4f944dd8dae66cbdae10a30ba247db4594bd0ecadbc136f6e1aa906110f16cd4

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 17:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ae4d1c2c1798ebb85d8a2d201045e610_NeikiAnalytics.exe
Size

108KB
MD5

ae4d1c2c1798ebb85d8a2d201045e610
SHA1

9deb5a865cda998f408089d2e73716857343dfd1
SHA256

4f944dd8dae66cbdae10a30ba247db4594bd0ecadbc136f6e1aa906110f16cd4
SHA512

1437b43c21803f9748b4a0e6ca7588b176eff8a6d80788426eb677df8feae7d7763ddabd7fc83232b912115cbe87512691a8804bd74e20213d56187aa2e5549a
SSDEEP

3072:dS/KqXIZ/6eHjRjiCUD/HbFcFmKcUsvKwF:dKYZCgjRjiCUDPXUs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjbena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkjmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icifbang.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjjfggb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdiooblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cehkhecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eemnjbaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhgjblfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcddpdpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gicinj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edihepnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomhdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnihcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aealah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhgjblfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfbibnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfoiqll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdhfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Febgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkciihgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbjoljdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obidhaog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clpgpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcfhof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmnpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqgkhnjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilghlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfbibnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhqcam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fooeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcagkdba.exe

Executes dropped EXE 64 IoCs

pid	Process
2904	Ogogoi32.exe
4452	Oqgkhnjf.exe
4656	Ocegdjij.exe
2172	Ojopad32.exe
3940	Oqihnn32.exe
4932	Ocgdji32.exe
1376	Obidhaog.exe
1592	Odgqdlnj.exe
1696	Pnpemb32.exe
4996	Pclneicb.exe
4736	Pkceffcd.exe
4016	Pqpnombl.exe
1504	Pkfblfab.exe
1972	Pabkdmpi.exe
4500	Pcagphom.exe
4864	Pnfkma32.exe
4576	Pcccfh32.exe
968	Pnihcq32.exe
3124	Qcepkg32.exe
2544	Qgallfcq.exe
2456	Qbgqio32.exe
5024	Qeemej32.exe
1876	Qjbena32.exe
1604	Qbimoo32.exe
2312	Acjjfggb.exe
2724	Anpncp32.exe
4840	Aejfpjne.exe
4424	Acmflf32.exe
3632	Ajfoiqll.exe
4756	Abngjnmo.exe
4228	Acocaf32.exe
4324	Ajiknpjj.exe
4824	Aeopki32.exe
4052	Ahmlgd32.exe
2152	Ajkhdp32.exe
2464	Aealah32.exe
2864	Alkdnboj.exe
1892	Abemjmgg.exe
648	Bhaebcen.exe
2416	Bnlnon32.exe
3928	Bajjli32.exe
2596	Bdhfhe32.exe
5044	Bjbndobo.exe
1364	Bbifelba.exe
4640	Behbag32.exe
2424	Blbknaib.exe
2556	Bopgjmhe.exe
4480	Bejogg32.exe
1600	Bhikcb32.exe
4516	Bobcpmfc.exe
4352	Bemlmgnp.exe
3848	Bhkhibmc.exe
3684	Blfdia32.exe
2880	Boepel32.exe
3612	Cdainc32.exe
5056	Cliaoq32.exe
4384	Cbcilkjg.exe
1192	Cddecc32.exe
2972	Clkndpag.exe
1848	Cbefaj32.exe
4488	Cdfbibnb.exe
512	Ckpjfm32.exe
3620	Cajcbgml.exe
4508	Cdiooblp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Neiigifj.dll	Dahode32.exe
File created	C:\Windows\SysWOW64\Gicinj32.exe	Gokdeeec.exe
File created	C:\Windows\SysWOW64\Mjhmqf32.dll	Heapdjlp.exe
File opened for modification	C:\Windows\SysWOW64\Jpnchp32.exe	Jbjcolha.exe
File created	C:\Windows\SysWOW64\Eaklidoi.exe	Dlncan32.exe
File created	C:\Windows\SysWOW64\Ilghlc32.exe	Iemppiab.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ajdhcbgd.dll	Bejogg32.exe
File created	C:\Windows\SysWOW64\Dcjfkm32.dll	Ecoangbg.exe
File created	C:\Windows\SysWOW64\Jfcbjk32.exe	Jioaqfcc.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Qjbena32.exe	Qeemej32.exe
File created	C:\Windows\SysWOW64\Bdhfhe32.exe	Bajjli32.exe
File created	C:\Windows\SysWOW64\Behbag32.exe	Bbifelba.exe
File created	C:\Windows\SysWOW64\Egdmkp32.dll	Clkndpag.exe
File created	C:\Windows\SysWOW64\Hfbcpl32.dll	Cdfbibnb.exe
File opened for modification	C:\Windows\SysWOW64\Daolnf32.exe	Clbceo32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Febgea32.exe	Fcckif32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Dhnnep32.exe	Dadeieea.exe
File opened for modification	C:\Windows\SysWOW64\Fkalchij.exe	Fdgdgnbm.exe
File opened for modification	C:\Windows\SysWOW64\Glebhjlg.exe	Fcmnpe32.exe
File created	C:\Windows\SysWOW64\Hopnqdan.exe	Hiefcj32.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Qcepkg32.exe	Pnihcq32.exe
File created	C:\Windows\SysWOW64\Kpjgop32.dll	Ekhjmiad.exe
File created	C:\Windows\SysWOW64\Gjihje32.dll	Ddgkpp32.exe
File created	C:\Windows\SysWOW64\Hqdeld32.dll	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ifbbmf32.dll	Ajfoiqll.exe
File created	C:\Windows\SysWOW64\Ckpjfm32.exe	Cdfbibnb.exe
File created	C:\Windows\SysWOW64\Ehljfnpn.exe	Eemnjbaj.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgdji32.exe	Oqihnn32.exe
File created	C:\Windows\SysWOW64\Fooeif32.exe	Fkciihgg.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Daolnf32.exe	Clbceo32.exe
File created	C:\Windows\SysWOW64\Olgkhn32.dll	Elppfmoo.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Bnlnon32.exe	Bhaebcen.exe
File opened for modification	C:\Windows\SysWOW64\Kfmepi32.exe	Kpbmco32.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Ocegdjij.exe	Oqgkhnjf.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bemlmgnp.exe	Bobcpmfc.exe
File created	C:\Windows\SysWOW64\Mgcdak32.dll	Hiefcj32.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Pclneicb.exe	Pnpemb32.exe
File created	C:\Windows\SysWOW64\Pllfhkno.dll	Bdhfhe32.exe
File created	C:\Windows\SysWOW64\Jioaqfcc.exe	Jlkagbej.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Klqcioba.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8256	7304	WerFault.exe	378

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkalchij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bncfnnbj.dll"	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okokppbk.dll"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilghlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijnlbk32.dll"	Cbefaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Elppfmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hiefcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cddecc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Behbag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkjmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eemnjbaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hobkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbglkbhg.dll"	Fdgdgnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkfcl32.dll"	Ghopckpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkolmml.dll"	Fakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiqbfn32.dll"	Anpncp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekemhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ae4d1c2c1798ebb85d8a2d201045e610_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmanlfp.dll"	Fkmchi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dekhneap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihbijhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dikngm32.dll"	Pnpemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajolcjk.dll"	Ecandfpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fooeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocegdjij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbndobo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eepjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhjbhod.dll"	Acjjfggb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqcfnjk.dll"	Ffddka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cabfga32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 2904	3344	ae4d1c2c1798ebb85d8a2d201045e610_NeikiAnalytics.exe	83
PID 3344 wrote to memory of 2904	3344	ae4d1c2c1798ebb85d8a2d201045e610_NeikiAnalytics.exe	83
PID 3344 wrote to memory of 2904	3344	ae4d1c2c1798ebb85d8a2d201045e610_NeikiAnalytics.exe	83
PID 2904 wrote to memory of 4452	2904	Ogogoi32.exe	84
PID 2904 wrote to memory of 4452	2904	Ogogoi32.exe	84
PID 2904 wrote to memory of 4452	2904	Ogogoi32.exe	84
PID 4452 wrote to memory of 4656	4452	Oqgkhnjf.exe	86
PID 4452 wrote to memory of 4656	4452	Oqgkhnjf.exe	86
PID 4452 wrote to memory of 4656	4452	Oqgkhnjf.exe	86
PID 4656 wrote to memory of 2172	4656	Ocegdjij.exe	87
PID 4656 wrote to memory of 2172	4656	Ocegdjij.exe	87
PID 4656 wrote to memory of 2172	4656	Ocegdjij.exe	87
PID 2172 wrote to memory of 3940	2172	Ojopad32.exe	88
PID 2172 wrote to memory of 3940	2172	Ojopad32.exe	88
PID 2172 wrote to memory of 3940	2172	Ojopad32.exe	88
PID 3940 wrote to memory of 4932	3940	Oqihnn32.exe	89
PID 3940 wrote to memory of 4932	3940	Oqihnn32.exe	89
PID 3940 wrote to memory of 4932	3940	Oqihnn32.exe	89
PID 4932 wrote to memory of 1376	4932	Ocgdji32.exe	91
PID 4932 wrote to memory of 1376	4932	Ocgdji32.exe	91
PID 4932 wrote to memory of 1376	4932	Ocgdji32.exe	91
PID 1376 wrote to memory of 1592	1376	Obidhaog.exe	92
PID 1376 wrote to memory of 1592	1376	Obidhaog.exe	92
PID 1376 wrote to memory of 1592	1376	Obidhaog.exe	92
PID 1592 wrote to memory of 1696	1592	Odgqdlnj.exe	93
PID 1592 wrote to memory of 1696	1592	Odgqdlnj.exe	93
PID 1592 wrote to memory of 1696	1592	Odgqdlnj.exe	93
PID 1696 wrote to memory of 4996	1696	Pnpemb32.exe	94
PID 1696 wrote to memory of 4996	1696	Pnpemb32.exe	94
PID 1696 wrote to memory of 4996	1696	Pnpemb32.exe	94
PID 4996 wrote to memory of 4736	4996	Pclneicb.exe	95
PID 4996 wrote to memory of 4736	4996	Pclneicb.exe	95
PID 4996 wrote to memory of 4736	4996	Pclneicb.exe	95
PID 4736 wrote to memory of 4016	4736	Pkceffcd.exe	96
PID 4736 wrote to memory of 4016	4736	Pkceffcd.exe	96
PID 4736 wrote to memory of 4016	4736	Pkceffcd.exe	96
PID 4016 wrote to memory of 1504	4016	Pqpnombl.exe	97
PID 4016 wrote to memory of 1504	4016	Pqpnombl.exe	97
PID 4016 wrote to memory of 1504	4016	Pqpnombl.exe	97
PID 1504 wrote to memory of 1972	1504	Pkfblfab.exe	98
PID 1504 wrote to memory of 1972	1504	Pkfblfab.exe	98
PID 1504 wrote to memory of 1972	1504	Pkfblfab.exe	98
PID 1972 wrote to memory of 4500	1972	Pabkdmpi.exe	99
PID 1972 wrote to memory of 4500	1972	Pabkdmpi.exe	99
PID 1972 wrote to memory of 4500	1972	Pabkdmpi.exe	99
PID 4500 wrote to memory of 4864	4500	Pcagphom.exe	100
PID 4500 wrote to memory of 4864	4500	Pcagphom.exe	100
PID 4500 wrote to memory of 4864	4500	Pcagphom.exe	100
PID 4864 wrote to memory of 4576	4864	Pnfkma32.exe	101
PID 4864 wrote to memory of 4576	4864	Pnfkma32.exe	101
PID 4864 wrote to memory of 4576	4864	Pnfkma32.exe	101
PID 4576 wrote to memory of 968	4576	Pcccfh32.exe	102
PID 4576 wrote to memory of 968	4576	Pcccfh32.exe	102
PID 4576 wrote to memory of 968	4576	Pcccfh32.exe	102
PID 968 wrote to memory of 3124	968	Pnihcq32.exe	103
PID 968 wrote to memory of 3124	968	Pnihcq32.exe	103
PID 968 wrote to memory of 3124	968	Pnihcq32.exe	103
PID 3124 wrote to memory of 2544	3124	Qcepkg32.exe	104
PID 3124 wrote to memory of 2544	3124	Qcepkg32.exe	104
PID 3124 wrote to memory of 2544	3124	Qcepkg32.exe	104
PID 2544 wrote to memory of 2456	2544	Qgallfcq.exe	105
PID 2544 wrote to memory of 2456	2544	Qgallfcq.exe	105
PID 2544 wrote to memory of 2456	2544	Qgallfcq.exe	105
PID 2456 wrote to memory of 5024	2456	Qbgqio32.exe	106

C:\Users\Admin\AppData\Local\Temp\ae4d1c2c1798ebb85d8a2d201045e610_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ae4d1c2c1798ebb85d8a2d201045e610_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\SysWOW64\Ogogoi32.exe
  C:\Windows\system32\Ogogoi32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\Oqgkhnjf.exe
    C:\Windows\system32\Oqgkhnjf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\SysWOW64\Ocegdjij.exe
      C:\Windows\system32\Ocegdjij.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Windows\SysWOW64\Ojopad32.exe
        
        C:\Windows\system32\Ojopad32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\SysWOW64\Oqihnn32.exe
        
        C:\Windows\system32\Oqihnn32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Ocgdji32.exe
        
        C:\Windows\system32\Ocgdji32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Obidhaog.exe
        
        C:\Windows\system32\Obidhaog.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Odgqdlnj.exe
        
        C:\Windows\system32\Odgqdlnj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Pnpemb32.exe
        
        C:\Windows\system32\Pnpemb32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Pclneicb.exe
        
        C:\Windows\system32\Pclneicb.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Pkceffcd.exe
        
        C:\Windows\system32\Pkceffcd.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Pqpnombl.exe
        
        C:\Windows\system32\Pqpnombl.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Pkfblfab.exe
        
        C:\Windows\system32\Pkfblfab.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Pabkdmpi.exe
        
        C:\Windows\system32\Pabkdmpi.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Pcagphom.exe
        
        C:\Windows\system32\Pcagphom.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Pnfkma32.exe
        
        C:\Windows\system32\Pnfkma32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Pcccfh32.exe
        
        C:\Windows\system32\Pcccfh32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Qcepkg32.exe
        
        C:\Windows\system32\Qcepkg32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Qgallfcq.exe
        
        C:\Windows\system32\Qgallfcq.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Qbgqio32.exe
        
        C:\Windows\system32\Qbgqio32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Qeemej32.exe
        
        C:\Windows\system32\Qeemej32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Qjbena32.exe
        
        C:\Windows\system32\Qjbena32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Qbimoo32.exe
        
        C:\Windows\system32\Qbimoo32.exe
        25⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Acjjfggb.exe
        
        C:\Windows\system32\Acjjfggb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Anpncp32.exe
        
        C:\Windows\system32\Anpncp32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Aejfpjne.exe
        
        C:\Windows\system32\Aejfpjne.exe
        28⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Acmflf32.exe
        
        C:\Windows\system32\Acmflf32.exe
        29⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Ajfoiqll.exe
        
        C:\Windows\system32\Ajfoiqll.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Abngjnmo.exe
        
        C:\Windows\system32\Abngjnmo.exe
        31⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        32⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        33⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Aeopki32.exe
        
        C:\Windows\system32\Aeopki32.exe
        34⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Ahmlgd32.exe
        
        C:\Windows\system32\Ahmlgd32.exe
        35⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        36⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\Aealah32.exe
        
        C:\Windows\system32\Aealah32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Alkdnboj.exe
        
        C:\Windows\system32\Alkdnboj.exe
        38⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Abemjmgg.exe
        
        C:\Windows\system32\Abemjmgg.exe
        39⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Bhaebcen.exe
        
        C:\Windows\system32\Bhaebcen.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:648
        
        C:\Windows\SysWOW64\Bnlnon32.exe
        
        C:\Windows\system32\Bnlnon32.exe
        41⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Bbifelba.exe
        
        C:\Windows\system32\Bbifelba.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\Behbag32.exe
        
        C:\Windows\system32\Behbag32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        47⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Bopgjmhe.exe
        
        C:\Windows\system32\Bopgjmhe.exe
        48⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Bejogg32.exe
        
        C:\Windows\system32\Bejogg32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Bhikcb32.exe
        
        C:\Windows\system32\Bhikcb32.exe
        50⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Bobcpmfc.exe
        
        C:\Windows\system32\Bobcpmfc.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        52⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        53⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        54⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Boepel32.exe
        
        C:\Windows\system32\Boepel32.exe
        55⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        56⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        57⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        58⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Ckpjfm32.exe
        
        C:\Windows\system32\Ckpjfm32.exe
        63⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        64⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2860
        
        C:\Windows\SysWOW64\Cbjoljdo.exe
        
        C:\Windows\system32\Cbjoljdo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:832
        
        C:\Windows\SysWOW64\Cehkhecb.exe
        
        C:\Windows\system32\Cehkhecb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1584
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        69⤵
        Drops file in System32 directory
        
        PID:876
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        70⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        71⤵
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        72⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        73⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        74⤵
        
        PID:556
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        76⤵
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        77⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        78⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        79⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        80⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        81⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        82⤵
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Dlncan32.exe
        
        C:\Windows\system32\Dlncan32.exe
        84⤵
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        85⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4360
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        88⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        89⤵
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        90⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        91⤵
        Drops file in System32 directory
        
        PID:3812
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        92⤵
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        94⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        95⤵
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        96⤵
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        97⤵
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        102⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        104⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        106⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        107⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        108⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        111⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        113⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        115⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        116⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        117⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        118⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        119⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        121⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        122⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        124⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        125⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        127⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        129⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        130⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        131⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        132⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        133⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        134⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        135⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        136⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        137⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        138⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        139⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        141⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        142⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        143⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        144⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        146⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        147⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        148⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        150⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        151⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        152⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        155⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        156⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        157⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        158⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        159⤵
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        160⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        161⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        162⤵
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        163⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        164⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        165⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        166⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        167⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6208
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        169⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        170⤵
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        171⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        172⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        173⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        174⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        175⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        176⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        177⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        178⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        179⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        180⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        181⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        182⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        183⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        184⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        185⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        186⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        187⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        188⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        190⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        191⤵
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        192⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        193⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        194⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        195⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        197⤵
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        199⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        202⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6844
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        204⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6992
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7108
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        209⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        210⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        211⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        212⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        213⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        214⤵
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        215⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        216⤵
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        217⤵
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        219⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        220⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        221⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        222⤵
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6512
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        224⤵
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        225⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        227⤵
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        228⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        229⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        230⤵
        Modifies registry class
        
        PID:7212
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        231⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        232⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        233⤵
        Drops file in System32 directory
        
        PID:7344
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        234⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        235⤵
        Modifies registry class
        
        PID:7428
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        236⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7512
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        238⤵
        Modifies registry class
        
        PID:7560
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        239⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        240⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        241⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        242⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7772
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7808
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        245⤵
        Drops file in System32 directory
        
        PID:7848
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        246⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7928
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        248⤵
        Modifies registry class
        
        PID:7964
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8004
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        250⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        251⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        252⤵
        Drops file in System32 directory
        
        PID:8120
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        253⤵
        Drops file in System32 directory
        
        PID:8164
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        254⤵
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        255⤵
        Drops file in System32 directory
        
        PID:7204
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        256⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        257⤵
        Drops file in System32 directory
        
        PID:7332
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        258⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        259⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        260⤵
        Drops file in System32 directory
        
        PID:7524
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7588
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        262⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        263⤵
        Modifies registry class
        
        PID:7708
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        264⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        265⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7840
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        266⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7908
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7972
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        268⤵
        Drops file in System32 directory
        
        PID:8036
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        269⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        270⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        271⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7340
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        273⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        274⤵
        Modifies registry class
        
        PID:7544
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        275⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        276⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        277⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7960
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        279⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8072
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        280⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7372
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        282⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7536
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        283⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        284⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        285⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        286⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        287⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7500
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        288⤵
        Drops file in System32 directory
        
        PID:7836
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        289⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        290⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        291⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8088
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        292⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        293⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7304 -s 408
        294⤵
        Program crash
        
        PID:8256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 7304 -ip 7304
1⤵
PID:8232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abemjmgg.exe

Filesize
108KB

MD5
3736c465ea66ec023cd71ad08b466259

SHA1
784dc26b81f566f3b0f47d4c0cfb1ab45e142e46

SHA256
f8d7562a802b33b2c1bc37cb1d51d226941a022f08b8936edd9b2439c3012d12

SHA512
26569639ac1baf8c6e6c85e22050761ba4cd3d3e790a5cd03ecf217391da5be0892bb3dbbde2a1a832e67fcae0501e36b40a62b0fecf2136df8acd02538db4e1

Download Submit
C:\Windows\SysWOW64\Abngjnmo.exe

Filesize
108KB

MD5
614a03374e76efa8af2f46df1125f381

SHA1
f49137a1b57d2106f6f6ea6d36f32622dd0a10ac

SHA256
6759d6e64176acde2696e98e1fe2d54292be2000567c7e04e8df355f499b1e6e

SHA512
b19c8be65a96257bbcfe83fd345631ec804fde15243dbc8106266b745aaf43fbb9148d936686e00b97ea71e61f35ef79d0fbbd0db4eb89aa12b3452d6ed517b7

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
108KB

MD5
063f6254a5303de12b5b170b11fcd425

SHA1
ed9ce2ca9c284475d5cf04d263c1af5a7d17cccf

SHA256
ef3b7a1232a8426f3ba90504d077ff9a64914deae2e52e64c29ab4efecb89ef5

SHA512
49c770423a0c1d94a2d85f85b83144203eedc9a1fff15aabfdc2428bd61bfee021311959ef352037a9c5fe5ded42e83c89979f92e5495a86c7d2c294907e1099

Download Submit
C:\Windows\SysWOW64\Acjjfggb.exe

Filesize
108KB

MD5
7bd13beff73c1177ada498db9f9c4f82

SHA1
7ca0446d90aeed2ee667e89f910f69f5cd173490

SHA256
7056a0b0951f9b7d853057f550cf62f5ef7ff2bc8c1e1ac6144ddc23702f75a4

SHA512
edb3008428b3b103eb241051b770915e0402f62706b3308b5816cf195a3b75bfd4883687cca58992d1c81bd02cef53f8337e82a7e430ee10c6f513414c256204

Download Submit
C:\Windows\SysWOW64\Acmflf32.exe

Filesize
108KB

MD5
f6958037b95e70677a9071d70b231e8b

SHA1
4c780d006c9802e421381eca9e0cb76258bac900

SHA256
21eab4a8d776f28a1c594bf18c44211f9af6131458c05ecfe0e8df9a018c4ca9

SHA512
fc2228db69921e0b99ecd9c9e3080ced0a6661ffad538207a957ab9547fa13c2c8a2eef420d7dcccad526d4d52ff6b96c35c0f1de1a8efea5e437d75628f84c0

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
108KB

MD5
9ebcad981f249deadd14680c926ef14a

SHA1
1b4c36c1d2757aba7de4312515a3b539db12459c

SHA256
6a8a1678a92608d869ccd7b6aa0db7133c09391df31a5dc911bf98e2ef30c196

SHA512
1845799787141b188c554364bae73581cab98efb3d4fb7f7db9fcc44b4a99b442d43d23809a36f93026cfa2d7b79c7ce02321465af579a8331b39ef971df69b4

Download Submit
C:\Windows\SysWOW64\Acocaf32.exe

Filesize
108KB

MD5
f9938634e3385e96deef0558446843f4

SHA1
f6ceb3886e79b7bff6af12a8f3ba87abeec4130a

SHA256
f1130acf4e88d187898d47b596e669bea2a72159bfc94a31840cf0e7a72a90e2

SHA512
abfc8134e1922516dac35d984cfe395c7ef862ee3daaed4020ab32e4efbb6ef814cf1f8782d5db4c3d91021a6a868a9585675dcbc01f2c6f7087d15c046571f3

Download Submit
C:\Windows\SysWOW64\Aealah32.exe

Filesize
64KB

MD5
2dfe4562ce5999ad8e5d1e19384d2cd9

SHA1
bcac3f3b18b927c61a1128a04e42c6c57572c9ff

SHA256
a9b07f1da2209b1ede8c39df8716ce703c7e5f60af860212ecedb5c5d47d9f2f

SHA512
3b7a5606bec96c7a6174464a09201c14e16ade238c851fc9eb47cdd34cd5f51974d0d3c44df79e705e1c22310dbb24cd022ad2e0e0593cfefa1cc43f7c43ec65

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
108KB

MD5
5431449fb2f70734475bba7617c9d5d5

SHA1
790db03747d31af980c5ae5f1ce72d51b74d9723

SHA256
67e8cdf225cc593ba80c41b7a24df8a47927a43e3f83edbcd735117628d24c2a

SHA512
f072f7349789e1a54133a02b28598d092218e711ac3c4474cc57255205ad9b5f76c14f31541452ccb0c96d15dd733c7280038a2e230f850673e9669db0703559

Download Submit
C:\Windows\SysWOW64\Aejfpjne.exe

Filesize
108KB

MD5
548c4608fa9db5d64d26e7cce54e0300

SHA1
049cb05d446debb7011ee8f07aca21eb22ab51be

SHA256
7b8276f30f525adaa81def276990a49d540d63478552b90022a948895840a8cb

SHA512
2cbd89240e36a3bb7cfa7eac6dfad1583755cf81dee5efe92c8cc90c41ada005b3275c6da8590432570291e435c8d111610ad18e33831b3bdf21190a0257641b

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
108KB

MD5
394c15bff2c026c3e4eb6b5b265517de

SHA1
31697b915ae8d5b7ec82815fd1bac4257c4374f5

SHA256
7ab0ce486b3a99f44a1af5334f401671ca61d4c01188f2b2c0c5c32e4a07d691

SHA512
50c8fa1b2be25cd019f3352b2146c6bfd95118b84f73a5445a9ad0dc87cb40557510e5700b8af9c0908a6b363073011caddca50c5ed8dbe799dfa5b85f0b07d8

Download Submit
C:\Windows\SysWOW64\Ajfoiqll.exe

Filesize
108KB

MD5
b1d2668892d66e9d3c53b6061055fdc0

SHA1
6d582a87a62b0f7b4a37f2e1501d09f0f74500bd

SHA256
c8497250d787cc72b6e38a9910b4c58168fc68703a5e91a365b68df0fbc9bec6

SHA512
07c83b29302a7d56a9b696a3f055c6c0d199117dd6aa2e5aa6c3620db0a5e6ca33d190ba38b7da0e820900fc6b2c1e1b8636e2005259bf27d440e5b0b2af1a9f

Download Submit
C:\Windows\SysWOW64\Ajiknpjj.exe

Filesize
108KB

MD5
5e72a7dc39cb3ee31aae19d9b329df06

SHA1
217f0db3430d16035f3f5d88ea013afcbf678433

SHA256
e2fc093271d3415ad8125dfe4091f3e116ceb24e1cb1e700056ee252b8811a29

SHA512
f4d32d64ecd4ed8f35714d4c63caa89e2a2eb41d9245d25e2f4ad85cadc839ad2917cd9d43c547a0d08c652f46e5d0daddf94bd5a69c4be3f000ddf85b2ddad0

Download Submit
C:\Windows\SysWOW64\Anpncp32.exe

Filesize
108KB

MD5
93f871d18eb58a239a6ce8893c95bbfb

SHA1
8d46822e062d0d2b57e3c947d232d1bd9df740fb

SHA256
07eaae0ed83d9ccf0763ce190aa6f0e896e2cb74412280d78e56cd868037eadb

SHA512
c3b06284d886eaef49ca1f86df5cd65669b1010e92769966b0d68016e99b469ff3de48c827eff96a400245f21f57e0519038ad8cc0fc4f0d98dbccdb398ff20c

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
108KB

MD5
9a8b0f91786c76d2522abf51811174ec

SHA1
43085c700c8ef77bf551ceb8bb8753e09c20c0b4

SHA256
cd6070ed260a5f19559f8b0d39bbd54ed4601a2d2b598f952e8c4721721dc606

SHA512
9ae0cb596128483d3898ee61bb90a3590f09d2ca5169fc2281cbc98a8cef90c2b871260c63f64ffe19f7e00f7d5335dac3084837f69318b49695b640a738328f

Download Submit
C:\Windows\SysWOW64\Bdhfhe32.exe

Filesize
108KB

MD5
0599dc8269b799db8569885770d044ef

SHA1
2ac5fe1ec37a23bcb869446244bd9862a07ff7d3

SHA256
ee2b496a6b63ace3e576e71c063b6e29d9e799f9cae9486de175a033fd7abf84

SHA512
78f2c5d21ae07de1635c4e702371b1c9deb4546fcd93b33178cd52a6c57c05e87b322d2118c0d52af3102e2d513597f8d6db62bec8e15bfd163cfbeecc21f141

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
108KB

MD5
de12f1ba40f76be48f088255c82de132

SHA1
10542b0a88c7ee06e602196639efdcdd5a0dee16

SHA256
fba7d3f1c3b0704784bfac8f1aac1058e060c1458fcbe73190f05d31383279df

SHA512
689cc2a9e556a763b9bfca9a06538bee7994a7996d368b8c889ead07ff7b6f266b9413d48df33db08f93c94701a13a808b9693f10481c174af59b83fd77e2c2c

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
108KB

MD5
1a488b2571eda7b5f9397a5b89ec925a

SHA1
4ba6891594d6c7b2fbad8a8eafdf1b41ee208283

SHA256
930c5c2f684652378adefd3209d3f2a3b69474a506b4c47b1b2d4858e15c3beb

SHA512
19ffe8623a1ef3d019a15aa4bd60892b1cfbd9041b32c1d5fe0e29d11ef5e9d14bf4969c0be928aa475b314f8b1572f1799e339cfa3942fdee227fea47ee53c7

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
108KB

MD5
fa23682278d3b8a5fa5b2d8f4b384ae9

SHA1
ced7df72219a54acfe6288dc3cf930bf4c469416

SHA256
3ca10811fe79c01812c27a881a6d4ac16a3cd908e6a467fa9b5c88fd0dbae23c

SHA512
88ef41ef0e2040ce37863969bd90cca6d536619e65811c137811b71ffdf0cef5fd3ac283c0269e55c57312eb7f3ad03b3bdf88c11f2d5e09756b40044cb516ab

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
108KB

MD5
c549ca714053accecb039785b8a7d6a1

SHA1
ec3fbfba65dd171926de05ea335533a4ba0b0852

SHA256
35512b4858e686df12affa2da9d7ae6679e2f97799e41eaed8b1f4dab8519bb8

SHA512
be59b52338b2ab47d1532e47cd607603885f49db424ea35d9c783d8473a524156ec9b62a9b2a419b5569feb70a9a039811ca130bf9b60e0a92ab6e0bb75e1cf9

Download Submit
C:\Windows\SysWOW64\Cdainc32.exe

Filesize
108KB

MD5
11883d3f33e905fb00d6f2b2d0283476

SHA1
4d1c55b184064dfdc980ef50f0646bec2e9d7221

SHA256
cf696024d01e2bd57f82a468c3a5b685077627fdb27cefe7245bd8c6a0957cb2

SHA512
464a9ec59b433d53430432ff402fa56971928ec40a4d7ebe7abb2ff4a7c31a20bc1730ea96fa0524bdb480518f185555ab16c7225bb8de5bd7afe1c97f860c90

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
108KB

MD5
cf2822a6876037a516987dcbc28db7ad

SHA1
095c31d27964a11d0216db267e82b4e022749b88

SHA256
ee264c67ff2f193ef1f6970f8e0cdcc4a5949b9c63d8bcc7e613dc33c9983033

SHA512
c89c39e14ec52d1a41f3570c807f89e64040167590bb7fd084a2e5b9f1db2ff43cef336f5abe75d4fee98949569585c12a82ad3a19bc2e6d01154f93969dfd9b

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
108KB

MD5
e6d7aaa1aeab9d3d04c8341ccb4cf13d

SHA1
3b2c09131a40b868024c6f9a3be0b0c83e1827a2

SHA256
255820779e3ba4fe43a823234dc59b18f26e89bb2f36526323c2785915818cf4

SHA512
1e7b4901c4650d63207af0351a0426a6a424c0bee17f758cd5b726ba3db8946c867c8666060dd1dbfbc42aea828d093ef41db0f6d24c4749b6c141194d8d734e

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
108KB

MD5
84ec15a57a23c5a4dd2c1e80d67ecba8

SHA1
6db68aca57d18e6976fee92e0de69aa1164d7134

SHA256
c6e9a5151ea95a56b5c2bd5ca9e97881a3c6aaadc7be5b5b4d35a86fea960d5d

SHA512
c764f968a431faefec683f2ea73d7441cf11eac0f0caff07597e1c97eed541cd464db74fcc98d2c6140c8e26937aa0bdae0a0c2680d23f50751e74599c93dc4a

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
108KB

MD5
2c1dc1fcb41cbba3d790924050c7513e

SHA1
351653fe8b86539042b0b4d75850caea168717dc

SHA256
be39b85a17318225fb38e5df9c231a03f501adf8dbf354cbc233b0d20b194eb9

SHA512
430c06b588397c5fc70ddd2715623a9c1a94cb20a5d4abfc402643456a5d48d473af1eb24bbbf345929b396e772e0852be7185e6965019a57ea2e080fc9596f8

Download Submit
C:\Windows\SysWOW64\Dalchnkg.dll

Filesize
7KB

MD5
dc98bf3679cf0613a016427519a70d04

SHA1
3a23a336198438a12129e18c1f39fc5c30dcd414

SHA256
bc55516a5527e5d0bbe16624520f12b949b2edcb0a769d343be8276bcc528cc7

SHA512
83d1a549a775433b5dd7e265d10f74693a1bbcd7d590b160b3c80c406bacbae10bd9f722a56902c9971b7a1587b82b367124a2699e04e0ec26074f2b43568d1b

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
108KB

MD5
fd4a1351803530bd261f60b9a7bad45c

SHA1
cc371d250453ea8458f0469375f437fbfa3d8981

SHA256
b419306de1022f64080bba3a0e976f88cc61b412768717b84e62f8cc7d82643a

SHA512
a3c7194e334acd15ef616f6787c4cb8f186f390fd5ac02743b9e0b2ab89608aa392c2330f3a9721e3e38eeed557e351066c381a52cb2e62a9ff90c9ca558f530

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
108KB

MD5
b5761fe39903a0f70ef45a1e725323a0

SHA1
06460fe6443285ed560782860cdb44cb41da9955

SHA256
04ba369ef953d3ffc9af8b8fe3a8f16adbaefdbfe7e426e115776197aeb4d7d4

SHA512
2a54a20739a51123d41cec0eefc220f36b35b01389b52426cc06182e5e762b74c0bb60f8482568959d1a233bb5d5ac7b2ebaed2450e8567c43da1b3e6d23e7e4

Download Submit
C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
108KB

MD5
c51067a477dca99beda55353e455c553

SHA1
5eaba759342121ad24c63ec49cad89604e12891a

SHA256
72b857318eb66443f82e6cc00f58349be73e19ea6eee5a598ee1bd0af9b7d5df

SHA512
4180ddf3f4d24f365a9a99da3c3da0280491f25086cb1dde20a88b3020feb715cc5d71284529d2f56b3eb63c08cec58d755f457844eab8e82a39b9a73ef5b243

Download Submit
C:\Windows\SysWOW64\Gokdeeec.exe

Filesize
108KB

MD5
e7b1f0e97942c2e45207165b89706083

SHA1
feba926b85b7050bbc73294b7f3d9e3f097b0e1c

SHA256
1dd4bc22f72843ef8d5af75a8ca5938ba28c6be94c617d95ac20a418feb0b10a

SHA512
12bde854d9b222aa6dc2f507edd48eb4faa3b3c01c252ad77e24fb532e415696cbdfc2ef4b6ad37e01121b5f4bc71ff3be6c12772cef8d3d9a577bf3f0c8a5a6

Download Submit
C:\Windows\SysWOW64\Hoiafcic.exe

Filesize
108KB

MD5
b85347828a737f2d9d1f0fbdccbf7597

SHA1
cdf695708639468137ac025e0416819b46ac8c92

SHA256
ed70262bfea8681364cc0eb757390050e45e7c120593a3b3e0033518dc091e16

SHA512
4b14e9844c8f88c832641d12d2fcf07a59967d1615a4da4da2235c211213c9250fc786ae69d87957087dbc98ebaa0427a25a46383fc2a30f3c95df52430afe5f

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
108KB

MD5
0e05d4422c9aab76065245597e37a651

SHA1
3a646f9a1f696afed22a7b67913f4e30674f067c

SHA256
bbc69a3e992cd64f44f4ba79ac5adbbae0bc9fe67ada47d05f76e3304159c1ca

SHA512
3392827f45b6407becd99bfeef3d99bd2c8b7f86946357fd4b553517acc91b78e1fe8aa67cd563975738c5eaec36e726df7228e62a47f4e18001b8f50ecea4e2

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
108KB

MD5
363edb1c663758246250988c1ee315f2

SHA1
16256a20d0a1623d6e1034eab4293f5b7b315e71

SHA256
1251f55f1447be6e3d7c499351dd1065c0a9cc90a3c8df9d358e1a2041a00c72

SHA512
d6f5d2cdd2ed3e4c13acdf87c7430a2cdd07eb24da69432698da646b2a7c7889c6661b789e8a26d36f39c767d99944cfffa0340cb6d71b927a2f57b9428bc430

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
108KB

MD5
a6c09b4e984c5537af177f8dd5c2f16a

SHA1
81cfd647c98d8c86c13e5906b9fabd6b4fccc74a

SHA256
b104aefc260cad43d785795de37706625cd8d0256c6cea89da1f7120f6d8f7d1

SHA512
328fd8fdc5c78491b92a401feeecbc91f40e83d8c32b1cf29fe3d57fe41323615f8743935aada608e94fc2e698b80dea3aba42c53a81ea73544c7efc77fa161d

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
108KB

MD5
d9be527047afb9101c8ef1630912b804

SHA1
6b7d7db571a6d513581703196c8fd64a5a3d7b04

SHA256
4e9c134bea784d2b5e25b1bbfb096bfb259a1be073aedad353588830eb579991

SHA512
13d79be5da34d1c60b763e9b73c5bb061b2eba44406675fe55be3c47039b2d3b4f0a6916396d19297654b7f25d75fae8b4900d08c13ff772793abb2fbe26b154

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
108KB

MD5
77fe3440ba85fa7819de997afb8b776d

SHA1
e787b649fc9faf74491cb3aea2f4a02236f62961

SHA256
19957ce611952e81cd9da7637be93f8e124d4d048773d2227f9879f3f2515415

SHA512
0d35e59e7cb48125e82b97540e14d503c0c2f8185b7d53eb47d20636b08688afd2333937595705355b342abbe214fe585a373760a037f61de15a92f1cf329d62

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
108KB

MD5
fbe4b1dffeaa1fb776347b5fef74da7b

SHA1
46ed9720007032d81853e3c3eddb91b97ba232ec

SHA256
d3261a07f3a6d3d758e5e462c527c1d17384df6ec501a11f1a9ad3b22448d98b

SHA512
6dafd2587932b772fa8713250284af629017ecd2502390a381085b0263ba16fbf4ba11faebb0047271d4738ad130a5ecae469e8df8b029ee9c601734f7dea73a

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
108KB

MD5
8f67deed5eab4ecf173860ea50c34c5d

SHA1
3fa2e381b8117622d84ebd83ac4d925bb8a396fe

SHA256
f421b6b41541c1c057f864c6e15329e558403b03119910495008c93edcd3af11

SHA512
f101be56c37376753d0423c07f2d4145a5ca8e1a7a72259ec981c8aaf57faf9e9a9644e85347d629480c43f15fc0906876bb83d2a33c5a66d85baa8c3ea49fa8

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
108KB

MD5
813493ef8004fef57520b7e2db7d5b25

SHA1
a94b21402809d2cd9d880458293bc5ac5b58d8ae

SHA256
bda73d7708905a21bbe5218093cde7f6cbab8dba7aefcc9715bbba4d9998ba37

SHA512
e9b7a4fc174021464780f50ede33ea1ff02e81a722295f3b724c9b414b56e4c0c605b146640d3d646aa77cd197a4a6e641bfb800961405d3aea1608717fbfeeb

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
108KB

MD5
c084466634994635f8db0f60fd6a213a

SHA1
430b8ec1e85076b2d7f79ef518c0ea5abaf0ca38

SHA256
3d7a72a819dadd029d07bcf6d41d4f169f906638428527fc1a891fa24df5cce0

SHA512
f7ea3be6bd2c4ec8ded9332097ec56d086bea4b28340828e812003f42a2b0daf0249a9d0ff94a1f62f764a0af71dc31022c3f87bf41f6bcd65cfb59031f9b9ff

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
108KB

MD5
a56395ceb86a775d75ea593b6546ce79

SHA1
3c159dcd96d3a49daa758e68a8ca0b47755faecf

SHA256
36c4f8749f5da2b9b07c0316f64718bdcd8f34e72fcec4f67fbc8b4acb1ed4f1

SHA512
71f61164d1cdf6911391b64384e3684a143d9ae2457b5e82cf2766f9c68e421339443af5cb50391fcc46041ae741a6a8811927bf13f83affa0edac5080c8cf4e

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
108KB

MD5
f5e0fe530cf27dc4bba8ea5d0fb7db15

SHA1
1081914bcb41840023c3a90b1ad6f7107edb5f52

SHA256
39daeca659fd44319f658132b70d7a3afb9be1571747584e016f781f425326f1

SHA512
178e03936b94a5fba1076993a9dff961e459bd6fdb27143cee36e1bf9dc8c8c427929c15b0efcfed38c3112b884fe5f576b521313940a1f7f2acde35df7c8c9d

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
108KB

MD5
ea5bd86958a37e536c12e4af795bf185

SHA1
86bdd24efd2571c9a8a56633bd5f6752631241a3

SHA256
a99a26bc4287b69b0458215c903b905d6d965a2782d19c30dbb1302004521217

SHA512
0bfcbd5e83ab8cbbd731eaff045e2a2a6b343c0c058fda002b8b3fa4a00c498d5f26bc2c5da88375feff0ddb2761b4a374efb57d4e4940994123e227d0c3dc3f

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
108KB

MD5
a11079fad6604e5fb4bc7da473bb1d9c

SHA1
f22ec8befe6508b133c03e5d8e4720f88c08752e

SHA256
ec06966555d280a8667d186ddb4e53d4e44d334adefebfd36338ea3d1806552e

SHA512
09a3d6ceff292c3ee23a5cad3f86b485781324cd7d7ae7c0929c4b50f66915daf780d518d77dc8f9c2cc549650ef4dc8699116e442276cd36ac9850a126b1f2e

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
108KB

MD5
34e96f3b00b77bede94a62a69a1f07dd

SHA1
397b5c7c4635242a256ac22eb3ef8f7818297720

SHA256
4fc716398a6fb8721163cd0d7e3a5254a1496bf1aa83c6daf0789b62c02936d8

SHA512
6c94953d7f20cc72958c8a470f021d66ae862a20b465c9d00ed9d9ff776c940b6ebb481c5e4e240b9469b5c94756f70da7b701bdf91587c621adf360701af824

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
108KB

MD5
1b1b5bf614cf536294cb7a7f7a49db07

SHA1
45288fa694e30f0a6e02dffac6c8cd3c2645e029

SHA256
42db0fcead20fccc58deea9eefabc4caca75c208015bfbdc260ddd3e515b0ffe

SHA512
2d4414f926dbc7e2412d3e43872de3a8c4fba114cd54509b2c168470d02e9a35f39e3e055ee9d3f0b517534636afcca183c29cab7d9ca754d413f7b398783f6e

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
108KB

MD5
fced39b6fd0672dcc6343dfb383da881

SHA1
16a77222943fbb24797fef4e6eaec10cdef7ab85

SHA256
518b9b02305dcc2dd3acab04c5592991b3ef001c3142855106786e39966530ed

SHA512
16544b9f257f8d5af96b7ad0e8dfc2fc7a11c3d10953e4148caa4e5481dbccb8eb4e265a61720f5335cc9b262c9c5ee2379d188cfaab74fbc4bcb0b6c5c04d1c

Download Submit
C:\Windows\SysWOW64\Obidhaog.exe

Filesize
108KB

MD5
f5d5da2a52fab6e63ff6dee5c15d2081

SHA1
597322037b6d44b081840a922c5425d3e53197d7

SHA256
2388f99d8f46698ee65fd5e2bdb83af202c84111e38dbfff38c7e1a9e46daf72

SHA512
d29c8c75cc92c91d9b42c7fe6897fe2fa82c0875ec03a7f5a435d4791463833ef5b72567eb09ab52faa86f1da1afe2638cf2cf1fcf53cee5d87d62f7b63f1419

Download Submit
C:\Windows\SysWOW64\Ocegdjij.exe

Filesize
108KB

MD5
25beba7a2a83dfe084365f7cdf7550bb

SHA1
247d2cbf6fe1da6b645c6562f141936d7820bc36

SHA256
22a30eff8c996d0622d5a73e698d00ae001228ef93c18a81ee7f0108da5f99a8

SHA512
f63b3ea92a855545d14f72109b18ad50a61d54ac57f5993d3d067ab9dd87f8ddb821a49edf1cb1d8037a855e2f96c55b20daf2ba2066048d5d94b72e354fccc9

Download Submit
C:\Windows\SysWOW64\Ocgdji32.exe

Filesize
108KB

MD5
277890cfcfadc2ae12b8f72e6e2c7b29

SHA1
3a967402e70c0c0457d7633e2038a9d2d265774b

SHA256
d4cdfdf9379a5e30af6ea0260bed87eb1636083489acb1f5620a1ed69f3816b4

SHA512
97a5974403221b30688f352c2054ad984fcbe6388d8d4890a10054a1ced039b3f0391e6f2d300146043871957b94229c72f2ee4a0cd6995b5b4bb436b345664d

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
108KB

MD5
fcb11d6e58fd3d3c20f7ac623940d8cc

SHA1
dde0fbb1018c146e4262091033ed44b36a72d4ac

SHA256
7b6d5dda8b14ab0360aa34767b661188bc326e1c2e16309f3f7cc1a215f0f956

SHA512
ffdc93c863bf394eeb226254ce20352466913ae9acd0e4ca2377b3ea73670f85a279db7e6b5bdafde2e53077d7ed0c8569681683ae85e493a56484d30084a753

Download Submit
C:\Windows\SysWOW64\Odgqdlnj.exe

Filesize
108KB

MD5
90c3a42e6bb6707114308583169ae4c5

SHA1
19bdf6302b02d895a2e009633ba7f0aad465829b

SHA256
a8c0ab58bdf6723934573a3bc213111cb86fe4964363d8dff7630edb0df069b3

SHA512
6aa401ea17eed43a46bc1d8da9178a832f8b93511969e17c5ccd3cd1bac26fa08794b4e0d4191b71183774adb3185821ec21c3ec885acede1156da1f29b646bf

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
108KB

MD5
d0759f937bfe6bc531e5a07e39d713e8

SHA1
598d4d203d0788a9ba3ac8340a11b08788c17893

SHA256
3043a4144d636f990efd6cd636799dcbdb90d4520cb3b97cad9bb174a2319034

SHA512
a81c7ed6fa32bfc666053d705f6ef8d21a8b6ed26789c6d7ec68370b1857f8030b66ee147d96120cb134093c084aa18c761b4c9295c0f003ccf929ac3794fc42

Download Submit
C:\Windows\SysWOW64\Ogogoi32.exe

Filesize
108KB

MD5
a0cff6b5cdd0b7cb25a7cb320d943ce5

SHA1
fe8f0708b4121454982a2599f336fcdcc6bd4664

SHA256
449bbfb5fbfa0b7c7c8981f46e13a139da6308fa45d0e5ffece20ee23c7c3161

SHA512
8af843b801bb67a3bf418b569b76f6f229209038219b4dc4568d8393423fb93b251ac090c43c01346b6ca58010a792e0e6d24c4bab138a3e32e769941cebcd4e

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
108KB

MD5
2c1447841b256a8b07df5d9beeb99194

SHA1
86d5203ff6d7d6c7b49ef380db92b5598239ca34

SHA256
ae5f58c2f73d8fd5449b3b8fe9507fc61680f6dcc0d003e32b8edd1ec0b63046

SHA512
779b45898328a4b8b756756cc3be76448129f5ba83f7bb43927b81becf24f4dc63a39ec1c3bbd5991475696a627880c6c8d5606d38abd84a85639e5e72dc5cd1

Download Submit
C:\Windows\SysWOW64\Ojopad32.exe

Filesize
108KB

MD5
6ed35160ffeea953c8109e276a8fabea

SHA1
a6fc427780f29d850b1ea21726ff0fabbc1c8889

SHA256
6aa74c47bde1883967f61f27a9d99889a60962a751d19dcc986aca181a450780

SHA512
2b82b58e43595be98c7a0558dd29f0c1d04d97b33d84f704a6caf0c481786e38791276b24c2b330cb816e846e232b0b90525a256297ddab7575b16764ab2587f

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
108KB

MD5
ec6d0c97a6c48dd1a592b84fa3ae27b3

SHA1
8984ede6bba40d9ffc24fa07c134a178c7ca5f08

SHA256
efdc4fb981877119e9e60329406172d09681ed49618caedc93fcadf8bc967c7f

SHA512
bacbdef65e298ed85408cc45018859c099d5e4729147d60bed99d909e287cc432d20e30aaf77790ffcbdba8d2d99e63b4ab7fcfd4cc3b14b05815fbeb0db4fb5

Download Submit
C:\Windows\SysWOW64\Oqgkhnjf.exe

Filesize
108KB

MD5
cb4d514a9043e786ae9b1cf455431a3f

SHA1
016f7ae55fc84fb1fa3e1b15f30f5265c6115198

SHA256
ce619f6adb8e7b2e6fb74e618de030389d1f5dcaaf4aa77e073a3f624e4baa2d

SHA512
15e5b0263c5e8248eee66b8925417ce7a3574319f1d7446445aed31f2e99d75c5dc5ab823f5118974546c3b60b0fa983bc46fe43c56339154890b23b7954e76f

Download Submit
C:\Windows\SysWOW64\Oqihnn32.exe

Filesize
108KB

MD5
5ae4da8bb2c9a0429b1ec0e1363f1a83

SHA1
71bdcd7ca152512d5dab588a6c1e5477b04ec2a8

SHA256
ab22038355679f1810096479873483f3030d68c7fc292b1a20b0535c36ce0b0e

SHA512
8def526e3bdde3756990a865aa0c05496785f2ad1909415b98aca0e80e2ae6aecd714f46e22e1eaac31873b9c7d1bc63922e07c24d8cbe41d62020d318d40d71

Download Submit
C:\Windows\SysWOW64\Pabkdmpi.exe

Filesize
108KB

MD5
f268fb6eafb2acfc1e1ede7c5b691b79

SHA1
fb7c9faae9e5b94d6b14637caaf9da76b4697d78

SHA256
39abb13b3c93ebb2adf24b2ef416a95410250f3e79e2f26d80ef9a99014375ef

SHA512
94e02a37e80821737596c8e9784abdba257b5774e0015461baba4815fa6b62f26032a940df4641c1bfd80f0512dd86da22262f0f7b5a6114e93a3992bf86e0e5

Download Submit
C:\Windows\SysWOW64\Pcagphom.exe

Filesize
108KB

MD5
89ea65165cdd9bbb0b70ed1936417582

SHA1
570d37f691d5420f7246d059b465bce78b938495

SHA256
f9fd644ecff519e87cf1dbaeeb69831f54455c2d7903578deb998c67b19e41be

SHA512
dc9b0f72321ef35ad5049c5594ed35761584ec0d0428b560f5af0ea77aec0080b1dff616319c3dc99814fe0f77b93bc4f80f28e789f568a0d55b0e1ea41e0dd5

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
108KB

MD5
c71bc0611bba1dbc9882028e88f5dc68

SHA1
f7f14590ae55d182ceb8f50a2a296fe6e0593800

SHA256
c7bc4d004edb6f074ccc8b80648b8e66173805506917d392928e47f6accd1452

SHA512
72725be63fa121853eda46f926c41edf15f4ad81b1531b005cbb8d1c43d64c716e52e4d0b2bc4835784bec19ef3ab3606f560898d3d33c678ba86fff9b349bdf

Download Submit
C:\Windows\SysWOW64\Pcccfh32.exe

Filesize
108KB

MD5
8c30b622b014446a11d5bf8c156376cd

SHA1
8850a020192bd60492fd995b39885f6a88eab7fb

SHA256
35e5294da48a182175702e3dd476f0619721c84609a66ca951a414450186514b

SHA512
fb349535a36d631ab7506ed87a634429943081bbadcb4b9ec292bda9f7dd3fbbf553082f7e898c24eb97d666551acfbdc3ffc6a878dc7a68217701b8e7da75b6

Download Submit
C:\Windows\SysWOW64\Pclneicb.exe

Filesize
108KB

MD5
206b0eb806641f70021d45b8ee7604f3

SHA1
2d0054eb3e401e73f5f5795fa25b40aca8a4f20e

SHA256
691c6e2be2daf28cf37c3ef0e2c8da052d4630fc4325ab70f8b991ef547ce506

SHA512
9b7624a3d6cee27fb5a4e3e633f4696d382f901a429078b937d7a9a8f93a879d9ac1dbac1e2ec75f1cce80a96842f1da48fdd96cac1481aaf2882cebe448e213

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
108KB

MD5
d1ec8c2a0628dd677987c569d456ef76

SHA1
bf45b867c743dbb3499a6b3c7ac1531cf3838e6c

SHA256
ab186de37e83a5567a688aa94b67c1767b8da64a48cb0be7034b4a306e60cbf8

SHA512
16505c182169c579cc9e235b93c66b46659f3feccaee269821c8d137702196eaa3a69fae58876e3f3aae5c29c0c95013e57f2fa06b0a81009e4fc75849ae9ed4

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
108KB

MD5
88012d8750b7e48d59cdd7c93a8f5088

SHA1
e01180ddb99526e52e6c19ecddc145e378e7117b

SHA256
fe90e1821760630e38a7eb814b3352f9144d86b6975942355fd24c1d2582d1d1

SHA512
fd4a576f11c6099b507ce1855fb8f7077e5a60073c5bda6539240a3e08da36fa84eab7ff2eaa418dab5738439527c3788f04cffb3987a3247cd6c2ecba423171

Download Submit
C:\Windows\SysWOW64\Pkceffcd.exe

Filesize
108KB

MD5
2a47d3257df8deb44ca876d9e944829d

SHA1
7ef19b6f3f273c3a19bf6f332b46e1e4e81c46d2

SHA256
c97cf0f4b908124ec84789e99a805afd61716bc3153c92ce1ce21c263f21a94a

SHA512
cd9967a19da0b8a1a35854d2e36638221d99d60c2c74cc984d111e405bc2b48e2df635d3dd255632dfa5094b9436ffafd2551c6915ae71b1c58b04a1bc80527e

Download Submit
C:\Windows\SysWOW64\Pkfblfab.exe

Filesize
108KB

MD5
541053132e2928cbdcfb66192b72d971

SHA1
078594335d08c70e85edf9619263fcf0a4e80f5e

SHA256
a0166721071898fc92d2e41451c3843943729d0d9759b53224391f567e1e84b5

SHA512
f42f426373c29db2be5c28c87840cb1d6e3c381c72d37bd423433f3bf91334fdbda9e7776cae912d90ea73940ca11a3876552b2d8f1604808657e827078e0c00

Download Submit
C:\Windows\SysWOW64\Pnfkma32.exe

Filesize
108KB

MD5
e96e0b10eb4579712bd08b61de70c93c

SHA1
17c285528df9fa947ab0a287d0c21f083a43b98a

SHA256
23636b902d66037daf0bee14edeb5ab066c6a69eee3574fe5bc4cd145bb56986

SHA512
03d7264e4c24d7d78a46ef1cff4880d17a93805290ff3099475ccc7ee22fdb1d5c11c51af55e741e7e799a99aade1d68e30098e9320eeb3ac7a264f0f451f1aa

Download Submit
C:\Windows\SysWOW64\Pnihcq32.exe

Filesize
108KB

MD5
0fac99e1c0c7b51aeaccbe0941d7903e

SHA1
9db4c022bbe6443a04198b98cc28e04c8b2b8cf8

SHA256
c7fc226e6f2b1e7ec6389d1295ec51248c9c3446bed6cbbc320868e1922d94a5

SHA512
3ecd23a1661f905fd3f7670599eac3e5848389a9be4890ec9db765f3d0b48b154e56509ab9f6bfed5c311ba96a491545e384c963d3b7f00c069cc4cf373b4bfb

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
108KB

MD5
ce120ca1d5a3ff82c91386bc59c2fbba

SHA1
7a124e7a9f3e305776af5ac377af381f0c6c7863

SHA256
9042c1a5092c87fe070bc2e1a8074f2f94268c6303a5209159ca4e9a710e5546

SHA512
cdfb1e36c95db49c11b5d2442135c7cf1cb5bc0cab34653c862400f6a93bcded24acc695657d5e477c611ebb45dfeddfe556761119a4deeedff3f66b241147e6

Download Submit
C:\Windows\SysWOW64\Pnpemb32.exe

Filesize
108KB

MD5
fa46916b05c6b1181c72a90025d82a08

SHA1
259e942e926fece243bb527a79620a5254950262

SHA256
dcbd528bbe23e5eef1b4c6ff010c27114b6032ef616c2d737498d9c30c9f5c47

SHA512
a290929a55bc5b2a66c986bfee637a0b5056c6bcc1d6fcf9a4f64d672f7ad5cc3bfb260c5fe0738532e8a06ccbfdca65f01c0bd2fd6e12fbfd9771464774f4b1

Download Submit
C:\Windows\SysWOW64\Pqpnombl.exe

Filesize
108KB

MD5
9d033d9821a70360e3961f006313db31

SHA1
c26e0ccfed11e643b56f56213a3ba4031bdbe42a

SHA256
66dee69cf6d6b9f8182da21914d349fb122cbcc25756f2b7b02acc931f53d8ea

SHA512
2c156b9b4d072b6b3e1857d0d6e71ee1a16d276d868bab8db17ff501eee93bb7c916f1350c75771d0e867622a2656f75b682dfc287c9ca2f90db40277f1d68fd

Download Submit
C:\Windows\SysWOW64\Qbgqio32.exe

Filesize
108KB

MD5
482cfcc487861410abea7e8c461cdcad

SHA1
3cd66c1f304dabfdf0c3c50002b5e8fe5b0ef7ec

SHA256
664af665ed53a6b3321e534cabf26ce98cb4c88b3cbfa01ee8720f1d5fce6ad2

SHA512
8ea41f83435ce88d3947fc63721925905ab2bda7adce1ae696f70b8d79e6a7572d0d55917cf823f1c81387addf477a325c4b3284ba28901f2479941a149905b8

Download Submit
C:\Windows\SysWOW64\Qbimoo32.exe

Filesize
108KB

MD5
29208a8af19b2e280cfd4c096cf1393d

SHA1
8ba3e79dfaab45a3f8919b852bdb14edc6287774

SHA256
b95758d0d3e82488b6a531e4bea9997297c952ef0262294d4c1a3b31a2cfde7e

SHA512
1329354152e13beac998c1e2ea91859d4e35d1f8421040255ea9bcdb801d46d209977fe6f1f22ce6890ed8b4c6cd80866f6e9d11a92b14810cb27366c1fcbbe2

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
108KB

MD5
1f736fcf6b487f48ecf713017a618ef4

SHA1
d5be917a6b415eea831dcb9a53a722adcc8ff95c

SHA256
e60dede5c105a57078e9d676a743ee4ab7b5dd1b130084ab6a223783ef1b5da3

SHA512
c6a574c6d39db1885a1038caa66407d76df4cb61acb46504cf1a894cd0107b7d7a2a183fdc723e1565c23460b0621e2e78faf3764b706c2394aeffecb86e21ee

Download Submit
C:\Windows\SysWOW64\Qcepkg32.exe

Filesize
108KB

MD5
c0fca545c8ac420612d347cfc147f247

SHA1
1b5d0bc02588c52015a6c57be2eb878428cd4050

SHA256
e48cfb649d21342a15c7c78d3d657111ed2fe67d9f851a885089727c20f9120b

SHA512
87ab328e3234dbdaf80b2ad48cff28c9f657a41c91c37d7ae0efa2c4a96c9931e194868c1d300e2d60105d01108c80a63d9ff9b8c003b27616d052c48fe044d7

Download Submit
C:\Windows\SysWOW64\Qeemej32.exe

Filesize
108KB

MD5
8ae70a7db427a1b730af76f90d232d1c

SHA1
85934a6008dc7cb3d2d5252fbacbb64252213082

SHA256
261a471673cd017cdeee3182c6a12a3671dacfa9efb1762735811dc8495d96f9

SHA512
8b7e43bee11e1cb704ffce54a73ad9da392889852ff6fb5a5698ff7bf32afdd3aacb2d731e46324da146a6bf71b20a36f36804fac82d48d25415a01dcd0292c8

Download Submit
C:\Windows\SysWOW64\Qgallfcq.exe

Filesize
108KB

MD5
b00845c6aae7faeb4b9d959238d290fd

SHA1
f2fe5ee4250854d8c8dbfdd8fb53f77b262d6fe8

SHA256
d37996a4ffda03942b5688345a8d1530ba18bd426897badf16202043320fa0d9

SHA512
1b381edc56d959286740cb0736f622f7d5f4e30892076ca3acf5924862a84d315a713972517e256eb7eb39346d61809b9f39baadcb2f16ab0eec49f1b132e413

Download Submit
C:\Windows\SysWOW64\Qjbena32.exe

Filesize
108KB

MD5
16984962929d1117f6ec2ab973d74487

SHA1
f89a1be955292afc0e8097bd1406df0aeba113bd

SHA256
4e6ac125a44e97bc2908626f53cb699f8865c37ee999547cd53db3b8628ed727

SHA512
15f5912df97a9d2d09315665a2f173bae3018622ddb37ea20b8fa16554284c0f65e5da63321dc3ef788ef073ac5d04139e92e45aef5fcbd7a01d44f72a8d59d6

Download Submit
memory/512-431-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/540-483-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/556-495-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/648-296-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/832-453-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/876-465-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/968-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1056-2145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1192-411-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1252-530-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1292-537-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1364-2350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1364-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1376-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1376-582-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1504-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1504-620-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1584-459-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-588-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1600-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1664-627-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1696-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1696-595-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1848-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1876-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1876-2394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1892-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1972-626-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1972-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2152-272-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-567-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-548-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2212-503-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2212-2288-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-2345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-2364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2544-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-343-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2596-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2724-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2864-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2880-384-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2880-2330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2904-543-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2904-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3124-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3180-576-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3344-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3344-536-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3488-589-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3632-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3644-518-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3684-378-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3848-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3928-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3940-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3940-569-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4016-613-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4016-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4216-2270-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4228-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4292-471-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4308-516-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4320-614-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4324-254-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4360-570-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4384-401-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4408-524-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4452-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4452-550-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4480-349-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-425-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4500-633-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4500-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4508-446-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4516-361-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4528-2144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4640-335-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4656-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4656-557-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4736-607-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4736-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4756-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4760-477-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-265-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4864-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4864-639-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4932-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4996-2419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4996-601-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4996-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5024-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5032-493-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5032-2294-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-2351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5056-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5100-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5168-2128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5232-2120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5296-2236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5328-2189-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5372-2186-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5456-2185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5544-2216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5712-2152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6104-2198-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6208-2104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6248-2102-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6460-2046-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6584-1986-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6732-1991-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6788-2036-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6916-2068-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/7108-2026-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/7148-1990-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/7156-2056-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/7296-1976-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/7332-1926-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/7560-1963-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/7588-1918-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/7808-1951-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/7908-1908-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/8120-1936-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/8164-1934-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads