c2d4b056ac54b4978ba70a5065aeecf998eeeea5dd171e8435925d4870aa7910

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a89c9c29d7c12960fbdace4a2773360_NeikiAnalytics.exe
Size

336KB
MD5

1a89c9c29d7c12960fbdace4a2773360
SHA1

7ed4109c65ddccc4a07cfabf09e0721a1f8eb12e
SHA256

c2d4b056ac54b4978ba70a5065aeecf998eeeea5dd171e8435925d4870aa7910
SHA512

d1d12ea97467d9d4d17f9fac70237a7663a8d7e701ce79a09bff30123d1d648d58e4dc7369272eb620cce533d1b6c684e6e3e0b9c308cb8e22d6b3c12a9628f7
SSDEEP

6144:uzLJGpjYBgKoHbD5W3glbGFIasUDsIjost0A25evOloWgRLereLVmhgoBlaNxn:uzLQjYBvaH5W3ybwwUb6ls2oWdeVoon

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilidbbgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chbnia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iicbehnq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cddecc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foabofnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmcojh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eleiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flnlhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifgbnlmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pghieg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnkdhpjn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfblfab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdiooblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceoibflm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbpgbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajjli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcfqfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieolehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okhfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkmlofol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Conclk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fljcmlfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckjacjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dccbbhld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eapedd32.exe

Executes dropped EXE 64 IoCs

pid	Process
3876	Ncnadk32.exe
2472	Ojhiqefo.exe
1904	Okhfjh32.exe
2240	Obangb32.exe
2964	Oqgkhnjf.exe
4652	Onklabip.exe
4724	Ogcpjhoq.exe
4824	Obidhaog.exe
4196	Pjdilcla.exe
4088	Pghieg32.exe
1660	Pqpnombl.exe
3508	Pkfblfab.exe
3968	Pkhoae32.exe
3228	Pkjlge32.exe
4984	Pagdol32.exe
2168	Qnkdhpjn.exe
4076	Qjbena32.exe
4936	Alabgd32.exe
2448	Acmflf32.exe
3244	Aelcfilb.exe
4092	Ajiknpjj.exe
1516	Adapgfqj.exe
3080	Aaepqjpd.exe
3596	Adcmmeog.exe
5104	Bdfibe32.exe
4528	Bajjli32.exe
3036	Blpnib32.exe
4948	Behbag32.exe
2236	Baocghgi.exe
3120	Bdmpcdfm.exe
3064	Blfdia32.exe
1148	Ceoibflm.exe
2352	Cliaoq32.exe
4164	Cafigg32.exe
8	Cddecc32.exe
4596	Cbefaj32.exe
776	Cecbmf32.exe
3984	Chbnia32.exe
548	Colffknh.exe
4400	Cdiooblp.exe
4420	Ckcgkldl.exe
4440	Conclk32.exe
4772	Chghdqbf.exe
2256	Ckedalaj.exe
3824	Dekhneap.exe
3360	Dhidjpqc.exe
4760	Daaicfgd.exe
3068	Dhkapp32.exe
2012	Dkjmlk32.exe
3868	Dadeieea.exe
4876	Dlijfneg.exe
3808	Dccbbhld.exe
3424	Dddojq32.exe
756	Dllfkn32.exe
408	Dojcgi32.exe
400	Ddgkpp32.exe
2016	Dlncan32.exe
1748	Eefhjc32.exe
4568	Elppfmoo.exe
1604	Eoolbinc.exe
4360	Edkdkplj.exe
2652	Ekemhj32.exe
1992	Eapedd32.exe
2700	Eleiam32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cibifp32.dll	Hoiafcic.exe
File opened for modification	C:\Windows\SysWOW64\Megdccmb.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bdfibe32.exe	Adcmmeog.exe
File created	C:\Windows\SysWOW64\Ibjjhn32.exe	Ipknlb32.exe
File created	C:\Windows\SysWOW64\Jmpgldhg.exe	Jbjcolha.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Chghdqbf.exe	Conclk32.exe
File created	C:\Windows\SysWOW64\Ecandfpd.exe	Ehljfnpn.exe
File created	C:\Windows\SysWOW64\Flqimk32.exe	Ffgqqaip.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Ncnadk32.exe	1a89c9c29d7c12960fbdace4a2773360_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Gfbploob.exe	Gkmlofol.exe
File created	C:\Windows\SysWOW64\Iccbgbmg.dll	Ifgbnlmj.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Eleiam32.exe	Eapedd32.exe
File created	C:\Windows\SysWOW64\Kpihae32.dll	Gdhmnlcj.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Gfpcgpae.exe	Gcagkdba.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Pkfblfab.exe	Pqpnombl.exe
File opened for modification	C:\Windows\SysWOW64\Ckcgkldl.exe	Cdiooblp.exe
File opened for modification	C:\Windows\SysWOW64\Fhjfhl32.exe	Foabofnn.exe
File opened for modification	C:\Windows\SysWOW64\Ilidbbgl.exe	Ieolehop.exe
File opened for modification	C:\Windows\SysWOW64\Jeaikh32.exe	Icplcpgo.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Pkjlge32.exe	Pkhoae32.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Hcbpab32.exe	Hkkhqd32.exe
File created	C:\Windows\SysWOW64\Ghlcnk32.exe	Gododflk.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Hbcbgk32.dll	Eoolbinc.exe
File created	C:\Windows\SysWOW64\Ddgkpp32.exe	Dojcgi32.exe
File created	C:\Windows\SysWOW64\Fcckif32.exe	Fljcmlfd.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bdfibe32.exe	Adcmmeog.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Pldhcm32.dll	Hfcicmqp.exe
File created	C:\Windows\SysWOW64\Hfgefhai.dll	Hmcojh32.exe
File opened for modification	C:\Windows\SysWOW64\Iicbehnq.exe	Ibjjhn32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ckafhlkg.dll	Dccbbhld.exe
File created	C:\Windows\SysWOW64\Gfgkmfoj.dll	Ghlcnk32.exe
File opened for modification	C:\Windows\SysWOW64\Jeklag32.exe	Jcioiood.exe
File created	C:\Windows\SysWOW64\Ljodkeij.dll	Llemdo32.exe
File created	C:\Windows\SysWOW64\Kcdgbkil.dll	Lenamdem.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pkjlge32.exe	Pkhoae32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Mjhmqf32.dll	Heapdjlp.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Fllpbldb.exe	Fcckif32.exe
File created	C:\Windows\SysWOW64\Oggacefk.dll	Ffgqqaip.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Jbllbm32.dll	Pghieg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7480	6924	WerFault.exe	353

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipenkiei.dll"	Dadeieea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkmacoj.dll"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1a89c9c29d7c12960fbdace4a2773360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdphnlp.dll"	Hkkhqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnkdhpjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adapgfqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jeklag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkjmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgpfak.dll"	Jmknaell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcfhof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihdea32.dll"	Eefhjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iicbehnq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eoolbinc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aelcfilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fllpbldb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cliaoq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fljcmlfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okhfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flioncbc.dll"	Dkjmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkjmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhclbphg.dll"	Flqimk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iicbehnq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghlcnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adapgfqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baocghgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnhahj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 3876	4888	1a89c9c29d7c12960fbdace4a2773360_NeikiAnalytics.exe	81
PID 4888 wrote to memory of 3876	4888	1a89c9c29d7c12960fbdace4a2773360_NeikiAnalytics.exe	81
PID 4888 wrote to memory of 3876	4888	1a89c9c29d7c12960fbdace4a2773360_NeikiAnalytics.exe	81
PID 3876 wrote to memory of 2472	3876	Ncnadk32.exe	82
PID 3876 wrote to memory of 2472	3876	Ncnadk32.exe	82
PID 3876 wrote to memory of 2472	3876	Ncnadk32.exe	82
PID 2472 wrote to memory of 1904	2472	Ojhiqefo.exe	83
PID 2472 wrote to memory of 1904	2472	Ojhiqefo.exe	83
PID 2472 wrote to memory of 1904	2472	Ojhiqefo.exe	83
PID 1904 wrote to memory of 2240	1904	Okhfjh32.exe	84
PID 1904 wrote to memory of 2240	1904	Okhfjh32.exe	84
PID 1904 wrote to memory of 2240	1904	Okhfjh32.exe	84
PID 2240 wrote to memory of 2964	2240	Obangb32.exe	85
PID 2240 wrote to memory of 2964	2240	Obangb32.exe	85
PID 2240 wrote to memory of 2964	2240	Obangb32.exe	85
PID 2964 wrote to memory of 4652	2964	Oqgkhnjf.exe	86
PID 2964 wrote to memory of 4652	2964	Oqgkhnjf.exe	86
PID 2964 wrote to memory of 4652	2964	Oqgkhnjf.exe	86
PID 4652 wrote to memory of 4724	4652	Onklabip.exe	87
PID 4652 wrote to memory of 4724	4652	Onklabip.exe	87
PID 4652 wrote to memory of 4724	4652	Onklabip.exe	87
PID 4724 wrote to memory of 4824	4724	Ogcpjhoq.exe	88
PID 4724 wrote to memory of 4824	4724	Ogcpjhoq.exe	88
PID 4724 wrote to memory of 4824	4724	Ogcpjhoq.exe	88
PID 4824 wrote to memory of 4196	4824	Obidhaog.exe	89
PID 4824 wrote to memory of 4196	4824	Obidhaog.exe	89
PID 4824 wrote to memory of 4196	4824	Obidhaog.exe	89
PID 4196 wrote to memory of 4088	4196	Pjdilcla.exe	90
PID 4196 wrote to memory of 4088	4196	Pjdilcla.exe	90
PID 4196 wrote to memory of 4088	4196	Pjdilcla.exe	90
PID 4088 wrote to memory of 1660	4088	Pghieg32.exe	91
PID 4088 wrote to memory of 1660	4088	Pghieg32.exe	91
PID 4088 wrote to memory of 1660	4088	Pghieg32.exe	91
PID 1660 wrote to memory of 3508	1660	Pqpnombl.exe	92
PID 1660 wrote to memory of 3508	1660	Pqpnombl.exe	92
PID 1660 wrote to memory of 3508	1660	Pqpnombl.exe	92
PID 3508 wrote to memory of 3968	3508	Pkfblfab.exe	93
PID 3508 wrote to memory of 3968	3508	Pkfblfab.exe	93
PID 3508 wrote to memory of 3968	3508	Pkfblfab.exe	93
PID 3968 wrote to memory of 3228	3968	Pkhoae32.exe	94
PID 3968 wrote to memory of 3228	3968	Pkhoae32.exe	94
PID 3968 wrote to memory of 3228	3968	Pkhoae32.exe	94
PID 3228 wrote to memory of 4984	3228	Pkjlge32.exe	95
PID 3228 wrote to memory of 4984	3228	Pkjlge32.exe	95
PID 3228 wrote to memory of 4984	3228	Pkjlge32.exe	95
PID 4984 wrote to memory of 2168	4984	Pagdol32.exe	96
PID 4984 wrote to memory of 2168	4984	Pagdol32.exe	96
PID 4984 wrote to memory of 2168	4984	Pagdol32.exe	96
PID 2168 wrote to memory of 4076	2168	Qnkdhpjn.exe	97
PID 2168 wrote to memory of 4076	2168	Qnkdhpjn.exe	97
PID 2168 wrote to memory of 4076	2168	Qnkdhpjn.exe	97
PID 4076 wrote to memory of 4936	4076	Qjbena32.exe	98
PID 4076 wrote to memory of 4936	4076	Qjbena32.exe	98
PID 4076 wrote to memory of 4936	4076	Qjbena32.exe	98
PID 4936 wrote to memory of 2448	4936	Alabgd32.exe	99
PID 4936 wrote to memory of 2448	4936	Alabgd32.exe	99
PID 4936 wrote to memory of 2448	4936	Alabgd32.exe	99
PID 2448 wrote to memory of 3244	2448	Acmflf32.exe	100
PID 2448 wrote to memory of 3244	2448	Acmflf32.exe	100
PID 2448 wrote to memory of 3244	2448	Acmflf32.exe	100
PID 3244 wrote to memory of 4092	3244	Aelcfilb.exe	101
PID 3244 wrote to memory of 4092	3244	Aelcfilb.exe	101
PID 3244 wrote to memory of 4092	3244	Aelcfilb.exe	101
PID 4092 wrote to memory of 1516	4092	Ajiknpjj.exe	102

C:\Users\Admin\AppData\Local\Temp\1a89c9c29d7c12960fbdace4a2773360_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1a89c9c29d7c12960fbdace4a2773360_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SysWOW64\Ncnadk32.exe
  C:\Windows\system32\Ncnadk32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\Ojhiqefo.exe
    C:\Windows\system32\Ojhiqefo.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\Okhfjh32.exe
      C:\Windows\system32\Okhfjh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\SysWOW64\Obangb32.exe
        
        C:\Windows\system32\Obangb32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\SysWOW64\Oqgkhnjf.exe
        
        C:\Windows\system32\Oqgkhnjf.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Onklabip.exe
        
        C:\Windows\system32\Onklabip.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Ogcpjhoq.exe
        
        C:\Windows\system32\Ogcpjhoq.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Obidhaog.exe
        
        C:\Windows\system32\Obidhaog.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Pjdilcla.exe
        
        C:\Windows\system32\Pjdilcla.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Pghieg32.exe
        
        C:\Windows\system32\Pghieg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Pqpnombl.exe
        
        C:\Windows\system32\Pqpnombl.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Pkfblfab.exe
        
        C:\Windows\system32\Pkfblfab.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Pkhoae32.exe
        
        C:\Windows\system32\Pkhoae32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Pkjlge32.exe
        
        C:\Windows\system32\Pkjlge32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Pagdol32.exe
        
        C:\Windows\system32\Pagdol32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Qjbena32.exe
        
        C:\Windows\system32\Qjbena32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Alabgd32.exe
        
        C:\Windows\system32\Alabgd32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Acmflf32.exe
        
        C:\Windows\system32\Acmflf32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Aelcfilb.exe
        
        C:\Windows\system32\Aelcfilb.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Aaepqjpd.exe
        
        C:\Windows\system32\Aaepqjpd.exe
        24⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\Bdfibe32.exe
        
        C:\Windows\system32\Bdfibe32.exe
        26⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Blpnib32.exe
        
        C:\Windows\system32\Blpnib32.exe
        28⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\Behbag32.exe
        
        C:\Windows\system32\Behbag32.exe
        29⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        31⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        32⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Cafigg32.exe
        
        C:\Windows\system32\Cafigg32.exe
        35⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        37⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        38⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        40⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Ckcgkldl.exe
        
        C:\Windows\system32\Ckcgkldl.exe
        42⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        44⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        45⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        46⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\Dhidjpqc.exe
        
        C:\Windows\system32\Dhidjpqc.exe
        47⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        48⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        49⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        52⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        54⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        55⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        57⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Dlncan32.exe
        
        C:\Windows\system32\Dlncan32.exe
        58⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        60⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        62⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        63⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        66⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        67⤵
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        68⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        69⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:424
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        72⤵
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        73⤵
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1752
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        75⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        76⤵
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        77⤵
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        78⤵
        
        PID:940
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        80⤵
        
        PID:512
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        81⤵
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        83⤵
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        84⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        86⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3032
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        88⤵
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        89⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        90⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        91⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4300
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        93⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1596
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        96⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        97⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        98⤵
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        100⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4364
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        102⤵
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        103⤵
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        104⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        105⤵
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        106⤵
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        108⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        110⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        111⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        112⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        113⤵
        
        PID:736
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        114⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3932
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        117⤵
        Drops file in System32 directory
        
        PID:3816
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        118⤵
        
        PID:632
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        119⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        120⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3016
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        122⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        123⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        124⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        125⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        128⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        129⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        130⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        131⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        132⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        133⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        134⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        135⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        136⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        137⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        139⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        140⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        142⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        143⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        144⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        146⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        147⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        148⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        154⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        155⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        156⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4292
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        158⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        159⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        160⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        161⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        163⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        164⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        165⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        166⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        167⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        168⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3152
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        170⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        171⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        172⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        173⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        174⤵
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        176⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        177⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        180⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        181⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        183⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        184⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        185⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        187⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6260
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        189⤵
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6344
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        191⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        194⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6564
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        196⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        197⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        198⤵
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        200⤵
        Drops file in System32 directory
        
        PID:6776
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6816
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        202⤵
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        203⤵
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        204⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        206⤵
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        207⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        209⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        210⤵
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        211⤵
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6408
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        214⤵
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        215⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        216⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6688
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        218⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        219⤵
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        221⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        222⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        223⤵
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        224⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6252
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        226⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        227⤵
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        228⤵
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        229⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        230⤵
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        231⤵
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        232⤵
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        233⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        235⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        236⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        237⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        238⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        239⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        240⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        241⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        242⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7000
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        244⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        245⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        246⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        247⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        248⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6468
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        249⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        250⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        251⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        252⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7364
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        254⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        255⤵
        Modifies registry class
        
        PID:7456
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7500
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        257⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        258⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7632
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7680
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        261⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7764
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7808
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        264⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        265⤵
        Drops file in System32 directory
        
        PID:7904
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        266⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7948
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        267⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        268⤵
        Modifies registry class
        
        PID:8036
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8080
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        270⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        271⤵
        Modifies registry class
        
        PID:8164
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7188
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        273⤵
        Modifies registry class
        
        PID:7264
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        274⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 420
        275⤵
        Program crash
        
        PID:7480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6924 -ip 6924
1⤵
PID:7424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
336KB

MD5
235a30d8d41dfb5dd67e7ec1bcf275fd

SHA1
ad9d78f61136ceeace2b462b3bcac028abeb5814

SHA256
481957b03a4524ecbad2242672add9aafe73f99ffe07e8329d8c05b9d0a2412f

SHA512
98cfd80b0cd239e5e0682297b5717128755d4da6abdec84e4893569028817c93aaa58ed2b57151e6986aebd1e2db7770baa0b35d968febbe9b1302d4c8968b3b

Download Submit
C:\Windows\SysWOW64\Aaepqjpd.exe

Filesize
336KB

MD5
557333cf544f882715ee1af133e5d6e3

SHA1
8977c6e14d52a92d1a6a48b3f6549178d49a49fd

SHA256
ce7366e33cd9e10020266702569515baf56358b279fc9883fab404bbbfaf5d71

SHA512
957ab24dbb3550aef8391a7f05f22c6be3332f093210b5e5f386ca854105c81475a61365bcd3a08422460f10d1243ad133cf2c45a605e73e76493b5b148bd32d

Download Submit
C:\Windows\SysWOW64\Acmflf32.exe

Filesize
336KB

MD5
426e3f196b51c44c8409b0237fa0ebcd

SHA1
e1927c5301721846a69160b1c3cc154d3bb024b7

SHA256
96c7d3185768bb3c2c741ade0f424d32b7047127f98ef933a6b5196d3d0b0b44

SHA512
8899baa2e0f8df83ea7ec43767c6eb9e9859ffd074a83ab4f95cacfb2833c444f23af3fd2706f6973c6cfa8464688af05c46e47f1beed89d3f4f61cbacd30024

Download Submit
C:\Windows\SysWOW64\Adapgfqj.exe

Filesize
336KB

MD5
628142f3d92963e18306e161254be278

SHA1
8338679774bf5cea48ebd6bd527d222974b0992c

SHA256
d4dd827422b86963935ca54ce77f10caa3bb04b4d94a9305c1e206a6328a48f1

SHA512
e3354f38d72d17c7d05a15474f787212dc4892ee567d63e239094e7d30a496749e0e9a8c712973bb3a5353db5862027516ab589385caf27e93c6d1a67464579d

Download Submit
C:\Windows\SysWOW64\Adcmmeog.exe

Filesize
336KB

MD5
b58648a98e2fe56910a45a5479ee4795

SHA1
7601fa994aa930f3a0192f111b1f62a87cfc54df

SHA256
57d5d22a576efbca5c109f0cb470f3e5bd6a5259b97c62a094dbafee749710a5

SHA512
c65a455c4f22883e3ac4d63b741b7752c6ad35c3d8f7494b0970bc13d76809249bfc5084e9b818af5f0ff4434d52541e5cf818b0cf03494fe8fa7f667e4a64f8

Download Submit
C:\Windows\SysWOW64\Aelcfilb.exe

Filesize
336KB

MD5
7ccd92b31210a987a17fbe6e5504be29

SHA1
579160b83e46aceb829a14bb34369f0febe0a051

SHA256
3d86126fe190e75705fd1b0db5ce9ed49ca81b173f50942b27f31fd85894c987

SHA512
5e2f6906c3095c8d8b40671988111c7c227c29c168f50e3474d119d8f21a61b27fbf21ddef83d3e10c3730c532e354b19dbbc5ff7cfc482e819684884d14e978

Download Submit
C:\Windows\SysWOW64\Ajiknpjj.exe

Filesize
336KB

MD5
945ae4c07a6002722104eedd0358f9c4

SHA1
ff7724de9d2b543d8b16808ff52190adfbd79294

SHA256
ec2c4c7d4c8ef25ced8640393b476df4137ef3f3deeec1e6d8898883003bbe8f

SHA512
069d26844e6d8d6a13b6eb38b3d398acf57ce7d722f43d2ac19843fe807046b73a9d88ea451a3d266ba1339591d00e19d44b5d2ef35456f0b668252e3242ef46

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
336KB

MD5
d54314a4ccaf9006c36c5a5e43b81caf

SHA1
c61234734ee9b55248c271d9197d26e29559e00b

SHA256
fcbb3568dc685f3d554297200e0580b115aa6100ab1a7c7f0d6f30fd1ee8d749

SHA512
2c90099be12c28d5ace79d04f088ea44b075d8c844186e50ed406e5ae63c57b1f01fbe0a2e2ee7790af027f86a5d1d8c33ada5b4337a237da5bfb79e46a2802e

Download Submit
C:\Windows\SysWOW64\Alabgd32.exe

Filesize
336KB

MD5
679b12f6a653a4b389790beda4d9798b

SHA1
964b0c13c453070550f3dc6972620de70bd98c53

SHA256
d7c1c5a4bf73d7a4dd48278a3c0aa8de67b59875d9456f4d4c6536131cd5fd9b

SHA512
8e9777824cddce2526e82c0dd1af48cd1f5c47e973444c9de2aec44cfca47899c522c3cd35960f2f0e1a0be691df3e72a047ee655d53836f180fb5047a88cb7e

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
336KB

MD5
b34d2b3febe2fa05490bc45565b72a4f

SHA1
40b4001b278a1aff474f88c996bfe455b105f649

SHA256
0a3ea09a5a20665335a0b0bd47c461ca555e1f9ef7e7103967c640684eb0c2c8

SHA512
79c8f975d23093e2ba83843ed5c0fe8a2b717a43c49ae5ef5c52a6552a71018cf2af7081f558415f0414344902f7558746bb6455f301afbdb5d246690042e9c7

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
336KB

MD5
58c80984303c70ff1304d6be262b4c09

SHA1
6770575c2fafd671b311181e31c007d40af5e80b

SHA256
709c245da249dc0c3776febb04ca8d7a77dd78f0e6446c2fbc0875425004f99a

SHA512
1a7fb0a6e92320d538733f4c19d5af51acc23e29fc893300a832074f8991b3636f4e39c81b12bf5f0ae7c9da034536419c1a65c0ffc314c6ac8b59b08340f49d

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
336KB

MD5
75c4d9664c1369a2bf07e88f9eeca1ee

SHA1
d1f427ae4cf366b3ec9cc6927b972f129148b2db

SHA256
44bf19d63f600d5666a8ea57b1c5889ac3171fd95a6a325acaff983541f1276d

SHA512
2a16317f955b29cbd57d0abf233d087652ed8f70fc159a544ec8cec1238b772ca21108a7461724af178a965a6764d402d4ca494023566d5ddb6021a6f2ed4ac8

Download Submit
C:\Windows\SysWOW64\Bajjli32.exe

Filesize
336KB

MD5
476425b59da6d865dd4e31b2bcced3d9

SHA1
deca1ee8d9903c706fb62c006fff7135977251c7

SHA256
74f2e8fa0a25bd3e122cdcf559b57d6606780d172851726a142c4bba67ef30d3

SHA512
930a4b12bdd21a166b1f7f7825909e1fc5164cfebd0c097fdb19232dd1050b046fb260350f533d125b935c5f6c88a37613890a0de4ab40379315b8793ddc6d1a

Download Submit
C:\Windows\SysWOW64\Baocghgi.exe

Filesize
336KB

MD5
468624bb7a6fc863d9012af047f12206

SHA1
6f8a0de314f53bd59b58e7a7ae40902f1eac53aa

SHA256
2b107755ad830f0717174fd0583431c0e50d471c2331104c6055a7bbb9f6de74

SHA512
d39b3ebef353712e4665d01d4c256858331bc0749fba08051828831574d7d26f18d47f564b4c5ca6485b76ba4abeb7af5a175771704e2d3ddf867f382815a399

Download Submit
C:\Windows\SysWOW64\Bdfibe32.exe

Filesize
256KB

MD5
b0a5531826d79bab4ecbcd3c392cb0df

SHA1
9ab28433814059dd23c359d28aa18924136ed09a

SHA256
18bf065b32fb6387115570bff5950b5e553e5209c4591549867bbd7b24d5c88c

SHA512
abb4852b33b93ca62e2ffd2c86b106422fadfce6c22035a9ad85be446b86e38e157c2f7e7240ae45f4d7993f9e82f555787bd46cc9c709c96e652619960f3d1c

Download Submit
C:\Windows\SysWOW64\Bdfibe32.exe

Filesize
336KB

MD5
885e9205514dc101858b33a818b0608d

SHA1
e20d71246b7da3b5d3d6086e5527ba99788e3a71

SHA256
bbabf54d4c3b5cc3029b5ff1d0d0f5f5de3cee18d68ac6c8fd7d89ab5bfd2832

SHA512
46e06ad2e6c433d254cd6f7fabb3ded0dd46bf2c0e7c700b04a591216f936a80e95fbfc49ad72b10d6456e1f831879db1a66acba6837f1dc286b628f4fbbc3a0

Download Submit
C:\Windows\SysWOW64\Bdmpcdfm.exe

Filesize
336KB

MD5
32976ea1eaef71593fd36ec90a6cca88

SHA1
d687a668dea0dfbe77d80d98f33bcc042d62c7e0

SHA256
2da15bf9315029e5b61ea6b56e4798b63b6c84d18c203bc04eb5e08be375c5c1

SHA512
0f33c6ef89af554d84afb43778b9e176ce36ac9a4466bd66ce962179dbfbae0dd2ec515aeec8408099550a9db7035550cc484cd58969a28514d0dc120ce81bfe

Download Submit
C:\Windows\SysWOW64\Behbag32.exe

Filesize
336KB

MD5
50cba8d0eaa4ac7bd68a9ad0ed5e2f18

SHA1
f9221ce875b15b2d67487343b2b404a74c5a59b2

SHA256
c1a38e8f4f3f5dbde93bdbc6dddfd60380cfb781eba60bcd4449c34374c68906

SHA512
76e72393cf823326975c3f6230269b43cfab1983bc61781ea96ce6af91385405d7a359bd39f834436c6a6fc3df94c2135b31b2eb4cba376e4ade46e44257b909

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
336KB

MD5
8b13ed508d9a8477ffae3e613867ec06

SHA1
e818736dd65dc5fef332310c8ece6bd12665dd30

SHA256
3b91a09d9b367012306c27c03ab938a82855c1348e9cc3643217eca3532ec66e

SHA512
8e4b126ad73a0016a92ad755ecfed934b87879cba9a11bc77fd00eca48d33a3db3c5f73a42639bbfb58e00c478983568df697f7edcd8400ce553f24c7f9589ec

Download Submit
C:\Windows\SysWOW64\Blfdia32.exe

Filesize
128KB

MD5
c4fe952b37afa74ea508b16b8b7881d4

SHA1
c3ee813f565d821fc2fe15d29bfbf74157cb5e8c

SHA256
c4a93d842eb86e55753f76e3c7cf201218d53663705f75e9dd9c0063d0063a13

SHA512
8e5b26beae55cf7861e6ee78ac31b86a0a50662d2eb2061a6cd312bfe71a6d0de976e6a03274da6e568e9068b7f60c3baa975019cbf7f09344544145f9f0a748

Download Submit
C:\Windows\SysWOW64\Blfdia32.exe

Filesize
336KB

MD5
2d83d90c9be6ac7bb9564ae207a725d4

SHA1
f951f7ffa4f69bd298f1b609d58545b733ee0e38

SHA256
df6db37001d94879f3823db90f835b945acf50c1011843de9c38e49c556c97d8

SHA512
89736f98c34ec5417b402a3bc7c8b447166ab22d26742c4c00acfa086c9416e585e8dc2dff0509928d764d2055dfea88084b281185158835721a275437e5abcc

Download Submit
C:\Windows\SysWOW64\Blpnib32.exe

Filesize
336KB

MD5
a3efe481b19c6260650126e420810ef6

SHA1
a7c89c9c17dd8d7a35e2ef16058d1610d4b6775b

SHA256
1effc902ca7e458fe90766a57a42bac4ed224e15d86f72c6de81d9c9e506ebb6

SHA512
c5cb3945c463009c8393688a69581f015a74fe751086034e1d663d852e0f9cd5e915b1388db831142f558d1a392793540cb94e5ed1488aeac728955a0ba38ead

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
336KB

MD5
4d81dad51cb264efe6e387f1a105e285

SHA1
b0f67b8d2854f376441310e427d45426b5858b7c

SHA256
649d0c5bafb9cf6ab946ac4493b79bcee69531cfaa72335cbbac412a515c9eae

SHA512
1ecb83741cfd6ae0c8da0eff58c6fdb8582f60374149b9437c56e372a6d767848e4cb73c4ba3731846da07acec4dabf033f74a3da21e2cdb2af19419edac365f

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
336KB

MD5
3b249fe4e34e7737ebee2d5e59cf244d

SHA1
5c93ff0688b77faed9ced8bacaef5411d0e0ede6

SHA256
1f2183e532618a7a114aeccd6733c7473ab04cc80157b20f3fdd72ae14e83ff4

SHA512
f71280c233d5738c0d473b58107ec1a5b80a610ccf073a5350565c286965a223fb4356c3517427ef5e1c2aa43c186115beb6e101313e4e6804d25133046b6507

Download Submit
C:\Windows\SysWOW64\Cafigg32.exe

Filesize
336KB

MD5
7087c0002b77723d988bfaec0ab52f32

SHA1
0cd2a3056d6fc6990532da1e25c91feb5c81b09a

SHA256
daa9bfaddfada6b134b2745bc36c8721a9612205e374078ecd869929c33dc2a3

SHA512
30243e6f2b1b7aed499df94b4708022c1172dd7e07b780fb39af3bd13151aad23dc968aa9fc2d2efb7158c7ae7f436025c4cede032f15a200db9829c2c6a61ab

Download Submit
C:\Windows\SysWOW64\Cddecc32.exe

Filesize
336KB

MD5
43fbbf339dad474f3bafa7d517f5d053

SHA1
27d7986a3ab9374a5e05443e17337006d0f38767

SHA256
4c73558765b2d52717c5686a943f7c4befd32fef568a4b496541e7293a20ab24

SHA512
0aa82aa8a79d55c2bb14d5cad8a52f09ad937d8210864551532e00eb13907bf18a1285b40b6408134661cf75ad60ad5bccf33f3bfaf6d07e7f2a4d95ddb21276

Download Submit
C:\Windows\SysWOW64\Ceoibflm.exe

Filesize
336KB

MD5
8517ac370f48fe8003bed045b145a2cf

SHA1
bfa94c2aaa04813646517e4baa1f577c1f13ad27

SHA256
b215bc8f23a4f933aa8eaeab2aade8300d928d56d1698a54561f12d7dc82a753

SHA512
6e5ddb6de0697e5c6e0dd8f37c57f83915f0a026f312ea79041bdff8ba0f100c692edf7b1fea204ee8d0dc2d256e3cf0092c84869161182dffef80c08e7df8bb

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
336KB

MD5
7895c47e8c43f0f30b13134177091c71

SHA1
17923f58fc067ebc4de9d8b333245431a63a3d6b

SHA256
979649c16ea0bcc0955c9145c8e78b85a44c85243dbb6eaa2409f4c55dea4b92

SHA512
941d34009cb01b11661c2632ae97366108282fc048464c010ad985afaac5e71e877d01841d9b4065e4d052f286966bb2dd24502b3a9c9a14c444d0fe355f4af3

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
336KB

MD5
876854594ba71dccb139513d48b7551a

SHA1
1ce52e13b73439a571299f39caff57c92b113f72

SHA256
f96ab8ad9b83ec2bb36b4748a58354a58c851932e0c68ccb1daec3867939f251

SHA512
5d24a4ff1d0c87c1e6874c58924149c6eb0d9ce02f5eb4c7f2017c535cf609c15f459af4952a06bac85fc865ac54f5941f80ddb4bb06d357db911be0bd3541a3

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
336KB

MD5
061259b08b9a28bea898e241a41ccd7c

SHA1
20a4ef02603173f92d0c235e090c173a93e9d095

SHA256
1f2770e9da1ba6b08b373afdb53b38dd145e7fcc8a90fea398e43988b4b56647

SHA512
5c38511390090d0bdbc3cca2e373e155a31faee4f5b147fad0aa94317d23d1ffa480270669b92626479ae02dc3ef14f018c01cd8ab584ce4c53f0974e9c9fa88

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
336KB

MD5
4a58ef4f99e9c30bfe7f4f0bf1641c62

SHA1
9abe284415ad0dde6fe67fb907617ff0af7727ff

SHA256
46758add3451c8d55de0853880a2bbcde5c7c2557c07d922232aa7fa87392763

SHA512
571b1c457b243743f3ed229554e5db71c85c270b372a7e71c37a2a07397961b64685ecefce90badc83814caca2e8b27bbcdb9f76acc9e335768fd00913cd3417

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
336KB

MD5
385f4919c6f4df5c6877b10a41c7dcea

SHA1
9cfe97ecb3534a6ad6cf3a7bc471b64acc683315

SHA256
b2f89b5805feb004ef59e0894f806cc90487fd1f23b5a883a6317df30f07db8c

SHA512
309d84a2fa0e2129bdbc499adfaf77a848de4ecb59ba00ff76128836888cfa1db0d2cb16394c58f84e0bb121a45e7d220293f35b0f58d57d1a75fd7b2b711169

Download Submit
C:\Windows\SysWOW64\Ckedalaj.exe

Filesize
336KB

MD5
6ff0b68dbc20f85a193eb8483e330493

SHA1
3ae495ccb3bc61942268c5475c92307b79e4c159

SHA256
103fbcb9f3d1c279e4b1cfee0c8d7006846376916480d4a7205d37c9f2b4374f

SHA512
5320a9cd632c451822502c0415070a325fdfa10fe5137aaed315d71f5578b7fe9adc26415b13e38d229885223fef87f48f233b8ed820e8018773f29dbb6a9628

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
336KB

MD5
d89c6bf3f8ff45a571702578fd62dfad

SHA1
526bae04899df43335f1f2da1e47d2126ef13112

SHA256
630a6f7fc84cd0bfa582a7f8e8c506fa7d83a7578813cb266ceb94cedffab636

SHA512
d0f04d043cab659c5b887080f059a8059316720637e3ad1e19121beca5305d2d8aa7180a7cf1f4fc2677957d8a726df9c5031a932eec8ebbb526a964df900478

Download Submit
C:\Windows\SysWOW64\Colffknh.exe

Filesize
336KB

MD5
35af5cce9914cc331fa80435af2024a1

SHA1
64d12ec5f45a43034bc24f2f3ddca2feb4954283

SHA256
07b2d97ceedc31b6e35b5c6e852115564637b0ec04387adf2ce0bb3e9970959c

SHA512
14b7c829f6035a33a42663fe8994534aa0568693fa146801751a53a04317304119bdfdeb66457ee54dd9f24ed557fca7029600fb951fb7a6b9b7b3bccf988e0f

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
336KB

MD5
b5ef7175f328abd6e3f988fdc84d3b93

SHA1
ce5cfd79f77d4d6435e524da9764a2e96ee4755c

SHA256
14fa4d7d0013d08278190135e7d0c2bfdc325e214eba4c5457efa29d77dff1de

SHA512
68882c16b11fa69909e7af64f255ae8b8ceb9bf3d33840c54831caea4e96c7679fb0fadacb25cc330c7fed850882ec35a7e7e30e133f42564bacfeb18ec640bb

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
336KB

MD5
0c8eb13700c41bd98fbbcabefecef4e7

SHA1
5798c235758994bdd60b9116dc313b637320dc20

SHA256
382a74ce6b4f8577bbc9f3dbe820eac959821e238147cbfcfd2f879bf15bcd5b

SHA512
de1fe5f9e1afad5882280cff22962ad2776c7e82100f220766fb07587810c33d26d58650a8638ddc4772e6b22f1e264e470a631a2cb615af94b1dc31852204a0

Download Submit
C:\Windows\SysWOW64\Dhidjpqc.exe

Filesize
336KB

MD5
9b96f68ba11de8a04407b740249fa5ba

SHA1
94286080d8ccf2918346e76ee286dd540c76dd60

SHA256
e3e6dd6e1290ce2e940dd2b2563effc828895f6e7b089906603ad29b8498d95e

SHA512
fb51913a7cbcbb61c7a72028c577b977f9e177056950cbf606990f1550cce4efcce942cc3e6c5613e4fca87f429d2bf683d57fddd1f58a6253e96667dd05a089

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
336KB

MD5
3194240571f69449a4ad52c012d1899d

SHA1
e773066c8cbd8fe270a07b17ae8877708fbd6911

SHA256
2e2a2eaab073ae0581b30c40ecf872d61794dd0ea54693d85f66e6bdb8666402

SHA512
03dec7460f5d04d35e725d472b99c7ed075e1f6967332fc02d0925cab6b6fb43d4930927a785193c44ba22e425e81e1b768546d6a681d99f3266bd7ff6bde84e

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
336KB

MD5
d194066d0874067604a679c7a4029713

SHA1
25cd350df75b5440dcca9649ecfa546a18699fd8

SHA256
b49999a941cda3087a3bdccf6a176b0b148e230632a90fdfe97ffd3e671d265c

SHA512
67d930b2584e537b52d9b021b5c43149dd1af6980c9201ab657b7a86b141a64afe750e0519e93893e0c3858e1ac57f2e38055cc33805f42f95f3a5ca1e9fd4e3

Download Submit
C:\Windows\SysWOW64\Dlijfneg.exe

Filesize
336KB

MD5
e171321e9598ffc8746954e5ce2a496d

SHA1
9856bcc93b19c1b0b7c0ea7ec04147a648f38715

SHA256
4a363f5cd283d20265a90612783f93b6ec1ee928500d8e06e4d176aa14144cb1

SHA512
e595c55c525cea2f0041282e20b7a25653bd07303d623e2e1aa49dbf90ad492bb5bfec53363eea213f5f2e711b89c09b33b7806689fd64150cef9992b9b472ed

Download Submit
C:\Windows\SysWOW64\Dlncan32.exe

Filesize
336KB

MD5
09e6e0634ca5ede7e918411c0ff61e4e

SHA1
7e26427343fc032bb0026412996ed5d0786eab2e

SHA256
9a9132debb3c0276f49b2e27bafea0cb0ec198988c243347f4c6d3b851b99c74

SHA512
8794dde3e8f3514d099782ea8eefaaebcda4ba5843aef37824f8f0645e34e361294f45eede5c92b5defe3a82eab796de7025ed8a91379f4ed457a1dd139c11e7

Download Submit
C:\Windows\SysWOW64\Eapedd32.exe

Filesize
336KB

MD5
4fa4f76ddc47b7d7ff9beefc8dd66bb0

SHA1
3d4a7f11204cc3883ca4a89dd21a51ed5ab7efaa

SHA256
0d94752563c35b645a0b5ff656d44bf50fd5f7bfd017258832b4488335c4408f

SHA512
90211dc98642fff03b0c585a9662a475869fb79ea531f0dff7423b3c458d3dd64bcb540c186d2563c91054668784e448dcaeafe0c6fde1de79e952fbd4ae3361

Download Submit
C:\Windows\SysWOW64\Ehljfnpn.exe

Filesize
336KB

MD5
b23193a92e3a31f2c729526f73ef0ebb

SHA1
4a434c7a214208747819259fcdc131dc6d99c26d

SHA256
3bf7fe7a500e693267b15c4ea9f02a552b2cae198428f1a89272ae117ed2caf2

SHA512
31eecd208d89dac88558f4e1d8a1c2105b013d6ccaaa5dc8242dc00403c66e676128404384c8853276a940318ed6c59fc1e0f5e1788e051246b64dcb329003e7

Download Submit
C:\Windows\SysWOW64\Fhjfhl32.exe

Filesize
336KB

MD5
60612eb3615aeaddfa68641e5bd0b51c

SHA1
d11d4cb901da63385323e698dfdc65a35a2a32b1

SHA256
f6d4f9a7dd4479e3b3bed0e4841a8e4b3055bae94aa3ad662784cc28ca88b3bf

SHA512
6b4641b96a764bdc180e3dd2be028e587789426fc800e10d9a7c444eb83f542dbec676ab531bd9badbbb32ad6620e8764c19690676c4401f2a669efc11c8e670

Download Submit
C:\Windows\SysWOW64\Fllpbldb.exe

Filesize
336KB

MD5
ebc6a6e67a4762576ba104146e9613a9

SHA1
e7bbd0575d92834d07451f498976a703100de0c2

SHA256
d3792317972e34bbd1f6d924b26053b20276d9985905f1407469309a54372381

SHA512
564c528a786b01cd033482029c2e9897a04fd8ddcc4391fb440ffb281e5b262c1f5c5338335f175ad972c5eaf905a1fb076f29c56c2e3716121de729146b51e9

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
336KB

MD5
eb5b21b0fe65f81155c376d1f1642a5b

SHA1
2afb0cce421c20c363310d2372ed6004f172f2b4

SHA256
040ff7bacd3dc7470716ae3d6875a57326e4e71e0f42ee20fef2318e2877930b

SHA512
052d4f236b041ab9ecc73681f9eb1ab97dbf9a0873793552e2a0880359132bf8f2599fcc4663461a17b1840e197e0f15c34147ce0fea63d28b3e00ce6387d76f

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
336KB

MD5
9ec9c817ca34ea9e47358d931e0f8d54

SHA1
7f4d471c5eae299025eb235b301b4d78fd888dfa

SHA256
229bb9d562b564cb0e67fcd2c7071ca18d8e8b979dc6f5a9ec2e5c556b3d6d8d

SHA512
13c8525480634cd61c5aeb134bdf4d925886d8c8e15b1d027728b62bab0694bfe5e82d3aa63d69048d11a35bad0c3abafec8b750433ee70c640503715b40b1f5

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
336KB

MD5
e1f174a7652f269e3af9a75d8a6dd2ef

SHA1
b48147e7ed768650a787edb879b5c91151729f71

SHA256
0d24fb1bd17f18b08c0192d9c4ed3f19a6a3f4f3212da56653634bb1a19e4883

SHA512
f67aa4b273f3765e6bb178814bab169cb4c2c23a33c4bf794f77991889fc7d278077aca4a513e133df1631a7d412f866dfae81c9be522c6497cca9fafd580845

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
336KB

MD5
3126793e13e4bd3340676a5ba7ab36a2

SHA1
b40ca9e6f738b86e998ab7788d7391cef8b42c95

SHA256
7a97eb1f72617c1b52a720b9b45ee25bbe87f9b5e9ff88876bb5f2eb7b2008d9

SHA512
19cf3a31b058daad95351aa7075f1dac84046e67e15a5592abb7a448ce6ff46008b2ea131d0391d0b4621973d4905933574b437554597f9959f89314230e6b34

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
336KB

MD5
90e2409a3834fa662e68fe21b72c3eb0

SHA1
fb93c7173e51bfbc2f4da7ca5937a7e7446c3573

SHA256
3cf5cf905bf63ab3e0de3fb2d32bd3eeca7b7216ce6e5fd251e034d2f64dc75a

SHA512
f6a9c19b5f76aae313da0c88d9db0fb62898dceda1eb43e29ac95cd44a76fc94c62b1558f5f5779a37998f9e3a085c15573a3f1ddd769b3adeb14f4cc7e24055

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
336KB

MD5
26fef721007d3f9e1d1cb0161dfda1b8

SHA1
ce9593ec6172052890d091e4f72f7b03bbb9c8d4

SHA256
521ff1fab538767909857dd5379d5391dd29c9cdb3bb4550f114e0d43d0d3060

SHA512
c51d259df2c5113948e4c95d71ae26ee0b9fed4968e1a1bfd5e417f973ec274bb475ec0789d78c62395421bc723c4ceb1bd876eff9d4d6f4454b2a429345233d

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
336KB

MD5
f03dbf62c99b60d7d1ba62d8e65dfd46

SHA1
d33614a54f9cace09b34067cde81c82bad21fcee

SHA256
dfa0692d2a9090d92fd69c639258f9932c7efcada4e56504dcf75f9a2102a367

SHA512
a3f53bf74720778a13febcac93ba308b5bd006423902bc69f669592ecc6c7653fc84d6a3e5f560e6b5a29dfb278012344b706eee603d489c8328b35eea97d9c5

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
336KB

MD5
ee9601771d51d54fdc4528f88f3bf338

SHA1
65ad65fdddc6a8d0dc200bf7666254f0b36eb2e7

SHA256
7b0c9558bc7054aa9204a0b7266132f1f6add466729399e91061f957a773aef8

SHA512
b97e34a548c16d0fcb17ae2e86be5562631144199f01dd7201ed1b8d0764a112fbe6b0ce00091f9cc7a1451e381d8778f613e945801b19cc48c0e333625aac38

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
336KB

MD5
864afd6c31e72c4ac446ef18e31a645f

SHA1
c14a4eada852fe7d809c2bd558eff14ddc85805e

SHA256
b309678c9c0033996d45dd69cc4581edab5f542009d1c90e0a469ff5570c2b37

SHA512
781c407d12f3e98467cb1513c30cd87dd32ab635e76c718749e85aa8c1bdd7f5c12d414288d91bfe65eeb55cae2df93cd43727702f6b20d3403bc08d875d5246

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
336KB

MD5
f1b43bc503b0a42bf15cb8fb31ab3785

SHA1
85fba288f8673aee73a7fd9ee47c1530e9f7cd1a

SHA256
39348ff36b6b64be9933e6e96c5fe954a3dd8a500737895ae9520596b765c50e

SHA512
4e4c330de915955e63b18ed373224684bea060eb0595442f4cb61a6751b9a5df5bbcd87c62b2be578ba51f9b7ce6cbe2f4d9d2210e7c6befec05fa3859cd6643

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
336KB

MD5
12466bbb19d3f3696ae6fc7f4711afa6

SHA1
1670d2e164726bf14379e53288ef6b758a52ef76

SHA256
2cb5b09e240af4aeaf8c7fe756d2319d84c551fd5c7872b426ec886bfcaff9fc

SHA512
106f1b6ab5f8892d103ddfb206f613f443e255c6bcf623dd0ae6a5d694962086492dce5d553a9cba6d779ef5ad1acf742a850d34058da9773f368ba20e8c743e

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
336KB

MD5
a94891f14f9be1fdf305ee0fd6085287

SHA1
fb621e1ba91268c0a6854585a2b3023d283c12c9

SHA256
2759b63134eb7456be1c3690836265b9e8e57c6ed70f47a0ae8011454039c31f

SHA512
6a6d85e90168a18e596e340ac8eec6979c2970e07d6d99126c6a14bc3f371d30ecafce5954d20b5bccd3f0effaf92eed8d7f84ace02373cc9db8f26168ef499e

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
336KB

MD5
8dd6c1173c3548880746dbb6ded42b0c

SHA1
49e1b2992b40dae4a5c1b2df32b09d686b3f75a0

SHA256
ea0ee3d972edc0ce51fc86cb79a730a6abe8f6140f5a99331f274f0fe2dca6f7

SHA512
2b206bdd9a68fbe19877108e3de85fa7246d5b33ecbafef1d41a0a1fb9eb7cc0087bc9f47b1bb82e305edf381258547238e2f894de769a9ea3a561bf1ca96b3f

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
336KB

MD5
834ebf414f7dcfbba877229441b2dcaa

SHA1
38fd069a7c54d91063acf47739467d5d93dba795

SHA256
4c1f0a6990834f14b9464b5d88d6a35e5622fbba4efaf1d84a8c44cff92782d1

SHA512
5ef6e0db64521f69fd9c9b5030185cbd53dede242847d116e1e30ee990bd4041795dc1f4b01d3d93cf7e98c491ed036a3914d3ff0652da299772666619cb7114

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
336KB

MD5
7ce2df1627673fe12941c56b66b79cb1

SHA1
0f803bf2c643dd3eaca42f1c1e46f0317cceb88f

SHA256
73a9bad86a187733866f23e7a00b1c031573778b5f9936336a0eb75a006feb72

SHA512
8cbb1889df382dca5496f3867d92deb08429b2eaa6e6233d80a3a95bf3647b4c355ab9671812335f5cdb8b5b4974971a073669906dc872fe08992f126127844a

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
336KB

MD5
e1ca4b3efd23994b83215c45d1118509

SHA1
47af34d53d4810ecf161fe31262f3f47857f3b51

SHA256
cf55d912a66a5d09c13aa04e760655100a93a86e4f9b74077a312c7743c2edde

SHA512
22b42160706072063e394eb3f115da47e5ff51ec5ad63d0ab2c7f5cac83471f3e406a4007a9a700b47a981847cd9ffe946f29722c9867b793532adc634cf69df

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
336KB

MD5
afb965b2b5cdab7b702113eb31cdb400

SHA1
8c9f31b22c501d2f84a09ec602fa59234a1f7e07

SHA256
ac5c4054c0fd5533ef6fdc95a8e4104548b8a1a643335a0ca1c5ad084881582c

SHA512
c65866454321780a706fae447d4177910b81bc664e92b4d71c8795fa2a0dde256d16cf009438d4ab219a760a613af607762dec2858ea882eed30b01d0c3c0e72

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
336KB

MD5
32998c14285d369f06df74bea7f891a1

SHA1
de48c7ec31e233b06f6bf1ce5114fa710ed88358

SHA256
a00a2447323daa0667bdee0f25cf1679e2f8b9c7567cd2988a63e69e00029f7f

SHA512
aa533abae32fab687d3babe59c8603e927e89a3de89e022736a12a96d8e7d6163279a9793b40f182d7019443dfaef9c6d23e8f5b39cd4a5f2adf7553b0c110fd

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
336KB

MD5
fe254903fff9c566335ef27f961fe1bd

SHA1
889634959ad982f9f13b16d47d21f4affbf0001f

SHA256
83b3ce3b0f70af47f3a287852c788bc542f49ba6add713e166f3528ede1739c8

SHA512
7c8bb8aefd76ae9c73a66243df09c19be08e6f8e31cf6822dbcda3ff16e5ed269cb68ca7acaffa3502fc50bdd213d34fbf56ff8b860f1e56c8a65bdcd8263834

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
336KB

MD5
ce7adb885b23d2c8160de96036a2bc28

SHA1
35721b6cc3fc36adec75db83eb4c7e4f6b79a62a

SHA256
2569f4617bfbe2419b130a76a3f9394486f1b88dcb2d4dad3a09a4222431fa35

SHA512
fe2786c28db277ff4ec051f2f4b3de818adb10103ea11107955b2094f3751c80f46d71ecbbc3a7b426a94aeced96fa11cb2688a9021bccff66636e159d0afc4b

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
336KB

MD5
6c37cae7ba92c4ee19d56bac4cad2049

SHA1
487d6c1a9b2fe4f7acfb3530a1b61f76ecdfb920

SHA256
b3c3b816cf76db61e4b854d27586fee56c3d69cdec7f1f960849169cfebe68eb

SHA512
65c121430415c5dc824890a527f799c3916d90a8295b45d6c010b5571d95acdb730f097c691847e29349d5db06b59775fc17889a6eb8729c2e07d4226fd21911

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
336KB

MD5
bc4c4e9449efeb0e7ddb6ae66a10f52e

SHA1
850b7960b294a4eeea69e1478d8a67d5a768089e

SHA256
9ca45bf2d817c21f662db48a524ff172a684e8a8c7588713f967c822233ee4ee

SHA512
782509bd0d1fe85768f333801ab9d5a36423de2c20fa4cafe7fcb53ff5e3e7bf8501ce7d3c1c8bc6aba49d8701fd4aaf984b8dbe45462681adb9ab72031aafad

Download Submit
C:\Windows\SysWOW64\Ncnadk32.exe

Filesize
336KB

MD5
3128659684c6d73078e9ceebeea0d375

SHA1
7cd506f185631e291c6579a433a45ade53503867

SHA256
e4db0cfd94e6b196a94c69c695fce36ab5a4605f25efc11637867fba111ea3fa

SHA512
8094e63716569b782b3f244a00a89473712b8b0a2780e09f302be1d29333b137134f0fddf71535bcb209f2bdb86ebda5f783e62d8b6df07a86810bc250e41bbd

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
336KB

MD5
34325937a4a4803c35dc4780146400dc

SHA1
08858336a7de8ad3378fd7e7428f19130e14d886

SHA256
1344e4c84328c60f7699e79bd03f6df1136c01b31fe78f6e3cebf2d28a889ca1

SHA512
67d859e172165b5422ff29da853d6c1b4cbcf392b16afa62c63fd8c05c5ce76ba605fe32897d707bf61dcf4e71563435ac136280ccd98f6d33a0d972ebff60bb

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
336KB

MD5
30b70aa6af7949cae22925db0e1bea91

SHA1
bf172a0c6484a4d12a5efcdea02df7b298846fc0

SHA256
28b57d9e38e6eb772a158bd66213175a586a47a15c1f50696daf3fe358e94c3a

SHA512
bc97aec8435e54a3187052a9f5a926c732157e2b0dda9289b82f7fe9a308025d1d8d28d6c9421d4472b9fede93c4a4795feb1ee63e0613b023ad397c5c755793

Download Submit
C:\Windows\SysWOW64\Nmfgdeof.dll

Filesize
7KB

MD5
6e6755ed68b67e990b854066793e6eee

SHA1
0b7f1747a7544e597c1530b16ad64055ced4ef64

SHA256
452177dd7720c7b68af0f92cb42e6fb6aeb19f61a66db519f6523a1634496fa5

SHA512
650ce56cec18ee5656402f3c2de29e78bfcfe2ecd634308b0bb6fbcbf4f20d6ec0a4e8d0461af1e6bf3580bd665c9531f83b3dc4aecd8ba2b905cfb3f681cd25

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
336KB

MD5
b16a435c595dbb3c9a847cd07606cffc

SHA1
a7b6ab1ef550420ba6eeb92c31feae18d89767cf

SHA256
723f0a0d8391eddcfbd16f4133649b3bad821e0a6ec27acb304a40bd80f4c390

SHA512
88e460b83c239f4500ab4c864b7febb96456ce1234607939281a6fc6735732ea625578f6cdb42df8c5524ac6ec4d2003bffaca4b48d3be0bf5f81c7eca138efd

Download Submit
C:\Windows\SysWOW64\Obangb32.exe

Filesize
336KB

MD5
3b1fcd10da4a2648390fd59fa5103751

SHA1
7a73b3c7649fccf4d1e445b5d91893ca32e49c1e

SHA256
836d8bd1c29f71a14c0d2058485efc5fd55adf2ece37a8e25fb01ce43913d94a

SHA512
472e9f459383cff034991c40ed77db18c81a9c3842e99887ad1e030639256f011e7895d068c2f59d2106c26210c594dc81da3a37c56c68fbad4047e9e840d6dd

Download Submit
C:\Windows\SysWOW64\Obidhaog.exe

Filesize
192KB

MD5
e11f8302d541c058b77ca2c083e4db91

SHA1
75e8268fbe51ff95b746cdfa0678f2c65f630398

SHA256
acfc0e3155d05918af8c6e1a3f8b8213ffac02ae0a3b72866f03f798ceb23d60

SHA512
cdbd20d79f71a7ea3b882cfdc5b1aea70358b497815a3c4ec2fd8558226cb911b2f800aa331115b22e0b8b2f1b23b782ed591c355b18d07fc8ba8ffdc7ae03b5

Download Submit
C:\Windows\SysWOW64\Obidhaog.exe

Filesize
336KB

MD5
bc190e7a8261edcae1e784593ac706ec

SHA1
f6241718d7c555817f644f5d54dffa2d3126a3a4

SHA256
81fd6b72f97abaea74c930463db67baa195d292e34d9a8dc45496c04ce3e6386

SHA512
128dcdff8002fe498cd7c0655e87ad4c5aaf6a4910b2fdff468116a24b051fd83537cf96605c91b480547ebaaa25586f9280a496b1058f3140a9ee829d3beb16

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
336KB

MD5
fd90751474491caeb95a04dfa9340ec4

SHA1
29fa16d22a4669e2f9fec04e97be516176ca89fa

SHA256
5ce2a028636c8b8f55c1a851cbdcf0ea98794c92ac8a1c285a3ddc5584667f62

SHA512
25972c9fa10df01240245fb7332ec5be5f94a61f8b83ec184d34eca6a96017785c658e6c7faf690ce361bb320781ddab22b166e065fc65a85ae59dc455a50d21

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
336KB

MD5
26b6a28655467ce37b4fd0aa97a0fdfd

SHA1
4c4661cb2d2a7e3c8345d13a4b59bf640bf37ca5

SHA256
69873783a2a657da126ebd0218c0c318bb6d3a1de65f4337388976303ec6f4ff

SHA512
1f2d0efd34f2d38f9cf172287c4cfa23518a8d604ca4f30dda91f16acce9b2ef87ffced890a4e4766b735b5c7086c075c85686ca794850a6ba73965f8006b9b4

Download Submit
C:\Windows\SysWOW64\Ogcpjhoq.exe

Filesize
336KB

MD5
763f8fb3baad5a6d4dcb60d3e43943f4

SHA1
4a755569549cc297b53247e626ea24695000dcf7

SHA256
cbbc58a40724b109b340fe199bab5d36b1423be3f154a5576b75c5b935c3f47c

SHA512
fadf84a92fa0bfdeb377e40355036c691aa898925e347fdfb61a1b33c62d9940d4070d1b0151b11f27a3412eca1e4ea0e40b7abc665aa1b9ff0ba525985bbfac

Download Submit
C:\Windows\SysWOW64\Ojhiqefo.exe

Filesize
336KB

MD5
9a429fe7ba504f82534aec42be0d1729

SHA1
f2f46b9f3de3918b94b5ccb8246249e19b9cdaa1

SHA256
2fc9d974489ea363f24ec1dfa63dbb634f0d4203d08ed145ab3a445195c3c4e6

SHA512
f8c88e6f4441485c122fc88be4565a8b61ffeb15560546e7ee0a7f6aa47292b4c71fadce5b4a529e08e8d5659e7cccba424fe6da172d6fb3d864dbd4cbedf77e

Download Submit
C:\Windows\SysWOW64\Okhfjh32.exe

Filesize
336KB

MD5
906fac1292475ebb2725619863b37736

SHA1
f3d2c2380852dc20b1ece816b0ea2786e60882f3

SHA256
ceccd196db3045a54db4d7aa4a1d49235611357aa32f1611895079d047b988c5

SHA512
af49e050434563b52873d88c5aa59d6aa480ae27de9e62415d344b2ba18810860eae5f5ec861571fd9367dcd4f20b5bc19159ead41bc7c3d12f0b717861ad97e

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
336KB

MD5
6c80f8e895ba0475cf5d27cfa08a4db1

SHA1
07c217bf76b6b002fcecd4dddf2c460ef4548c2f

SHA256
1ba876163b4a9ea18719139fdcd58d164efc0c83808190aa43a207796871d692

SHA512
f05cdea64c4a4845736d0759db36011282f8f4c073a8adae81f834af383b3e3b1f484cc8522629b59ed712cde7aa8268f4360c6b7cb6c9e2dbb800d302610124

Download Submit
C:\Windows\SysWOW64\Onklabip.exe

Filesize
336KB

MD5
8cb259d6cad191b05337f186df69d541

SHA1
d4fa2eb0b63b7830050856798c280e752c7c0124

SHA256
9f15220015b50e8393e445ee51db6bf90ff196e33f12a0fc0bbb3fb01613d80e

SHA512
0354ef1304c2a95d4546793596ab815eea0b74120ee816dfd627e49847fbc1d1bea34a97f27f17677dc1c6eb0f93ec025af03912016d971552cbd768faa58ce2

Download Submit
C:\Windows\SysWOW64\Oqgkhnjf.exe

Filesize
336KB

MD5
b45a7ada62d2d373e954aa81aea4a6ab

SHA1
3ec19627db01738d8572ce7673a280edfe1d0fdd

SHA256
0257d5cff3d3e9d1dfd4f61ee0e04053b1434ffa30869fa25f3c260c49d52012

SHA512
43d89ed8258d04a251d36d825b4b4c32433a4929fba96da8ce9f074a67db3b7c12b5b29520aa73b97dc1d98ab1065fe4894e43b227acda8625d48db4769837f6

Download Submit
C:\Windows\SysWOW64\Pagdol32.exe

Filesize
336KB

MD5
6a1a1dbe246927a47f9d995f8494606d

SHA1
7567cbde9530196ae40d01ee5289da2dea947ccf

SHA256
65655fbc9d67a50afa74cdbe375b661dde5680b7e67bdbeb359dc2a2741d9d44

SHA512
33cad303eeda30f56bc7fbf3d33b7a47d389ce3fda44cb963b11611d96514603edac25a4525ff6fb424718ec0cf8bd385024575d6d3dc0ee13f0a4d64a8faae3

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
336KB

MD5
6e5c2aecdbe005a7311e867876efb5f1

SHA1
c3a014acb8ca5570aed67ccf23355b9971cf0762

SHA256
83808b20e450ac71501377e01b2e0a59c37bb84e8dc98522a094735880ea4637

SHA512
0355109195c84ec35a209e8b710af9fe246b4392949bcf69016b02b36811c6286d1c816c5b2e5ba03900557df7f8d426cac148308393f6aa07855c87738aabfe

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
336KB

MD5
ae3d02bc7a167403cf85b5e95257ff51

SHA1
d47fb111015b9e6d789204edbd72282a8952ca6b

SHA256
30dde327dd3fa3f9de1ed75feffeae8494f3d4f0230c29cdd928f3a5482e50e4

SHA512
f7a5718f8ab955f4e3232aead1f0011368d79b51d2e8f8a02ec442ddd2cee0cf9ee06e74e3ff67a1ed76badcda8a8e983f2a578f21dcb9177f0668b14daa4276

Download Submit
C:\Windows\SysWOW64\Pghieg32.exe

Filesize
336KB

MD5
517de63be752dcfd1179b08efbb9d0ef

SHA1
ad12646d73bdc381d8a44c85383552a8abb6b090

SHA256
c87df81be127fbaf4f38d523caa5eb894d35b235598548823e5e4b07f33d4e29

SHA512
89375210c014a4a0ec2940eee5d57a4f7dd179ce19b1af5053ac52d7aa04b8e4a4947162c454b0d961b6e5c8e5676caa66a2439f1937ddb0214d8497848ef25e

Download Submit
C:\Windows\SysWOW64\Pjdilcla.exe

Filesize
336KB

MD5
940a5a2395889b9f79f20ca8b053b567

SHA1
101ea06083add31867067cadbf515a36d88f7824

SHA256
ad860d28ff8b5633d3ca9208fac81e351bbd9ebbdcc5c2d8f272264a73e62c05

SHA512
05615f68271680dc3dfbd39a00e4244dbdae5fd512b734a73523fcc159fbd8db375fe24e8fd5a36d16a4f49e2e442065e378552e80e32fb3086aa8c8e89b3af0

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
336KB

MD5
710a132731d70191351bee3a9771799f

SHA1
7ad1248a459cbc448ee3a18360d3bbe3f86c39eb

SHA256
32dc1078f171265cb801609bc68357e54b5d4fa099f67f193de1fc808fc6ea26

SHA512
7106ccd9681f678cbde69ff90a353adbbcd150060360c20b818c4c5a134d9cf0f3581b403876e650467f28b9cf564ae4049562c20249d7be984afa36bc491944

Download Submit
C:\Windows\SysWOW64\Pkfblfab.exe

Filesize
336KB

MD5
ebd95ad73934a200d21b23aa457e9597

SHA1
2ae214f24b9c3b4788a3ce6b8e4089e400b87a67

SHA256
8a77cc57747edd26ffa20c6ae778ca0b45b6adcb4685a5625845c0f5bae34ca7

SHA512
782bd15e853e513ed93c946532fd352fcef70fc07b64f873b087109d19aa8c27adcb5e1f936088ea765adba288e1c88a0101b97dc0a47e7b7151712f0fc2d7ed

Download Submit
C:\Windows\SysWOW64\Pkhoae32.exe

Filesize
336KB

MD5
ea19659257994ccaead8e8a67e47c858

SHA1
0fc9eb6e27185215e967d32bacbbbf76fff7b4ec

SHA256
5b5671fbc7749361c9da52e04842962357c896cca7109fe8967f002eda8da6a9

SHA512
4c075a396b00b1d724743a671d4c3374e580e8fb5becb1318f58c3008bdf4a7aaa63782ce6cfc69f3dc644b9619bce6ed45cb615545cec74997578201964358d

Download Submit
C:\Windows\SysWOW64\Pkjlge32.exe

Filesize
336KB

MD5
f5793eb0da8cb58b0e72148d9f5743e4

SHA1
0b49dd41186aaec39b7203b86dac8b4905508081

SHA256
45479904ce57b8500de289b1f8ea3fd32c77069b3ec58b1725c76331e3037079

SHA512
594da1c07e06060e471cacded821219ef0aa228a352d6bff1cf760e44a3254b25887caa40e541c34ea27e8fc8fcd1695d66042dc476bc89dc85798eb8f0b4e0a

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
336KB

MD5
5d087491527a7f5242f1e88bc408d03e

SHA1
4e72b763ef42cd7b649ece6832d465be8f361704

SHA256
bae60f606cc7b45bbde2cdd2260c066b37eade8a7d33eb747fdf74f2bf594f7c

SHA512
a7ca803e0ddd9d37429e863697aed0161a15b44420270a7b8cef9cafa881e32da80087ac25c03e65a0c448d646985d2557cd75b2758fb11ffd06b56c3a98fd18

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
336KB

MD5
ced4b89c88422f7f0ab7a657451202db

SHA1
05b43f11bdae2b9836bb2669c03ef7bbd5d4d05b

SHA256
dc2771f750ef302e6ff2323057007ab5ac4255d38f7686eeeb9d5e68d7bb2e8c

SHA512
c3d412a80be845319e16caa5a41a2549b38cecac7a977a005cbf314a4555f78355eab38184df02a7a0de6a2b2bc5f1ece4ce7b3e28be8232b6b57fb57542f1c8

Download Submit
C:\Windows\SysWOW64\Pqpnombl.exe

Filesize
336KB

MD5
4cb306d31265c2a47ea749c06eaf17d2

SHA1
d339d3188a8988fe9831ae630e8f2e00ae5b001f

SHA256
e091010e051981131236aa75bf3d074e140e7e6bb1d0c051b411196e12579ab5

SHA512
ee540e35d6dcb41994ecaae0c1330f7ce7e8d030ea726689f89ccef32ecbb84f9277bca686209b00ccc592a079f9914df449f760bfb64e39d254f70681b57b7d

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
336KB

MD5
8114871da2885df88f2aede63c6c728c

SHA1
a7b3c74edd6ce2815f04b716ad1f37c268942cba

SHA256
ae6836b5b23b1507ca62ee8678e144730782a9332cdc9fbe4ae5e7d4ebb429d0

SHA512
359dcb80844c14fdc083c6b4b3fc575549c50dc119b58d60deb22c9a2456d337c850a21ab03102f19abb5ec961ec8337d82456c98e68baac3e69b1ba940d1d89

Download Submit
C:\Windows\SysWOW64\Qjbena32.exe

Filesize
336KB

MD5
12cc7b24192d0e47b08968a738f647fd

SHA1
f4c141f0dd7b9572ef2c71c1c36f9a0240d78846

SHA256
da13b8eae365f7ac3f21408c09406b88cf13cc1937cd609cf1d5e7ea2994161a

SHA512
d1d490aea3b1cc6081e6beff9de2c3b2857ce303ddd3993790e367bc17698f0326bc3be68362c420631aa67649d2ead85b7177a97345e1cd0da59e4040c9fcae

Download Submit
C:\Windows\SysWOW64\Qnkdhpjn.exe

Filesize
336KB

MD5
27bcbc4bfb471544b19bb93982351105

SHA1
6be051460d3e790784f849f3067b680770938e53

SHA256
6039fd5b22f632a2584e1af14ee9de7d032e62e527cfc199e3b32795500b41dc

SHA512
784e1ac27b8bee24fa63dbce2f99ef8baac7f8728918d55315b9d020114167192329ef61ad255ab29bd9874b08b054557d6c8ec5d4c57711db5c8b0f05136c97

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
336KB

MD5
b5ab81db89835ef136d33f7713d5723b

SHA1
424e04084a3be745ff6b069f9c9318a1a65e9767

SHA256
36256476ffb6e35e44531e64955fa12a8c89001cb138f9d012524b33e9bd15db

SHA512
413d1b55ac9a9bebf648b556f3b5143d93afe9220382274530c4696b09a5a5363d0b13d473daf7f657547c862afc5e3e6a753d77e2184ea6618da977866b67ed

Download Submit
memory/8-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/64-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/400-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/408-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/424-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/512-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/548-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/756-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/776-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/940-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1148-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1312-524-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1516-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1604-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1660-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1748-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1752-506-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1800-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1816-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1904-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1904-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1992-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2168-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2236-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2256-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-518-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2352-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2448-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2472-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2472-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2652-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-452-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2968-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3032-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3036-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3064-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3068-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3080-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3120-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3124-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3204-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3228-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3244-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3308-563-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3360-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3424-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3508-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3564-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3596-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3808-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3824-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3868-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3876-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3876-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3984-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4076-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4092-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4164-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4196-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4360-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4400-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4404-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4440-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4520-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-422-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4596-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4652-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4652-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4656-512-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4724-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4724-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4760-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4824-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4864-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4936-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4944-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4984-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5104-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads