bd0f38de7f10e22d7212d81b808671cd74e2f147d8584d

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
109KB

MD5
aa5a5a7098cdb3d73ab864c1c28d977c

SHA1
7a7956e5b08e49ee53e03b375e38d054442ef65d

SHA256
e32bea07cdc367f3951a1b014ade1cea9a92536a75d99590b280f1df8d2deeac

SHA512
951be254543a1cf0e8d76edd729aa1e88e42d6d64c86cc392d5df7997b9409c55d5522b2f64a1927ea1e7696dd1fe24f263713d293b879e3602c3485ce9408fd

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
109KB

MD5
b2a2bdb103b80294869e5686e6a391a0

SHA1
34438c8e3e5fdffaf3f5ad3f65004f0a859c9979

SHA256
0a550fc7a7b83e82b32842211fd7d1f7e5d835e6f60da617d39522efcc3f1421

SHA512
c3db03bd27b08e865d9c1d651e5a895ebd86a0ccf97c7bfead02d66a7f4e8f887a44056dc514128287d22e4af33afbca3626a66b6e20f64102b307278510666e

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
109KB

MD5
ce65f1c8f3b473e94e47171c9d85082b

SHA1
e2695f4b3e88bdafc26569804959d4c35ca1c3a4

SHA256
65611de7aa250371a20e94630dd44aa29ba5fd8e71d4bc385800e34792b8285c

SHA512
b08cacc0b779ed028c8b3878e81dddb5b8e17d07c33a38caa65b5538ae0062476039fbb4b931e41246eea3f725b4ba5f1c82a7af011b728621a92c9dcf96acfa

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
109KB

MD5
6eff3764dae1fb9abb625e6db75a779a

SHA1
5c2923e19e977264d446e244d92a4461dd3c6ed9

SHA256
3da075b3d4f34fa2bb4716495bbb5b78911c367b2599b28a43e54266886b949d

SHA512
038165a0c48d9309afd4fa232baf8d803a7545a340d6d90896b4247a2ffdf07fea5ebf8c860c80fef233424962defa82495f30d27fd6bd7d253fcd0f994b5a73

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
109KB

MD5
df62fc073239c5976ebb0b95b3432551

SHA1
bddcb2a6f1c33d9627d217de6e0a476f8ad58189

SHA256
4c68f3d57a49e31cba4081dcbbc8d050e812161556740d76cda1170b0d411313

SHA512
70fe948a459d4efd520b09194db729c347da8030c354a4833c2cc9caa3a473662e291e2c2879fd5ebc8bd29a89e2595be8d709ed9b172013055037d12762ae92

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
109KB

MD5
cb595a3d87c16e87ef37590764e4fa87

SHA1
16fd7b3da7bcfd03588c509272f04e401bc682ec

SHA256
d0cb729114b8908a892274577de856ae59f16433f2e99ecbaca3343bdb1bfa3c

SHA512
ccc96998459bc48ad059d34152496ea8b7181eb040cc71694478fbdc58c236ad0e89ea65a7807cc3636e4dbe09e445a7d36aac6ae601a034ac77ae851edc51fa

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
109KB

MD5
37cecb135ca11eec936357f9acd9d9c7

SHA1
5d1bf0553f7bcc4d1c68bc010fa447585b3d41fc

SHA256
0ee59cb597076331d8ad7b13cd2936b96b2b03e9eb1194e303b692a298ace547

SHA512
7e88844c265946afc165140970f07e92c1de2af82879c834737bc331a840198cfe7a15c04a753668778d23b71754204499bde37375be214f3be64b26bc3ce0e6

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
109KB

MD5
eda2a035ee8f489ff481bf314c6fa823

SHA1
44f808c25a6729f4b9bd535173c71dfb1d7fed70

SHA256
0c2c2ebebd324b3ab29711a71109ca87588f2eab3d97aecd06f514f48462c9b8

SHA512
a3a561223b1643384961f91f24850c1f9680edfd2994835e1b9ecad9fc751a5c50ccd7e51a09abf6e84a19de7932596ee381601bf2ca40aa199f9484c0bc36a8

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
109KB

MD5
b9ca87c0035a4c9c6294c72412a4cace

SHA1
010b420a7050663cc1775dadc50bcc60f7d8cbf6

SHA256
7a4558b57f62768cf66c4fe78d57557976a159672a12cc5967a33cf8fb660e6d

SHA512
5df5fc0f50ce6ba0ff580f44cf957c37901fbf4edee395603a7453d5f88200f4c0fe799503221907d62b5313cbccfe7b0da8328f3b0663645e7887d787bb95d0

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
109KB

MD5
efa749df89a9ca2d0347e1b5e9de1fed

SHA1
549393b28df8d5d55e6107edccfe10843a43d265

SHA256
94da9798ba4ea408138bf79a5b01d63f47ffc645c27f69ead1cef153d8e22cc0

SHA512
548c3c61fe796e95415201992547e34f2e716a3262a6370616286c2cf819b175a7e1cb4b1f53075e462bf4a6023e790d5d0293146842215aa11a6f5444507ddd

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
109KB

MD5
cf1c35397f28cb6b0e2200b33e92c4cc

SHA1
fca6b5dff5d17619ec0faad49c09f02f44a3187a

SHA256
c0c602c30a6cd0aa4024aa65cf8f75de1af155f24188bb60a347bf5537407b3d

SHA512
f1eb25e4739c874be18bfae0553bea57795d5f92beb43d1f19d74f50574547f4e840eab45f8442bc20a3a47291f7278434853675a2d7ee652b27739d267c91fe

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
109KB

MD5
bc05dee058387f9fd4c9b4fca1221b07

SHA1
dbaf924fc77cdb7e1aeb59b8e9e65c41169a14b9

SHA256
b77109f538cc29279cd5e04dc9032f0017992c08cf5f6b23215e4e9ce96aee31

SHA512
2fe6109e70842580be6d61399823876ea31380c82a8c207d4ad654260d4bc050b71ee3e9491fd6d1a765f58b2b2973a61720eba881329e18a92a47c501e35024

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
109KB

MD5
aaf8e0a1465aad52b7b2a22b7544b583

SHA1
24e7e2926df5346d40179da88efa605db8089b08

SHA256
5f69b2f3cc4b5d4871e89afb9f93257245bdf6749655b9b696bb4f22977e40be

SHA512
87170665935ae126e3a264d9d71f0809c8449dbf137878ef8d769545d6837492edf2d909601f420742cf02c9da1e83666dcafc195040fded6dd83caf7f459ebd

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
109KB

MD5
2c834d5ee6e6cf1db001bf239f4261b4

SHA1
7d0429fc07a802e89146854a74404fc0babf4daf

SHA256
ffce00cda9b34d047f2e2a297ef77401c6ba3b4339ccd050306b0592f5daebd0

SHA512
77058ec9d6930ae3d5519ed8204ed8eb751d38e663b2febef6484f947a02da99ad017de6dbcae5166f2a07e6f7045c7032850b000fee8ad55b47f8cc75baa7b8

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
109KB

MD5
53779c3385e186b10cbb6501b97c1f1e

SHA1
7fa49e4efcf4478e661b76fa79af1097520f9da9

SHA256
fcece14344badad06a8a3c1755f419591dc3b7eac41b37bfecf60032312d1ee5

SHA512
0bf972bb11246ac70ad7d53113a431d32ed729d912d7e64e2c743381136df394d947a1185dacf18695d88bd6235a675e8cb0c2fb115d2b7fcbee41bdc5604fc5

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
109KB

MD5
1b4dfb0bd1b95a377a9175ea32c7b020

SHA1
1df26e696459616beed777c06062a0fc1c993334

SHA256
d480f5e5c255866265c39ca89e914010a3f2482024ad79348b1230b4e51f0a72

SHA512
9a0d86b1d7c112fbd1c6e3ecbe43494ceb6dd2b2c193e1f688387a1bfe437440528ce94aae9bccb8ef98290fcb98da69fb3522d7c9764849cc9d72626032654b

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
109KB

MD5
803bfa0aa68b4f8e9d9f6842bbd9cc40

SHA1
0eb98fb482161de1acf4e6b27f00e2ca9cd5218f

SHA256
3622824e10959b801cd243824bc886a6ea9d3b807a31f1cc10af1e7e458567f4

SHA512
602cf604932802fdb245ab0ce2a1d840ef54ec2e0ad6168c42a22e35af8ac99be1993659314b519302b533c29c692fb23306826c0ad45a74e4aae06464b14724

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
109KB

MD5
aa0749aba8b8ad4d2e556ff00a40337d

SHA1
7b4a2ec4dbfd85223051f462d5f765c66299dc3a

SHA256
0577773b18d698bd058dcd223505bb0eb3ad9a6770f7cf5240b1a876aa7594d5

SHA512
f24366f2a1776ce4c79c80e2de73216973ce19784f386c189906168b70ed4c6e51b07a8d5a940546e1138123f4e5dd11ea37110da1eabb9f57f530b21d26b73f

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
109KB

MD5
d0e759685319ba18c3e8399d986298ff

SHA1
fdb0692763323a936f04728c2d5548217555f3d7

SHA256
5dce5a908d4dbbaad9b5a785099b5c8ed8d24bf24b68d424d7be1d3f463f3882

SHA512
cfb9c8f43ebba0027af38053380e82ccaa28cc688dd7b7dd93c066155be2448e128a4ed381ed825e2b56c2c759cb051f4aa1857b327f709bd406671884eb27e7

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
109KB

MD5
9c7e095d89308d60726cc6f99e8504b5

SHA1
910ea41e839b6dcd093ec402f9d97ae4bc231120

SHA256
cba135017495ad608827cec6be1db8cd760c7aec2dcd31e3bc0935c7397c61f3

SHA512
371f01b8aba7e7a289d022b1f4007852590cf417f49c2d75f0f269dd80885e127a5f7072c7aec3477d6178e6508c5f39d432745de403877c039464a2a2f8ff25

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
109KB

MD5
30b12944c1ece84741fadb194b8b7471

SHA1
9b59c5e680e33bf7179c74deb7c245470564006c

SHA256
1260b5cbb5942d5bf0eb215a19ad4491a4eb0e86eea4acd3362e395169d3d7a4

SHA512
de34832470b6b2031c6dbaa5f40eb71bf04dd2516148e23c9429e8ff3461055c75cbb267bc0926645d4f98098ce9b0c844414f206b03c83a7016d883b907beef

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
109KB

MD5
c5e4bd39404e1d341fba24f90df47f8e

SHA1
4ed08465b57e92560ce222926f7f51591b4ded23

SHA256
9daef426b1b6089e47d843145ed41ff122c2042cba86110447b23d4580b0c226

SHA512
a18986f9dfbe01f651ac2cd70dc88cf64ca8cedfaccf485794db1c846586e9ef5018d2e23b3604283796d2ba97bd18ca5b55d8913e44281987c7c9b1e16abe98

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
109KB

MD5
c189f7ebd312424745e0a9abac9661b7

SHA1
6d3a585286a3b0fa03c620e806de25d1712326d4

SHA256
c4ee4e40aec0a78a0a35708e29b1d149db49c85a1736ab57b9eefe460a8c481d

SHA512
02bca3bcde326d8be1d2bee4b37ff2a7a91237e72053dfacf272eadbd55dff7c3bcd2c1210929d427be3f9fc3710b6bc791ec62488794d9dbbad18c38c90b5e1

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
109KB

MD5
3dc9bd7a4cf5d461ee86c8936012f896

SHA1
edad9a79d07f9ccda3cf99f974e5897c37bea078

SHA256
c491548f899605085757521bbcef37e5a093a7ffc44bd9f605cdcdaa4a6a1a08

SHA512
64a3c30a3e9d5bba9d781971caeb6f061e2e5098e511359c4f8937acae02de2f5c52b34395359176d03c9b9112c77bf6f6297ff87615ee16f82fa4d56d34d264

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
109KB

MD5
c6347c531370c61756fe67f5d86f9d6d

SHA1
b317aa5c2d5ed543242608a487ac0628da76d9fb

SHA256
c89935253013772823a60add990ed4b7cd3d2ee2c6cef2b6f6e36651000e5ef7

SHA512
3b8ce63805f722aa786936c3e00001acc4c5d15a4fda137a53fa0c5d4151678a4e912f63b5943ea528582a638dbef2a49e7f6b4027ed23d0f44e180867496ed2

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
109KB

MD5
7e2065e9f4728562bd64cb0819c9cbb1

SHA1
a72270f153fbbc27e604f01a25cc7bac1469cc72

SHA256
8b62deded31008665bc88e60f317803b539bab1ce933271f60e709ae31e80e5b

SHA512
a8f6e8ad4fcc3ca90ff71523a266987c2272d076bdb3cbe16e29ab0a41769d982f45d0df85b630de8a435aab9d0f06fcb448b33ce383a4a45897f4c7ecc4b5ee

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
109KB

MD5
2470ae89aa85129d31947055883afbbb

SHA1
d88da44328986fd537d13f0c69234a34012403f3

SHA256
7837dd9ba581d4b441b19056372912035912bcc16d0e943b12f47f68e3ae6445

SHA512
b6d0aa57cd5f1220133919b72d1ab1288039362bd5bc144fe6d5ddf4b03d37627193d2f889c8ed03b59c028ad2aa95da6792c6193af1524283a7da0044170d01

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
109KB

MD5
591e4da374a5ee98c231cbf2b69e9060

SHA1
e1c079fa323cb023d04cb6961bf1d9b6bac24d2d

SHA256
852390cd61c71e026cdf58c30e08eba5acd160d893a823b9f654d02c643edbce

SHA512
c04f69892225bc1559476b336b076c6c2b0522e452dbd85cce05e5c461286f2657594db5d3431a3023bab64652781671955aedec3661757730a3fb42d67ea5b8

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
109KB

MD5
6474a0cbce1e67702ea7881f4f5ca5f9

SHA1
3246dcbfccba50c6b7af622bc118ea674b69236e

SHA256
8788dbb5ee7e39d5bb4b99dc017b04f458c55144cceee9f5da28ae7437b35fae

SHA512
4e8034272ab6ec26fded8734804219596d760968276018f38e78d289f0244596bc9210236eb500fd51f184162b8eb73cef86fdd935c6ac6107ec1d4d47a72227

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
109KB

MD5
5d93043c0b7c29aec449eecd9bdc3e93

SHA1
e260b8656ec2b7bd483f235078c1802af0241b8e

SHA256
9e92b8862189ce97242681ce5a9054a7265d2a2bb3b6603bf5786c6bf8612e4d

SHA512
b2910c807a63fc81754ced02e905cbea4fd3b0737c735aa75bfff100cf9a87be9d096ed24c941b0c9bb469b2fe51674b7d9e17f5cf0be3e6ce9f4a53b1ff1baa

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
109KB

MD5
8c82401366cfb2afaf85c1039e22d39f

SHA1
449c4242ca0b44fca7f0bf07376427c155f909b0

SHA256
a1a00b4118b608812a94b48d49d692b682755e80e719cc27ea16b16affe673ed

SHA512
0d6b2c9dbba4680f1febe313f4916800652e49d136d3677dcc40cffc3d28c0ae67832184bfa6d4f899199e98ad08e85758bc29556bb4519dc0faf66801033267

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
109KB

MD5
d4ada4e9a0674c90ae7486c15789892b

SHA1
740a56e2fec2677a9f906dc4991a62b24e615ad6

SHA256
5e17bfe340122fc73caef7ae75d888f573c2733f9d0b29ecc408ed03e36e2423

SHA512
2d785e1d729f15bf5bd40edb758c7344a229474bd3a66dc0714936d427bed1bf906608415ca9717657805ca3d8187ab545dd2ac341a34ae130aa2020732cb396

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
109KB

MD5
2cde450c4234096f6970fe27bf5d90e7

SHA1
5fb293a1f79ed2911b62538cdab235833d594413

SHA256
d23a8c57708698751f1be77914d8155bf7ded890ec2d99366cb6eff10376ed72

SHA512
011e69fa492b9c5921a1fd87f1ece1c350abda8f8de4f5e5d83d11eaffa943b09565391d3533ef7b813b1ce32c66b0c154b61de6126c43a6927e1dd26c8f5ff1

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
109KB

MD5
5cf0adf4290bb445d28f3dd0049c99c0

SHA1
8fa66729971e4e4368f27df09758821aa516746a

SHA256
1dec52b68a3d447fa2fc1cb6255822d2ea4cfef5446dc53c3872a0b0cd225d0e

SHA512
859298e957db851607e6b4878120a8c4ea3a4d2cec95c953ab5fc613f9df1e4f17d01dec6770fa053bc3bf5da1ebe04d64fe621d54bb3e32efbf360b39e7b888

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
109KB

MD5
85f3d88d22520b111434f3038fd87776

SHA1
815f013ca3222e2c2aeb1d04ba2a645b3aa2a4e5

SHA256
c432acfba9fd4509c488dde3b14904e0b8c2cc916106d8d8d0616ef03e786f19

SHA512
5f99600258ac3ed88a32b243aed285c89d2bbf298797193e17399e7401a6a11d09d437806d55b538e167d24ea9b7400ce1beecd900b45ba5fc54d45f3e456ef1

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
109KB

MD5
debe081222bb1875f32d293366e57eec

SHA1
0ff3031b3a928dbdd087fe7a973c59262d1e64f7

SHA256
ce7fb3148a6c716c8fa821a0497aad74890013ab04985eca81e12788577c5c0d

SHA512
94420c5480955145621f7ee877d38f8a67373be7ef6d82c71cb78bb164c71ad720ac0f39d2c1ca7d809101cb67a5819149df27c1b3b6ce2ef845264907bc83db

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
109KB

MD5
36632fc8a62f60849fd45c9f996da64e

SHA1
f1d4d3077cd1df95ab8dcb40502724bc7fe3fc03

SHA256
ea71fe30fa7b612af951be584d6939c4cc59ec0f2928926b8b8593c0051d3024

SHA512
9ed307c7e87dd32e064073bf26668f457b12225f65dc7f48b03faf2f7f0d16f84238040f3104e0749702bb990e48e77adf8a29cec4ba2b9bd6156de45a5b87b0

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
109KB

MD5
1a3143dddc1054880cf0cbc486efcc02

SHA1
41bd04ced2473e9b6b119260527a641e462550c9

SHA256
3853c5b47f0a0ab21090f83123752e87cf60c7e4b7369a38329e52ee28cde4f4

SHA512
bbcc856ec619a4a003e6f58dd9b2373c43ca8a79a9ac2c5bba216a6310feb0d1a2591f47f0f61aeee2a141dfb3620da433b7712a0c4314bf8a7a5a4cbbda9879

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
109KB

MD5
aaec671418cfcc9785261018066bb21c

SHA1
70c2231fb8ad9a89202db3b65de2dfa3919a787d

SHA256
1c755eaa1016fc1b3ceb309c0c7a354e9e0aca608fcc001a5c074f37c3efa1a8

SHA512
3c9396326cb1753f1ce4f844cc51cc73eda3101069ca3d1259ae1c36ac1c5cb897cf760775c8ef9d9efca73be08de219177b9c94166c331b7a3b2f51ce8963da

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
109KB

MD5
26b9be9ed16cb1700668dd95d1018d20

SHA1
76022f5956588572eefc8fbb2d9b7f5027f21bea

SHA256
269b78b49a0440bcf571f8450e37806f1c863923da1acac9d992a8bb4986ff37

SHA512
37073f1799017e1211b04b08e2de5c5d8bded6fbdf167a20e802530c95a233d5cddc5ba5ba97550b3c2420218d04ee463260517b2c94e9a3b23a75ffffd41965

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
109KB

MD5
f93de46266aadcca6ff521bd72475f74

SHA1
a63eaaa4be3934d6c0d3acfea6aa01d55d4ac177

SHA256
a1c8b2ff05247e9499514d93d0b7a0d870076c09e18dd1a478214d131cdc290b

SHA512
43f76add5b70a95e09c38f68be43ab439592e53cb79b43f75a30639fe6ab30c6c20e27140caec3a7f1e578942453fda0a1a1d9dd4d0098847814edc5ec5bd6f3

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
109KB

MD5
9748eaef88a2c4bbaf082fe32acdd282

SHA1
efd389328083c7a5a72ac592583964479c840928

SHA256
6860b78ccda072586d7a0ee98516230be247d7c1f222c80e8cb094ffaee06bfd

SHA512
ca7ef8877e736683acff581311f6fcc17c0a2ac44831cfab06370f5732f70a1f9177a55ed8034b770542d1c150d5abfa289ae25fcf7c26ac9f7df5639d08ec31

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
109KB

MD5
373cd71ba51665a0b04e6af38eb84cd8

SHA1
9892b4c46478b728546b99567a640e32ff812a46

SHA256
0852aced2300d237303e4f82d6f0d666da8e588335963e7fde02335fe0743d82

SHA512
0a029b811bc19ec4313c81d36f2fd6745b3ea4b00d4399997fee1639c941be6bd3be01a073c917130aa54839d70bad0d67b2a17ab786274d0faa4cebde2e4636

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
109KB

MD5
b2519796afe07604d18a4bb39e3ca544

SHA1
565d4160da1019bb6776e3ceb8c6d69003a0515c

SHA256
4534a95ae2d817661178051e4c66ee3d55e86bd9990f03cba8f54a95fe6d4753

SHA512
08d135e6db1dc3c990855088b88ac33b6da3a55ddaf9c37c63ea23f87e16a07412305e93aeeb350796a6cb15f284a87e099b971a100a00ee4eebb4ba75702ad6

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
109KB

MD5
24b89ec3c7e25f67f8faa12b8306b865

SHA1
0512074eb8b93fec80aef9cc62d998a2bc24d3a2

SHA256
fdc58e886194d61e5b054093a0db71c03cb5a157360fe12d4a9d3039a80560f1

SHA512
ecd63397d82a2d5a231311f72240571b6191f0e8c92a60c61af7041f7595ea34e043f0a666109a4a5f9c19767e359390537dd3f720cc092ee03c4f109cd0510f

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
109KB

MD5
4387100a62eef5cf9da355d8d17326dd

SHA1
63229b73595248a117843042b3815e2af6019b07

SHA256
f97c7b9753a8eb1c3f18ed47552e79b7e380276a59ef6e379525e23e3294f175

SHA512
327128d917b6ddb6929461237bc95cbbbd081403bc8aaf59ad9d6d7e684b42496e7d06d25f4346e57ea55ab836abc696eedad57c995ee223ffbad2c4b93c9d6c

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
109KB

MD5
c04de32a8d06a5cfdba1411c257cc5fb

SHA1
9fbc8475b565a05dc0dcb4c67d6e05edd3655903

SHA256
a64a289f46e02bbd4a9c27e781af13af081a1eb21eaed4ad6da616cff7137a99

SHA512
1d49fd6cfa0ed753c77a028d7ee87061dbdefd010ce711ba4c4f2ab07f5f9402038108e9896dca5dd2d8903b3a971e0c912420017d5929c57bd41325a0d8f1eb

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
109KB

MD5
30f4d50598c63669fcbff14091a09085

SHA1
79b869a39a74f9327b62abb75b4352137a899b4e

SHA256
a22c2850f87b30926ec7b99886e98f386db324f6de0ab8883ddb021d8a8f88d8

SHA512
703c0488f4d26c9c8fb2e5ae8ce882e9e937c5c6a23b919a9a931ecd50270ed4dabb8f531df06bc7ea56fa19d88e6f3bb19110e10655bb8399652b310d4200f4

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
109KB

MD5
7b46f359055ba8452c27703b962f4d77

SHA1
5d58ce873ca4198f6ff3b50c2da51ea5e2cb25d6

SHA256
b71e8d057e3613ce05082472f9e4224d4e5f157b4118348246acceceb59816ec

SHA512
89d75f1ac38d4280aacc8cfa4cf4e289f5a02a92c917e2298856991c3096ee07703e0d2bc2d1db3975a8968e98449c28c0274e3776b660a5c2dd252985006164

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
109KB

MD5
9788ae931b3f361153c522b791be7f68

SHA1
2d3df14aba93b6b3a108841e0a259bd2acf11b62

SHA256
fd6b0c1aee7b7448b7426200ed8d943ba93a30329092519c01ae71ccbfa2a00e

SHA512
a96d4e01f375e9eee6ba113694e439a45472317a3add3b1d61448e0232af62bb26fe37687a87ec7f26d3a4dd5dda46d07be8b08ebb9a5a2d78bb10d8acde9d7f

Download Submit
C:\Windows\SysWOW64\Ofdhdf32.dll

Filesize
7KB

MD5
447c4bedc2a0990ab0f57666eec15493

SHA1
5956dccb6f40f0f4d1209a5d231d14d0049f90f7

SHA256
6c79c0257d2ee6dd941c6f1cd76df040dfdbcd2179004fa4df46546d2f8a8945

SHA512
397a9d35f2a774e0babd1c8e1f7d436bb8f5b9aa4d92dd2e82b8f34874df5e8567b546d4f52c401fc43d6152a563ef6569fa69eb8d7fae7dc3ab8ac32b6b859d

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
109KB

MD5
6e11f3c153eae95da0ec5cfb9f7c6f49

SHA1
0bda2f74c22ab5da07d38bdf6adc34b355bdc193

SHA256
e2e8c4fbe8cf442acdf2c768868b753728059a0ae9ed1e8299aa59c78c82d353

SHA512
d8adbf0ef01e5a78ae7d1b631ddd213d960603546e2aa1d5323120a6cb00f8f682ed848039f88b5770d8c161fd963707f4befb840c061923efea17fe6999cf77

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
109KB

MD5
a5bd6dedc503dfa75309e02eb053245d

SHA1
7536233043516b3bd7b1aac1f834fe4994f98496

SHA256
2883f8f252956946423336db31cc2f8d6b4b582426feee93771d1a4d136b379a

SHA512
8e332032f7ee4345398e4230302a66444984f271f6985a24f2bd77e5064f8003b4e3da52977b3d3c6b8bde87321f6c2a329ad66d54a696a72b553f19448f957b

Download Submit
C:\Windows\SysWOW64\Pjdilcla.exe

Filesize
109KB

MD5
2681ccecfcfcb461deaa06a6f84d7ecb

SHA1
9e0612b05bab746d7d0a2b8fd8c46e8dcc6cfbfe

SHA256
b547ed975fbaa5f3dd60f208afaabeef620dcc66f55cae85ba4a4d12d6a54113

SHA512
7788f937336269fa06c5285e393f97e0a1ca222048c19ed805bf99f00de7e5a928f71720b2bea2c1419ebcc90834cc0af746dee83accccf15f70b2c0ab69de89

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
109KB

MD5
df6dafa5714edb4448039741c9f40ad9

SHA1
3c155fa49b2a0c225b763fbc1adf2eaeefd86a5b

SHA256
a5ee1646ff06e0cb326394872e7834f8e902096cd91c9c271446ff10c2779c69

SHA512
8cca785528957c7cce90270e860440ba8bc75f16ad6e10d0f06fd56847ceba457d47a19f4309cd397e2f6cfaac5e6ab4d55dad198dbfb143c6d51278d355d668

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
109KB

MD5
e52811893214f5f55565f20542cf5369

SHA1
d9521965d36f3dd42ccf793a292761fa96dfc257

SHA256
f7c6158aa78ebbfb8226c09368bfb30b17315e9e463965c465567ffa231bb4cf

SHA512
e9d4c32bb25eeafc3f356cced97872ad92b2e2ac46aa0c34001995e10dbbdd6f75696173100717bf4372c1c41f76c50834977611ca8ccd60aea8ed7bf355752e

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
109KB

MD5
52223a8fbf0371e85af808fcda9352bc

SHA1
947f4269adf6417f3a1fc0551671e21ec46c8676

SHA256
b3711ed9724c07ef8544544e7146e982e7cf29cf13e4dce598e0709068e16ec7

SHA512
26824c5061b84c82f157391526defb2c16ed2c44ccce57d36c736a88767e5ba7f9debc33f3a62f9d8960f0e98fc6053edf682afbbc1dc50d6a7a4eefb80e98f9

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
109KB

MD5
e435ec5959b55f70c863a417638b31e6

SHA1
bb337ad0f552037a2ffc08f978f07f436812eb26

SHA256
0b62886c98dc7eb838cc2a8b792c57bc92d9891f266086e7c6b9332961b57d3d

SHA512
a8df9a1b27c2e2c9d70f2927ec75c023dd18c640efb5a779e755d7f9e314462b4945e6fce517ed1d9d30ab63c45a6faada847752a559894907558a2d082b051c

Download Submit
C:\Windows\SysWOW64\Qchmagie.exe

Filesize
109KB

MD5
2e0e0aea07a0de7eb93fe86ae26d8d68

SHA1
a1286753ea86dc7c7e8bbdbd4cb2918e9fc1b2ae

SHA256
b6dc2a84f2c46bbbfaee2ede03b6ebe19b00358a7f5be866b33bf8f696844a6e

SHA512
a6626170f2df8cecf35d7bc782e98446a7cd05c56135f09ad7094d2b645651a653c5f68e06fbaad89d5145dc32b0a27595496f448e0f97c35e9e36238cf21976

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
109KB

MD5
83ffdeca625f68bac1d658732647580c

SHA1
bf8ba0f555e16f53f9fa86af406d4041f40d3dab

SHA256
622dadd1a6081256bf60f651aa1082eb644b52a80f7a8d91936612368137f019

SHA512
01b6af845c3e4703a005615027f8f9b55e55b2037e75115c47cda3378df2c7ae980ee893f278c13777eb9bbebcec71b2330569f464ae3731d093d3080dec1a13

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
109KB

MD5
b837ded2e8f178466adbe7f1f0bf0d94

SHA1
27b1243cce8681062d25e710eb6d2c5012fb77ee

SHA256
216fc537493ecc4ac05938eaf0df1c20c6ad8e9154ca16a4b1df3b91c1be0886

SHA512
a45980aad4e67f6916914249bcd6f1555e5a74b894d5e54c613bb383cf03b25a5b7b2e180e8145aed74abc97565fc9eb914f6a524758d854cc1c0ca3b0f2f6b4

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
64KB

MD5
df84f6b022319fc82d6655c1493c0b49

SHA1
d9b51b1276d40f1b3a6a840fd96a6ed5ff308c23

SHA256
4c0d903f7c2a1e73c28b313e60244573b9660a583592139fc3f224a2e9c898fb

SHA512
eb5371cec7f0060ef2a7050d404ee1d9b3a2bb9e69d7456834a0bba2364d31e8ab83074794a184fd432fb4fa05978d2ed2bd6537a02cd1113b3c675b54952bc2

Download Submit
memory/184-585-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/216-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/376-508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/380-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/556-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/636-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/644-478-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/656-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/752-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/752-571-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/764-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/900-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/964-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1064-409-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1124-545-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1536-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1548-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1556-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1580-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1708-520-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1736-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1768-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1812-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1856-457-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1876-502-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1964-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1972-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2024-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2052-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2076-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2220-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2224-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2252-598-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2276-191-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2348-555-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2412-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2452-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2508-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2676-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2852-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-44-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2956-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2964-565-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2968-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2968-557-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2984-500-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3168-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3256-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3316-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3440-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3532-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3572-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3572-591-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3600-236-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3624-472-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3736-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3740-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3956-584-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3956-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3988-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4052-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4156-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4276-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4372-532-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4408-544-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4408-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4444-578-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4472-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4476-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4512-526-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4536-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4596-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4608-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4612-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4640-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4644-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4656-592-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4664-604-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4664-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4788-564-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4788-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4820-572-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4840-538-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4864-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4896-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4936-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4952-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4992-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5044-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads