c97fe0c46ba267c702848a9d7c27f958b7a560841b6cd0438d778a91696237e6

Analysis

max time kernel
94s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d29e92c9cdd4747f491e21e0c19bf00_NeikiAnalytics.exe
Size

89KB
MD5

0d29e92c9cdd4747f491e21e0c19bf00
SHA1

36b2fe806e4faab96d92c22d7b429062b5b64a50
SHA256

c97fe0c46ba267c702848a9d7c27f958b7a560841b6cd0438d778a91696237e6
SHA512

2fc8ae00f9a776ce3ee0378696847c1d105a2b1a90b9cd0379eacbfcd71c02b00bb0ce5a315350943c2dd2f3c73801b99911c516f8160d37efc2d3dcfc485814
SSDEEP

1536:kZOJNieIKmbVnUkxRaGF3f8d/Z4jZV2O6H7TXcHkZQBbmsCIK282c8CPGCECa9bX:O+0gbTWkyBbmhD28Qxnd9GMHqW/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocqnij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfnphn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifllil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edpnfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfifmnij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgjfkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eamhodmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhpjkojk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klimip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbefaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chghdqbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnjab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njfmke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dccbbhld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqnaim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gododflk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfpcgpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdeqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkjlge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkcmdhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceoibflm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekjfcipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddecc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoaihhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eekaebcm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeflhdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocegdjij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnnanphk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofbch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkaiqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpnombl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeemej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dldpkoil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcimkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe

Executes dropped EXE 64 IoCs

pid	Process
3300	Mnapdf32.exe
3580	Mpolqa32.exe
2360	Mcnhmm32.exe
3804	Mkepnjng.exe
3524	Mdmegp32.exe
2040	Mglack32.exe
4488	Mkgmcjld.exe
2780	Mdpalp32.exe
4700	Njljefql.exe
1612	Nqfbaq32.exe
1964	Nceonl32.exe
1788	Njogjfoj.exe
1404	Nddkgonp.exe
1408	Nkncdifl.exe
2532	Nnmopdep.exe
1756	Ncihikcg.exe
4624	Nnolfdcn.exe
3196	Ndidbn32.exe
1400	Njfmke32.exe
2068	Nbmelbid.exe
4764	Ogjmdigk.exe
1664	Ondeac32.exe
1992	Ocqnij32.exe
2128	Okhfjh32.exe
3684	Ogogoi32.exe
2480	Onholckc.exe
4956	Ocegdjij.exe
4852	Ojopad32.exe
1944	Obfhba32.exe
5092	Ogcpjhoq.exe
5108	Okolkg32.exe
4240	Oqkdcn32.exe
4380	Pgemphmn.exe
548	Pkaiqf32.exe
1340	Pnpemb32.exe
2568	Pqnaim32.exe
3256	Pghieg32.exe
1972	Pjffbc32.exe
3612	Pbmncp32.exe
3240	Pqpnombl.exe
2224	Pgjfkg32.exe
2504	Pndohaqe.exe
2348	Pengdk32.exe
4880	Pgmcqggf.exe
932	Pnfkma32.exe
760	Paegjl32.exe
4788	Pcccfh32.exe
3752	Pkjlge32.exe
3216	Pnihcq32.exe
2844	Qecppkdm.exe
2060	Qkmhlekj.exe
2244	Qnkdhpjn.exe
4448	Qeemej32.exe
4892	Qgciaf32.exe
1816	Qnnanphk.exe
644	Acjjfggb.exe
2356	Ajdbcano.exe
4840	Anpncp32.exe
1884	Acmflf32.exe
2576	Aldomc32.exe
4328	Anbkio32.exe
3800	Aaqgek32.exe
2180	Acocaf32.exe
4012	Ajiknpjj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dlijfneg.exe	Ddbbeade.exe
File created	C:\Windows\SysWOW64\Gkhbdg32.exe	Fhjfhl32.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfkma32.exe	Pgmcqggf.exe
File created	C:\Windows\SysWOW64\Cefoce32.exe	Cbgbgj32.exe
File opened for modification	C:\Windows\SysWOW64\Eoolbinc.exe	Elppfmoo.exe
File created	C:\Windows\SysWOW64\Ghlcnk32.exe	Gfngap32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Qnkdhpjn.exe	Qkmhlekj.exe
File created	C:\Windows\SysWOW64\Hfbcpl32.dll	Chbnia32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkapp32.exe	Daaicfgd.exe
File created	C:\Windows\SysWOW64\Eapedd32.exe	Eoaihhlp.exe
File created	C:\Windows\SysWOW64\Chdfonda.dll	Gdjjckag.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Pengdk32.exe	Pndohaqe.exe
File created	C:\Windows\SysWOW64\Bdkcmdhp.exe	Bbifelba.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Aeopki32.exe	Abpcon32.exe
File created	C:\Windows\SysWOW64\Gcagkdba.exe	Gkkojgao.exe
File created	C:\Windows\SysWOW64\Lpnlpnih.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Bblckl32.exe	Blbknaib.exe
File created	C:\Windows\SysWOW64\Gkkojgao.exe	Ghlcnk32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Jpphah32.dll	Jcgbco32.exe
File opened for modification	C:\Windows\SysWOW64\Likjcbkc.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Abpcon32.exe	Ajiknpjj.exe
File created	C:\Windows\SysWOW64\Aealah32.exe	Ajkhdp32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndobo.exe	Beeflhdh.exe
File opened for modification	C:\Windows\SysWOW64\Bbifelba.exe	Bjbndobo.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Pqnaim32.exe	Pnpemb32.exe
File opened for modification	C:\Windows\SysWOW64\Gkkojgao.exe	Ghlcnk32.exe
File opened for modification	C:\Windows\SysWOW64\Cefoce32.exe	Cbgbgj32.exe
File opened for modification	C:\Windows\SysWOW64\Edbklofb.exe	Eadopc32.exe
File opened for modification	C:\Windows\SysWOW64\Flqimk32.exe	Fdialn32.exe
File created	C:\Windows\SysWOW64\Hfnhlp32.dll	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Pqnaim32.exe	Pnpemb32.exe
File created	C:\Windows\SysWOW64\Eekaebcm.exe	Eapedd32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ojopad32.exe	Ocegdjij.exe
File created	C:\Windows\SysWOW64\Chdkoa32.exe	Cefoce32.exe
File created	C:\Windows\SysWOW64\Jcefno32.exe	Jlnnmb32.exe
File created	C:\Windows\SysWOW64\Bhaomhld.dll	Kmdqgd32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dekclg32.dll	Gcddpdpo.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Hodgkc32.exe	Hflcbngh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9136	8888	WerFault.exe	419

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhoqj32.dll"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkgqfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkoggkjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhpjkojk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekjfcipa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cleqadmh.dll"	Abpcon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epogol32.dll"	Pcccfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajneip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namdcd32.dll"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeopki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcddpdpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfadpi32.dll"	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbifelba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicplccq.dll"	Baaplhef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcfmgfde.dll"	Dlijfneg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehjgecbe.dll"	Paegjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmenjlfh.dll"	Hkfoeega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmbmidf.dll"	Pgemphmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blfdia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpili32.dll"	Eofbch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdihjfbe.dll"	Fohoigfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Choehhlk.dll"	Hfqlnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eofbch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfqlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocegdjij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flqimk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajdbcano.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmeobkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnkdhpjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnjlc32.dll"	Aldomc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iemppiab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdamdma.dll"	Cogmkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daaicfgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fafkecel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 3300	5036	0d29e92c9cdd4747f491e21e0c19bf00_NeikiAnalytics.exe	81
PID 5036 wrote to memory of 3300	5036	0d29e92c9cdd4747f491e21e0c19bf00_NeikiAnalytics.exe	81
PID 5036 wrote to memory of 3300	5036	0d29e92c9cdd4747f491e21e0c19bf00_NeikiAnalytics.exe	81
PID 3300 wrote to memory of 3580	3300	Mnapdf32.exe	82
PID 3300 wrote to memory of 3580	3300	Mnapdf32.exe	82
PID 3300 wrote to memory of 3580	3300	Mnapdf32.exe	82
PID 3580 wrote to memory of 2360	3580	Mpolqa32.exe	83
PID 3580 wrote to memory of 2360	3580	Mpolqa32.exe	83
PID 3580 wrote to memory of 2360	3580	Mpolqa32.exe	83
PID 2360 wrote to memory of 3804	2360	Mcnhmm32.exe	84
PID 2360 wrote to memory of 3804	2360	Mcnhmm32.exe	84
PID 2360 wrote to memory of 3804	2360	Mcnhmm32.exe	84
PID 3804 wrote to memory of 3524	3804	Mkepnjng.exe	85
PID 3804 wrote to memory of 3524	3804	Mkepnjng.exe	85
PID 3804 wrote to memory of 3524	3804	Mkepnjng.exe	85
PID 3524 wrote to memory of 2040	3524	Mdmegp32.exe	86
PID 3524 wrote to memory of 2040	3524	Mdmegp32.exe	86
PID 3524 wrote to memory of 2040	3524	Mdmegp32.exe	86
PID 2040 wrote to memory of 4488	2040	Mglack32.exe	87
PID 2040 wrote to memory of 4488	2040	Mglack32.exe	87
PID 2040 wrote to memory of 4488	2040	Mglack32.exe	87
PID 4488 wrote to memory of 2780	4488	Mkgmcjld.exe	88
PID 4488 wrote to memory of 2780	4488	Mkgmcjld.exe	88
PID 4488 wrote to memory of 2780	4488	Mkgmcjld.exe	88
PID 2780 wrote to memory of 4700	2780	Mdpalp32.exe	89
PID 2780 wrote to memory of 4700	2780	Mdpalp32.exe	89
PID 2780 wrote to memory of 4700	2780	Mdpalp32.exe	89
PID 4700 wrote to memory of 1612	4700	Njljefql.exe	90
PID 4700 wrote to memory of 1612	4700	Njljefql.exe	90
PID 4700 wrote to memory of 1612	4700	Njljefql.exe	90
PID 1612 wrote to memory of 1964	1612	Nqfbaq32.exe	91
PID 1612 wrote to memory of 1964	1612	Nqfbaq32.exe	91
PID 1612 wrote to memory of 1964	1612	Nqfbaq32.exe	91
PID 1964 wrote to memory of 1788	1964	Nceonl32.exe	92
PID 1964 wrote to memory of 1788	1964	Nceonl32.exe	92
PID 1964 wrote to memory of 1788	1964	Nceonl32.exe	92
PID 1788 wrote to memory of 1404	1788	Njogjfoj.exe	93
PID 1788 wrote to memory of 1404	1788	Njogjfoj.exe	93
PID 1788 wrote to memory of 1404	1788	Njogjfoj.exe	93
PID 1404 wrote to memory of 1408	1404	Nddkgonp.exe	94
PID 1404 wrote to memory of 1408	1404	Nddkgonp.exe	94
PID 1404 wrote to memory of 1408	1404	Nddkgonp.exe	94
PID 1408 wrote to memory of 2532	1408	Nkncdifl.exe	95
PID 1408 wrote to memory of 2532	1408	Nkncdifl.exe	95
PID 1408 wrote to memory of 2532	1408	Nkncdifl.exe	95
PID 2532 wrote to memory of 1756	2532	Nnmopdep.exe	96
PID 2532 wrote to memory of 1756	2532	Nnmopdep.exe	96
PID 2532 wrote to memory of 1756	2532	Nnmopdep.exe	96
PID 1756 wrote to memory of 4624	1756	Ncihikcg.exe	98
PID 1756 wrote to memory of 4624	1756	Ncihikcg.exe	98
PID 1756 wrote to memory of 4624	1756	Ncihikcg.exe	98
PID 4624 wrote to memory of 3196	4624	Nnolfdcn.exe	99
PID 4624 wrote to memory of 3196	4624	Nnolfdcn.exe	99
PID 4624 wrote to memory of 3196	4624	Nnolfdcn.exe	99
PID 3196 wrote to memory of 1400	3196	Ndidbn32.exe	100
PID 3196 wrote to memory of 1400	3196	Ndidbn32.exe	100
PID 3196 wrote to memory of 1400	3196	Ndidbn32.exe	100
PID 1400 wrote to memory of 2068	1400	Njfmke32.exe	102
PID 1400 wrote to memory of 2068	1400	Njfmke32.exe	102
PID 1400 wrote to memory of 2068	1400	Njfmke32.exe	102
PID 2068 wrote to memory of 4764	2068	Nbmelbid.exe	103
PID 2068 wrote to memory of 4764	2068	Nbmelbid.exe	103
PID 2068 wrote to memory of 4764	2068	Nbmelbid.exe	103
PID 4764 wrote to memory of 1664	4764	Ogjmdigk.exe	104

C:\Users\Admin\AppData\Local\Temp\0d29e92c9cdd4747f491e21e0c19bf00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0d29e92c9cdd4747f491e21e0c19bf00_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\Mnapdf32.exe
  C:\Windows\system32\Mnapdf32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SysWOW64\Mpolqa32.exe
    C:\Windows\system32\Mpolqa32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\SysWOW64\Mcnhmm32.exe
      C:\Windows\system32\Mcnhmm32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3804
      - C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Njfmke32.exe
        
        C:\Windows\system32\Njfmke32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Nbmelbid.exe
        
        C:\Windows\system32\Nbmelbid.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Ogjmdigk.exe
        
        C:\Windows\system32\Ogjmdigk.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Ondeac32.exe
        
        C:\Windows\system32\Ondeac32.exe
        23⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Ocqnij32.exe
        
        C:\Windows\system32\Ocqnij32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\Okhfjh32.exe
        
        C:\Windows\system32\Okhfjh32.exe
        25⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Ogogoi32.exe
        
        C:\Windows\system32\Ogogoi32.exe
        26⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Onholckc.exe
        
        C:\Windows\system32\Onholckc.exe
        27⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Ocegdjij.exe
        
        C:\Windows\system32\Ocegdjij.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Ojopad32.exe
        
        C:\Windows\system32\Ojopad32.exe
        29⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Obfhba32.exe
        
        C:\Windows\system32\Obfhba32.exe
        30⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Ogcpjhoq.exe
        
        C:\Windows\system32\Ogcpjhoq.exe
        31⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Okolkg32.exe
        
        C:\Windows\system32\Okolkg32.exe
        32⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Oqkdcn32.exe
        
        C:\Windows\system32\Oqkdcn32.exe
        33⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Pgemphmn.exe
        
        C:\Windows\system32\Pgemphmn.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Pkaiqf32.exe
        
        C:\Windows\system32\Pkaiqf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Pnpemb32.exe
        
        C:\Windows\system32\Pnpemb32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Pqnaim32.exe
        
        C:\Windows\system32\Pqnaim32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Pghieg32.exe
        
        C:\Windows\system32\Pghieg32.exe
        38⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Pjffbc32.exe
        
        C:\Windows\system32\Pjffbc32.exe
        39⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Pbmncp32.exe
        
        C:\Windows\system32\Pbmncp32.exe
        40⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Pqpnombl.exe
        
        C:\Windows\system32\Pqpnombl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3240
        
        C:\Windows\SysWOW64\Pgjfkg32.exe
        
        C:\Windows\system32\Pgjfkg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Pndohaqe.exe
        
        C:\Windows\system32\Pndohaqe.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\Pengdk32.exe
        
        C:\Windows\system32\Pengdk32.exe
        44⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Pgmcqggf.exe
        
        C:\Windows\system32\Pgmcqggf.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Pnfkma32.exe
        
        C:\Windows\system32\Pnfkma32.exe
        46⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\Paegjl32.exe
        
        C:\Windows\system32\Paegjl32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Pcccfh32.exe
        
        C:\Windows\system32\Pcccfh32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Pkjlge32.exe
        
        C:\Windows\system32\Pkjlge32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        50⤵
        Executes dropped EXE
        
        PID:3216
        
        C:\Windows\SysWOW64\Qecppkdm.exe
        
        C:\Windows\system32\Qecppkdm.exe
        51⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Qkmhlekj.exe
        
        C:\Windows\system32\Qkmhlekj.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Qeemej32.exe
        
        C:\Windows\system32\Qeemej32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Qgciaf32.exe
        
        C:\Windows\system32\Qgciaf32.exe
        55⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Qnnanphk.exe
        
        C:\Windows\system32\Qnnanphk.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Acjjfggb.exe
        
        C:\Windows\system32\Acjjfggb.exe
        57⤵
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\Ajdbcano.exe
        
        C:\Windows\system32\Ajdbcano.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Anpncp32.exe
        
        C:\Windows\system32\Anpncp32.exe
        59⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Acmflf32.exe
        
        C:\Windows\system32\Acmflf32.exe
        60⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Aldomc32.exe
        
        C:\Windows\system32\Aldomc32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Anbkio32.exe
        
        C:\Windows\system32\Anbkio32.exe
        62⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Aaqgek32.exe
        
        C:\Windows\system32\Aaqgek32.exe
        63⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        64⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Abpcon32.exe
        
        C:\Windows\system32\Abpcon32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Aeopki32.exe
        
        C:\Windows\system32\Aeopki32.exe
        67⤵
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Alhhhcal.exe
        
        C:\Windows\system32\Alhhhcal.exe
        68⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Aealah32.exe
        
        C:\Windows\system32\Aealah32.exe
        70⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\Ahoimd32.exe
        
        C:\Windows\system32\Ahoimd32.exe
        71⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\Ajneip32.exe
        
        C:\Windows\system32\Ajneip32.exe
        72⤵
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Bahmfj32.exe
        
        C:\Windows\system32\Bahmfj32.exe
        73⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Blmacb32.exe
        
        C:\Windows\system32\Blmacb32.exe
        74⤵
        
        PID:428
        
        C:\Windows\SysWOW64\Bbgipldd.exe
        
        C:\Windows\system32\Bbgipldd.exe
        75⤵
        
        PID:64
        
        C:\Windows\SysWOW64\Beeflhdh.exe
        
        C:\Windows\system32\Beeflhdh.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        77⤵
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\Bbifelba.exe
        
        C:\Windows\system32\Bbifelba.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4432
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        80⤵
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Bblckl32.exe
        
        C:\Windows\system32\Bblckl32.exe
        81⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\Bejogg32.exe
        
        C:\Windows\system32\Bejogg32.exe
        82⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Bobcpmfc.exe
        
        C:\Windows\system32\Bobcpmfc.exe
        83⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        84⤵
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        85⤵
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3692
        
        C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        87⤵
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        88⤵
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4056
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1072
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        91⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        92⤵
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Ckpjfm32.exe
        
        C:\Windows\system32\Ckpjfm32.exe
        93⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\Cbgbgj32.exe
        
        C:\Windows\system32\Cbgbgj32.exe
        94⤵
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        95⤵
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        96⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        97⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        98⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        100⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        101⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        102⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        104⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        106⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        107⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        108⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        109⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        110⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5756
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        112⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        114⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        115⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        116⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        117⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        118⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        119⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        120⤵
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        121⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        123⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        127⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        128⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        129⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        130⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        135⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        136⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        137⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        138⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        139⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        140⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        141⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        142⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        143⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        144⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        145⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        146⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        147⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        148⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        149⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        150⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        151⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        152⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        153⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        154⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        155⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        157⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        158⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        159⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        160⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6228
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        162⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        163⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6400
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        166⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        167⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        168⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        169⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        171⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        172⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        173⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6800
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        175⤵
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        176⤵
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        177⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        179⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        180⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        181⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        182⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        183⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        184⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6308
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        186⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        187⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6512
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        189⤵
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        190⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        191⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        192⤵
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        193⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        194⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6808
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        196⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        198⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        199⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        201⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6324
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        203⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        204⤵
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        205⤵
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        206⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        207⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        208⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        209⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        211⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        212⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6412
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        214⤵
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6788
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6960
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6288
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        220⤵
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        221⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        222⤵
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6356
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        224⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        225⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        226⤵
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        227⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        228⤵
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        229⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        230⤵
        Drops file in System32 directory
        
        PID:7236
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        231⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        232⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        233⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        234⤵
        Modifies registry class
        
        PID:7412
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        235⤵
        Modifies registry class
        
        PID:7456
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        236⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        237⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        238⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        239⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        240⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        241⤵
        Modifies registry class
        
        PID:7712
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        242⤵
        Drops file in System32 directory
        
        PID:7752
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        243⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        244⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        245⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        246⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        247⤵
        Modifies registry class
        
        PID:7964
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        248⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        249⤵
        Drops file in System32 directory
        
        PID:8064
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        250⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        251⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        252⤵
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        253⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        254⤵
        Modifies registry class
        
        PID:7304
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        255⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        256⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        257⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        258⤵
        Modifies registry class
        
        PID:7592
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        259⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        260⤵
        Modifies registry class
        
        PID:7728
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        261⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        262⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        263⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        264⤵
        Drops file in System32 directory
        
        PID:8008
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        265⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        266⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        267⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        268⤵
        Modifies registry class
        
        PID:7312
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        269⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        270⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        271⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7636
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        272⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7840
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        274⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        275⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        276⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        277⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        278⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        279⤵
        Modifies registry class
        
        PID:7704
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        280⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        281⤵
        Drops file in System32 directory
        
        PID:8056
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        282⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        283⤵
        Drops file in System32 directory
        
        PID:7492
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7720
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        285⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        286⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        287⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7276
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        289⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        290⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        291⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        292⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        293⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        294⤵
        Drops file in System32 directory
        
        PID:8276
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8320
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        296⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        297⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        298⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        299⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8496
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        300⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        301⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8624
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        303⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        304⤵
        Drops file in System32 directory
        
        PID:8716
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        305⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8760
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        306⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8804
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        307⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8848
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        308⤵
        Modifies registry class
        
        PID:8892
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        309⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8932
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        310⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8976
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        311⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        312⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        313⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        314⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9144
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        315⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        316⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        317⤵
        Modifies registry class
        
        PID:8288
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        318⤵
        Drops file in System32 directory
        
        PID:8352
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        319⤵
        Drops file in System32 directory
        
        PID:8432
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        320⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        321⤵
        Modifies registry class
        
        PID:8568
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        322⤵
        Drops file in System32 directory
        
        PID:8608
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        323⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        324⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        325⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8856
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        326⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        327⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        328⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        329⤵
        Drops file in System32 directory
        
        PID:9112
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        330⤵
        Drops file in System32 directory
        
        PID:9180
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        331⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8268
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        332⤵
        Drops file in System32 directory
        
        PID:8372
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        333⤵
        Drops file in System32 directory
        
        PID:7216
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        334⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        335⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        336⤵
        Drops file in System32 directory
        
        PID:8816
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        337⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8888 -s 400
        338⤵
        Program crash
        
        PID:9136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 8888 -ip 8888
1⤵
PID:9076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
89KB

MD5
1033ed284d4dbb3343ad20420a1ef05f

SHA1
023c6bfa84b04dbf50a08e69d38ed228aba8dd25

SHA256
5b8eb7c90f5b87dae2291bb29c4c6692209101d8105feadeb4359b160d0b9439

SHA512
a3aeac7ae7959bae9ca1df82618802260a7f62e69e3bb081d62d356f8d4a7850bac38ed1e0c07b30a7063cb78269384c0c52305b15a9cfca097060502b03449e

Download Submit
C:\Windows\SysWOW64\Ajiknpjj.exe

Filesize
89KB

MD5
e07fef9c84cc381b0ebc0c2bbd75ff84

SHA1
989566ce502f99def19f2be562f900be1d7d7a86

SHA256
34060ef663d0701936b51a96f0b70a03150ca0ad861243d8bd113e36a6862e5a

SHA512
cddc4571b7719ac968640f2b0a5c269e903c77b789911c197f9bf8c5f9321218192df4faec582d95f6941912138dd5d26bfc1026d33530a3e36d775521a63ec6

Download Submit
C:\Windows\SysWOW64\Ajneip32.exe

Filesize
89KB

MD5
54a680f81f16c4682ea0221466a3f38f

SHA1
d090cfaf25c8f88b64e2e611c235815185db9e38

SHA256
27fa9289fdb4685796768cbc0afcfc975375e1d7b48cac7485e2fc9ffcf2933f

SHA512
cb93b635e3306acd98ca9a0a7c95a2a8697acaafe25091af067011add4ecfee2756b72511b8e3c28af70a6e5b3511c04181f0c7cdaf572fb7238c3b66d747275

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
89KB

MD5
3ccd32dc19ada7d4b1686aaa8651e16b

SHA1
fc3b8b22e4354cfba140eeacc5a4c455d1f88ec4

SHA256
a75ab11eda4d96bd5f4cd87a0cfea053aa33351725d9e57ccd9cdc0b39c760b8

SHA512
8d13a1cda8879be521c2b4d5d1a027214eacaf7547fdc21d3ecd9a3c9bddb65780360b4b1ef49fb1a5c9df631490786debad3352ffb32bf9419ddf7cd53a702d

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
89KB

MD5
3afe3b10aa1b6e027a5c253adf86baac

SHA1
395760336f4527f613551d0c954d5371c874f3ce

SHA256
0b914b831e2a5dec0f3940c7fa20b04dc6771afabcbacf9f77260c77f58da1b3

SHA512
efb66a02a76cec2f0a5752abd26ded161a3500bcbb2242523cca75de135612e95fcb23e73029d46d422122e220a07d6e8a3d98965d4ecccdd028a816af3c7781

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
89KB

MD5
53300a3cac129f804d092c8de536b89c

SHA1
c2f1efa129cda716c80180494940bbe212afee1d

SHA256
885e05f5aa29fc7fb4cb51ab52da6048fd067c61d7495c3f6310bd4053c05808

SHA512
6ffb6cf5c8af9d2007cfb349f1b4965742636035a38b0246eb913044c623507293cff1912120ef45e46675028b09864c78148f72c1dadcf8fbf75d025563f3c0

Download Submit
C:\Windows\SysWOW64\Blbknaib.exe

Filesize
89KB

MD5
2b7b646eda35d2ec31ace6a00250b2e8

SHA1
2f2863e6d980147f4efc98b026fbf6cfc45f4ae9

SHA256
8bc822afdbd9b5fa89c7500c9cb9026b60f4846fc189bb6085b75777e3ddfefb

SHA512
4739514e073ec3ee903d07278a30e76c2c2a94ea5e3b18cfebbbc306e1368d4974bba8ab660c0a17020a09984529ae863f430ca977ad8b96804bfc9218c8b566

Download Submit
C:\Windows\SysWOW64\Blmacb32.exe

Filesize
89KB

MD5
e5dcab23e8506e4fedc5e55e95d468f6

SHA1
588dfc4d75f0411541bf48649c85a9120c111f48

SHA256
cf1f4f496e6f4a5a0e591798d17b227fb5c528a0486802b0d1aea389d5154117

SHA512
07c5e463e015e60b9de7d803757fdd6854839cf5021facd379dfb4f3a778b1525b8e930f6265a9aa3736d483693e6ff874b071bb411c9df48abf27c5b7c685af

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
89KB

MD5
a46ebca7ea8c40905ce14d3e801d3606

SHA1
5749afbe5bb04a16b2651e5b293dfb60fb6cb2cb

SHA256
7fb3973f3cbb7102eba92268c2c0819cf27f3609f5d9562d20d776c25d900a13

SHA512
7eeb926c487110312c53a91cf6bd229f832b796d274ba570a91889ec316568095170e80fd040fb32b2882ba77ec72b5af8c7aab0a26216ac91163975459a9778

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
89KB

MD5
90712cc6ffdb047ad343add096f754ae

SHA1
fa23fef2dbb1a989ea3647039ffe810fcb218cc5

SHA256
6b8e98d8a5ce9c019e7bf1d5d9da9cdf533ea0acb75e46cce2f86d6c5ee1cfba

SHA512
f85b09db27b21a467390b147bce899f1cae71913079dc0f3cae53599c6c56dc511682b5fe549ed7fc6e3ae91a329884c0f7081cf1d2b2b8f819db92b9481b36e

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
89KB

MD5
47e70784da5b1082da0878a3d0a5b8ac

SHA1
b20dd3c9cbc2ed001ddf9d8bcf7d351dcdd156f8

SHA256
0fb71d9853de63590d3f42cc960d44f042ce1afb570cc63a347aaa07040c40bd

SHA512
f5c6c772e9b481f3adb451d1b65fe65ea602f8a634e71b485df5f21f8ac20bc5c21b8b8d1320339c3fc7bbba3407f00ec4763943ce6aa71d27be6d1c38d7a75d

Download Submit
C:\Windows\SysWOW64\Camphf32.exe

Filesize
89KB

MD5
dac91fab20f9d97e581b841cdb916ead

SHA1
6c57b54f805e623abfa95efe3414382c058ec6c7

SHA256
74b7d22eb2fd9c59794bd2fca4155abcf5d99706d892f06ff0ac4113b2e0ab1f

SHA512
2e6d05f4c1888fe4c6b633593a71e79b2258bb9f1f19d8a026a6e695b12c6113e4ac7bff6ab1b8c4a8cfc889e9c4d4905977d5af1a9a1d1791709d1cfcee87aa

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
89KB

MD5
8614afb2849c7b49925df1577e406ba2

SHA1
2ec1f859b0d9c9d7ed4557dfaaa8030bc357c6e3

SHA256
5dd410f41f7106c08aa6ac2e10c250cda77e2afb66682f8a27ed39eceddc4aa2

SHA512
dc21014421c0d0bc42b58fa4fdb20bdc03ff16ec74903b7cd0ab0144557c5dd517bca6b2f5f403bd51f703db62dff9d17ba598dfff09829f90dc1f534bd4788e

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
89KB

MD5
925a971745a88307ea37d9d43fa5a229

SHA1
03c6f181399eddd107ce8a568f03bd7b46a4e29d

SHA256
53e6a443d28007cf7126262cd3357ba125f4ab284ae34f58961d038371b92e38

SHA512
6ed245fbdf848f1ec3337f27f774245b5d3e7229d3f56badc92914f3b4e742b976a06390f6e7affd45a35b32c480b6de2e07e7063a8995ab83e2864cf2242118

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
89KB

MD5
dc3dbd0c959b2dabe9973a2bf268211b

SHA1
5cccbb7ba9524fc3c06b3265ddbd908a8d333f26

SHA256
5ab89100ccdd0b9fb46c74730edb8a69e90bd48caa2a38245b6455de3e6bb10f

SHA512
ec820126286e3e2e58a0bf4db87de748cf44a5b5489f3007d200809a7d94899b7ef32531d9d5ddea6077f7fb7041f5c726a9aea5d8fdcc6a46dea8c05a73707e

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
89KB

MD5
c6a0a01ea933201f8a786ae498c93a86

SHA1
3c7d13ebb6d1ec6ec18088eaee25c9cc81a16133

SHA256
e9a42441ba6354221cd681d3ecfef52daeec0d10a616da3459afe8a8760f299a

SHA512
69fc1ac393acb2f1c7b8492f537100991889f0aac911253560b062122ca43cb2eea5634669f5222916ecbbb21ed39fb828b28d2de229b514268ee9321afa939a

Download Submit
C:\Windows\SysWOW64\Dadeieea.exe

Filesize
89KB

MD5
ab13e7fe7bcbe6d53bcf611e8a02835c

SHA1
86907ab2d9d4457b496cfe2c47d19ac928a5fd23

SHA256
ef5c0e34ecbb5e4369baa526ae19d6b562c3a91f365c09b49a560a283b9103b6

SHA512
16e0430e073667f6309e764d03b67b7c50633afd04e7f81add6e0509da12ef8fd70e98e5b5c94631988b26ef662c366ff62dccfec0de499a7f483a555f7edc8c

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
89KB

MD5
7ecacfc8c12d4ec0f0a00ed95b43485d

SHA1
dc8565a80a2ba6be4e440a1c591bf12a223b2b39

SHA256
fa3d9ea6b9aea83f6eb8fe6754761e8f12f94961b5c23ffdd0fd2c5480581e87

SHA512
144f0e115de5af2ed8ba29c9fc06819cb85c01d50c89156239281c51a26948aa004fae21155b204b93f6bfba90145ce6dc29c773902a297b98931a6468128bf3

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
89KB

MD5
caa663be9ba99bbe2ede4c42b5365b4d

SHA1
d098c8f1e07ed4cf72687dfe6a46e7746135d963

SHA256
317225880b451798f2489381c665e93e08e2faa0e8eb6ee4fea8a0810eb807c2

SHA512
cc97cecaf727d87affaf4c32c722ba1a277c9ccdec97b4b1e6f47c840e0dc1ebde4059ba80e66c5f3cbd00d2ea54ccbdf30eab9c5898f686a16c2d853108cb7e

Download Submit
C:\Windows\SysWOW64\Eoaihhlp.exe

Filesize
89KB

MD5
6e10ba016b385e258d3affafa49ceb66

SHA1
1798f09d257383361f7915e504159dff5bc1dfb0

SHA256
bb7df97fb5d5f2d94e418332683026cb2b8f4be806b18357c301338aa15c5ac6

SHA512
8b470d8816d05ffa973b7bd29313dca55d6926c2ce195039cec78b5610ed5efdf01b9648339ce4dd9ab20e0e974a127c60198634f2e48ed2840942c20899527b

Download Submit
C:\Windows\SysWOW64\Fdlnbm32.exe

Filesize
89KB

MD5
c84ed522ce1f0fe8c150d2e30f2a060e

SHA1
5df587654ed855328e0b5e123ee5e775d30876f9

SHA256
6f8f35f2e00361ba24a9d8e7025619aae75cbbbbe732aead1f262256154bf2ed

SHA512
3935f564bb381014cc8bafb727da57afb9ce3068d4ff18eadadea1d62d5d1b010495abee2eec868e333357967f33fcaaa7f40dbe82ea4454398e25be1bcc3a22

Download Submit
C:\Windows\SysWOW64\Ffkjlp32.exe

Filesize
89KB

MD5
055ac03c4570db7673932fe4c10b0644

SHA1
4a54c5d05bd110102de59a7660bfca878da5706b

SHA256
3a1af6ac903bd170e4164fa455ed905753271518e52fea843314a6173c80c820

SHA512
f2a45bfba3cd78b84b6a9fa276c0c2724de13746ddfa06f914c4041ac12f3b7f39e263d495cc15b6b6d6f80882a5802354d0f0efe89ae88c2bb820b6050497f6

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
64KB

MD5
88a8f2af3bfc286b83dc417b939678eb

SHA1
b3a15d4f3823d658f7746c54cf65973ed3bf15af

SHA256
4b32b0a19526c35722918d79d69d694a34033cb34ad633df080d5b9ccf855238

SHA512
34f0f26f921290db5dad47ece44f65b93c890b371b283dea13d4912f0dd9ea4d98d6654a727c708f1a8affdbfd51894277d09d67b5c6d80555f9fa2a221aba6e

Download Submit
C:\Windows\SysWOW64\Gfembo32.exe

Filesize
89KB

MD5
150ecce070c9ce70c261693e053146e6

SHA1
1deb6b365d421ac12869f93b2a8a82a060f17a36

SHA256
ae2e974f96f8723eb75613a1c280d6f9c33383dd99086d6509843228d2254f24

SHA512
1545b4490969af251c630e3920a5cdbeb39eb180c0518949843588bd8d91b00a735e81ba70f7b01e9edaddf7fefb48bbef7c802ad55fac31dbd9ff5243567407

Download Submit
C:\Windows\SysWOW64\Gfpcgpae.exe

Filesize
89KB

MD5
4c98f6731389db34ac0635d5d3d86d15

SHA1
6174e9abbab28b6009676d7d351753ec8cccad30

SHA256
51eccae21f86385b85a538ccab3c92017a0bd052bdc89d3434163b9585ad526d

SHA512
f72dbf89099b58672b6be3d827f4ea2212adf19b809452bfef304de45c34adc41d896e7b2dffe1c26fb84c6f3088f5ec22250fa463d414ab5272fa7c7d8cc148

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
89KB

MD5
c3673b9ae33ba7437253f3183cb06857

SHA1
d229e0a792b8d6510851b8710b92ec5fc17182dc

SHA256
1c546e81802372924dfbd4da9483784fd1ad24735512848d4ffe26dffc335e1c

SHA512
ba38a43415c1ac734ce0e6e67042d8b9491dca7e96f488140a6b3fceb3182975e6bd664bbc0e6c0ad5ddd3479cb43fa9e2d4506614c57c1a18afd7757688dfb2

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
89KB

MD5
3bc560888cc97e2a237b361190a20b7c

SHA1
05453f4c72d0b96573b81ccd5a36cef9a89f2ee6

SHA256
2996ca7cf51d5da34c27d3cbaae30a0e1f3c8c5a0219d543e2eb94267e18452d

SHA512
4ee79eaf4d0dce89481dcb6d2a8282724342a7e95fdc0adfc9f293c914f7776406fdb859d9f75fd80e0fed811f1cdc9912e7c78ebaae6cedb7188091e7bb5b92

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
89KB

MD5
4d126233d6444cd7ece15f7ad33d5c7b

SHA1
c3e9561976e518f26a4112b80d0a63d86cd12f9f

SHA256
6adfb19272e4c71cc1ebad8c5c34fd90e82ca7c8561a034a68272c8125e22446

SHA512
afb1036afc823b737eca04b049acb7c97db9875394376e8beb380c2f347d137d4c4e206765af21ca0e93976c184f2b05e8d4d34adc064e12a86fc412f280d7b4

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
89KB

MD5
62c9ebe7a090205248ac5aebb550d403

SHA1
61151232562fe9a34e792b9c837b5ad31b1f752d

SHA256
f44b7d188023efad679aa417e4a81e9cf0bb4d587e086d09d1f4824b7645747e

SHA512
6872c580f948a0114333c1df0ca5235e2dc4f63cec66dbbdd5a11107519ed4875ac5a131ca34a1616302a2db75cfdb8936395c4e9388a08bb19bc80bb71e8ef4

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
89KB

MD5
5eb9842a6d306a7ab12e314aef46b36c

SHA1
af0e5f7bb1e824cabd9581cb25f8c0ddbd5efb83

SHA256
3acfc1f7692cf6a4ce95f337b74270757732cf9298d26b245e29de09d27b7e33

SHA512
eda3646bb281dfac9f8d1e0f6ab54f153fd9ecd6685612cf38b671f1cb7cea2df1fc60b8b5292f86902c12d41ad436200e659bffd7f8e7cbd825b58763495aaf

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
89KB

MD5
e7697ff38cbcd73346b729ed5bd78218

SHA1
d8bd99eaed267023d05a495a8d23f814f78d0ddb

SHA256
d81fe33b850349f9ddd32b1782a89e33c5003c490dfb1717d7ff87d3b63f79f0

SHA512
45bb4864de935ed582f23364354a85811c4d841c72d47ac129e6abd2e0edd829faaf7b0e6630ce9d3b0b0f7fd401203ad463fcd0a18e4845d96c81f6d381cdfe

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
89KB

MD5
9d17102c4171ffe629c4a44980a5937e

SHA1
9ebc1a6f27431e7c9d5bc91b093eccad6fed8093

SHA256
4fec06b4f9a8fd003fcec659f26d2b643f4028438a317885f74ef0d8835beb97

SHA512
97bd2d9b4b1c4ba749d4203fa9f2a96712d10cce90580b6d6c262fc1d4e3588e9fba1539ba0fb0b00092d38b8722fd6609dea994aa6c4d3c26208cdf1a0f203c

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
89KB

MD5
ef04b4c66f7fa49cc0d77e529b702fe4

SHA1
746eb0f47fd15f73d9b6666495b01de8b7edcb31

SHA256
4c9ad67fe508d407d22d135acff7214f607ac0d20d2525f548c0d1d486591dcd

SHA512
2dbc84cc5357d4f6914c2cca0350db431268d9377be72f89fb2aa0e55a049c8219f4ead98755c5ac8ec9d641243877ec4fdc1edf8be83e32c04d3c156db3facc

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
89KB

MD5
fe879db7d227dbe1a811d35a22e5eb84

SHA1
0a9d5643de076de6cc88321e2e2081f5617b2e08

SHA256
e340b677120c6d5986d3336f65ce2e7ea90c41c5510ce06a73d8987ee9adb68a

SHA512
ce1c9caf170c3c31b6c929a6725ca2819abf20ae9751b469cf294310339dae93cf957401dd7fa006575625f57ced048ac3786becba15826cb6bce4cb8ac48525

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
89KB

MD5
eb8b4007a83dabf613c293a4d2c673a6

SHA1
dd15768b88f002f30692075f419ee03924480d70

SHA256
1e1d1c2fc801768c66c338744bb4b4216aa34ffda1e4a79361197bbd6b50e678

SHA512
43fce849b29eb7003e1dd5a3c698ce790909eca142e0a18f63aa177fe3bfc71ab745e1fe14fc5c42bdf5089cc0dd0dc62db1f02cebfc88d7a03dc3dabfd90c33

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
89KB

MD5
541bbb1d57c4755796aaa50fb2739fe1

SHA1
6ec088ded53d27b23f99fd8ed7ea904f008a17da

SHA256
b733f06c87838bcc4a81110b29fa9368d8cf5a16aa8e9a39efac62e195bdbc32

SHA512
351ca6b37e3f6051a7627d5cc49f0e2ed4ffd4b8b4f647f7bf0177cfaff09d07c3d85b54747892b1566df484fd1645703803b3a024d0c36f334a2132edd013e1

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
89KB

MD5
eb55408abadf91244fd927d8bef9f8cd

SHA1
8db0fcdf6952162fc3fe65644ae2f1a8893b633c

SHA256
37f617d6543a8497d294dd80aa32ad228a8040193b735ac4f98411bef895a705

SHA512
504b1d4f460c28b688f3ad09b663897ae73fe766a2b107d3c9ff8477d7695911b220699b2734fa27c0b9aefe279aaa6498b00a94ecb68372e7ab612a580f6cff

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
89KB

MD5
bf44fabfe3777b11ffd7ea0f6727b0b7

SHA1
8a73a6dd823eaf78feed47e2ffa2e555eca07518

SHA256
14616ea4bfb26fdbc3db27974c2188798dbd9aa55c397353ec8323803906bd0b

SHA512
ba79b71cd3a06a0363712d0105aeb7437bb0337d25624958a3612eefad86637da25db60da2c0c69c72674df2e6d4612cd1c4bb6324e136254e2260a1d7da1d88

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
89KB

MD5
c2b426ba1ed21f21b5f3a59bcd42061b

SHA1
749407fd4af49c3f035ddcd1e90790d438babb92

SHA256
6801da221c63bbf9348ed9d3df089f64f36a19ef3f2a9bd38c4ed3a7bd72c820

SHA512
0ffb03a3f8fcffacc3a575174b302006e6dacc964237910fefa6ecd26cbdc96f6dd8b8b10a6f89d282a866752d6e79a496afdf94a1baa40f48d92f40bdedb761

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
89KB

MD5
48d825074df5441da6dc7b7b85fe033c

SHA1
d752c3f6edf963ada8807e83b7461daac0cb313a

SHA256
dde01a9c7e13a99f8e0d09c47fcb035867420b244392a4ee0e5ada5749900d5a

SHA512
de159d967cee01f181957a3cdf53f2fe0168245da4ad8b112a283baff1fafbdf6448d86bd142972190f2138d6d46e71e659b75dc34dca0aec10803f5fe5169f2

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
89KB

MD5
a81745ec7848dde34b62de18872976cf

SHA1
776bfed7bc8519e61951a4bc764b912588badf61

SHA256
0c5d20967419793c50b3188509ac4b3777bf634601409cd86cc5f6221f70b064

SHA512
8ff27c316e3f6ebf1362e037007e7227ad5166cae08f59a76ec590c57381124c2d0b9b4c4d54dc95e005340a3df36fe214889edb5cc0a7cb04599e38d5def6a1

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
89KB

MD5
16f8f94fd19cc92e3b3a0ecc55bfd93c

SHA1
b08a3e176509b9bb1eb8ea882f0f4d191c044381

SHA256
b9864f172f4474a93aa0d1deec15363c159776b37f0116d6a7455fed9615ae4b

SHA512
6754d6d02221eae26af9bb7e99b42ddf44ac7e6477fdac66f2dae39fd52a84f0155965f6b85b041274964768c044e9542f499a3db98b95018453fab1f33a0d1f

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
89KB

MD5
19230c16224c5574928c70e13a8a89ee

SHA1
1edbed6931760d550814aea344b309713a832973

SHA256
71dc687ce7d80897eaa2a00690e9ca716fc8868dcf31729bc534b64fbebfd6eb

SHA512
091409990c9a0021aa06e5858806d546bb7ff646332f7b83c7b35eebe74e111ad2fc3542c91ee96c3021cd2f2f1ae5f87473459aca8ad195a2329a87109998a9

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
89KB

MD5
1ea14200f7fcaa365e91012fda3418d1

SHA1
c71a8baefaa2d0f55810cbb037ca18e758fcea3c

SHA256
394caa9e9687d905778e96e4e141f45a46b9bfc5cc97eba7c585a42c7e69cbce

SHA512
fd5f5f547c94879a74f49d36b54cf31397adb000dd8529ad1ec8efecad488a671c0207a80943ed1c4be1e9485d602ae687122713b83f75b4994f16ccd7917311

Download Submit
C:\Windows\SysWOW64\Nbmelbid.exe

Filesize
89KB

MD5
781914c1cce4d5fe949c3a93b4d321d8

SHA1
6fecd984146fc2d21a8f783dcde18338998c9176

SHA256
760a45d4b4c6f0a41a50b9408e872d65697cd5a8829c99af951b9b0fce135312

SHA512
53f175e35572fbf38f28c505ceac8104b2c3f6275098c7c73f3dad6dcb8248bea575d065cbda3ef78914a77ed955ee23a34eec79a1d0a33ac57e84a245c9c311

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
89KB

MD5
c33209c8c083e14d1b844c1ca974d3aa

SHA1
eb69854ff91aeac5b42ab55bce91b9c1f78ee3eb

SHA256
6c77bb25d8d715c13f9ba17fcc128254b1a967d989d0c1f1f2223b41c43d257e

SHA512
2a6e717c673b5576053a5f227ac583b05e02be8c70c3ce82d1633b861b50cc045d7811b1d81cc331abca98194d215fd018e59ff7ee869248bc3ee85882a3c73a

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
89KB

MD5
dd79fccbf30980179e7a000ba687313d

SHA1
a3535ec7d0c8fc5af55974c1ea2c66cac6b9e4b6

SHA256
1af8848ddc5ed66e461f5c8ad9b07e51afb758018ca3dcf6c3db35133229a392

SHA512
7fad095776fc68823d09bf776ad8adf1d3a6d944a72a3f1a2c9f835974a5b1841e86899a72fb3cc525b41e49479b30e84a3a1dafecda47a5ce75e49cd8ccc795

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
89KB

MD5
7f99aa58fc78d62e61a941d411d7cf67

SHA1
33a0614fdaccc408fa036eabb2c2a22c10dfa9cc

SHA256
546f85f46d1f0e7e55d2f672034b26f591894710d1c095d2e4a73d950ed94a8d

SHA512
25f270424022cd292618137e615f236723f31a4e3074ef69da7547062175fcf58988b4fca0ca6b3da10094fd079414c428c8b5ac3b5dce9a09646222fbfc035d

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
89KB

MD5
cb88d79f979b860a2407aafbabe99e63

SHA1
97943456bce1f173dd2d24636536e5998c5f5173

SHA256
246255e970aea2fbed6a7d50f5802fbefa54145bf5a538cdd9cbfa5383d2d103

SHA512
8a3ec387abc668278ae466d052aa5e910e036a7c9260898796168d81f3ae72f725523c267c008f578e2a080891a276b7303fa376023029a7e2b6ef36f6a53018

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
89KB

MD5
54d8e7ae24cbb5c3a143d2ce5ad00c4b

SHA1
565d8006920dcce77415bbbb5c9c43d7c1a04d89

SHA256
768f71d496a3cfdbd540fc0e87e74e605c6e2a255e9259933dc2c8080ccf9643

SHA512
9b2b0835b2b33cdc26709541162a626d0f35901d9e2363b23ab6a2e1bf8f96484a41044324b6c22b7465546e195e19e0ee60f8da5947de9c57a251788fda8c97

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
89KB

MD5
9766f50d967aca1302598376482d1a75

SHA1
13bc89e364866a1d4a181a9817342b46c0be4ea0

SHA256
3d4aed92ba714e072ced4058b4cd250276916ffbbb55481977192b055d3c492a

SHA512
212469468a3aba5e7d05c8df73009b06048dd3e1adb37622109be865ef927c4b35a67c4139e753d9a45a7dde89d953eab917bea4d529e57f2edeb4cb27338bf1

Download Submit
C:\Windows\SysWOW64\Njfmke32.exe

Filesize
89KB

MD5
e569fd423fcb4a61fe7bc4fd612302c5

SHA1
552e0e4c65704c9ed3577ac7dd70c87908e8cb82

SHA256
8f4fa14f2783c31acaf77a4ba52b066fa01d309b0f1301b0fb9647b49444c5e2

SHA512
ebc9e3c7a0e05d450e4f5a78fecb18edde4a3552ed36770cd4fe7cc1cd8c08ed7aea2cb6f82f62137be1c70127285cf983a2426bc64b78e4b31ec781346c494a

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
89KB

MD5
963c0302a391cd46463240cde3d2fb9c

SHA1
dcdbe6f9d5ab344a90200bd5b6f35a27575b1d4b

SHA256
af3591ac13da5b35ae320b79b1b6f39f9838acf7e3c84644fa3011edfbe3b3e7

SHA512
e1604c3bc08782c3620b078a8b7983a21284531687b032792f4a086af7e1790db99b1aa85aa05ca5fd22f1d3a34afeb8dc3297eb742e7e0ed25e2b4441269c92

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
89KB

MD5
df01f979605aafd167154bb034a8ab10

SHA1
de6569f4566d6bdf4211cfc04eb515b7d2c8f6bd

SHA256
5e0d7f57f90dec609830b251e11122d1f615a562c9aa3ed481bcf120829fca9e

SHA512
5609d9e0a19ffaa4218ba22decb44ae7a5578054fab8bae9354aa8380033dfa323726718083d38102033795d244da7fedbd95add9490e865ee5db539bcb4e922

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
89KB

MD5
6677f2dd9d8f5dd26bd1712b39ea3ee5

SHA1
6c92139323777422af48f0f787e33d0d5ccb5a58

SHA256
24f8eb6976c048c14a0e3a8856d771242838a66996bddebba77109870279a3e3

SHA512
b938c07f2f3779359d39c36f84ca89a490a3bb893ebd196faeb579ae27d5ea74136d3d6cbac48aabf040dbda11c1928877d428319f1a85b4a1262d4790c7689e

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
89KB

MD5
ae2a1d188152ecfd1e55bee30889ffea

SHA1
d6375252cae9448245e1d98d3814999028711281

SHA256
3f6316df3b453c6c8c101cfedabbc1aa26fc7f4e93bac2db3ec53ad5ecdc327d

SHA512
3358912c2b201ffac67e4c1a732dcd00ff4d3e1931918556b22eb1ad1b3df3a936ac70e043c8f2d02f36a77b83e8bf15f56ad84acab062acef5ad49e4cd6246f

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
89KB

MD5
155c9055b12ce1973198e914475cf7c5

SHA1
236f34ebfda38c38515fbb55effa845c7d98ae41

SHA256
874ac42d5489b25a15fa8d9da0633e88422a3b212fe1de468a48b300a3f169fb

SHA512
4742aa0874666c003e4bc6022869d40b9943836efebc20909cd354bc61b333a178c2c3dc25df2804e0d0e730b8b2c1f9f276540212741ff9770640165fd6dc35

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
89KB

MD5
317e1fa63608d36b677ef3eab8739843

SHA1
c7c7970be83696c07d5a60dae1334bcbc90d33c6

SHA256
ccdce8e2ee737c1a8b0518b93f68a0d8f45bcbf718de7a2d0406c0792b8d67f3

SHA512
0b0842674f91f20de32a1ede11cb271f9ae6dcc600ba39cb49b2bfe95faa1a9a3d488815ac5d47aeedef8137b7a56594297a7bdbd10e555cd29a1d0b7d3ebce7

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
89KB

MD5
db5d3aeb1e7d718fe9f8b84e8e3cccbd

SHA1
6831a28168da44e9ad06fe210352bad7756f2bb1

SHA256
6835ab367e8e6cf937105d5e979b83240b21d9b41c50cee596f3836b1621b260

SHA512
ce888f21ae12957e5add4be557d87ef57497300087c29e394b0914dc7a0347ebd0c73b1175258e46ec0e4963fd9968e73c7a9e8079967dbcad59e41f4db1c863

Download Submit
C:\Windows\SysWOW64\Obfhba32.exe

Filesize
89KB

MD5
528c6d935e4baefea7b289b5e65076a2

SHA1
c0da2f8420a8c2b268e3019601db56e1104e73b6

SHA256
dd197a88bdb19f9a9e75d29b2075f97198087d62a2dd70f79866b45acce9f5ad

SHA512
182294927ce2038cb26bb1c614e1171a793073882349b4e79aa48a3bf1574d9b8857bd78a95b1fe9fa7004a81dc3864f2f2f0621bd04d9ebad0791a108708c27

Download Submit
C:\Windows\SysWOW64\Ocegdjij.exe

Filesize
89KB

MD5
6413653eb137aaf3869a231fabffe500

SHA1
f025f3214495529f981f67ca385af9fa9ae15c8e

SHA256
d0e31fb945709eee546f627ed1e3bfcca90cf48dac5c4168cd7dec4b1e3dd5e9

SHA512
be0e3f87c34a2776fae4e13e1eadd93b47aa9cdd5e9f8a6089bc8e43207eda4b688e486e6f5e2f03fd2971358db0e20353e3c614ff09310beed867f717ba0857

Download Submit
C:\Windows\SysWOW64\Ocqnij32.exe

Filesize
89KB

MD5
d8acec8d67bb409349878357d47fa3c6

SHA1
5293c9ccbaee35e23770da0089b17723b896ba2a

SHA256
1839a594c21bcf07b2a9ad7c266b90e2c835c8a1c3bdf4092b0e22e590f30b28

SHA512
1e0594e8147f9cb0b3a638a33a6429b428b46924a01241d64e0734e8d42335b88faeb5ae3e96577b8f810e617d92e7e803f8b8fb8d6a9b46b896f4aa8fb5ef09

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
89KB

MD5
cf09d0d05cbb3ea68e86970377574afb

SHA1
ffba4621c286b729e9cb612e150020d67af12add

SHA256
485f19aa06c2ee6edb21034735bd4bde1ec912923d8271275d8a59f3d394da29

SHA512
f8261fed4c535640e56bb3836b96e1d560423b4f0d8e9ad35337958f5dbc031b3f5ac3a38e34822f6a9c88a9d19c723c93c1a805b0d14f2be0ac39721a746b0f

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
89KB

MD5
9fadc9ac4c641a4a521809997bc7473c

SHA1
b7e61588a1ccb42f4197bce7ae0e170cb92eeebb

SHA256
a88fa351c193d5befafe3146812192f293225db5fcf95a5ff534326e2d0f586f

SHA512
fef3d1839d71058121e7a07e8a653dbac7cd6a97ae4be63db812f0c3933c8e99394e9d07c9cb8be02818d1e0086df208e71952e560cf2bc7c737c53034bfbd5e

Download Submit
C:\Windows\SysWOW64\Ogcpjhoq.exe

Filesize
89KB

MD5
6aa5045b5ef3e40fd8fac9ae37cc69c6

SHA1
c96487a3d49eaed2b1521a9fc7984710d80e38e6

SHA256
53e2ebede976c752ca38828548fedc15c222f2605f550c55a0d51bc1f5a5fefe

SHA512
b10dfcfed9f6f0734a4ccdf704c27963289fe92f2e9e96ea8c8fa1a4bf59eb2dde13bf6fe247c0306d75fdf4300dc27d9ada79ca454d72a2d5e84629fae6fdbc

Download Submit
C:\Windows\SysWOW64\Ogjmdigk.exe

Filesize
89KB

MD5
8cd1ccc876eecac2968e7ee563e11673

SHA1
9c8b0dd28e9ba59d76d8e007bd9299851c318f14

SHA256
8922d27a4948a42df31ed3a93d58087f57387004bac37aa08a3c1b095b5fa917

SHA512
5e7e4108a6d4c381d9ba1f4a38b085723791ad79a97bd21475e44e055ea6b06089aa4f54170765ef3e1f3b4135394747db36f930c28b5aaf7cd2073fd7aca5ac

Download Submit
C:\Windows\SysWOW64\Ogogoi32.exe

Filesize
89KB

MD5
7f28ac1577296b6869219954caee3cc4

SHA1
dbc53b24ac56de99e3ae95a2bf0eea3fbfa8d8f9

SHA256
23dac0c6d0dcc2719d62cff74784b75e82e73dea9d5294b2fce321e82ad8304f

SHA512
acac081fde19858a47bfbc91eb7006c1b1b758fdf4d4ece6450f297e562420742c060b85a925e2e435c265b9408d2bf3a86966e5e4bc3cf9b03aac7206ac48c5

Download Submit
C:\Windows\SysWOW64\Ojopad32.exe

Filesize
89KB

MD5
9f044709604dbc117f03813e08143889

SHA1
4602316eb3407475ad15f929d317229b82c40f77

SHA256
7926ca1d91eff80e73119416c7b9bb7c7e1395d4fd2bd2396371d107eb50aa21

SHA512
769620f27d4e2c3459b16768dda2bdfb1f228e4cde97ff2e73a7b208f117172d809419a83191ba8470c49066ab16730863e38262720a8c178fc73b462f145f65

Download Submit
C:\Windows\SysWOW64\Okhfjh32.exe

Filesize
89KB

MD5
04549238d8b8eb85bfd96e83eb62f07b

SHA1
e31dcaf34adee5f69238710985e86ad130bfec48

SHA256
b14e06a5f744b811d394e95efd87e6ab815f32e565f1da4ae00dd7de4b0bc467

SHA512
e92c294b83333fba8c4826cf04b0a75360e824606e062f8ac5ed7e8537ac0189821da68a2800cda28bf41e9d4a4e67bf4e9534289c5ae3f2a8911f9ffdda0fc4

Download Submit
C:\Windows\SysWOW64\Okolkg32.exe

Filesize
89KB

MD5
3e438a12dc714b80a97efdfc4ab16b5b

SHA1
1f20ce65a0dd16dbd0e13ac317230bcad8dd3420

SHA256
06306e8477f1813ca14fd90825f8fc2894a7393fb097ebd91141c5c3699b7c33

SHA512
99f713559146f2b946b4024be1540c8d62ea1692ae181ef0d48a9bdf474bd36244600844036fdb25339142f51bde3ea1f8c2f199f280657e07470a9bfd5dee44

Download Submit
C:\Windows\SysWOW64\Ondeac32.exe

Filesize
89KB

MD5
f28cc718823f4c3c17cfcb02f9ac18b6

SHA1
62e9f46957a4da5a4571fb6c2328d9f266efa0bb

SHA256
ea82be398760b594230db7f00384b6d0df948f6ca1106c18f4090c08c59ad80c

SHA512
1dbe48e57e90bfbbf48afaa4b30080f825397b7e0eda91ef2d0e4acd5e5201e9760a6db5fda26cf1bc19447a399ee752f6506aa423abdb698f19b543cea4dbae

Download Submit
C:\Windows\SysWOW64\Onholckc.exe

Filesize
89KB

MD5
487db8cf40753011669db9bc1a1fde52

SHA1
26848ef0e8ecc30a732b93534d12c841e7617c78

SHA256
c0b8283d8451d361b4950504518fb43b3c654e80df8b394b6c0904545a4ea31f

SHA512
ae6c696f356915cd5f5ec5868a28f8ff34545ed249a7398ab2f653657b2e046dface283e4226ca5720bc8c2d32cb8b66759d418a9b0e96beaedaa7bc9b9bde10

Download Submit
C:\Windows\SysWOW64\Oqkdcn32.exe

Filesize
89KB

MD5
0190cddaa485119a0dceddc760f4fc80

SHA1
f3635425d9e7e05140ad46a6d02cbdf0fa321d05

SHA256
7c0012c85d93c7eb083ca888d685068809e38e49a49a60ab50c3f7177e7b787a

SHA512
3f40725f92041e50bdb86c795a971aee3e4965248bc6c40904e1b5bb76673a117f035b82ed9e37d5cdfa97a7c78a03a01247c5b27853ffeacd3218414ce55f61

Download Submit
C:\Windows\SysWOW64\Paegjl32.exe

Filesize
89KB

MD5
0f76636000af9fea23578f1e71c5b1bd

SHA1
38b9c431237fe3a5783f45c36a4dce77a90666c4

SHA256
d21b06e014c94bdb7bc408e96fb8dc627718aca00fb581971066088428ed4280

SHA512
a3a63234e7347904fdb628b7791835e914b5dc481b201d7273ef91f8e01ca2eabe48d52612f0df4244c70ffe2d84324c38cdde42fb8b6ff75d403d160faa46b7

Download Submit
C:\Windows\SysWOW64\Pbmncp32.exe

Filesize
89KB

MD5
9e7e3283be418185f93aad8704110373

SHA1
c13c3a631108009d9043acd5eebc108beaef922a

SHA256
07874b9a49a29dfbf1feed318dd9024c0b4b3babaa1df23edbf9c753b92b6990

SHA512
0a3c9afa279f4bb71c4e2bcbaa0c8d1ed5a21080a4f23ce6f5c482f3ff2fb8293c7f9ee55810bac0abf9b7482b5f30cb0a51293b9d6cc744888fd634aaf8e63a

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
89KB

MD5
cd2ff7e78b9f9859771a74ad0154949e

SHA1
9ea521bf2d19116899c29b03a0b4409542000ef1

SHA256
93858c176663de1afa28435b88ab2b78608495957d14bbe32834a36a3cb32a6f

SHA512
e0c2b8395c36ea970c36fb28b11a61fbfedd4c9e99b019b385b4ba0d962e8d6443ab8f57ac2abef2358194bd27f5c1e622eb2f9b22f06263c69381530c0b7bd9

Download Submit
C:\Windows\SysWOW64\Pengdk32.exe

Filesize
89KB

MD5
8f9fbefc35bbb83eddb3b38664e04761

SHA1
8a1c5de466e2521026f2717c24b5e36ff4118d6e

SHA256
4d3341afa3d31c03d8e80b9d4c2a455c9df37456103a013509662c626365a3c8

SHA512
4a9873e2af215c4b578e0b7cc7b117d3612ff21a7a9a01732c575595038a9e457d70c9aa63e467ac24b902903bb6b053d100cc0fb88599ff77a88997b50c2198

Download Submit
C:\Windows\SysWOW64\Pgjfkg32.exe

Filesize
89KB

MD5
6f7660fe1cd17de3776b9654b4792b5a

SHA1
7612bf694a644a1df91e4ea039049ead64f25e40

SHA256
248810f5b06e4e98772330bfbf7f5388689958724596260ec04f750042b28db7

SHA512
d0d43184fa3053e07b440f331aa061481bfbcc8f47f1c188b410dfd1fb0f900aa1ae3f972602d343baf1717807309f4dbfc863fb5111481de34d754c061be611

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
89KB

MD5
e4fd08babff8ad67eb0a1438afdf395a

SHA1
27dbf75eb84ec4d3d2de29c169ab3af709fb796f

SHA256
f2b04633264e62ef1038e8d7882b06fb4848cace65ed7efb2129c5959082e10e

SHA512
1e02f6a125bba782869cd4b732ffb380b0faebf376f8a937531cfa14fa188f649f9fd8d06e521cba40af1bf48a5587258400eaf6407c3321acef20a41e7d520f

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
89KB

MD5
9eb6abd38921240552f523cfdc98c61b

SHA1
db259dad67cbea55d5f00dbc36738393a19918a4

SHA256
6eef21a675521e906e33b442a3c4adcd77bf9486c0f2fe3a7e092fde4d65e17e

SHA512
e669a1afa985ff8012903268af8ceffb6daf1d3f62021ceb9091f83508082505e2ba4f1a37b42c2181f6ebf0db745139cb6fb6d63ae8d89c39f91e24e78e26eb

Download Submit
C:\Windows\SysWOW64\Qeemej32.exe

Filesize
89KB

MD5
4260d064ab357bd10cde6d9662907c54

SHA1
7a4356a90c9aa0db995f9e326f1ec2e0f243daf1

SHA256
42e3428afbfbd18bc6a817bc0ff3ca19ed0d0f8a50e0c09e371a9b1c37a439d2

SHA512
3bb75c688b25bf4344744137003d3ad2dd98990e221abd26be491c6b5a4350f85052e29c09ac0c77dd54499e8617fdada105f8b8fe35589954606739d7e75633

Download Submit
memory/64-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/428-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/644-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/760-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/932-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1340-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1400-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1404-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1408-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1612-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1664-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1756-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1788-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1816-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1884-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1944-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1972-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1992-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2060-375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2068-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2180-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2200-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-493-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2244-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2288-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2356-411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2480-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2568-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2580-544-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2620-563-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-599-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2844-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-593-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3188-549-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3196-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3216-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3248-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3256-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3300-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3300-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3524-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3580-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3580-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3612-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3684-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3752-357-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3764-524-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3800-441-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3804-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3804-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3932-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4012-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4240-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4328-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4380-267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4432-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4448-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4624-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4700-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4788-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4840-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4852-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4856-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4880-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/5092-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads